5G Security – Metrics of the Engaged

April 19, 2020

This past month on 03-06 March, the global industry sub-group that exists at the center of 5G security met virtually. It is known as SA3 within the 3GPP organization, and it met over a period of five days to deal with some of the most important 5G security requirements.

3GPP is a “partnership” created among all the world’s major standards bodies, which over several decades has cooperatively developed and evolved by far the largest and most successful global electronic communications network. Its secretariat services are provided by the largest of the global standards organizations known as ETSI — based in Sophia Antipolis, France. The meeting was given the designation of #98bis-e — the second part of the 98th meeting done electronically.

Like all the 3GPP global industry meetings, the participation, documents, and meeting information are open, and participation is driven by the level of interest in the technology and marketplace. Participants contribute their innovations and intellectual property royalty-free. The resulting plans, studies, and specifications are freely available to the public on-line.

The work is intense — occurring almost constantly with meetings almost every month. The 3GPP specifications are designated by Releases — similar to computer operating systems — and essentially obligatory for anyone in the 5G business. Release 16 is full “stand-alone” 5G. The most engaged companies have memberships resulting from their different subsidiaries. Because the work is actually spread across numerous other global industry standards bodies that are regularly meeting, a considerable effort is spent in constantly engaging in outreach liaison communications with those other bodies. The 3GPP has remained a proven, successful engine of global innovation and marketplace success for everyone worldwide.

So, a relevant question today — given the alt-truth rhetoric that swirls around some political realms about 5G security — who is actually engaged in the work? The engagement metrics help reveal what is occurring.

5G Security Engagement Metrics in SA3#98bis-e

At the outset, it should be underscored that metrics do not always equate to substance or measure innovation. On the other hand, what is patent is that if a company or agency is not present, they are, by definition, not engaged at all. If it doesn’t submit contributions or speak, it has no say in any of the work or the resulting security platforms and specifications — the work proceeds by consensus.

What is especially useful about the current 5G security meetings is that because they don’t involve travel, and the level of effort to minimally engage is so low, there are effectively no barriers.

The basic metrics of the SA3#98bis-e meeting are:

213 documents treating 11 important 5G Rel. 16 platforms, submitted by 31 organizations. 85 people registered as participants from 49 different organizations. Over the period of the meeting, there were 1012 meeting emails generated by 63 people from 36 different organizations.

The organizations involved are attributable to 12 different countries, plus Hong Kong.

Country Organizations
CA Bell Mobility
CN CATT, China Telecom, Futurewei, Huawei, Nanjing Ericsson, UNISOC, ZTE
DE BMWi, Deutsche Telekom
FI Nokia
FR Ministère Economie Finances, Thales
HK TD Tech Ltd
IT Telecom Italia
KR LG Electronics, Samsung
NL Philips International, TNO
SE Ericsson
UK BT, NCSC, Tencastle, Vodafone
US Apple, AT&T, Broadcom, CIS, Hewlett-Packard, Intel, InterDigital, Juniper, Mavenir, Motorola, PCCW Global, Perspecta Labs, Qualcomm, Sectra, Sprint, T-Mobile, US CISA ECD, US DOD, US LTS, US NIST, US NTIA, Verizon,

Additionally, Airbus, CableLabs, GSMA, and ETSI itself were present and substantively participating.

A sum of all the different metrics by country/zone is reflected in the following table.

Country Documents Emails Organizations Registrations
CA 1 1
CN 109 311 7 18
DE 22 3 3
FI 17 54 1 3
FR 5 7 2 2
HK 1 1
IT 14 1 1
JP 1
KR 15 132 2 3
NL 1 3 2 3
SE 25 180 1 10
UK 45 4 7
US 61 181 22 30

The contributions by the subject matter are reflected in the following table.

No Agenda item description
48 Authentication and key management for applications based on 3GPP credential in 5G (Rel-16)
40 Security Aspects of 3GPP support for Advanced V2X Services (Rel-16)
29 Study on User Plane Integrity Protection (Rel-16)
23 Security Aspects of the 5G Service Based Architecture (Rel-16)
18 Evolution of Cellular IoT security for the 5G System (Rel-16)
15 Security aspects of Enhancement of Network Slicing (Rel-16)
11 Security of the enhancement to the 5GC location services
11 Mission Critical security (Rel-16)
7 Security for NR Integrated Access and Backhaul (Rel-16)
6 Security of the Wireless and Wireline Convergence for the 5G system architecture (Rel-16)
2 Security aspects of SEAL (Rel-16)

The top ten contributors of documents were:

No Source
43 Huawei/Hisilicon
25 Ericsson
18 Qualcomm
18 ZTE
17 Nokia
17 Nokia Shanghai Bell
14 Motorola
12 Apple
12 Vodafone
11 Samsung

Clearly, some participants contribute far more than others and account for the preponderance of the work.

Among the government agencies engaged, the UK’s NCSC — which has been consistently, broadly engaged in the activities — generated 4 emails, and the US NIST one. The US government agencies finally demonstrated sufficient cognizance to register, if rather lacking in substantive engagement. The FCC embarrassingly remains inert without even minimal cognizance.

The U.S. government wasn’t always in such a pathetic state of dis-engagement in industry network security activities. Thirty-five years ago, during the Reagan Administration, NSA led the global industry community by creating and implementing the most innovative and comprehensive cybersecurity initiatives ever undertaken. The FCC had dedicated staff and even Commissioners who participated in the ongoing standards activities and led some of the work — specifying in its rulemaking proceedings the required standards. The National Communications System (NCS) was located in the White House under the National Security Council and provided an umbrella for very active engagement in global standards activities among 23 different federal agencies. NCS leaders published annual reports on its strategic international initiatives and activities — while chairing the Federal Telecommunication Standards Committee. The CIA’s DDS&T and DDI provided extensive, politically-neutral assistance to other agencies in understanding the most important strategic technology developments and states-of-the-art. Many of the US Federal agencies also pro-actively facilitated private-sector engagement in strategically important global cybersecurity standards activities.

The plain facts today of 5G security engagement speak for themselves for everyone to see. If the U.S. government wants to see any desired 5G capabilities or more U.S. company engagement, it needs to do more than just register for meetings. It also needs to remove senseless barriers to participation by U.S. companiesPost COVID-19, this has become more important.