This week, I had the opportunity to speak at a National Telecommunications and Information Administration (NTIA) industry listening session on the U.S. federal government’s strategy for 5G policy.
The agency’s consistent commitment to working with private sector stakeholders allows for thoughtful exploration of knotty questions, like whether and how a pivot to open 5G network architectures impacts the security of those networks. The thrust of my message today was that we believe that well-designed open architectures can actually yield security benefits—and that federally-funded research is a critical step on that path.
Concerns have been raised that openness may have a negative impact on security. This represents an area where focused research would improve our understanding of whether and how open interfaces impact risk and what steps would be useful in terms of mitigation. Industry is now far enough along in developing Open RAN that security research is timely and meaningful. Our belief is that the learnings that result will significantly improve security as compared to closed architectures.
At the outset, it is worth noting that there is some confusion among policy makers about the distinction between “open source” and “Open RAN.” When we speak of Open RAN, we are describing a wireless network architecture that by virtue of leveraging open, defined, standards-based, interoperable elements can be decomposed into modular “swappable” components—potentially even from multiple vendors. Those modular components can include proprietary “closed box” or open source technologies—or any combination of the two. It will be up to the market to decide which products and services are the winners in each segment of the network.
Realizing this vision of an advanced wireless network will allow sourcing technology from multiple vendors—and even the ability to disaggregate the technology stack, allowing for hardware, software, and services to be teased apart. We anticipate that this approach should lower barriers to entry that promote increased competition, vendor diversity, and innovation.
The ability to put these pieces together like “Lego blocks” and yield a fully functioning network stack does, however, result in new “seams” where the “blocks” come together—changing the threat surface area.
Some of the claims about the nature of these threats and complexity of managing them effectively are real—some are exaggerated. And this is where the government can help.
When the authorization for R&D funding included in this past year’s NDAA is appropriated—and we hope that happens quickly—NTIA could usefully fund research to help industry better understand what threats are real and how best to mitigate them, and what claims of threats are exaggerated and should not impede the speedy roll-out of modular 5G networks.
Open RAN adds auditable security through modularity and open interfaces. The research that I am calling for today will help focus attention on techniques that will most benefit from those capabilities.
Taken together, we believe these factors offer the prospect of increased visibility and control in a well-designed “open” 5G network architecture that should deliver significant security benefits over prior generations of mobile networks that relied on closed architectures.