NSA, CISA Weigh in on Shared Responsibility for Cloud Security in the 5G Era

Key federal agencies have released the first in a series of reports detailing their expectations for providers of fifth-generation networking equipment and services which they see increasingly serving as a vector for cyberattacks if they’re not properly secured.

Addressing cloud providers and mobile operators, the National Security Agency and the Cybersecurity and Infrastructure Security Agency said, “5G networks should assign unique identities to all elements (and preferably to each interface) that will communicate to other elements in the 5G network,” for example.

The report released Thursday focuses on preventing and detecting lateral movement so that if one cloud resource is affected the entire network doesn’t become compromised. Lateral movement has been a major concern amid recent attacks including those by the hackers believed to be behind SolarWinds.

Fifth-generation networking is inherently cloud-based and the recommended mitigations go far beyond the implementation of multifactor authentication to validate user identity. As the SolarWinds hackers demonstrated, emerging network architectures presented ways to bypass MFA.  

“5G cloud deployments will introduce more opportunities to move laterally in this manner because they support new implementations such as Service-Based Architecture (SBA), containers, and [virtual machines] that result in more element-to-element communications than in previous networks that utilized physical appliances and point-to-point interfaces,” the report reads. 

But overcoming confusion around the shared responsibility model for cloud security has been part of the challenge. “Cloud providers and mobile network operators may share security responsibilities in a manner that requires the operators to take responsibility to secure their tenancy ‘in the cloud,’” as the report puts it. 

The report emerged from the Enduring Security Framework, which is a Critical Infrastructure Partnership Advisory Council on threats and risks to national security systems. CIPACs are groups organized at the Department of Homeland Security to bring government and industry representatives together under exemption from the Federal Advisory Committee Act, which requires providing the opportunity for public participation and reporting.

The administration has been emphasizing an evolving public-private partnership, particularly through the Joint Cybersecurity Defense Collaborative at CISA. Many of the plank-bearing companies of the JCDC—cloud providers like Microsoft and mobile operators like Verizon—are the ones that the recommendations in the report series will apply to.

The report is the first of four the Enduring Security Framework group plans to publish on the issue after hosting two months of study sessions this summer with relevant representatives from government and industry. The next installment will focus on securely isolating network resources and the third and fourth will address data protection—in transit, in use and at rest—and infrastructure integrity, respectively.

Together the publications aim “​​to document 5G cloud security challenges, threats, and potential mitigations, to include guidance, standards, and analytics,” according to the first report which includes recommendations for service providers and the system integrators building and configuring 5G cloud infrastructures, as well as the customers such as government agencies. Throughout the series the reports will specify whether recommendations are meant for core network equipment vendors, cloud service providers, mobile network operators or integrators, which the study group said should provide “a layered approach to building hardened 5G cloud deployments.”  

“This series exemplifies the national security benefits resulting from the joint efforts of ESF experts from CISA, NSA, and industry,” NSA Cybersecurity Director Rob Joyce said in a press release Thursday. “Service providers and system integrators that build and configure 5G cloud infrastructures who apply this guidance will do their part to improve cybersecurity for our nation.”