Independent 5G Security Inspector needed to prevent mobile industry ‘marking its own homework’

With the mobile phone industry body the GSMA considering forming a European 5G Security Inspector, QinetiQ Fellow and 5G Lead, Mark Hawkins, gives his view on the newly proposed body.

5G

I see the purpose of the proposed GSMA 5G Security Inspector to be the trustworthy independent advisor to Mobile Network Operators (MNOs) to give them the confidence, reassurance and peace of mind they desire when rolling out 5G.

Consider the two big concerns for MNOs currently, as they plan their 5G roll-outs: variability of infrastructure and service provision. This could be in relation to current or new service providers in their supply chains, as well as operating more localised infrastructure – in public buildings or business parks – and services such as multi-access edge computing (MEC), or the need to make informed buying decisions regarding the security credentials of network equipment from vendors.

One simple and effective way in which the 5G Security Inspector could offer reassurance to MNOs is through security star ratings in the same way as cars receive EuroNCAP safety ratings which allow consumers to choose between makes and models based on safety.

However, in order to fulfil this function the body will need to be independent, technically competent and practically grounded.

An independent body is more likely to be an impartial one, which is trusted by all parties, and most importantly seen to be trusted outside the mobile industry. This means that the body needs to be more than an industry task group or broad committee, for two reasons.

First, the mobile industry should not be seen as “marking its own homework”, i.e. it should be independent of any actual or perceived vested interests.

Secondly it will only be trusted by network equipment vendors if it can show that it is impartial and will protect their IP (and therefore competitive advantage). This can only be achieved by an independent, impartial and trusted body – no vendor is going to submit their equipment for test if the body testing it is a competitor, or if they think that their IP will be leaked. To achieve this, the security inspector will need to be independent of the mobile industry, and possibly even independent of the GSMA itself.

Being independent is not enough. For the body to do its job and be trusted by the mobile industry it will need to be technically competent – both in 5G and cyber security. Moreover, it will ideally be technically competent in the application of cyber security to 5G. This will include aspects such as hardware, software, network configuration (after all 5G networks are highly virtualised Software Defined Networks), and extend to non-traditional cyber security areas such as the 5G NR interface itself, and supply chain governance. Technical competence will need to range from auditing of security processes and policy right the way through to security testing of 5G network equipment within a representative network environment.

This technical competence needs to be practically grounded, to deliver true value to the industry. To return to my starting point, the proposed 5G Security Inspector needs to allow MNOs to make informed buying decisions about 5G network equipment in terms of security. The practical way to do this is through testing, as proposed by the GSMA itself. 

Possible models from other sectors within the UK are Thatcham who test physical vehicle security systems and rate them based on how long it takes for them to be defeated; Which? the UK consumer association who carry out comprehensive independent testing on a wide range of consumer goods and services from washing machines to broadband providers, awarding simple star ratings; Defaqto who provide star rate insurance policies based on their features; and my original example of Euro NCAP safety testing for cars within Europe.

The two features of all of these examples is that they have a strong test focus and give clear recommendations in the form of ratings. A model such as the now defunct UK Independent Press Complaints Commission, which was seen as a self-regulating industry talking shop, simply won’t cut it.

The mobile industry needs the 5G Security Inspector proposed by the GSMA, in order to instil confidence that the industry can deliver 5G and its many benefits without compromising security. An independent, technically competent and practically grounded body with a strong focus on testing, and clear “star” ratings is required, and what the industry deserves.

To find out more and discuss how we could enable your organisation to achieve the commercial advantages of a secure 5G solution, contact our 5G Business Development team.