1、The Globalisation of Technology ������Occasional Paper Royal United Se�������rvices Institute for Defence and Security Studies 5G Cyber Security A Risk-Management Approach James Sullivan and Rebecca Lucas 5G Cyber Security A Risk-Management Approach James Sullivan and Rebecca Lucas The Globalisation of Technolog
2、y RUSI Occasional P������aper, February 2020 Royal United Services Institute for Defence and Security Studies ii5G Cyber Security: A Risk-Management Approach 189 years of independent thinking on defence and security The Royal United Services Institute (RUSI) is the worlds oldest and the UKs leading defenc
3、e and security think tank. Its mission is to inform, influence and enhance public debate on a safer and more stable world. RUSI is a research-led institute, producing independent, practical and innov�������ative analysis to address todays complex challenges. Since its foundation in 1831, RUSI has relied on
4、 its members to support its activities. Together with revenue from research, publications and conferences, RUSI has sustained its political independence for 189 years. Roy�����al United Services Institute for Defence and Security Studies Whiteh���������all London SW1A 2ET United Kingdom +44 (0)20 7747 2600 www.ru
5、si.org RUSI is a registered charity (No. 210639) The vie�����ws expressed in this publication are those of the author(s), and do not reflect the views of RUSI or any other institution. Published in 2020 by the Royal United Services Institute for Defence and Security Studies. This work is licensed under a
6、 Creative Commons Attribution Non-Commercial No-Derivatives 4.0 I��������nternational Licence. For more information, see . RUSI Occasional Paper, February 2020. ISSN 2397-0286 (Online); ISSN 2397-0278 (Print). Printed in the UK by Kall Kwik.����� Contents Executive Summary v I. Introduction 1 Background 2 What i
7、s 5G Technology? 4 II. 5G Cyber Security: A Risk-Management Approach 11 Risks to 5G Infrastructure 12 Measures to Mitigate 5G���� Risk 17 Huawei and Cyber Security 23 The Role of Governments in 5G Cyber ������Security 26 III. Conclusions 29 About the Authors 31 Executive Summary T HIS PAPER ARGUES that approa
8、ches to the security of 5G telecomm������unications networks should depend on national context, including the geographic location of equipment, national cyber security experience, vendor availability and cost. The main policy priority f��������or states should be the implementation of pragmatic technical cyber ri
9、sk management measures that protect against the majority of risks to 5G networks. In January 2020, the UKs National Security Council made the decision to exclude Huawei technology from the most sensitive parts of the UKs 5G network, while allowing it to supply periphera�����l components such as mobile ph
10、one masts and antennae. From a purely technical perspective, this was a practic��������al and real�����istic decision that adheres to the principles of cyber risk management and reflects the expert view of the UKs national technical authority, the National Cyber Security Centre. This research identifies a range
11、of measures to manage risk to 5G networks, including resilient network architecture, access management, testing and monitoring, and cyber security stand�����ards. The findings demonstrate how core and edge functions do remain technically distinct in 5G networks and highlight multiple ways to isolate and
12、localise risks. It recognises that 5G poses new challenges for cyber security practitioners, owing to technical concepts such as virtualisation and low-latency communication, but concludes that there are measured ways to manage the risk. The paper acknow���ledges that for some states, political and eco
13、nomic considerations may end up being the overriding factors that lead to the decision to ban a particular vendor from a part�������icular state. This may be an entirely legitimate national approach. However, states �����must be clear about the extent to which political, rather than technical, factors inform th
14、eir decision-making relating to 5G and other technology. Otherwise, it confuses the argument and undermines the authority of national technical experts. Finally, the paper argues t����hat 5G is one instance of a much wider set of issues around the globalisation of technology relating to the pivot of tec
15、hnology innovation from West to East. It recommends that states should rapidly identify those advanced technology areas where greater vendor diversity and/or sovereign technology is required and de������velop an industrial strategy to address these gaps. I. Introduction T HIS PAPER EXAMINES high-l������evel cyb
16、er risks relating to 5G telecommunications infrastructure and assesses to what extent a risk-management approach could mitigate them. The analysis in this paper is based on extensive research of academic literature, media reports, open so���urce government documents and in-depth semi-structured intervi
17、ews with senior cyber security experts. For these interviews, experts were chosen based on �����their subject-matter expertise and experience, using a non-probabilistic (selective) sampling method. Interviewees included government officials, law enforcement, private sector experts and academics.1 Intervi
1���8、ews reflect the perspectives of ������these individuals and should not be interpreted to represent the positions of corporations or governments. Research findings and recommendations also draw on academic and policy literature relating to 5G, open source government documents, media reports and consultatio
19、n with experts at roundtable events. As with any qualitative research study, there are some limitations. The interview findings inevitably reflect the perspectives, insights and experiences of participants. Furthermore, research is largely limited to informa�����tion available in the public domain only.
20、This research is the first in a series of papers to be published as part of a RUSI research project, The Glo������balisation of Technology. The series examines the cyber security implications of the growing presence of foreign-made components in Western telecommunicat��������ions infrastructure, how governments p
21、erceive the accompanying risks and the actions they are taking in response. Subsequent pape�������rs in the series will look beyond 5G to wider risks from the globalisation of technology. The paper comprises five sections. First, it provides background on the nature of 5G technology and the security threat
22、 it could pose. Second, it details overarching risks to 5G networks for policymakers to consider. Third, it examines methods of risk mitigation. Fourth, it addresses the specific question of Huawei. Finally, this report examines the role of government in add��������ressing these challenges and provides a se
23、t of recommendations for policymakers to consider. The primary������ purpose of this paper is to inform policymakers and cyber security practitioners of the range of factors to consider when mak������ing policy decisions linked to the rollout of 5G infrastructure, including decisions regarding vendor selection.
24、 1. Throughout this report, an anonymised coding system is used to refer to interview data. The prefix UK G is used to refer to UK government officials, US G is used for US government officials, T is used for members of the telecommunications sector, and A refers to academic experts. ����The views expre
25、ssed by members of government are not intend����ed to represent the governments official position. The views expressed by members of t������he telecommunications sector are not intended to represent any corporations official position. The views expressed by members of academia are not intended to represent an
26、y institutions official position. 25G Cyber Security: A Risk-Management Approach Background Governments are struggling to determine how to best protect new 5G telecommunications networks, some of which are classed as critical national infrastructure (CNI) in the UK.2 In particular, gl������obal debate con
27、tinues as to how governments should manage the presence of Chinese technology in the rollout of 5G infrastructure. Citing national security concerns, some governments advocate a blanket ban of Chinese companies like Huawei. Others have decided no�������t to restrict Huaweis participation in 5G networks at
28、all. In January 2020, the UKs National Security Council made the decision to exclude Huawei technology from the most sensitive parts of the UKs 5G network, while allowing it to supp������ly peripheral components such as mobile phone masts and antennae. In addition, their UK market share of peripheral 5G c
29、omponents will be capped at 35%.3 This approach �������acknowledges that Huawei is a high-risk vendor (HRV), but the risk is deemed to be manageable. As with any complex network, 5G networks tend to have vulnerabili�����ties.4 As they require regular updates, operators frequently grant network access to third p
30、arties.5 Original network components, as well as software updates, are the product of complex, int�����ernational supply chains that are difficult to trace. The apparent national origin of a product is not a reliable guide to where its components were designed or manufactured. Meanwhile, technology to co
31、mprehensively map networks and their components does not yet exist.6 Risk management is the process of identifying threats and risks in a pa����rticular context and taking action to prevent or reduce them.7 Cyber risk management is no different. It acknowledges that it is impossible to e�����radicate risk, e
32、specially in complex, multifaceted technology-dependent activities. Instead, the challenge is to set a realistic risk tolerance or level of acceptable risk and develop mitigation methods typically involving people, processes and technology that 2. The UK government def����ines critical national infrastr
33、ucture as those facilities, sys����tems, sites, information, people, networks, and processes necessary for a country to function and upon w�����hich daily life depends In the UK, there are 13 national infrastructure sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finan
34、ce, Food, Government, Health, Space, Tran�����sport, and Water. See Centre for the Protection of National Infrastructure, About: Critical National Infrastructure, , accessed 20 January 2020. 3. Department for Digital, Culture, Media and Sport (DCMS), New Plans to Safeguard Countrys Telecoms Network and P
35、ave Way for Fast, Reliable and Secure Connectivity, press release, ������28 January 2020, , accessed 31 January 2020. 4. Authors interview with T1, member of the telecommunications sector, 27 September 2019. 5. Ibid.; au�������thors interview with UK G1, UK government official, 29 October 2019. 6. Authors notes
36、from a techUK event, 30 September 2019. 7. Collins, Risk Management, , accessed 28 January 2020. Sullivan and Lucas3 have the g�����reatest likelihood of supporting that risk tolerance. Cyber risk-management decisions are fundamentally informed by the degree������� of confidence in the security of components an
37、d infrastructure. This is not a binary objective. There is no such thing as full confidence in equipment, or trustworth�������y vendors in any context.8 In re�������lation to 5G, some states argue for a pragmatic cyber security risk-management approach.9 Such an approach could keep technology where there are lowe
38、r degrees of confidence around security, such as from China, out of the most sensitive parts of th�����e n�������etwork. However, such an approach could still permit the use of Chinese technology in less sensitive or less critical areas. For others, a blanket ban on Chinese equipment is asserted to be the only
39、way to manage the security risks resulting from using Chinese technology in 5G. The US has pressed its allies to ban Chinese companies, primarily Huawei, from providing any 5G network components, originally citing an extremely low degree of confidence in ���the security of Chinese technology. It has sp
40、ecifically raised concerns about vulnerabilities in Huawei equipment that could give the company, or the Chinese government, access to 5G networks.10 The US government has been vocal about its preference that all countries implement a full ban. It has threatened that it will no longer share int������ellig
41、ence with countries which include Huawei in their 5G networks.11 US officials have alleged that, should the UK include Huawei components in 5G networks, it would put our information at risk.12 They hav�����e even gone so far as to say that the US could not base resources, such as a military base or an em
42、bassy, in a country that uses Huawei equ������ipment.13 These statements are part of an ongoing effort to pressure the UK, and other countries, to exclude Huawei entirely from their 5G networks. The 5G debate is not just about cyber security. It has become part of a wider geopolitical conversation. It rel
43、ates to political perceptions of Chinas place in t���������he world, as well as to economic factors, including Western reliance on Chinese technology and manufacturing, 8. Authors interview with UK G1, UK government official, 29 October 2019; authors interview with UK G3, UK government official, 8 November 2
44、019; authors interview with UK G4, UK government official, 11 November 2019. 9. For a detailed explanation of countries approaches to 5G, see the written evidence submitted by RUSI for the Joint Committee on the National Security Strategys inquiry, Ensuring Access to “Safe” Technology: The U�������Ks 5G In
45、frastructure and National Security Issue, , accessed 30 January 2020. 10. Authors inter������view with US G1, US government official, 15 October 2019. 11. Zak Doffman, US Threatens UK On Huawei and Intelligence-Sharing, Forbes, 29 April 2019. 12. David Bond et al., US Cyber Chie����f Warns UK Against Giving H
46、uawei “Loaded Gun”, Financial Times, 24 April 2019. 13. The Economist, Britain Lets Huawei �����into Part of Its 5G Networks, 24 April 2019. 45G Cyber Security: A Risk-Management Approach advanced Chinese innovation in technology and fears t�����hat the West is falling behind.14 There are also human rights co
47、ncerns, including about how Chinese technology companie�����s have enabled the Chinese �����government to suppress its citizens.15 Many countries have found themselves caught between the US and China and have yet to make a definitive decision on Huawei.16 Meanwhile, the deployment of 5G infrastructure is ongo
48、ing in many countries, often using Huaweis low-cost equipment or building on existing previous-generation Huawei infrastructure.17 There is a business cost to ripping out Huawei equipment and starting again.18 However, there is more to 5G networks than Huawei.1�����9 An overwhelming focus on one technolo
49、gy, one company and one state while understandable masks broader issues about the proliferation of technology and innovation, and how best to manage the accompanying risks, for 5G and beyond. All 5G networks, whether they include Huawei equipment or not, face common technical risks and challenges. While both technological and geopolitical factors could shape risk-management decisions on 5G, research has evidenced the importance of clearly di�������stinguishing between the two.20 The use of geopolitical and economic criteria may be a legitimate national approach
sgpjbg002
工作日 8:30 - 17:30
会员动态:
报告分类
新质生产力
ChatGPT
新能源汽车
大模型
Sora
机器人
微短剧
芯片
薪酬
白皮书
低空经济
数据要素
创新药
人工智能
AI产业
信息科技
互联网
消费经济
汽车交通
电商零售
传媒娱乐
医药健康
投资金融
能源环境
地产建筑
传统产业
英文报告
其它
扫码登录
手机快捷登录
账号登录
