While 5G has been a hot topic at the annual Mobile World Congress (now shortened to just MWC Barcelona) event for the last few years, 5G security seems to have fallen by the wayside. There’s usually some panels on the topic, but the discussion has been dominated by the flashy, new technologies and apps that 5G will enable — not the myriad security risks that come with these pretty, sparkly things.
“Future IT environment will also need to secure many IoT devices that are starting to surround us,” said Check Point CEO Gil Shwed on his company’s earnings call last month. “Not to mention the mobile devices, which I believe are the No. 1 threat to our privacy and security nowadays. Overall, I believe the amount of assets we will need to secure will increase by tenfold in the coming three to five years, but it’s more than just the amount of assets we will need to secure.”
There’s also the scalability issue. “If you go from managing and securing 50,000 devices to 200,000 devices, now all of the sudden you have to know about different kinds of devices, different kinds of protocols, and follow the different vulnerabilities about those devices,” said Jon Olstik, a senior principal analyst and founder of Enterprise Strategy Group’s cybersecurity service. “We’re already in a profound cybersecurity skill shortage, so finding people who have that intersected knowledge of cybersecurity and IoT may be a difficult task.”
In addition to the sheer number of connected devices — Gartner forecasts 20 billion will be in use by next year, while Cisco puts the number at 50 billion — there are also challenges related to next-gen low-latency, high-bandwidth networks. While this makes it easier and faster for enterprises to move and access their data, it also allows the bad guys to steal this data at the speed of 5G.
“5G is delivering near-zero latency,” said Gary Davis, chief security evangelist at McAfee. “The fact that you have all this data going at this extraordinary high speed is going to make data exfiltration that much simpler and that much harder to defend against because it happens too quickly. It’s going to be an enabler for attackers to pull data out of an organization at a speed never before realized.”
Security should be a hot topic at MWC 2019. But will it?
John English, director of marketing for Netscout’s Service Provider Solutions business, predicts that this will be the year that 5G security takes center stage.
“From our conversations with mobile operators we know how seriously they’re taking security,” he wrote in an email. “In Barcelona this year, we will therefore see the operator community come together to discuss how to address critical security challenges. With 5G driving the adoption of virtualized network infrastructures such as containers and distributed cloud models, much of the conversation will focus on how carriers can secure and assure services in this increasingly complex environment.”
These discussions will focus on the need for a security model that provides deep insight on both service performance and security, he added. “Only by having visibility into the entire 5G environment, including both public and private cloud, will carriers be able to identify whether devices are behaving in a suspicious or malicious manner.”
English sounds like a glass-half-full kinda guy. Our friends at McAfee, however, take a more pessimistic view.
“Both CES and MWC are using the right words, they are talking about security and safety and privacy and all those things that matter,” Davis said. “But you look at what they are focusing their energy behind, you don’t see it manifesting itself. You don’t see a healthy balance of security-related topics blended with all the other keynotes. Security isn’t given the proper recognition other than lip service.”
McAfee Fellow and Chief Scientist Raj Samani says even when his company’s threat hunters find vulnerabilities on devices and disclose them to manufacturers, “it’s met with absolute apathy. Some completely ignore us.”
Samani looked at the MWC agenda and rattled off a list of panels: “monetizing IoT, structure versus innovation, a robotics master class, a Google master class, digital transformation … I get that these things are important,” he said. “But when we see a 77-percent increase in banking trojans targeting mobile devices and over 600 malicious cryptocurrency apps spread across 20 app stores in 2018 alone, how many devices at MWC alone will be mining for crypto and stealing credentials? The safety of the devices and the data on them is a really big miss for MWC.”
This is not to say that there are no security talks at MWC. A seminar on IoT Security Today and Tomorrow and a panel about How to Secure a Connected Digital Society look promising. But I think the robots and AR games will steal the show.