CISA, in coordination with the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—released a Potential Threat Vectors to 5G Infrastructure paper. This paper identifies and assesses risks and vulnerabilities introduced by 5G.
The ESF 5G Threat Model Working Panel, a subgroup within the ESF, examined three major threat vectors in 5G—standards, the supply chain, and threats to systems architecture—to develop a summary and technical review of types of threats posed by 5G adoption in the United States and sample scenarios of 5G risks.
Please note, this paper represents the beginning of the ESF’s research and not the culmination of it. It is not an exhaustive risk summary or technical review of attack methodologies and includes public and private research and analysis.
Return to CISA’s 5G.
The fifth-generation (5G) of wireless technology represents a complete transformation of telecommunication networks, introducing a vast array of new connections, capabilities, and services. These advancements will provide the connection for billions of devices and will pave the way for applications that will enable new innovation, new markets, and economic growth around the world. However, these developments also introduce significant risks that threaten national security, economic security, and impact other national and global interests. Given these threats, 5G networks will be an attractive target for criminals and foreign adversaries to exploit for valuable information and intelligence. To address these concerns, the United States National Telecommunications and Information Administration (NTIA) developed the National Strategy to Secure 5G, a strategic document that expands on how the United States Government will secure 5G infrastructure domestically and abroad. The National Strategy to Secure 5G aligns to the National Cyber Strategy and establishes four lines of effort:
(1) facilitating the rollout of 5G domestically;
(2) assessing the cybersecurity risks to and identifying core security principles of 5G capabilities and infrastructure;
(3) addressing risks to United States economic and national security during development and deployment of 5Ginfrastructure worldwide; and
(4) promoting responsible global development and deployment of secure and reliable 5G infrastructure.
In alignment with Line of Effort 2 in the National Strategy to Secure 5G, the Enduring Security Framework (ESF) was identified to assist with assessing risks and vulnerabilities to 5G infrastructure. This included building on existing capabilities in assessing and managing supply chain risk. As a result, the ESF 5G Threat Model Working Panel was established.1 The preliminary focus of the 5G Threat Model Working Panel was to explore and prioritize potential threat vectors that may be associated with the use of 5G non-standalone (NSA) networks. The working panel reviewed existing bodies of work to identify and generate an aggregated list of known and potential threats to the 5G environment, determined and developed sample scenarios of where 5G may be adopted, and assessed risks to 5G core technologies. This analysis paper represents the beginning of the Working Panel’s thinking on the types of risks introduced by 5G adoption in the Unites States, and not the culmination of it. This product is not an exhaustive risk summary or technical review of attack methodologies and is derived from the considerable amount of analysis that already exists on this topic, to include public and private research and analysis.
1The ESF is a cross-sector working group that operates under the auspices of Critical Infrastructure Partnership Advisory Council (CIPAC) to address threats and risks to the security and stability of U.S. national security systems. It is comprised of experts from the U.S. government as well as representatives from the Information Technology, Communications, and the Defense Industrial Base sectors. The ESF is charged with bringing together representatives from private and public sectors to work on intelligence-driven, shared cybersecurity challenges.