WASHINGTON: The National Security Agency, working with others, is creating new unclassified 5G security guidance to be published this spring, NSA Executive Director Wendy Noble said today.

It will “outline threats and risks to 5G infrastructure,” Noble said, and will be based on work by the Enduring Security Framework (ESF), which is “currently assessing 5G adoption across the threat landscape and examining ways to minimize those risks to the US.”

“Looking out on the 5G security horizon,” she said, “[NSA’s internal] research organization is investigating the role of artificial intelligence and machine learning in mitigating security risks. They are developing data analytics to define expected behavioral patterns, identify anomalies, and implement the zero-trust model. We look to data analytics to provide insight into network automation and orchestration, given the large amount of data that will traverse 5G networks and overwhelm network managers.”

The ESF is a public-private partnership between the NSA, Defense Department, Department of Homeland Security (specifically, CISA), Intelligence Community, and companies within the US IT and defense industrial base sectors. The ESF’s charter is to address threats and risks to the security and stability of US national security systems and critical infrastructure, Noble noted.

The guidance is one way NSA is “focusing our expertise in cryptography and cybersecurity to help industry and government to integrate security into all aspects of the 5G ecosystem,” Noble said in a keynote at AFCEA DC’s 2021 5G Defense Tech Summit. The guidance will be published on NSA’s website “sometime this spring,” Noble said.

“The cumulative goal” of ESF’s work on 5G “is to jointly improve the ability of the 5G infrastructure to identify and build threat models, detect threats in networks, recover from attacks, and securely leverage the benefits of virtualization,” according to NSA.

Noble’s speech highlighted the importance of zero-trust architecture in 5G networks. The NSA recently urged the defense sector to adopt a zero-trust security model in the wake of the SolarWinds cyberespionage campaign. Given Noble’s emphasis today on zero-trust security models and supply chain risks — as well as the fact that the SolarWinds breach was on the agenda for ESF’s January meeting — it’s reasonable to expect that future NSA 5G security recommendations will emphasize zero trust as a key component.

NSA has characterized zero trust as “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy.” It’s a “data-center centric” approach to security, which assumes the worst — that an organization is already breached or will be breached. Based on “assumed breach,” zero-trust models apply the security principle of “least privilege” to every user and node in a network, enforced with risk-based access control, security monitoring, and security automation.

Noble noted today, “The zero-trust model is predicated on encryption algorithms and key exchange processes that are quantum resistant. Likewise, fine-grain, cross-domain management of authorities and access controls must be embedded throughout the architecture.”

Zero-trust security, implemented correctly, is effective and prudent for current IT environments. Zero trust will become increasingly important in future 5G environments because of the radically expanding attack surface — via the increased number of connected nodes, commonly known as the Internet of Things — and the vast amount of data that will be exchanged over networks. Each node in the network will be a potential weak point, which is why identity and access management, access control via least privilege, and anomalous behavior detection will be critical elements in securing 5G-enabled IoT environments. And 5G security will be further complicated by extensive decentralized (i.e., edge vs. cloud) computing and data storage, as well as the high degree of network automation.

“High-speed networks will test our defenses,” Noble predicted.

Noble also discussed supply chain risks, specifically mentioning the SolarWinds breach, certain foreign countries, and some telecommunications equipment makers. NSA recognizes that the US’s “strategic and economic competitors will seek to dominate and, yes, exploit the evolution of this technology,” Noble said.

“If China leads the field in the development and deployment of 5G infrastructure and systems,” she continued, “then the future 5G ecosystem will likely have Chinese components embedded throughout. This could pose a serious threat to the security of DoD operations and networks when operating both at home and abroad.”

For this reason, it’s “critical DoD work closely with trusted partners within the US 5G defense industrial base,” Noble added.

In addition to adopting zero-trust architectures and addressing supply chain risks, Noble highlighted four other areas that should be considered, at a minimum, for 5G security:

  • Standards bodies;
  • Spectrum management;
  • Secure code; and
  • Improved network resiliency and redundancy.

These are all based on recommendations in a 2019 Defense Innovation Board study on the 5G ecosystem.

Given the broad applications of 5G across the defense, public, and private sectors, the “stakes for securing this new technology could not be higher,” Noble said. 5G will “impact the way we defend our nation.”