NSA, CISA List Expectations for Industry on Data Governance in 5G Environments

Federal cybersecurity agencies are continuing to demarcate security roles for stakeholders in fifth-generation networking architectures with the release of guidance on the appropriate management of data in the cloud-based systems.  

“Data is an incredibly valuable resource driving every industry in the modern world,” Bob Kolasky, who leads Cybersecurity and Infrastructure Security Agency’s National Risk Management Center, said in a press release Thursday. “This makes it an especially attractive target for adversaries. This paper highlights the importance of government and industry coordination in addressing the complex task of protecting our critical data. As with the previous two parts of this series, CISA encourages the 5G community to review this guidance and take actionable steps to help strengthen the nation's 5G cloud infrastructure.”

Parts one and two of the series CISA issued along with the National Security Agency focused on preventing and detecting unauthorized lateral movement across networks and isolation of network resources, respectively. The third installment released Thursday zooms in on data protection. The guidance lays out a significant list of actions users of cloud-based 5G systems—as well as the cloud service providers and mobile operators—should all take to protect data at-rest.

But for data in-transit, and data in-use, the recommended cybersecurity mitigations are all directed to the cloud service providers and mobile operators.

The guidance notes that while standards developed for 5G by the Third Generation Partnership Project make some capabilities a requirement, it’s still up to the operators to turn them on, and notes the importance of doing so.       

“User plane data confidentiality and integrity capabilities are required, but their use is optional at the discretion of the operator,” the agencies wrote regarding data in-transit, for example. “Some of the user plane threats, such as Person-in-the-Middle and privacy violations, may be mitigated through the required use of the optional confidentiality and required integrity capabilities discussed above. Others, such as routing and Denial of Service (DoS) attacks must be handled in the control plane and above and would benefit from the required use of both the optional confidentiality and integrity capabilities.”

The guidance coincided with a U.S. commitment to security and other attributes it wants to establish for 5G technology across the globe at a third conference on the issue held in Prague.

The conference began in 2019 when Rob Strayer, who was then the State Department’s leading cybersecurity official and now works for the Information Technology Industry Council, traveled to the city to promote the U.S. vision for 5G expansion. It was also attended by then-Federal Communications Commission Chairman Ajit Pai in 2020 and has become an annual event where the Czech Republic hosts invited government officials, academics, and representatives of international and regional trade and standards groups to focus on the security implications of the technology. 

“​​The stakes for securing these networks could not be higher,” White House National Security Spokesperson Emily Horne said in a release Thursday. “The United States believes 5G security can only be addressed effectively through a truly global approach and we are committed to engaging on this with all of our allies and partners to promote open, interoperable, secure, and reliable information and communications technology infrastructure supported by a supply chain of diverse, trustworthy suppliers.”

The Prague proposals don’t get specific about what controls would ensure the desired networking principles. And the group doesn’t name names regarding which suppliers of networking gear and services should be deemed trustworthy, but it emerged as part of a Trump era effort to be tough and assert power in U.S.-China relations, including by limiting the footprint of Chinese networking giants Huawei and ZTE across global markets.

The principles do list criteria for the governing countries of trustworthy suppliers, which would also capture regimes like Russia, where Kaspersky Labs—which is now banned for use by the U.S. government—is headquartered.

But the conference could be headed for weedier technical territory given the advent of a new breed of third-party cyberattacks this year—and more recent threats posed by entities based in allied governments—that has the Biden administration adjusting the U.S. approach to cybersecurity, particularly through the supply chain for information and communications technology.

“The United States supports these proposals, which build upon prior efforts with the G7 and the [Quadrilateral security dialogue among the United States, India, Australia and Japan] and we intend to promote them in our global engagements on 5G, which is the future of internet connectivity,” Horne said. “The United States further appreciates the leadership of the Czech Republic in identifying and seeking to address security challenges posed by the development and deployment of emerging and disruptive technologies and the release of the ‘Prague Proposals 2.0 on Cyber Security of Emerging and Disruptive Technologies,’ at the conference.” 

The standards conversations are also occurring as part of a new U.S-EU council on trade and national security.