Schneier: "It's really too late to secure 5G networks"

By Cory Doctorow

Bruce Schneier's Foreign Policy essay on 5G security argues that we're unduly focused on the possibility of Chinese manufacturers inserting backdoors or killswitches in 5G equipment, and not focused enough on the intrinsic weaknesses of a badly defined, badly developed standard wherein "near-term corporate profits prevailed against broader social good."

Schneier points to a variety of factors contributing to 5G's intrinsic, irreparable unsuitability: first, the US government pushed for weaker security in order to ensure that it could conduct domestic surveillance; second, the standards themselves are so complex as to be impossible to implement securely; and third, the system calls for software running on dynamically configurable hardware, which "dramatically increases the points vulnerable to attack."

Moreover, 5G is backwards compatible with earlier protocols, inheriting all their insecurities and generating new ones: these protocols' weak spots can be chained together to create attacks that each protocol was, in and of itself, immune to, but to which the combined system remains vulnerable.

Schneier points to the degree to which security in 5G is both optional and an afterthought as reasons for this fundamental insecurity. He also suggests that merely using secure protocols -- end-to-end encryption, for example -- will not be sufficient to defend ourselves against the problems in 5G, as mobile operating systems, baseband radios and other components will remain vulnerable.

But keeping untrusted companies like Huawei out of Western infrastructure isn't enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards -- the protocols and software for 5G -- ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security.

5G Security [Bruce Schneier/Schneier on Security]