Nokia has strived to make cybersecurity a differentiator in 5G by building on the capabilities it acquired in Bell Labs when it took over Alcatel-Lucent in November 2016.
This deal strengthened its portfolio in that field with various technologies and patents. Since then, Nokia has maintained momentum through various initiatives, setting out not just to support emerging 5G security capabilities as they come along in the standards, but to offer additional layers of protection with the argument that 5G will expose operators and their customers to new threats and more concerted attacks from various quarters, including hostile states, organized crime, terrorists and lone actors.
The underlying thesis is that, as 5G rolls out around the world and converges with fixed services, the resulting infrastructure will become more critical than ever before and will become the focus of the most serious cyber-attacks, with increasingly adverse consequences when these succeed. Not only will these infrastructures become backbones for newer applications in remote control, autonomous systems and other areas of IoT, but also for existing service categories that currently still run over distinct networks, at least in part, including radio and TV.
Huawei has also set out its stall in this area, and so increasingly has Ericsson, having worked hard to narrow the cybersecurity gap with its competitors. Nokia hopes to elevate its cybersecurity profile once again with its latest announcement of its Advanced Security Testing and Research (ASTaR) lab in Dallas, Texas, claiming this to be the first end-to-end 5G testing lab in the USA focused solely on cybersecurity.
It is certainly a substantive facility, aiming to facilitate testing of defences against attacks on a large scale across national networks. Nokia indicated that hackers and state actors have more avenues of attack in 5G because of the proliferation in interworking endpoint types, as well as more extensive use of open source software that can introduce new vulnerabilities not addressed directly in 3GPP standards.
Nokia might also have mentioned the threats posed by opening up networks to multiple vendors through Open RAN, which has been a focal point for Ericsson. Nokia has indeed indicated the new lab will also address multivendor infrastructures based on Open RAN standards.
As the firm’s central lab dedicated solely to security forensics and research, ASTaR will develop and then use techniques to assess the security resilience of 5G networks, as well as the associated software, hardware and applications. ASTaR will then combine these assessments with insights gained through engagement with the wider cybersecurity community to identify emerging threat vectors and potential vulnerabilities, Nokia added.
“5G will enable countless new services for consumers, government and businesses, and the industry must be hyper-vigilant in ensuring these 5G ecosystems are secure,” said Nishant Batra, chief strategy and technology officer at Nokia. “To demonstrate our leadership and commitment to security, Nokia will be the first to inaugurate a lab in the US with the singular mission of identifying and preventing cybersecurity attacks. ASTaR lab will be an ideal testing ground to assess security in the larger context of network use and abuse scenarios.”
According to Batra, the lab will serve as a central repository for cybersecurity knowledge that will be shared across not just Nokia, but also its operator, enterprise and government customers. In addition, Nokia will partner with customers to consider attack scenarios against networks and observe how mitigation measures fare against real security incursions.
The new lab follows a series of 5G-related security announcements from Nokia over the last few years, some more directed at establishing groundswell, and others more technology related. A significant step came in November 2021 when Nokia announced its entry into the mobile software-as-a-service field with a portfolio of products across several sectors, including cybersecurity.
This included the NetGuard Cybersecurity Dome, described as a cloud-native eXtended Detection and Response (XDR) offering for 5G security that lets operators monitor, detect and manage incidents. This took Nokia into the realm of incident containment, analysis, automated remediation, and reporting for 5G security assurance, offering defence in depth on top of the standard 5G security features. The launch did come with the largely meaningless claim that NetGuard XDR demonstrated 70% increased effectiveness at blocking threats, which is of little value without context, but the product certainly brought some valuable capabilities, including machine learning algorithms for detecting signatures of unusual patterns or anomalies that might signal an attack was imminent, or already taking place.
Nokia has also stepped up efforts to promote awareness of 5G security risks and help instill the skills required to mitigate them. The company’s Bell Labs, in August 2021, launched an eight-hour course and certification in 5G security, focused on proactive and preventative measures as much as mediating technologies, according to the company’s chief security officer Geert Van Wauwe.
Huawei has also championed the dissemination of security awareness and skills, with the recent irony that the company has been widely deemed a source of threats rather than a provider of solutions to them. There is a distinction, though, between measures and technologies to counter threats and perceived longer-term risks at a geopolitical level. Various papers have been written that attempt to square this circle, one of the most illuminating and even-handed appearing in the journal Development and Change, published by the International Institute for Social Studies based in The Hague, Netherlands. Entitled “Huawei, 5G and Security: Technological Limitations and Political Responses” (https://doi.org/10.1111/dech.12680), the paper attempts to unravel the intersection between technological capabilities and geopolitical conflicts.
The paper comes to the nub of the matter when it traces the historical context and makes the observation that trade of machinery and even military weapons has taken place routinely between parties or countries that do not trust each other. Such exchange has been facilitated through inspections based on transparency between the parties.
This led to the counter-argument against sanctions advanced by the Chinese that these same approaches could enable trade in 5G equipment, without any political changes or compromises on either side. Indeed, Huawei acted on this basis by making efforts to establish transparency of its systems and being open to inspections. It opened an information security lab in Germany, and the Huawei Cyber Security Evaluation Centre (HCSEC), to which regulators and government security officials were invited.
At first this appeared to satisfy US-allied governments, but in the end it was not just President Trump’s actions and exertions that illuminated concerns. In 2018, the board in the UK overseeing the issue wrote in its annual report: “Due to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the Oversight Board can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated. We are advising the National Security Adviser on this basis.”
This conclusion was supported in some other countries. The paper then dissects this argument, which centers on the question of whether the software underlying 5G infrastructures and especially the core had become so complex that full analysis of the code had become impossible.
The paper cited software updates as a particular issue for security, because they are usually issued throughout the lifetime of the underlying system. Ironically, such updates are often required precisely to fix vulnerabilities that have come to light after the code was written, rather reinforcing the argument that exhaustive code checking has long been impossible, or at any rate cannot guarantee insulation against threats as yet unconceived. The implication again is that the primary vendor must be trustworthy not just at the point of initial purchase, but throughout the lifetime of the system.
The paper goes on to distinguish between the approach adopted in the USA and maintained under the Biden administration of targeting and ringfencing China specifically, and the European approach of addressing the issue at a generic level without demonizing any single country.
The outcomes of these two approaches have converged, but arguably the Europeans, or at least the EU, have done less to antagonize China. This resulted in the Prague Proposals, which outline various options, including limits on the percentage of a network that could be produced in countries without specific bilateral security agreements, and geographical limitations on 5G RANs that include equipment from such a country, to protect particularly sensitive areas such as military bases or government offices.
The underlying point of the Prague Proposals was that equipment from companies based in countries without direct security agreements in place would be treated differently, which left the road clear for Ericsson, Nokia and Samsung for example, but obstructed Huawei and ZTE. The paper concluded that technical measures alone could not exclude risks of future espionage and sabotage, and that given that impossibility, deployment of 5G inevitably required trust between vendors and implementers.
The paper also noted that countries explicitly banning Huawei, such as the UK and Sweden, had paid a political or at least commercial price, while those that have remained on the fence while still severely limiting Huawei’s involvement in 5G had not.
Meanwhile, Huawei continues to trumpet its own security credentials at the technical and network level, making the company a sound choice for countries lacking those geopolitical concerns but anxious to guard against cybercrime and casual hacking, as well as attempts at espionage by state actors not linked to the supplier. Huawei has adopted a consistent top-down approach to security within its organization, orchestrated by its Global Cyber Security Committee (GCSC), which ratifies cybersecurity assurance and manages communication between Huawei and all stakeholders, including governments, customers, partners and employees, reporting directly to the CEO. This is integral to Huawei’s transparency argument, under which its cyber security assurance system conducts internal audits and invites external certification from security authorities.
Ericsson has meanwhile beefed up its security credentials after earlier lagging behind Huawei and Nokia in this regard, with the help of partnerships as well as internal effort. For example, in May 2021 Ericsson started collaborating with Italian cybersecurity company Leonardo to develop 5G tools aimed particularly at industrial, public safety and critical infrastructure. The two companies have sought to identify threats and remedies specific to given use cases, such as video, extended reality (XR) and use of sensors on a large scale.
Cybersecurity has therefore become, if not a battleground between the key 5G equipment vendors, at least an area where they cannot afford to lag.