The very applications that make people excited about 5G are the same applications that are the riskiest
In promising a faster and more reliable connection, 5G networks are creating new use cases, particularly in the enterprise space. While this new era of connectivity is exciting, many of these new applications are critical, and therefore, the potential risks of a 5G network go beyond the traditional understanding of security risks. Software company MobileIron’s engineer Russ Mohr told RCR Wireless News that it is time for companies to completely reevaluate security practices because not only are the stakes higher, but the target for attacks has changed.
“We’ve got some really critical applications that are going to leverage not only the higher speeds, but also the low latency that 5G promises,” Mohr explained, “so that means that when a network allows a compromise to happen, that compromise could be effecting a hospital, or a power plant or elements of a smart city.”
According to Mohr, in the past, companies were more concerned with protecting their enterprise or building a firewire to stop hackers from getting in.
“But now,” he said, “there are some really critical services that are going to run on this 5G network and when they do get infiltrated, there will be true life or death consequences.”
The very applications that make people really excited about 5G, like drones delivering packages or autonomous vehicles, are the same applications that are the riskiest if they should become compromised.
The traditional approach to security — the firewall — is dangerously outdated in those circumstances, according to Mohr.
“In 2019, companies need to reevaluate everything they do around security, because I feel like the cheese has moved,” said Mohr. “We built a whole industry around protecting a network and the things that sit behind that network. And it’s based on a firewall, which either does or doesn’t let you in.”
But Mohr said this doesn’t make sense anymore, because the mobile landscape is growing, which means that hackers are no longer trying to access what is behind an enterprise’s firewall. Instead, they’re going after mobile devices.
“There are more critical vulnerabilities every year that are affecting mobile, only because the critical information does not reside on the desktop anymore,” he elaborated.
He said that the increase MobileIron is seeing “across the board” when it comes to the number of attacks on mobile devices is causing their customers to reevaluate how they approach mobile security. For many, this means beginning the process of building a mobile security practice in the first place — because many of them hadn’t done anything on that front yet.
So what can an enterprise do to protect itself?
MobileIron is a huge proponent of the Zero Trust approach to security. “Zero Trust means that you never trust an end point and you always have to verify. And when verifying, you making sure that the device hasn’t been compromised, that it’s the right user, that it’s the right application before you let a device access a resource that belong to your company or a cloud resource,” Mohr said.
And most importantly, this should be done continuously. “Just because you trust a device on Tuesday, does not mean you trust the same device on Wednesday,” said Mohr.
MobileIron also highlights the necessity to take action if you do discover something wrong with a device.
“That action is usually removing enterprise content from the device or blocking the device from getting to the cloud services or networks that sit behind the firewall,” Mohr explained.
Finally, Mohr encouraged enterprises to leverage machine learning to make sure that they can stay ahead of the attacker when compromises do happen on 5G networks. “There are lot more practical cases for machine learning and threat defense is a really good one,” he said.
With machine learning, an enterprise can run a device through million different scenarios and develop a computer model based on those scenarios. Then, an enterprise can be alerted to the things that almost always indicate a device is under attack.
While Mohr agrees that the U.S. government’s focus on the untrusted supply chain aspect of 5G is valid, he also fears that enough attention isn’t be paid to other elements of cybersecurity.
“The FCC has totally washed their hands of it,” he said. “The FCC says it’s not part of their mandate, but 5G is part of their mandate; they just don’t seem to care about the security bits.”
In general, he feels there is a very large “underinvestment” in security, an opinion shared by many. Even Huawei, the target of the U.S. government’s primary security concerns, has pointed out the not enough is being done to protect America’s networks. In fact, the Chinese equipment vendor sponsored a seminar at this year’s Competitive Carriers Association annual convention, calling for global collaboration between mobile operators, government agencies and equipment vendors to make American’s communications networks more secure.