The future of connectivity is 5G, and the Cybersecurity and Infrastructure Security Agency wants to ensure that the federal government and its many state, local, tribal, territorial and private sector partners are as secure as possible when the technology arrives.
CISA is currently developing a testing framework, hosting workshops, and identifying and disseminating key risks and best practices for 5G security in support of the agency’s 5G strategy, which it released in August as a complement to the administration’s National Strategy to Secure 5G.
“We … have a 5G testing framework going on and the draft is currently undergoing coordination — [it] should be out next month — developed by the Federal Mobility Group in coordination with CISA, the National Security Council and the National Economic Council,” Danny Dagher, program lead for 5G and supply chain at CISA, said during the ACT-IAC Emerging Technology Forum on Wednesday. “And the focus of that report is to build on a 5G testing framework for the federal government. The report surveys the current federal landscape of 5G-related initiatives and investments to understand the breadth and focus areas of these efforts. It collects a set of 5G use cases and testing needs from across the federal government to identify commonalities across agencies. Those use cases are intended to inform the foundation of the testing network, and it’ll help promote 5G collaboration and testing within the United States.”
CISA is also hosting a series of 5G workshops focused on risk management with state, local, tribal and territorial governments to help them understand and prepare for security considerations. The first occurred in Washington, D.C., two weeks ago. More than 180 participants attended, including federal agencies, D.C. government, and members of the private sector. The next workshops will occur later this month in Utah and Minnesota.
The idea, Dagher said, is to gather and consolidate best practices and lessons learned as organizations experiment with 5G and then disseminate that information. As they try something new, fail fast and shift course, or conduct R&D, CISA wants to make that information as widely available as possible.
In its 5G strategy, CISA has already outlined five key risks to 5G infrastructure:
- Attempts by threat actors to influence the design and architecture of 5G networks.
- Susceptibility of the supply chain to malicious or inadvertent introduction of vulnerabilities.
- Current 5G deployments leveraging legacy infrastructure or untrusted components with known vulnerabilities.
- Limited competition in the 5G marketplace resulting in more proprietary solutions from untrusted vendors.
- 5G tech potentially increasing the attack surface for malicious actors by introducing new vulnerabilities.
“We’re also planning to do critical infrastructure sector infographics, and really being able to look at the use cases, and the landscape of 5G that affects the different sectors,” said Dagher. “We have the different critical infrastructures that we focus on. And we’re also looking to release some of these in the next few weeks. One is for the defense industrial base. One is for the transportation sector. Public health is extremely important.”
And CISA is already working on mitigation strategies for those threats. Its threat evaluation working group within the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force has spent years categorizing around 200 types of threats into nine categories in preparation for this step, including cybersecurity, which involves external actors exploiting a vulnerability or planting malware.
“Over the past year, this group has added mitigation scenarios onto these threats as well. So just, for example, on that particular threat, the report now includes mitigation strategies: How would you patch or what other practices or measures would you put in place to protect against something like, for example, something like ransomware?” Noel Kyle, supply chain risk management initiative lead within CISA’s National Risk Management Center, said during the forum. “So there are a lot of other categories in this report as well. There’s an internal security operations bucket, a secure system development lifecycle bucket, counterfeit parts, insider threat. So there’s a lot of work that’s been done to define what these threats are, and how can we mitigate? What kind of practices can we put in place to protect against them?”
And that’s just one working group focusing on 5G. Another working group within the ICT-SCRM Task Force is currently working on a SCRM template for vendors.
“This is a set of questions that can be customized, but it would help vendors self-attest to their own security practices, and then they could submit those for potential acquisitions or procurements and to give the purchaser, the buyer more insight into the security practices that that vendor puts into place,” Kyle said. “So there’s some work underway with the task force that might help with some of these challenges going forward.”