By: Ts Mohd Shamir bin Hashim, CyberSecurity Malaysia, Permanent Secretariat of the OIC-CERT; Co-chair, OIC-CERT 5G Security Working Group
The fifth-generation (5G) wireless technology represents a complete transformation of telecommunication networks, one that will be able to cater for the demand from emerging and disruptive technologies such as Artificial Intelligence (AI), the Internet of Things (IoT), and cloud computing, to name a few. These technologies require extensive bandwidth to enable new applications, and 5G will transform the digital landscape and serve as a catalyst for innovation, new markets, and economic growth. In fact, 5G will be critical towards realizing the objectives of the Fourth Industrial Revolution (4IR), where billions of devices will be connected to the Internet through this technology. It is estimated that there will be more than 1.7 billion 5G subscribers worldwide by 2025.
Societies today do not have a choice when it comes to these emerging technologies; they must embrace and adopt them or risk being left behind by the rest of the world. Countries that are slow in adopting the technology will move to the bottom of the food chain and be left at the mercy of others. In a world that is moving towards ubiquitous interconnectivity, security risks lie at the weakest link, so it is in the interest of all parties to ensure that every link incorporates minimum security standards to protect, in this case, digital data transmission and management.
The 5G digital transformation will continue to introduce new dimensions of attack vectors, surfaces, and vulnerabilities through the connected digital systems. IoT, for example, will bring a new set of challenges, such as the security, safety, and robustness of cyber and physical systems. Novel types of attack will inevitably catch the industry by surprise. As such, more and more touchpoints will become attractive and easy targets for cybercriminals. Therefore, there is a need to enhance cybersecurity measures in proportion to the threats emerging from advances in digital technology.
Since the dawn of cybersecurity, cross-border collaboration has always been a pillar in mitigating cyber threats. One of these collaborations is the Organization of the Islamic Cooperation - Computer Emergency Response Team (OIC-CERT), a platform for information sharing and developing cybersecurity capabilities for members.
The OIC is said to be the second-largest global organization after the UN, with 57 member countries. So many countries under one umbrella offer an excellent opportunity for digital interconnectivity. Still, weak cybersecurity is a significant concern and might hamper the rollout of technologies such as 5G to accommodate future development. Based on the International Telecommunication Union Global Cybersecurity Index (ITU GCI) 2020, which measures the cybersecurity commitment of 194 countries, only four OIC Member Countries (OMC) are ranked in the global top 20, while 27 fall below 100.
This raises the question of how to elevate cybersecurity and digital technology capability and capacity among the OMC. How will these members embrace emerging technologies such as 5G?
The OIC-CERT was formed in 2009 to offer cybersecurity assistance to the OMC. Presently, 28 of the OMC are members of the OIC-CERT. The ITU GCI 2020 report shows that the four OMC ranked in the global top 20 are also members of the OIC-CERT. Focusing just on the OIC community, 18 of the top 20 OMC are OIC-CERT members. Thus, the OIC-CERT can be an avenue for the OIC to elevate the cybersecurity capability and capacity of the OMC to prepare them for 5G and other disruptive digital technologies.
The OIC-CERT recognizes that 5G marks the beginning of a new era, albeit with serious cybersecurity challenges that could hamper its progress. Thus, to address some of these challenges, the OIC-CERT has established the OIC-CERT 5G Security Working Group (WG), led by CyberSecurity Malaysia and Huawei UAE, who are the OIC-CERT Secretariat and a Commercial Member respectively. The WG will look at formulating a 5G cybersecurity framework that is systematic and effective to accelerate ICT development. This framework is mainly intended for the regulatory authorities of the OMC to assist them in making policies on regulating 5G equipment vendors, mobile network operators (MNOs), and the relevant service providers.
The OIC-CERT 5G Framework clarifies the different 5G cybersecurity areas, roles, and responsibilities. The WG, with the contribution from Huawei UAE, has developed an OIC-CERT 5G cybersecurity risk repository identifying the exact cybersecurity requirements to address 5G cybersecurity concerns. Considering the difference in cybersecurity capabilities among the OMC, the framework and security requirements are designed to provide a baseline foundation, which can be individually customized to guide each OMC in regulating their 5G cybersecurity requirements.
It is unrealistic to build and maintain secure and resilient 5G networks, application services, and reliable network equipment through an all-in-one framework. In addition, it cannot be achieved by one person, one organization, or one nation. All parties involved need to collaborate in addressing the challenges that arise from 5G rollouts. With the aim of establishing the cybersecurity requirements for the OIC community to securely adopt new technologies, the OIC-CERT announced the formation of the 5G Security WG at GISEC Global 2021 in Dubai, UAE in May 2021, and is looking to present the completed OIC 5G security framework at the GISEC 2022 edition in March next year. To date, the WG has completed the technical development of the framework with the following major components:
The OIC-CERT 5G Risk Repository
The repository provides a risk-based approach towards 5G security in the framework. It will be used for risk assessment and management of 5G security risks in information security projects, and will include an industry-consensus threat landscape, attack methodologies, mitigation strategies, and measures for different stakeholders such as MNOs, network equipment vendors, application providers, and regulators.
The Baseline Security Technical Specifications and Reference Standards
A tiered 5G security framework is defined to address 5G security. It also identifies a layered security model that explicitly distinguishes the roles and responsibilities in securing 5G equipment, networks, and the various applications that will build a new digital era. For each layer, corresponding baseline security requirements are given. For example, the Network Equipment Security Assurance Scheme (NESAS), jointly developed by GSMA and 3GPP, is recognized as a unified cybersecurity standard for the equipment layer.
A common certification scheme across the OMC
The WG has provided a compliance validation scheme for the OMC. We have defined the Accreditation Body (AB), Certification Body (CB), and Evaluation Body (EB), and detailed the requirements and duties in the certification scheme, the evaluation process and criteria, and other necessary components that are critical in establishing an open, transparent, and collaborative cybersecurity ecosystem. This ecosystem helps the OMC address pertinent concerns arising from adopting 5G and the corresponding applications and use cases built on top of 5G, such as cloud computing, IoT, and AI. These are the keys that will unlock the value of 5G and define the applications for embracing 5G and beyond.