OECD DIGITAL ECONOMY PAPERS
September 2023 No. 358

ENHANCING THE SECURITY OF COMMUNICATION INFRASTRUCTURE

Foreword

This report on “Enhancing the Security of Communication Infrastructure” was prepared jointly by the OECD Working Party on Security in the Digital Economy (WPSDE) and Working Party on Communication Infrastructure and Services Policy (WPCISP), of the Committee on Digital Economy Policy (CDEP). It aims to inform policy makers about the current challenges and opportunities related to the digital security of communication networks. In parallel with the development of this document, the WPSDE and WPCISP developed reports on the “Security of the Domain Name System (DNS): an Introduction for Policy Makers” and on “Routing security: BGP incidents, mitigation techniques and policy actions”.

This report was drafted by Lauren Crean and Ghislain de Salins with contributions from Laurent Bernat, Verena Weber and by WPSDE and WPCISP delegates. It was prepared under the supervision of Laurent Bernat and Verena Weber. This paper was approved and declassified by written procedure by the Committee on Digital Economy Policy on 31 May 2023 and prepared for publication by the OECD Secretariat.

The Secretariat wishes to thank the external experts who contributed to the development of this report including, inter alia: Amy Alvarez, Chris Boyer and Jason Olson (AT&T); Eric Wenger (Cisco Systems); Claire Milne (CSISAC), Carolina Botero and Andrés Velásquez (Fundación Karisma, CSISAC); Judith Furlong and Said Tabet (Dell Technologies); ENISA, the European Union Agency for Cybersecurity; Jason S. Boswell, Mikko Karikytö, Scott Poretsky and Rene Summer (Ericsson); the European Commission; Kathryn Condello (Lumen Technologies, Inc.); Chelsea Smethurst and Mark Svancarek (Microsoft); Roopa Prabhu (Nvidia); Alexander Botting (Open RAN Policy Coalition); Leonid Burakovsky and Alex Hinchliffe (Palo Alto Networks); Brian Larkin (National Telecommunications and Information Administration), Brandon Moss and Katie Mellinger (Federal Communications Commission), and Jonathan Murphy (Department of Homeland Security) (United States).

Note to Delegations: This document is also available on O.N.E under the reference code: DSTI/CDEP/CISP/SDE(2021)3/FINAL

This document, as well as any data and any map included herein, are without prejudice to the status of or sovereignty over any
territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area.

OECD 2023

The use of this work, whether digital or print, is governed by the Terms and Conditions to be found at http://www.oecd.org/termsandconditions

Executive summary

Communication networks are the foundation of the digital transformation. Given their crucial role, digital security and resilience have become a priority for policy makers across the OECD to ensure the functioning of our digitally dependent economies and societies and strengthen trust in the ongoing digital transformation. However, cyberattacks on these networks are on the rise and increasingly sophisticated. At the same time, communication networks are undergoing significant changes and are being upgraded to new technological standards (e.g. 5G and 6G), which, in turn, impact their security.

This report considers four trends that are shaping and changing communication networks and the digital security implications these raise:

- The increasing criticality of and reliance on communication networks by the economy and society, which is changing the context of digital security of communication networks.
- An increased virtualisation of networks and a more important use of cloud services.
- A shift towards more openness in networks, including open radio access network (RAN).
- The role of artificial intelligence in communication networks.

Each of these trends is shaping communication networks and, therefore, prompts questions on their implications on digital security. On the one hand, these trends benefit digital security risk management of communication infrastructure. They can help improve network visibility and management, enable network segmentation and isolation, allocate security resources more effectively, and automate the early detection of malware and malicious activity. Increased transparency and reduced dependencies on certain suppliers are additional possible benefits to digital security, driven by the shift towards more openness.

However, these trends also challenge digital security risk management in communication infrastructure. Overall, they result in:

- An expanding attack surface (i.e. the set of points of an information system that are potentially vulnerable to an attack). Since the architecture of communication networks is increasingly complex, and because networks are increasingly software-defined, cloud-based and virtualised, they contain more software vulnerabilities that can be exploited.
- A broader and more complex supply chain. Some of the technological advancements outlined in the trends tend to increase the dependency of network operators on some of their suppliers and to redistribute control and responsibility for the management of digital security risk along the entire value chain. These suppliers include providers of telecommunication equipment, as well as providers of cloud, components, servers and managed services, which are likely to play an increasingly important role in the digital security of communication networks. The communication infrastructure supply chain is often complex, which makes the allocation of responsibility in case of a digital security incident even more difficult.
- An aggravating threat landscape, driven in part by the commoditisation of attacks (e.g., “ransomware-as-a-service”) and the increasing sophistication of State-sponsored and other threat actors.

Against this backdrop, malicious actors’ motivation
to breach communication networks’ availability, integrity or confidentiality is significantly increasing as communication networks become increasingly critical.

The paradox facing governments is that while communication networks are increasingly considered critical infrastructure, their digital security ultimately depends upon decisions made by third parties, namely network operators and their suppliers. Nevertheless, governments do have a clear role to play to incentivise the adoption of digital security best practices and to support an enabling environment that empowers stakeholders to reach an optimal level of digital security. This can be fostered through the following policy objectives:

- First, adopting a holistic and strategic approach towards enhancing the digital security of communication infrastructure, which i) considers the entire lifecycle of products and services on which operators rely, ii) gathers all relevant stakeholders and iii) is co-ordinated across the whole government and at the international level. Importantly, co-ordination across governmental agencies and a clear definition of responsibility and/or mandates between them are essential.
- Second, incentivising network operators to enhance digital security and adopt comprehensive risk management frameworks (i.e., risk assessment and risk treatment) and encouraging them to explore more advanced security approaches, such as the “zero trust” model.
- Third, addressing supply chain digital security risk by incentivising suppliers to improve supply chain transparency (e.g. through enhanced traceability of components and digital security certification) and supporting diversification within information and communication technology and services supply chains.

These three objectives can help structure public policy interventions to improve the digital security of communication infrastructure. Governments can apply several policy actions to address the cross-cutting challenges and uphold policy objectives, ranging from light-touch to more interventionist approaches: voluntary frameworks and guidance, multistakeholder initiatives and funding research, third-party evaluation and certification, public procurement, and legal requirements. These actions can be shaped as needed to carefully address the cross-cutting challenges in terms of scope, scale and speed of cyberattacks.

OECD countries have introduced policy initiatives spanning these policy actions, from voluntary frameworks to legal requirements on digital security. However, digital security is an ever-moving target that requires constant re-evaluation, both regarding the best practices available for private stakeholders to implement as well as the structure and objective of public policies to create the enabling environment to incentivise the adoption of best practices by private stakeholders.

Table of contents

Foreword
Executive summary
Enhancing the security of communication infrastructure
Introduction
Scope
Digital security of communication networks
A brief description of communication networks
Trends in communication networks impacting digital security risk
Increasing criticality of communication networks
Virtualisation of networks and the integration of cloud services
Towards more openness in networks
Artificial Intelligence (AI) in communication networks
Cross-cutting overview of security implications
Main security benefits: a potential for increased transparency, automation and supply chain diversification
High-level challenges: a shift in scale, scope and speed
Policy discussion
Policy objectives
Policy actions and country initiatives around the OECD
Concluding remarks
Annex 1. Open Source Software in communication networks
Annex 2. Open RAN initiatives in OECD countries
Annex 3. Selection of legal requirements for the digital security of communication networks
References

Tables
Table 1. Selected partnerships between communication operators and cloud providers
Table 2. Example of identifying assets and assessing their criticality in 5G networks in the European Union
Annex Table 2.1. Selected examples of industry open RAN initiatives around the OECD

Figures
Figure 1. High-level overview of communication network architecture
Figure 2. Example of an open networking solution for a data centre proposed by NVIDIA
Figure 3. Three policy objectives to enhance the digital security of communication networks
Figure 4. Architecture of communication networks: a lifecycle approach
Figure 5. Example of a threat assessment for 5G networks in the European Union
Figure 6. Areas of focus to increase transparency
Figure 7. The EU certification process for ICT products, services and processes

Boxes
Box 1. From traditional RAN to open RAN
Box 2. The SS7 vulnerability – how legacy protocols can affect the digital security of communication networks on the road towards 5G
Box 3. The NIST Cybersecurity Framework
Box 4. Software Bill of Material (SBOM): an emerging best practice to increase supply chain traceability
Box 5. The role of Standard Development Organisations (SDOs) in the digital security of communication networks

Introduction

Communication networks are a key foundation of the digital transformation of the economy and society. Given their crucial role, as evidenced by the COVID-19 pandemic, ensuring their digital security has become a priority for policy makers across the OECD. Enhancing the digital security and resilience of these networks is critical to ensure the functioning of our digitally dependent societies and strengthen trust in the ongoing digital transformation. This is especially important as our interconnected economies face increasing endogenous and exogenous risks, exacerbated by geopolitical tensions and conflicts (OECD, 2021[1]).

As most critical sectors have become reliant on digital technologies, the impact of digital security attacks on operators of critical activities has increased significantly. In the past few years, malicious actors have disrupted key industries such as gasoline and fuel distribution (Colonial Pipeline), healthcare (Irish Health Service Executive), finance (Reserve Bank of New Zealand), food production (meat supplier JBS), energy (Ignitis Group) and postal services (Royal Mail) (ZDNet, 2021[2]; Government of Ireland, 2021[3]; Reserve Bank of New Zealand, 2022[4]; BBC, 2021[5]; LRT, 2022[6]; The Guardian, 2023[7]).

In this context, communication network operators have developed multiple solutions and partnerships to better manage digital security risk, for instance by establishing communication-specific Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centres (ISACs). However, they also fall victim to cyberattacks that exploit vulnerabilities in their information systems and networks, or through their supply chains. For example, the Mirai malware incident in 2016 demonstrated the possibility of leveraging poorly secured Internet of Things (IoT) devices to form a botnet and
launch Distributed Denial-of-Service attacks (DDoS) (OECD, 2021[8]). One malware based off the Mirai source code disrupted more than 900 000 Deutsche Telekom (DT) routers, limiting DT’s clients’ ability to access the Internet (OECD, 2021[8]).

Malicious actors may also specifically target the communication sector in order to gain access to sensitive customers’ data. For instance, security researchers uncovered targeted attacks on the communication industry in Southeast Asia in 2021 (“DeadRinger”), as well as an advanced persistent threat (APT) group targeting communication operators identified in 2018 (“Operation Soft Cell”) (Cybereason Nocturnus, 2021[9]; White House, 2021[10]). In both cases, security researchers suspect the attackers’ aim was to obtain sensitive data, such as call data records.

Scope

This report aims to analyse the digital security implications of key trends that are affecting communication network infrastructure.¹ The scope of the report is limited to public communication networks, networks used primarily for the provision of publicly available communication services. Unless specified otherwise, the term “communication networks” therefore refers to “public communication networks” in the report. Private networks, including private clouds, are outside the scope of this report. Such private networks may range from an individual customer’s local area network (LAN) to an organisation’s intranet or to a private 5G network deployed by a large organisation (e.g. Nornickel, a mining company in Australia (AMSJ, 2021[11])). Those private networks are typically not subject to the same regulatory regime that applies to public communication networks. In addition, while there are different ways to transmit communication signals (for instance, terrestrial, submarine cable, satellite), this report does not discuss the specific security implications of one mode of transmission.

Several stakeholders are responsible for the digital security of communication networks. At a high level, these can be grouped into three broad categories:

- End users of communication networks (“Users”), including individuals, businesses and governments that use public communication services to carry out economic and social activities;
- Operators of communication networks (“Operators”), which provide public communication services to end users or deliver traffic in the provision of these services. This category includes Internet Service Providers (ISPs) (e.g., Orange or Vodafone), and backbone Internet providers (e.g., Lumen, Comcast);
- Actors of the operators’ supply chain (“Suppliers”):
  o Suppliers of software and hardware used in communication networks, including, for example:
    - Suppliers specifically offering communication hardware equipment and associated services, such as Cisco, Ericsson, Huawei, Nokia, Samsung or ZTE;
    - Other more generic hardware and software suppliers.
  o Service providers, including, for example:
    - Managed service providers (MSPs), including for digital security (e.g. FireEye, Palo Alto Networks);
    - Cloud service providers (e.g. Microsoft Azure or Amazon Web Services);
    - Content delivery networks (CDNs) (e.g., Akamai or Cloudflare);
    - System integrators, which facilitate the deployment of suppliers’ products in operators’ networks (e.g. Capgemini, NEC, Parallel Wireless).

In this report, the term “supplier” includes the direct suppliers of operators as well as their suppliers. While end users have some responsibility for managing digital security risk, they are outside the scope of this report.

These categories are not meant to be exhaustive
and they may overlap (e.g., some businesses fall into several categories). For instance, one operator could also provide certain services to another operator, becoming part of its supply chain, such as in the case of a large ISP providing transit services to another ISP (carrying the traffic of a customer ISP for a fee) or settlement-free peering (carrying traffic of another ISP free of charge, on a reciprocal basis).

The report provides an overview of four key trends, both technical and non-technical, that are impacting the digital security of communication network infrastructure. Although other trends may impact communication networks in the future, such as quantum computing, the report focuses on those currently shaping them today. The report analyses the security implications of these trends and discusses how policy makers can best address them.

Digital security of communication networks

Digital security, which is often referred to as cybersecurity or information security, is usually defined as the set of measures organisations take to manage digital security risk. Digital security risk is the detrimental effect that digital security incidents can have on economic and social activities. In this report, a digital security incident is an intentional or unintentional event that can disrupt the availability, integrity and confidentiality (“AIC triad”) of data, information systems and communication networks, and as a consequence, negatively impact the economic and social activities that rely on these networks:

- Availability: the communication network is not accessible and usable on demand by authorised users;
- Integrity: the communication network, or the data transiting over it, have been altered in an unauthorised manner;
- Confidentiality: unauthorised entities have access to the data transiting over the network.

Digital security attacks, also known as cyberattacks, are incidents that are intentionally caused by malicious actors, such as a Denial-of-Service (DoS) attack affecting the availability of the network for a few hours or days (Security Boulevard, 2021[12]). A ransomware attack would usually affect the whole AIC triad, as the encrypted data would no longer be available on-demand for authorised users, and likely would have been accessed and/or altered by unauthorised users. On the other hand, some attacks may affect only the confidentiality of data, and may therefore be more difficult to detect as they do not alter availability. Unintentional incidents include, for instance, a power outage, a flood or a human error.

Digital security incidents result from a combination of vulnerabilities and threats.

Vulnerabilities are weaknesses in software, hardware, networks or data whose exploitation would lead to an incident. They include, inter alia, flaws in the code of software or hardware products used by network operators, misconfigurations of equipment or software, human error (e.g. an employee susceptible to phishing) or poorly managed access controls. Much of the public debate surrounding 5G security focuses on vulnerabilities in network equipment that could be inserted intentionally (“backdoors”) by State-sponsored entities (Bloomberg, 2019[13]). However, this is only a fraction of vulnerabilities that can be exploited as products that contain code almost always contain “unintentional” vulnerabilities. For example, on average, 40 new code vulnerabilities are discovered every day in widely used products such as iOS, Windows or Android (OECD, 2021[8]; OECD, 2021[14]).

Threats include malicious actors willing to exploit vulnerabilities to cause harm and the tools and techniques (“vectors”) they use to carry out attacks (e.g. “malware”). Malicious actors range from relatively unskilled individuals and attackers with ideological motivations to more sophisticated groups including organised crime and State-sponsored actors, which can benefit from
quasi-unlimited resources and are often referred to as “APTs”. State-sponsored attacks are generally pursuing geopolitical goals, while cybercriminals are primarily seeking financial gains. Key trends in this area include:

- A sharp rise in ransomware attacks, whose objective is to extort money from various types of organisations, from businesses to hospitals (OECD, 2020[15]);
- The commoditisation of cybercrime tools, now largely accessible “as-a-service” or “on-demand” (Dark Reading, 2019[16]); and
- The increasing sophistication of attacks, resulting in part from State-sponsored offensive capabilities. Examples of large-scale sophisticated attacks include the SolarWinds intrusion campaign (FireEye, 2020[17]).

Most experts agree that the evolution of the global threat landscape increases the overall level of digital security risk and affects all organisations, regardless of their size and location. This evolution also affects the availability, integrity and confidentiality of communication networks, which could seriously impair the functioning of the whole economy and society (NIS Cooperation Group (EU), 2020[18]).

As a result, there has been a growing awareness among policy makers of the need to better understand and manage the digital security of communication networks. However, many publications tend to focus either on the technical aspects of digital security or on national security concerns. The purpose of this report is to go beyond these two angles and to favour a holistic approach, focusing on economic and social aspects.

Approaching digital security primarily from the national security perspective typically leads to a focus on threats² (in particular, foreign States and associated States-sponsored actors), while overlooking vulnerabilities and resilience. However, while economic actors, such as operators and suppliers, have little leeway to influence the behaviour of threat actors, they can mitigate vulnerabilities for which they are responsible (see below) and take measures to reduce the impact of potential incidents and increase resilience.

For both policy makers and organisations, effective digital security policies should aim to manage digital security risk rather than to entirely avoid it (e.g. by going offline or slowing down the digital transformation). A key challenge is that digital security measures usually impact other aspects of business operations, for instance costs, performance or usability. As there may be trade-offs, network operators and their suppliers should seek to reach an optimal level of digital security, e.g. in alignment with stakeholders’ risk tolerance and regulatory requirements, rather than “100% security”. In addition, as the risk is constantly evolving with new vulnerabilities and threats constantly appearing, digital security should be considered an ongoing process, rather than a definite state.

A brief description of communication networks

Communication networks can be seen as transmission systems that enable the exchange of information in an analogue or digital way. These networks can include, for example, broadband (fixed or mobile) networks, the Internet, which is a network of networks, or legacy public telecommunication networks, such as the public switched telephone network (PSTN).

The architecture of communication networks can be broken down into three distinct parts: the access network (also commonly referred to as last-mile), the transport network (including backhaul), and the core network.

The access network is the part of the communication network that connects subscribers to their communication service provider. In fixed networks, the access network connects to end users’ devices through wired technologies such as copper, cable and fibre. For mobile networks, the access network is referred to as the radio access network (RAN), which connects to end users’ devices using spectrum (see Figure 1). Backhaul infrastructure forms the transport network, connecting the core networks to the access networks. The core network, which may also be called “backbone”, exchanges information and connects nodes within the network. When considering telephony, the core network directs calls over the PSTN; when considering IP packets, the core network exchanges packets quickly between different network nodes.

Communication networks are interconnected in order to provide end-to-end communication between end users with different operators. Interconnection can take place directly between two communication networks or at
Internet exchange points (IXPs), which can be seen as bulk traffic exchange crossroads where multiple networks such as ISPs, CDNs, and content providers exchange traffic.

Figure 1. High-level overview of communication network architecture
[Figure labels: base station; backhaul (e.g., fibre); access network (mobile, “RAN”); terminal device (user equipment); air interface (spectrum); access network (fixed); wired technologies (cable, DSL, fibre); transport network (backhaul + backbone connectivity); core network; public Internet]
Source: OECD elaboration, based on information from Figure 1 in European Court of Auditors (2018[19]), Broadband in the EU Member States: despite progress, not all the Europe 2020 targets will be met, https://op.europa.eu/webpub/eca/special-reports/broadband-12-2018/en/.

Communication networks’ infrastructure is made up of software and hardware like routers, switches, middleboxes and servers:

- Routers connect two or more networks and act to manage traffic and forward packets;
- Switches allow multiple devices to connect and form a network;
- Middleboxes are devices that perform network-specific functions on traffic (for example, firewalls inspect traffic and apply access control policies);
- Servers manage higher-level network services, such as billing, telemetry, analytics, and operations control. Servers are often located in data centres where they can rely on additional services such as cloud solutions for mobile edge computing.³

Networking hardware, such as those defined above, are located throughout the whole infrastructure, from the core network, to the transport network, to Internet exchange points (IXPs) and to the access network.

Given the increasing convergence of mobile and fixed networks, this report discusses the trends affecting the digital security of fixed and mobile networks jointly, instead of evaluating each market separately. As Figure 1 shows, mobile networks can be thought of as an extension of fixed networks, with the distinction referring primarily to the last-mile access network, connecting to the end customer. In addition, mobile networks increasingly rely on fixed networks to meet demands on the network, through backhaul as well as offloading traffic from the mobile network to the fixed network through Wi-Fi offloading. For instance, 5G networks require fibre backhaul to support demands for high capacity and high speeds on its network (OECD, 2019[20]).

Trends in communication networks impacting digital security risk

This section presents and discusses four trends that are particularly important for the
digital security of communication networks:

- The criticality of communication networks;
- The virtualisation of networks and the integration of cloud services into networks;
- The momentum towards openness; and
- The use of AI in communication networks.

Each section describes the trend and how it is changing communication networks, as well as a brief analysis of its main drivers, including economic incentives for industry adoption, where appropriate. Then, each section examines the key security benefits and challenges brought by the trend, to point governments to the key elements to consider when devising policy options on how to best accompany these trends.

Importantly, policy makers should keep the following nuances in mind when reading this report, including regarding the analysis of the security benefits and challenges that can be associated with each trend.

First, the level of development of the trends analysed below may vary significantly, including across and within countries, and between different network operators. Some trends have already impacted communication networks and will continue to develop, whereas others are at an earlier stage, with the exact pace of their development uncertain. For instance, various scenarios are plausible regarding the short-term evolution of open networking architectures (e.g. open RAN) (European Commission, Directorate-General for Communications Networks, Content and Technology, Dinges, M., Hofer, M., Leitner, K., et al., 2021[21]).

Second, the analysis of the security benefits and challenges should not be read as an argument on whether or not policy makers should support or prevent the development of these trends. The framing of these developments as “trends” underlines that they are already underway, and that their adoption is driven by the significant benefits they bring for the industry. Digital security is just one policy objective amongst others and should be balanced with other objectives such as economic development, quality of service, coverage, affordability of communication services and strategic autonomy, to name a few. Therefore, policy makers should focus on how to best accompany stakeholders throughout these changes and adjust policies accordingly, taking into account the impact of these trends on digital security risk.

Third, the level of development of these trends does not necessarily make communication networks more or less secure. In fact, the development of these trends may make some vulnerabilities more easily manageable, while making other vulnerabilities more prominent or more difficult to handle. More generally, the level of digital security of a communication network depends upon numerous factors, and many of them depend on the contexts of implementation, including across time (e.g. changing threats) and space (e.g. applicable law).

Overall, the development of these trends is likely to result in a shift of digital security risk. Whether this shift will result in higher or lower risk in the medium- to long-term will depend in part on how stakeholders will
104、handle it and how threat actors will adapt to it,which is unknown.It is,however,essential to recognise and understand this shift to make appropriate risk management decisions at the operational and public policy levels.Increasing criticality of communication networks Digital transformation leads to
a growing reliance of the economy and society on communication networks. The COVID-19 pandemic accelerated and illustrated the many benefits of the digital transformation, as digital technologies supported the resilience of individuals and businesses during the crisis (e.g., maintaining business continuity during stay-at-home orders). Fixed and mobile operators witnessed a surge in Internet traffic to meet the increased demand as more and more citizens of OECD countries began working and studying from home due to mobility restrictions (OECD, 2020[22]). In the first quarter of 2020, some operators experienced up to a 60% increase in Internet traffic compared to pre-pandemic levels and various operators recorded increases in the use of videoconferencing tools, virtual private network traffic, messaging and content traffic (OECD, 2020[22]).⁴ Internet traffic also grew by 58% on average among OECD countries from 2019 to 2020 (OECD, 2022[23]). OECD countries added over 21 million fixed broadband subscriptions over the course of 2020 which represents a 48% growth compared to average yearly additions from 2010 to 2019 (OECD, 2023[24]).

The increase in traffic and subscriptions also indicates a wider adoption of digital services, which are more and more intertwined with critical activities. For instance, the number of telemedicine appointments in France grew from around 40,000 in February 2020 to 5.5 million between March and April 2020 at the peak of lockdown restrictions (Eurohealth, 2020[25]). The United States similarly saw an increase in telehealth visits by 50% in the first quarter of 2020 compared to Q1 2019 and a peak increase of 154% in the last week of March 2020, compared to the same week in 2019 (Koonin et al., 2020[26]). While the circumstances surrounding the pandemic drove this growth, the benefits of increased convenience and access suggest it will continue to play a role in the delivery of health services.

This is just one example of how the digital transformation makes other critical sectors (e.g. healthcare, transport, banking, energy) increasingly dependent upon the communication sector. While communication networks are usually considered as critical infrastructure in and of themselves, they are also interlinked to the functioning of other critical sectors. Therefore, any disruption in communication networks can have ripple effects in other critical sectors.

This dependence on communication networks across sectors is only expected to increase. In particular, the rollout of 5G networks is expected to enable new and advanced use cases in critical sectors of the economy and society, including healthcare, transport and manufacturing, which require low latencies, high network reliability, high capacity and high speeds. Many of these advanced use cases incorporate IoT devices, especially in critical sectors such as transport and healthcare, which will require the capability and reliability of 5G networks. Therefore, the amount of connected IoT devices relying on communication networks (especially 5G networks) is expected to increase exponentially as new use cases emerge that leverage the advanced capabilities. Communication networks are especially important to support these IoT applications for critical uses or sectors, as
they typically have more stringent requirements for reliability, speed and capacity than can be guaranteed over Wi-Fi networks.⁵ To support the requirements of these advanced use cases and increased number of devices, 5G networks require a significant amount of fibre backhaul to meet the speed and capacity demands on the network (OECD, 2019[20]). Therefore, both fixed and mobile communication networks play important roles in providing connectivity to support the digitalisation of other critical sectors.

Security implications

As most critical activities increasingly rely on communication networks to function, the potential impact of digital security attacks targeting communication networks is much higher now than it was several years ago and will continue to grow. For instance, a breach of the availability of communication networks could seriously impair the functioning of other critical activities, such as international trade or the provision of healthcare or energy, with cascading effects in other critical and non-critical sectors.

Cyberattacks on critical infrastructures are common and sometimes successful. In 2021, the United States Colonial Pipeline incident led to fuel shortages across the East Coast, and the attack on the Irish Health Service Executive disrupted dozens of hospitals in the country. Hospitals around the world experience numerous ransomware attacks, some of which severely affect patients. In the United States, an Alabama woman whose baby died during a ransomware attack on the hospital where she was giving birth in 2019 has sued the institution for negligence and wrongful death (The Independent, 2021[27]). According to the US Cybersecurity and Infrastructure Security Agency (CISA), ransomware cyberattacks on hospitals lead to significant and sustained hospital strain and related consequences (CISA, 2021[28]). In 2021, water supplies have also been targeted in the United States and France (NBC News, 2021[29]; Vitard, 2021[30]). In December 2015, 30 electricity substations were shut down by a cyberattack in Ukraine, leaving 230 000 customers without power from one to six hours (Wired, 2016[31]).

The interest of threat actors in targeting communication networks is growing. In recent years, communication network operators fell victim to a wave of ransomware attacks that hit many organisations across sectors and countries, in particular operators of critical activities. There have been reports of successful ransomware attacks on communication network operators, for example, in Argentina (ZDNet, 2020[32]), France (Forbes, 2020[33]), Korea (BBC, 2017[34]) and Sri Lanka (EconomyNext, 2020[35]). In these cases, the attacks were attributed to criminal groups motivated by financial gain and impacted the availability of information systems. However, in most of these cases, the impact was limited to internal information systems, and did not impact the availability of the networks and associated services to their customers.

Beyond criminal groups, the increasing dependency of critical activities on communication networks is expected to further attract State-sponsored actors and other military-grade groups, and the threat posed by such actors is expected to significantly increase in the coming years (ENISA, 2019[36]). In 2019, for example, a
long-term, large-scale attack specifically targeted ten communication network operators across Europe, Africa and the Middle East. Operation “Soft Cell” was attributed to State-sponsored intelligence-gathering groups, also known as APTs (CSO, 2019[37]). The goal of the attack was to extract confidential information, and in this specific case, hundreds of gigabytes of data of call records were stolen. However, experts consider that as the attackers had gained full control of their targets’ information systems, they could have shut down entire mobile networks if they wanted to, hence impacting the availability of these communication networks’ infrastructure.

Experts consider that in the coming years, APTs will increasingly seek to disrupt the availability of communication networks. The combination of motivation, intent, and a high-level capability enables States and associated actors to carry out very complex attacks on communication networks with major impact on critical activities, such as large-scale outages, or to attack interdependent critical activities, such as power supply, through communication networks (NIS Cooperation Group, 2019[38]). For the same reasons, terrorist groups are also likely to be increasingly interested in launching digital security attacks targeting communication networks specifically.

The scale of the impact that successful attacks on communication networks could have on the economy and society is both a powerful incentive for sophisticated threat actors and a growing concern for governments. There are many possible scenarios of large-scale disasters affecting communication networks, which are characterised by cross-sectoral dependencies. For example, the disruption of a major operator in a country would likely affect large parts of the economy because of downstream dependencies: the impact would cascade from the operator to its customers, whose activities would also be disrupted, on to their customers or users, and so on. Furthermore, some of these knock-on effects may also affect other critical sectors whose functioning depends upon it such as energy, transport and health care, whose operators may not have appropriate communication redundancy.

In another scenario, the same failure may affect several operators at the same time, for example if an attacker exploits a vulnerability in a common product or component used by operators. Such critical vulnerabilities have been found in several popular software and software libraries embedded in numerous products used across sectors. The WannaCry and NotPetya attacks, as well as Spectre and Meltdown vulnerabilities in microprocessors, provide examples of a single vulnerability, or group of vulnerabilities, that potentially affects large spans of the economy. Other examples include vulnerabilities grouped under names such as Amnesia:33, Urgent/11 and Ripple20, which in these cases affected TCP/IP libraries in widespread communication, IoT and industrial equipment (Armis, 2020[39]; Hacker News, 2020[40]; Wired, 2019[41]). The possible economic impact
of such catastrophic scenarios has yet to be assessed, as models are difficult to develop given the complexity of dependencies and multiplicity of factors.⁶

Virtualisation of networks and the integration of cloud services

This section introduces two trends that are increasingly intertwined in today’s communication networks: network virtualisation and the increased role of cloud services in communication networks.

Virtualisation of networks

Network virtualisation describes a shift from a hardware-dependent network to one that relies on software to handle network functions. Network virtualisation abstracts a machine’s resources from hardware to software. It allows for the creation of virtual simulated environment(s) by separating a machine’s resources from its physical hardware (e.g., the physical network) and making them available to these virtual environments, or to aggregate multiple physical networks into one virtual network (VMware, 2023[42]). In other words, virtualisation creates a software-based version of a piece of hardware such as compute, storage or networking components, servers, applications (IBM Cloud, 2021[43]). Network operators are applying virtualisation to their networks through network function virtualisation (NFV) and Software-defined networking (SDN). In mobile networks, NFV and SDN together enable network slicing (OECD, 2019[20]).

Network function virtualisation (NFV) and Software-defined networks (SDN)

NFV virtualises the different components of networks and SDN centralises network control. NFV decouples network functions from hardware appliances, allowing them to be run as software (OECD, 2019[20]).⁷ With NFV, network functions of a legacy (i.e. non-virtualised) network, such as firewalls, routing, load balancing,
and traffic management, among others, are transformed into “virtualised network functions” (VNFs) and can run on virtual machines. Virtual machines (VMs), which have been around for several years, are one type of a virtualised environment that virtualises the physical hardware.⁸ Another more recent and increasingly popular approach is to use containers, which virtualise the operating system rather than the hardware by leveraging the resources of the host operating system (OS) (IBM Cloud, 2021[43]).⁹ Both containers and VMs offer flexibility, scalability, cost benefits and less network downtime (IBM Cloud, 2021[43]). However, compared to VMs, containers are more lightweight and portable, and are well suited to microservice architecture and to cloud deployments, as they can be easily moved. However, VMs are more isolated from one another than containers, which share a host’s OS, which has security implications. Nevertheless, networks can and are using both VMs and containers in conjunction to leverage the advantages of both (VMware, 2020[44]).¹⁰

Complementary to NFV, software-defined networks (SDN) separate the control plane from the forwarding plane (also referred to as user or data plane) in the network (SDxCentral Studios, 2016[45]). The control plane decides how packets (data) are sent from one point to another, while the forwarding plane sends or “forwards” the data (Cloudflare, 2023[46]). A single control panel can, for example, manage and define policies for the whole network.

NFV and SDN bring many benefits, including enabling efficient resource management, automation and centralisation. Separating hardware from software, as in NFV, allows infrastructure resources to be shared and reassigned more easily, and enables these resources to serve different virtualised network functions (ETSI, 2014[47]). This allows resources to be used more efficiently and provides the ability to scale network functions dynamically, in response to actual and changing demands seen on a network (ETSI, 2014[47]). The centralisation of control enabled with SDN reduces operational costs by automating software updates and policy changes across the network and introduces flexibility to quickly respond to changing business needs by deploying new applications, services, and infrastructure through software updates (SDxCentral Studios, 2016[45]).

This trend can be applied broadly to network architecture and is not limited to only mobile networks. Software-defined access networks (SDAN) also leverage the benefits of SDN and NFV for fixed networks, which may lead to cost savings, better network management, and flexibility (Nokia, 2023[48]). Other applications of network virtualisation can be seen in software-defined wide area networks (SD-WAN) as well as at lower layers of the transport network, for instance. Nevertheless, both NFV and SDN have been trialled for 4G networks but are expected to be especially important for 5G networks to allow for network slicing (OECD, 2019[20]).

Many operators
recognise the benefits NFV and SDN bring to networking. For example, in 2020, Vodafone deployed NFV in its 21 European markets and is leveraging NFV and SDN to deliver cloud-based network functions (VMWare, 2021[49]). Vodafone estimates that its investment reduces the time to develop and deploy network functions by 40% and delivers cost savings of up to 55% (VMWare, 2021[49]).

Network slicing

Network slicing allows an operator to provide several logical service networks, called slices, over the same physical network infrastructure (OECD, 2019[20]). Network resources can be shared among the slices, providing the respective services with different performance characteristics to meet their respective needs (OECD, 2019[20]). Several performance characteristics could differ between network slices based on service requirements, including speed, latency, mobility, reliability, or level of security. With network slicing, an operator
can physically separate traffic through slices and each slice could be configured for a specific service, set of users or application (IBM, 2021[50]).

Network slicing has been discussed for some time and is possible on 4G networks (Ericsson, 2018[51]). In 5G networks, it is expected to provide the flexibility and more efficient use of resources to handle the diverse demands expected on the network.¹¹ Use cases for 5G networks are often broken into: i) enhanced mobile broadband (eMBB), including augmented and virtual reality; ii) massive machine type communication (mMTC), such as IoT use cases where a large number of connected devices with long battery lives send non-time sensitive data; and iii) ultra-reliable and low latency communication (urLLC), i.e. use cases that have strict performance requirements such as high capacity and availability and low latency such as autonomous cars and industrial automation (ITU, 2015[52]).

A key benefit of network slicing lies in its ability to use one physical network infrastructure to deliver different performance and quality of service characteristics, depending on the needs of that particular slice, and to charge customers according to the characteristics of the slice in question (OECD, 2019[20]). While networks are able to support different quality of service parameters without using network slicing, for instance to support high resiliency and availability for certain types of traffic, like emergency services, this can be accomplished more easily with network slicing.

The active implementation of network slicing in 5G networks remains a complex undertaking and is still in the beginning stages (Subedi et al., 2021[53]). However, anticipated benefits are encouraging network operators to implement it. Telefónica, together with the University of Vigo in Spain and Cisco announced a network slicing trial in February 2021, focusing on three slices dedicated to low latency, high bandwidth, and emergency cases, respectively (Telefónica, 2021[54]). Vodafone UK and UK Power Networks announced a partnership, whereby “smart substations”¹², which transform energy in the electricity grid, will communicate with each other over a dedicated, highly secure slice of Vodafone’s SA-5G network (Vodafone, 2021[55]). In Korea, KT announced the commercialisation of its Standalone (SA) 5G network, noting its plans to further develop 5G services for enterprise customers leveraging network slicing (KT, 2021[56]). In the United States, Verizon noted its aim to deploy network slicing where needed (Mobile World Live, 2021[57]).

The integration of cloud services in communication networks

Cloud services are used across different parts of the network. There are two simultaneous trends related to cloud technologies, which are discussed in the following sections. On the one hand, the use of the cloud is increasing to handle key network functions, including in the core of networks. On the other hand, more cloud services are currently being deployed at
the edge of networks and closer to the end-user, which is termed “multi-access edge computing” (MEC).

Cloud services

Cloud services rely on virtualisation and can be defined as “a service model for computing services based on a set of computing resources that can be accessed in a flexible, elastic, on-demand way with low management effort” (OECD, 2014[58]). A cloud pools resources, such as computing, networking and/or storage capacity, and makes them available to different users on-demand, providing increased flexibility and potential cost savings for cloud users compared to managing dedicated infrastructure (RedHat, 2018[59]).

Cloud architectures are complementary to and increasingly interwoven with SDN and NFV. SDN can manage cloud-based infrastructure and provides useful visibility and automation into the entire network, including in cloud environments. The flexibility and automation of SDN meshes well with cloud environments and the integration between enterprise SDN and cloud will likely continue. Furthermore, NFV infrastructure can all be hosted on the cloud.

A few key benefits of cloud services include flexibility and potential cost savings through the transformation of capital expenditures to operational expenditures. Cloud services give organisations the flexibility to quickly scale up or down their computing resources according to demand without having to own or maintain their own infrastructure.

Cloud services are well-established in communication networks and are considered a key enabler to support communication networks to meet demands for bandwidth, including for 5G networks. While operators have long recognised the benefits of leveraging cloud processing, storage and computing resources in their networks, they are now considering how cloud strategies can support their future needs, as an extension of their recent migration towards NFV architecture. One emergent trend is the increased use of cloud services to manage key components of networks, as network functions are increasingly being integrated into the cloud.

As cloud services become more important for communication networks, dedicated partnerships between communication operators and cloud providers have been emerging in recent years. Microsoft Azure, Google Cloud and Amazon Web Services (AWS) all have dedicated offerings targeting the communication industry, demonstrating the increasing role of the cloud in network operations and
conversely, the industry’s growing importance for cloud providers (Microsoft Azure, 2020[60]; Google Cloud, 2020[61]; AWS, 2023[62]). While the offerings from each cloud provider may vary, most include solutions related to edge computing, cloud-native mobile solutions, network operations, and AI, machine learning, and data analytics.

As shown in Table 1, operators are often engaging in partnerships with more than one cloud provider. Indeed, cloud providers’ targeted strategies suggest that they are actively competing for network operators’ business, although some may argue that the small number of global providers of cloud services may result in a lack of supplier diversity and increase the risk of lock-in due to challenges related to cloud portability.

Table 1. Selected partnerships between communication operators and cloud providers

Companies involved in partnership | Year | Description
Amazon, KDDI, SK Telecom, Verizon, Vodafone | 2019 | Launch of AWS Wavelength to bring AWS services to the edge of the 5G network.
AT&T, Google Cloud | 2020 | Development of 5G edge computing solutions for enterprise customers using AT&T’s 5G network and Google Cloud.
AT&T, IBM | 2019 | AT&T Business applications will migrate to IBM Cloud and IBM will help manage AT&T hybrid cloud infrastructure. AT&T Business named as primary provider of SDN at IBM.
AT&T, IBM | 2020 | Joint solution to offer hybrid cloud to enterprise 5G customers leveraging AT&T MEC and IBM Cloud.
AT&T, Microsoft | 2019 | AT&T is migrating non-network infrastructure application to Microsoft Azure. Microsoft will also support AT&T’s consolidation of its data centre infrastructure and operations.
Bell Canada, Google Cloud | 2021 | Bell is shifting its IT infrastructure, network functions and critical applications from on-premise cloud to Google Cloud and leveraging Google Cloud’s “Anthos for Telecom”.
BT, AWS | 2023 | BT will use AWS Wavelength to power edge cloud services for its enterprise customers.
Lumen, Microsoft | 2021 | Lumen will integrate Microsoft Azure capabilities with Lumen’s bare metal (physical HW) edge network, allowing customers to launch applications on Azure anywhere within its edge network.
NTT, Microsoft | 2019 | Development of a “Global Digital Fabric”, solutions built on Azure, and next-generation technologies.
Orange, Google Cloud | 2020 | Orange plans to build a data analytics and machine-learning platform with Google technologies
Telefónica Germany, AWS | 2020 | Telefónica Germany will use AWS cloud infrastructure to virtualise 5G core, targeting industrial 5G applications.
Telefónica, IBM | 2021 | Collaboration on Telefónica’s hybrid cloud services platform for enterprise customers (“Cloud Garden 2.0”).
Telenet, Google Cloud | | Telenet will use Google Cloud’s “Anthos for Telecom” in its data centres.
Telstra, AWS | 2021 | Integration of AWS edge compute solutions in Telstra’s multi-access network.
Verizon, AWS | 2020 | Verizon 5G edge with AWS is a cloud computing platform leveraging AWS compute and storage resources to allow Verizon customers to build/deploy new applications at the edge of the network.
Vodafone, Google Cloud | 2021 | Development of an integrated data platform to process and move large volumes of data into the cloud from different systems.

Source: OECD elaboration based on operator information including (in order): (AWS, 2019[63]); (Google Cloud, 2020[64]); (AT&T, 2019[65]); (IBM, 2020[66]); (Microsoft, 2019[67]); (Bell Canada, 2021[68]); (BT, 2023[69]); (Fierce Telecom, 2021[70]); (NTT, 2019[71]); (Google Cloud, 2020[72]); (Telefónica Germany, 2020[73]); (IBM, 2021[74]); (Telenet, 2021[75]); (AWS, 2021[76]); (Verizon, 2021[77]); (Vodafone, 2021[78]).

One example of the increasing level of partnership between providers of cloud services and operators can be seen in Microsoft’s 2021 acquisition of AT&T Network Cloud platform technology, which AT&T had used previously to run cloud applications for its third-party customers. Under this arrangement, the Microsoft Azure for Operators cloud platform would support some of AT&T’s network computing functions, including those previously handled by the operator’s Network Cloud platform technology (Microsoft, 2021[79]). Microsoft also would develop tailored compute and storage capabilities for the operator. Along with the acquisition of its Network Cloud platform technology, Microsoft can also leverage AT&T’s technical expertise to inform its offering tailored for communication operators (Microsoft, 2021[79]). For its part, AT&T aims to reduce cost, and leverage the cloud provider’s edge network, AI technology, and cloud services to deliver new
5G services (AT&T, 2021[80]).

Other similar cloud-related announcements include DISH’s decision to build its standalone open RAN-based 5G network on AWS (Amazon, 2021[81]). Telefónica Germany plans to build its 5G core and network functions in AWS cloud, specifically for industry-specific use cases (SDX Central, 2020[82]), with AWS virtualising the 5G core and developing network functions and Ericsson acting as the 5G core vendor and providing orchestration services. Finally, Telefónica announced plans to build an on-premise cloud in its data centres managed by Oracle, to support its mission-critical operational and commercial systems (Oracle, 2021[83]).

Multi-access edge computing (MEC)

Multi-access edge computing shifts cloud computing resources to the edge of the network to perform analysis, processing, and storage of data to reduce latency and increase performance of high-bandwidth applications (Juniper, 2020[84]). Previously referred to as mobile edge computing, MEC is access-agnostic (“multi-access”). It is expected to play an important role in 5G networks to handle expected demands on the network in terms of traffic and latency. For example, by enabling services and content caches to be placed at the network edge, local traffic can be handled efficiently, lessening congestion on the core network (ETSI, 2021[85]). In addition, computing at the network edge also allows for better observation of local demand and network conditions, which could include during cases of localised attacks.

MEC includes near edge compute, which is located in between the centralised core (e.g. centralised data centres at the operator), and far edge compute, which is nearest to the end user. Near edge and far edge compute serve different purposes in network architecture and may require different levels of security and resiliency based on their placement within the network.¹³ MEC environments are characterised by a complex equipment ecosystem of diverse suppliers, vendors and stakeholders for both hardware and software devices, including infrastructure owners, service providers, system integrators and application developers (ETSI, 2021[86]).

While MEC has been deployed in 4G LTE networks, these solutions were developed as an add-on to existing networks and were largely self-contained (ETSI, 2018[87]). 5G networks, by contrast, are designed to facilitate and support different deployments of MEC from the start. As noted above, cloud providers recognise MEC’s importance and have tailored offerings for edge computing (e.g., AWS Wavelength, Google Cloud 5G edge computing solutions, Azure for operators). As Table 1 demonstrates, there have been several recent partnerships
related to edge computing between cloud providers and operators.

Security implications

Virtualisation and an increased use of cloud computing are interlinked technical trends that tend to cross-fertilise each other. This makes it difficult to precisely attribute security benefits and challenges to specific developments such as NFV and MEC. They bring considerable benefits for the industry and society (e.g. more efficient and redundant communication networks), as well as improvements in terms of security, as discussed just below. These benefits, which go well beyond digital security, are driving the adoption of virtualisation and cloud computing by the industry. However, they also result in new and significant digital security challenges that policy makers should consider. Overall, and as discussed above, this section should be understood as a balanced presentation of the impact of virtualisation and cloud computing on the digital security of communication networks, rather than as arguments for or against their development.

Security benefits

Overall, virtualisation and the integration of cloud services can provide significant benefits for the management of digital security risk in communication networks. They are likely to facilitate vulnerability scanning, enable more visibility on the network (e.g. identification of assets, detection of potential threats), allow for a higher level of automation of security controls, a more efficient use and allocation of security resources (e.g. deployment of security updates, filtering) and better network segmentation through slicing and isolation. These benefits would significantly facilitate the implementation of the “defence-in-depth” principle and of a “zero trust” approach, which assume that a security incident has probably already occurred rather than only relying
on perimeter bound security measures (for a more detailed discussion, see the section below entitled, “Exploring the potential of zero-trust approaches”).

More precisely, key security benefits from these technological evolutions include the following:

• Virtualisation has the potential to provide additional protection through isolation and containerisation. In fact, it is more difficult for malware and viruses to spread across isolated containers and machines (ENISA, 2020[88]). Each network function can be dedicated to a different container or virtual machine, with its own anomaly detection process. Virtual machines can provide a higher level of isolation than containers.
• SDN and NFV may allow for faster and facilitated scanning and patching of vulnerabilities (NIS Cooperation Group, 2019[38]). For example, container orchestration tools can make it easier to deploy security updates quickly and safely. An SDN controller can define and apply tailored security policies, provide more network visibility, allow monitoring at interfaces within the network for possible security breaches or anomalies, and collect data for analysis to tailor or update security policies.
• Network slicing can enable operators to tailor security controls differently for each slice, according to specific use cases.
• Cloud-based networks can be more resilient as they can allocate resources dynamically and flexibly, including filtering and traffic shaping, e.g. in case of a DDoS attack (ENISA, 2012[89]). They can also provide more redundancy. Physical security and access controls can also benefit from higher standards thanks to resource concentration (ENISA, 2012[89]).
• MEC allows network defenders to allocate security resources, such as threat monitoring and analytic tools, to where they are needed most: data can be scanned for security threats closer to where it originated, potentially allowing for faster remediation (CISA, 2020[90]).

The increasing role of world-spanning cloud providers such as Amazon, Google, Microsoft or Alibaba, in the design and management of communication networks comes with several benefits for managing digital security risk. Such companies provide on-demand access to cloud, networking and Internet services, and can provide highly scalable access to their infrastructures, for example, computing capacity and data centres (which is why they are sometimes referred to as “hyperscalers”). Contracting and partnering with such firms can enable operators to benefit from advanced digital security resources, as those actors have developed significant capabilities to manage growing complexity, including the overlay of multiple logical and physical layers and the development of far and near edge computing. Some communication network operators are partnering with such organisations because they often do not have such capabilities in-house. The digital security capabilities of large cloud providers often build on a specialised workforce with technical know-how and experience, economies of scale, a strong culture of risk management and innovation as well as the recognition of digital security as a key concern for their clients. For instance, partnerships between operators and cloud providers can enable a more efficient roll-out of security updates across
software and firmware platforms and better threat monitoring across the communication network.

Security challenges

Virtualisation and an increased integration of cloud services bring considerable changes to the way communication networks are designed, deployed and operated, and to the actors that manage them. In particular, they result in an expanding attack surface, a growing complexity of network architecture and an increased role of infrastructure supply chain for digital security risk management.

The attack surface is significantly expanding

Overall, and as exemplified with 5G, communication networks are increasingly based on software, as opposed to “analogue” communication equipment that relied mostly on hardware14. As a result, the number of lines of code present in communication networks infrastructure is considerably increasing, and the attack surface (i.e. the set of points of a system or network that are potentially vulnerable to an attack) of communication networks is expanding significantly. This increased attack surface derives from three factors, in particular:

• As the number of lines of code increases, more code vulnerabilities are inevitable (OECD, 2021[8]). With communication networks that are increasingly reliant on software, including for core network functions through NFV, SDN and MEC, a vulnerability in any software component can compromise the availability, integrity or confidentiality of the entire network. Virtualised environments are also subject to specific vulnerabilities that may
not be present or significant in physical servers, such as hypervisor vulnerabilities or microarchitectural vulnerabilities in processors (e.g. Intel Spectre/Meltdown).
• The supply chain of communication networks tends to be complex and opaque. For instance, software products are rarely designed from scratch but rather built on commercial off-the-shelf (COTS) components and software libraries, including open source ones. In addition, operators may rely on different equipment providers and operate multiple generations of networks in parallel (e.g. 3G, 4G and 5G for mobile operators). This makes the assessment of the level of digital security of software products difficult, including for communication equipment (OECD, 2021[8]).
• Vulnerabilities may arise at various stages of the communication equipment lifecycle (OECD, 2021[8]):
  o A product can lack basic “security-by-design” features;
  o The producer may not have put in place effective vulnerability treatment policies, including for co-ordinated vulnerability disclosure (OECD, 2021[14]);
  o The network operator may have incomplete vulnerability management processes, including to deploy security updates. The more critical and complex the infrastructure, the more difficult it is to ensure effective patching, as updates need to be tested to reduce the likelihood that they introduce new security risk (OECD, 2021[14]);
  o The network operator may use legacy products that have reached their end-of-life (EOL), i.e. producers no longer support the product and will not patch any newly discovered vulnerability. The WannaCry attacks in 2017 highlighted the significant risk posed by the use of EOL products for critical functions such as operating systems (OECD, 2021[91]).

The increasing complexity of network architecture is a growing challenge for operators

The trends outlined above also make it more difficult for network operators to manage digital security risk because of the growing complexity of network architecture, as networks are increasingly made up of multiple logical and physical layers and
involve a more diverse set of user categories, including machine-to-machine (M2M) and IoT devices. Managing trust, identity and authentication across such a complex context is a key challenge for network operators, and significantly increases the risk of misconfigurations. In particular:

• Virtualisation and network slicing, specifically, require network operators to manage multiple configurations, increasing the likelihood of misconfiguration. Misconfigurations are a common type of vulnerability, and according to some estimates, one-third of successful attacks during 4G network testing were due to misconfigurations (Positive Technologies, 2019[92]).
• New types of vulnerabilities affecting the technologies used in SDN and NFV, including cloud systems and their configuration, are likely to appear. Possible data leakages between multiple virtual environments or slices are an increasing source of concern (NIS Cooperation Group, 2019[38]).
• MEC and cloud-based architectures can expose communication networks to new vulnerabilities, such as cross-contamination of shared resources. Edge computing facilities may be more vulnerable to physical attacks as they are geographically distributed and therefore more difficult to monitor continuously and protect against physical intrusion, theft and physical damages. As more sensitive functions move closer to the edge of the network, significant investments will also be required to move security controls to the edge as well (NIS Cooperation Group, 2019[38]). At the same time, the centralisation of network functions, enabled by virtualisation and cloud services, may create single points of failure. The complexity of MEC networks is also likely to make it harder for cloud providers to deliver the same level of security to their clients in hybrid environments as they can provide in public clouds.

This increasing complexity may also hamper the effectiveness of incident response. Cascading failures in virtualised, monolithic, centrally managed cloud-based IT systems can be more difficult and time-consuming to manage than in systems built from standard network elements.

The role of network operators' supply chain for digital security risk is increasing significantly

The increased complexity of network architectures is likely to result in the need for network operators to partner with third-party suppliers for managing digital security risk. These suppliers include equipment, software
and service providers such as cloud providers and managed service providers (MSPs) that handle network management functions or provide digital security services. More broadly, all suppliers that provide equipment whose disruption could affect the availability, integrity or confidentiality of their customers' infrastructure will have an increased role in managing the digital security of communication networks. Suppliers of services that attackers could exploit to access or disrupt part of their customers' infrastructure are also likely to have a larger role in digital security risk management, including for vulnerability treatment (OECD, 2021[8]).

The increased reliance of communication operators on suppliers results in a higher risk of falling victim to a supply-chain attack involving MSPs or critical software providers, making the risk profile of suppliers increasingly important in communication operators' risk assessments. The recent attacks against SolarWinds and FireEye showed that an attacker can target a single critical software to compromise thousands of its users, including in critical sectors (SolarWinds Corp., 2020[93]; The New York Times, 2020[94]). Attackers increasingly target these suppliers to exploit the privileged access they often have to their clients' information systems and to bypass most of these clients' digital security measures. In 2017, a pervasive cyberespionage campaign called Operation Cloud Hopper targeted at least a dozen MSPs to compromise their customers (Forbes, 2020[95]; PwC, 2017[96]). The ransomware attack on software provider Kaseya in July 2021 shows that criminal groups seeking financial gain can also carry out supply chain attacks. In this attack, threat actors compromised the update of
a software used by MSPs to remotely manage their customers' networks, breaching the availability of these networks and disrupting activities of between 800 and 1 500 firms.

Besides the high-level challenges above, some stakeholders have also raised concerns regarding the impact of these technical trends on confidentiality, in particular with the software-based implementation of mechanisms to enable lawful access to operators' data. Such mechanisms could be used to circumvent end-to-end encryption and be abused by threat actors if improperly designed or managed (NIS Cooperation Group, 2019[38]). The global supply chains of communication networks are also likely to raise concerns regarding applicable law and conflicts of jurisdiction, for instance, if operators' data is stored within countries whose access to data rules are not interoperable. However, these concerns relate to the role of law enforcement authorities, which are outside the scope of this report.

To summarise, the virtualisation of networks along with an increased use of cloud computing tend to increase the attack surface of communication infrastructure and the complexity of their architecture, resulting in an increased role of suppliers such
as integrators and cloud computing providers to manage digital security risk.

Towards more openness in networks

The concept of openness has strong roots in communication networks and Internet protocols and has been spreading across the industry. The openness and interoperability of the Internet protocol suite (e.g., TCP/IP) was one of the enablers to allow the Internet to scale to current proportions by providing a standard way to exchange information and is increasingly used as the main communication technology in recent mobile network generations. The latest trend towards more openness is moving
away from networks based on proprietary hardware and software towards networks made up of more interoperable and software-defined components, made possible by some of the other trends outlined above.

The move towards more openness encompasses a shift from network architecture that is made up of a proprietary solution provided by a single or limited number of suppliers, to one that is to a greater extent made up of interoperable components provided by multiple vendors. From a hardware perspective, the move towards more openness can be seen in a migration from proprietary equipment towards more commodity off-the-shelf (COTS), standardised hardware. From a software perspective, openness may refer to open source software, which has been used for many years and has historically been a part of the trend towards more openness in communication networks (see Annex 1. Open Source Software in communication networks). Other aspects of more openness in software include the open interfaces between network components and open application programming interfaces (APIs), which together with the openness of hardware, are key elements of the trend towards more openness in communication networks.

Importantly, these open interfaces and open APIs are based on industry-developed specifications. Such specifications and standards are developed in standards bodies such as the European Telecommunications Standards Institute (ETSI), 3rd Generation Partnership Project (3GPP) and the Internet Engineering Task Force (IETF), among others, as well as in other industry-led organisations, such as the O-RAN Alliance. The common set of technical specifications and standards provides the technical basis to support interoperability and fosters both the development of the equipment ecosystem and the deployment of new network architectures.

While these trends coincide, it does not mean that all software in an operator's network is open source, nor that every piece of hardware is from a different supplier or interoperable. In the case of open RAN, while additional open interfaces are defined, the software at the network component level can still be proprietary. Indeed, there are still many cases where operators use proprietary hardware or software from a specific vendor, based on each operator's preferences and specific network architecture.

Some of the motivating factors for operators to move towards more openness are, in general, more choice, modularity and flexibility in how they architect their networks. From a supply chain perspective, more choice and increased interoperability between network components (i.e. the ability to “mix-and-match” from
different suppliers) allows for less dependence on one supplier and the option of a more diversified network equipment ecosystem. With the move toward commodity hardware and more open interfaces, new players can enter the market to supply these network components. This can promote competition with established players and drive innovation. A move towards more commodity hardware may result in lower prices, which may also be a result of greater competition. At the same time, network integration costs, due to increased complexity, may decrease the overall cost benefit that operators can expect.

To facilitate understanding, the trend is presented from two use cases: i) openness in information and communication technology (ICT) elements and networking hardware equipment in the core network, i.e. “open networking”, and ii) openness in mobile networks, or “open RAN”.

Open Networking

While the definition of open networking differs within industry, the main characteristics often include interoperability and network disaggregation, use of open standards, SDN principles, and open source software in network components. Nevertheless, for the purposes of this section, “open networking” considers the move towards openness in the core network. This includes ICT elements associated with the core network, such as data centres, servers, and networking hardware equipment such as routers and switches, as well as their software components (e.g., network operating system). While networking hardware equipment like routers and switches are located throughout communication network infrastructure (e.g., core network, backhaul, and access network), the focus will be those primarily found in the core network.

Examples of industry-led initiatives for open networking include the Open Networking Foundation (ONF) and the Open Compute Project. The ONF is a non-profit industry-led group, which aims to leverage “network disaggregation, white box economics, open source software and software defined standards to revolutionize the carrier industry” (Open Networking Foundation, 2021[97]). The term “white box” typically is used to describe commodity, off-the-shelf hardware, which may not come with as many features and tends to be less expensive compared to purpose-built options (Nomios, 2023[98]). Off-the-shelf hardware running an open source operating system is easy to customise to meet specific business needs, given the many tools available for popular open source operating systems (e.g. Linux-based) (Nomios, 2023[98]). The Open Compute Project brings together a collaborative community to develop a fully open and disaggregated network technology stack. It has a module devoted to developing open and disaggregated networking hardware and software solutions and Linux-based networking operating systems, among others (Open Compute Project, 2021[99]). The Broadband Forum is another industry-led group with synergies to the work being carried out under the other bodies. For instance, the Broadband Forum and the ONF are collaborating to help communication providers transition to become more open, automated and software-defined (Broadband Forum, 2019[100]).

Examples of open networking products include commercial offers to provide open networking software and infrastructure focused on the data centre, such as NVIDIA's offer leveraging a Linux-based network operating system (NOS) and Ethernet switches (NVIDIA, 2020[101]; NVIDIA, 2020[102]). The infrastructure enables open networking across software and infrastructure to maximise flexibility, including by allowing applications to be added onto hardware
(Figure 2) (NVIDIA, 2020[102]). Dell is similarly offering open networking solutions for data centres, which leverage its open networking Ethernet switches (PowerSwitch) and the Software for Open Networking in the Cloud (SONiC) operating system, originally developed by Microsoft for cloud environments. Dell claims that its solution aims to automate much of the network configuration process, minimising errors and simplifying management and integration (Dell Technologies, 2021[103]).

These offerings build upon the advancements to open up the chip market, for instance, the move from proprietary solutions to more open “merchant silicon” with the development of application specific integrated circuits (ASICs). ASICs are meant to be integrated into network systems, thereby supporting disaggregation in the network. ASICs play a key role in NVIDIA's open networking offer noted above; NVIDIA acquired Mellanox in 2020 and is
leveraging Mellanox's Spectrum Ethernet switch ASIC in its offers (NVIDIA, 2020[101]).

Figure 2. Example of an open networking solution for a data centre proposed by NVIDIA
Source: NVIDIA (2020[102]), Lenovo and NVIDIA spark new era of open networking, https:/

open networking, networking hardware, such as switches, routers and firewalls, can be added onto existing hardware through open source applications, according to network needs (TechTarget, 2022[104]). Networking hardware, such as routers and firewalls, can also benefit from open source tools; for example, FRRouting is an open-source Internet protocol suite for routing (FRRouting, 2021[105]).

Freedom of choice is a driving motivation of open networking, allowing operators to adopt network architecture that best fits their needs, across hardware, software, network operating system, and application (eWeek, 2020[106]). Openness also provides flexibility to program hardware based on specific needs or to meet evolving business demands, allowing customisation and giving more control over the network (eWeek, 2020[108]). This flexibility also gives networks the ability to scale up or down according to demands and also upgrade network components without waiting for a proprietary upgrade. Other benefits may include economic efficiencies in total cost of ownership (TCO), with higher capabilities.

Open Radio Access Network (open RAN)

Recently, the trend to open and disaggregate networks has also been extending into the radio access network (RAN) of mobile networks. In previous generations of wireless networks, RAN architecture typically was “monolithic”, served by a single vendor proprietary solution. With the disaggregation of the RAN, innovations leveraging virtualisation (“virtualised RAN”) and/or open
interfaces (“open RAN”) have emerged that aim to give further flexibility and efficiency in networks.15 Box 1 provides more details on the evolution towards an open RAN.

Box 1. From traditional RAN to open RAN

A monolithic base station in the past was made up of a Remote Radio Unit (RU) that is connected to a baseband unit (BBU) through a “fronthaul” interface. The BBU is composed of a Centralised Unit (CU) and a Distributed Unit (DU). The BBU contains digital modules that process signals from the RU and provides a communication interface to the core network, via backhaul. The RU is made up of antennas that receive and transmit wireless signals from the air interface (i.e., spectrum). Therefore, the BBU has both hardware and software elements, while the RU is composed of hardware.

The 3GPP Release 15 disaggregated the baseband unit into a Centralised Unit (CU) and a Distributed Unit (DU), with a separate RU. A virtualised RAN introduces virtualised network functions for the CU and the DU in the baseband unit, thereby decoupling hardware and software. However, the interfaces between RAN elements in vRAN architecture may be vendor-specific and therefore may not interoperate. With open RAN, the open, non-proprietary, and interoperable interfaces allow operators to select different vendors according to their needs. The figure below compares a traditional RAN deployment with an open RAN deployment, with a disaggregated functional split RAN from 5G 3GPP Release 15 and open interfaces, coupled with commercially available, off-the-shelf hardware (COTS).

Traditional “monolithic” base station compared to an open RAN deployment

[Figure: A. Traditional “monolithic” RAN; B. Open RAN deployment (disaggregated functional split RAN + open interfaces)]

Note: CU = Centralised Unit, DU = Distributed Unit, COTS = commercially available off the shelf equipment
Source: OECD based on Figures 9 and 10 of OECD (2022[23]), Broadband Networks of the Future, https://doi.org/10.1787/755e2d0c-en.
Sources: Ericsson (2023[107]), Security considerations of Open RAN, https:/ Release-15: NG-RAN Architecture description (3GPP TS 38.401 version 15.2.0 Release 15), https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3219; GSMA (2021[109]), Open and virtualised radio access networks: An explanatory guide, https:/ Networks of the Future, https://doi.org/10.1787/755e2d0c-en.

Open architectures have been promoted by industry-led bodies. The Telecom Infra Project, for example, was launched in 2016 to accelerate the development and deployment of open, disaggregated, and standards-based technology solutions (Telecom Infra Project, n.d.[110]; Telecom Infra Project, 2023[111]). The O-RAN Alliance was established in 2018 to develop technical specifications for open RAN architecture (O-RAN Alliance, 2018[112]). Both of them signed an agreement
in 2020 to work together to develop interoperable 5G RAN solutions (O-RAN Alliance, 2020[113]).

Open RAN architectures may incorporate some open source software components. For example, the O-RAN Alliance and the Linux Foundation are collaborating to develop open source software to implement O-RAN specifications, within the O-RAN Software Community (O-RAN Alliance, 2023[114]). However, open RAN software components may also include proprietary elements.

Implementing more open and interoperable network architecture can bring benefits as well as challenges, which are briefly presented below. The overall impact of open RAN architecture, considering both its benefits and challenges as well as the state of deployment, is a topic of much discussion. For example, a report from the EU NIS Cooperation Group notes “considerable uncertainty regarding scenarios of open RAN deployment in the short and medium term” (NIS Cooperation Group, 2022[115]). However, others point out that there is “intensive global activity across industry groups and companies to develop open RAN specifications and products” (DCMS, 2022[116]).

Open RAN architectures can bring several benefits. Some OECD members see the possibilities of open RAN to diversify the supply chain and allow for more new players to enter the market, drive competition and innovation in the RAN market segment, and ultimately lead to lower prices. Supply chain diversification could allow communication network operators to decrease or avoid depending on any one supplier, tying back to networks' increasing criticality to economies and societies.

Within industry, some stakeholders and, in particular, network operators view open RAN as a way to lower costs, decrease vendor lock-in and reliance on specific vendors, and align with domestic governmental priorities and/or requirements. They expect that open RAN architectures will reduce cost by allowing operators to choose commodity off-the-shelf options and open interfaces that allow disparate RAN elements to interoperate. Also, the disaggregation of the RAN gives operators the flexibility to place the DU, CU, and RU in different locations, according to their needs and plans to meet certain use cases (e.g., low latency cases).

However, Open RAN architecture could also bring some challenges in the area of competition. A report by the NIS Cooperation Group notes that while open RAN may encourage the entry of new players, there is a risk that “the market could also reconsolidate around a small number of suppliers, system integrators and cloud service/infrastructure providers, thus negating the diversification opportunity”, which “could lead to new critical dependencies in the mid- to long term” (2022[115]). That said, a thorough competition analysis, including definitions of the relevant market, would need to be undertaken to assess the level of competition across the communication infrastructure supply chain.

At the same time, an open RAN architecture introduces additional complexity, which will require integration and testing, especially in the early stages of deployment and given the relative immaturity of the approach. Furthermore, it may reduce supplier accountability in case of failures, given the larger possible number of responsible suppliers in an open RAN deployment.

Several providers of system integration (i.e. system integrators) have emerged to help operators address these challenges, including by managing the testing, integration, configuration, maintenance and ongoing support of the open RAN solution. This can include managing interactions with the various suppliers in the architecture to resolve issues. While service level agreements with individual suppliers will focus on the component level, a system integrator can assume responsibility to ensure the end-to-end solution upholds requirements in terms of quality and performance (NEC, 2021[117]).
By extension, such an integrator could be charged with ensuring security standards are upheld by all its clients' suppliers. However, system integrators do represent a cost to deploy an open RAN network architecture. At this stage, the overall impact of system integrators on managing the complexity of open RAN deployment is a matter of debate.

System integrators can have varying degrees of involvement and responsibility in the open RAN deployment. For instance, Fujitsu offers two models of support, with differences in terms of degree of involvement in the systems integration and the accountability for performance and ongoing maintenance (Fujitsu, 2020[118]). In addition, given the potential increased competition among suppliers in the open RAN environment, there may be more incentive to ensure accountability to their clients, in the face of lowered switching costs and decreased reliance on any one supplier.

Open RAN, in particular, is being actively discussed internationally and nationally in OECD countries. The Prague Proposals on Telecommunications Supplier Diversity put forward at the 2021 Prague 5G Security Conference, include a call for governments to support the open and multi-stakeholder development of technical standards to enable openness and interoperability, such as through open RAN technologies (National Cyber and Information Security Agency (NÚKIB), 2021[119]). The proposals have been supported by some OECD members, including the United Kingdom and the United States (DCMS, 2021[120]; White House, 2021[121]). Several OECD countries and partner economies are also considering open RAN in national initiatives, including Germany, the United Kingdom, the United States and Brazil, and others have engaged in partnerships which include the promotion of open RAN technologies, such as Australia, Japan, Korea and the United States (see Annex 2. Open RAN initiatives in OECD countries for further details).

Among industry, several initiatives aim to develop the open RAN ecosystem. Telecom Italia (TIM) signed a Memorandum of Understanding (MoU) with other European operators (Deutsche Telekom AG, Orange S.A., Telefónica S.A. and
Vodafone Group Plc) to promote, develop and implement open RAN technology in Europe (TIM, 2021[122]). The group jointly published a report in November 2021 calling on European governmental and industrial stakeholders to “urgently prioritise” open RAN through five specific policy recommendations (Telefónica, 2021[123]). Simultaneously, operators are conducting trials and testing of open RAN architecture and some industrial stakeholders have established research and development (R&D) centres to develop technologies needed to support open RAN deployments.

The actual roll-out of open RAN deployments is at an early stage and is still taking shape. However, some operators have moved from the testing phase to actual live deployments or have plans underway. In 2020, NTT DOCOMO, one of Japan's MNOs, adopted open interfaces for 4G, and successfully deployed the network. In the same year, Rakuten Mobile entered the Japanese market and was the first to deploy an “open, virtualised, distributed radio access network” for its 4G “greenfield” network (i.e. establishing a network where none had existed before, as opposed to building on top of legacy networks) (Rakuten Mobile, 2020[124]). In February 2022, Rakuten's virtualised cloud-native open RAN network reached 96% coverage of Japan's population (Rakuten, 2022[125]). In June 2021, Deutsche Telekom announced its live deployment of open RAN in Neubrandenburg, with a multi-vendor architecture including Dell, Fujitsu, Intel, Mavenir, NEC and Supermicro (Deutsche Telekom, 2021[126]). 1&1 AG, together with Rakuten Group, Inc., and DISH Network with Dell Technologies, both announced plans for open RAN deployments (Rakuten, 2021[127]; DISH Network Corporation, 2021[128]). These are only a few examples of industry actions related to open RAN; further examples on trials, testing, R&D centres, and deployments can be found in Annex 2. Open RAN initiatives in OECD countries.

While many in industry see potential benefits in open RAN, some hurdles remain. For example, some industry players have argued that greenfield open RAN deployments pose fewer challenges than deploying the technology on existing networks (T-Mobile USA, 2021[129]). To note, the open RAN deployments of Rakuten Mobile, 1&1 and Dish are examples of greenfield networks, while Deutsche Telekom has a legacy network.16 Other stakeholders, while supportive of open RAN, also recognise the challenges to maintain network reliability and performance when transitioning to open architectures (AT&T Services, Inc., 2021[130]).

Security implications

Increased openness can bring both possible benefits and challenges. Prior to discussing them, it is important to highlight the following considerations.

First, open architectures, such as open RAN, are not inherently more or less secure than traditional network architectures. In general, the level of digital security of an architecture model depends on several factors, many of which are not strictly specific to the model, such as the implementation context, which can vary over time (e.g. changing threats) and space (e.g. applicable law). As always in digital security, the overall balance between security benefits and challenges of a particular model needs to be considered in context, as part of a generally broader risk assessment. This means that many of the possible high-level security benefits and challenges from increased openness described below are not automatic, nor systematic. They will rather depend upon many factors and may sometimes be mitigated (for challenges) or optimised (for benefits). Additionally, for the challenges in particular, some of these security considerations may be applicable to other network architectures and not unique to open RAN (NSA/CISA, 2022[131]; FCC CSRIC VIII, 2022[132]; Quad Critical and Emerging Technology Working Group, 2023[133]).

Second, the various aspects of the trend towards more openness are not necessarily interlinked. For instance, the modularisation of networks does not necessarily entail the use of open source software. The development of open architectures could also result in operators using a mix of open and proprietary software. Similarly, integrated suppliers of communication equipment, which provide a more traditional network architecture, often integrate open source components in their offer.

Third, as the effective deployment of more open architectures is relatively new, it is difficult to gather sufficient empirical evidence and assess the long-term impact of this evolution on the digital security o
323、f communication networks at the time of writing.In the case of mobile networks,for instance,open RAN is still emerging and will likely co-exist alongside traditional RAN implementations for a significant period,which makes it challenging to analyse its impact on digital security in isolation(NIS Coo
324、peration Group,2022115).In addition,the pace and level of uptake of more open architectures by the industry in the short and medium term is uncertain,including for open RAN.As discussed above,different scenarios may occur,ranging from a relatively low adoption limited to some market players to a ver
325、y significant uptake by most operators across OECD countries.While increasing competition and reducing costs are often acknowledged as the main drivers of the development of open RAN,enhancing digital security appears to be a less prominent factor for industry,at least in the early stages of open RA
326、N adoption,even though it may evolve.Fourth,the deployment of open architectures is likely to result in a shift of digital security risk,however its overall effect on the risk level on the longer term is unknown.Whether this shift will result in higher or lower risk in the medium to long term will d
327、epend in part on how stakeholders will handle it and how threat actors will adapt to it.It is essential to recognise and understand this shift to make appropriate risk management decisions at the operational(e.g.design and implementation of open architectures)and public policy levels.ENHANCING THE S
328、ECURITY OF COMMUNICATION INFRASTRUCTURE|29 OECD DIGITAL ECONOMY PAPERS Security benefits The evolution towards more openness may bring a number of benefits for digital security risk management in communication networks.First,the trend towards more openness is enabling a diversification of the supply
chain of communication networks, which is likely to reduce network operators' dependency on a relatively small number of suppliers. This could limit the emergence of single points of failure and reduce systemic risk, which has been identified by many stakeholders as a key security challenge for communication networks (ENISA, 2019[36]). In fact, supply-chain dependencies often lead to closed technical “monocultures” prone to systemic risk by increasing the likelihood that a single vulnerability creates a widespread outage simultaneously affecting many operators, causing cascading failures on other critical activities whose functioning relies on communication networks (OECD, 2019[134]).

Second, as more open architectures are expected to enable more competition in the supply chain of communication networks, they may also stimulate innovation, including to develop new tools for digital security risk management. In fact, lower barriers to entry would likely result in a wider range of suppliers, which could use digital security as a market differentiator. Reduced switching costs, resulting from the interoperability enabled by open interfaces, could also further incentivise vendors to be more responsive to digital security risk, for instance regarding effective and timely vulnerability treatment and responsible end-of-life (EOL) policies (OECD, 2021[135]). “White box” equipment could also facilitate the development of the market for specialist security firms (e.g. managed service providers) focusing on communication networks, if operators have appropriate incentives to invest in digital security. Another key potential s