DoD has made the shift from bespoke to commercial-reliant computing systems over the past decade, but this change in approach carried less risk than is currently faced because the United States dominated the computing systems market and was able to “own” the supply chain and better secure it against vulnerabilities. As a result, DoD now incorporates varying degrees of COTS products into its computing systems while keeping vulnerability risk at an acceptable level. However, in the current 5G competition, neither DoD nor the United States writ large is in a position to dictate the content and integration of the 5G supply chain - our focus on building a mmWave 5G ecosystem leaves us out of the global supply chain for the sub-6 5G ecosystem. This mismatch will create serious security risks for DoD going forward if the rest of the world accepts Chinese products as the cheaper and superior option for 5G.
5G Infrastructure and Services
5G networks have a number of security risks to consider, regardless of what spectrum bands they operate in. While DoD security typically focuses on vendor-installed backdoors that could be used to remotely control a system or exfiltrate information, a wide variety of security issues could also be introduced through poor software development practices both during and after the rollout of 5G. Many of these risks were mentioned in a UK report on the joint effort with Huawei and the UK government to manage security issues with Huawei deployments in the UK.[1] Security issues from poor software development issues are a universal problem, and are not restricted to only Chinese vendors.
Even if the security of a particular release of software for a 5G base station may be secure and well-implemented, there is no guarantee that future releases will continue to be equally secure. Bugs will inevitably be found and require software patches, and these fixes may need to be fielded quickly without fully considering new security issues that might be introduced with the patch. It will become increasingly challenging to validate continued security with each iteration.
Even if base station code is secure and well-managed over time, the business model of the wireless infrastructure providers is such that personnel from the vendor are typically involved in the commissioning, operation, and maintenance of network infrastructure. This requires vendors to access core management systems that operate the network, and allows vendors to deploy software to equipment in the system. In many cases, network operators both in and out of the United States outsource entire operations of the network to the vendor of the equipment, increasing potential vulnerabilities via this third party activity.
Field maintenance is also typically contracted back to the vendor. Service staff visiting field sites are able to upload new software to the network and change network configurations. DoD has a long history of combating malware that has been transmitted into weapons systems through computers that were not patched, did not have multi-factor authentication, or were exposed to
- ↑ “Huawei Cyber Security Official Oversight Board Annual Report 2019,” March 2019, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf.
