5G Security Transparency

December 9, 2018

There is considerable rhetoric propagated today about 5G security. Some of the more blatant assertions border on xenophobia with vague assertions that the 5G vendors from some countries cannot be trusted and wholesale government banning is required. Existing treaty obligations are being summarily abrogated in favor of bilateral trade bullying. These are practices that the late President George H.W. Bush sought to eliminate a quarter-century ago through intergovernmental organization initiatives that relied on industry collaboration. Bush 41’s efforts were enormously successful and opened up a new world of global communication services, products, and economic growth — that are now being systematically undermined. As the world transitions to 5G global communications, the adverse effects of unilateral national isolationism will be profound.

Fortunately, open global industry collaboration is more active today than at any point in history — especially now for 5G security. It is that collaboration that also provides significant 5G security transparency today. That transparency is more essential than ever.

Metrics of 5G Security Collaboration

To provide some degree of transparency on the subject of 5G security and who is actually devoting resources to taking action, we are somewhat fortunate that there is one principal global industry venue that is intensively devoted to the subject — the 3GPP organization’s group SA3. Its remit is exclusively security, and there are 17 current Release 16 work items that are devoted to every aspect of 5G product and service security, including supply chain management.

As opposed to other standards bodies, 3GPP’s are essentially mandatory, and some are overseen by the industry’s global provider and vendor organization, the London-based GSMA. As a result of this stature, the work is extensive, dynamic, and globally inclusive.

During 2018, the SA3 held seven meetings lasting five days, roughly 60 days apart, in the U.S., Europe, and Asia. Arguably, the metrics of participation in these 2018 meetings are transparent indicators of the companies, agencies, and organizations interested and substantively involved in bringing about 5G security and willing to devote resources. In addition, because this open industry activity involves the participants making their Intellectual Property available for collective public use, the input metrics are indicative of the willingness of parties to share their 5G security IPR.

During 2018, 74 different companies (including their subsidiaries) plus a few agencies, sent technical experts to the seven SA3 meetings, expending 2,676 staff days and submitting 3,582 documents devoted specifically to 5G security specifications and liaison communications. The metrics for the top twenty participating entities are shown below and can be openly obtained from the SA3 portal site. These numbers are significant because they demonstrate who is willing to expend monies to have an employee present the most important industry 5G security meetings rotating across three continents, including three in the U.S.

Staff days Entity
305 Huawei
170 Ericsson
170 Qualcomm
140 China Mobile
125 Nokia
110 NEC
85 Motorola
75 InterDigital
70 BT plc
65 Orange
65 Samsung
55 Apple
50 Deutsche Telekom
50 ZTE Corp
45 Datang
45 Intel
45 Sony
45 Vodafone

Among government agencies, UK’s NCSC is found in the top 20. The three USGOV agencies — DHS, NIST, and FCC – together expended 60 staff days.

Another measure of substantive engagement — input document contributions to the 5G security standards and studies in 2018- is shown below. The numbers reflect the entity individually or collectively contributing a specification or study proposal or text. These numbers are significant because they indicate the degree of substantive engagement in 5G security provisions.

Contributions Entity
679 Huawei
626 HiSilicon
580 Ericsson
510 Nokia Shanghai Bell
204 Qualcomm
180 China Mobile
170 NEC
152 ZTE Corp
127 CATT
108 Motorola
95 KPN
90 Deutsche Telekom
89 Vodafone
86 Samsung
69 InterDigital
54 China Unicom
53 LG Electronics
42 Lenovo
37 Intel

Here also, many of the same parties are found in the top 20 because contributions require the attention of participant staff. Among USGOV agencies, NIST provided 9 submissions, and the FFRDC, MITRE, submitted 9.

5G Supply Chain Management

Among the many SA3 5G security standards, the one most related to contemporary security supply chain threat rhetoric is the Security Assurance Specification for 5G (SCAS_5G). The 3GPP activity is an extension of an initiative begun in SA3 nearly five years ago based on material from the Common Criteria Control Board to develop a global industry-driven mobile Network Equipment Security Assurance Scheme (NESAS) for equipment supply chain management using a Security Assurance Methodology (SECAM). The managing and accrediting body is the GSMA.

Here also, the contribution metrics show the stark reality both over the past five years as well as today – the U.S. government chooses to completely ignore the principal global activity for the supply chain management.

Fourteen parties participated in 2018 in submitting 92 input contributions for developing the 5G Security Assurance specification.

3 British Telecom
3 China Mobile
3 China Unicom
11 Deutsche Telekom
3 Ericsson
17 Hisilicon
21 Huawei
1 Intel
39 NEC Corporation
38 Nokia
14 Samsung
10 ZTE Corp

The FCC Supply Chain Proceeding and Advisory Committee

Global industry standards activities are not the only forum for treating 5G security. The FCC also instituted a rulemaking making proceeding in March 2018 to consider Commission rules related to supply chain management — especially 5G equipment. See WC Docket No. 18-89. Most of the 84 comments filed in the docket to date have expressed a preference for collaborative industry solutions rather than political-driven edicts.

Additionally, the Commission’s own industry advisory group, CSRIC, in its Final Report of the Network Reliability and Security Risk Reduction Working group in March 2018, “recommend[ed] that the industry continue to participate in industry and standards forums and adopt the GSMA recommended controls to address emerging security risks as part of their overall 5G and IoT security approach.”

New Threats to Global Industry 5G Security Collaboration

Decades ago, the United States was a leader in global ICT industry collaboration which including collectively developing the security specifications expanding the markets for worldwide growth and trade in equipment and services. That dynamic is alive and well today in 3GPP SA3 and many other venues, even if the participants have changed, and the U.S. government agencies have disengaged. There is an enormous amount of travel and personal sacrifice endured by the individuals involved.

Eight years ago, three Google executives while traveling in Italy, were apprehended because one of their company’s offerings allegedly violating local law. Their trial and imprisonment generated industry widespread outrage. Today, the same has recently occurred to another global ICT company executive from another part of the world. Such governmental actions are serious threats to everyone engaging in global industry security collaboration.