Why 5G Can Be More Secure Than 4G

This article by Andy Purdy originally appeared on Forbes.

For a technical subject, the rollout of 5G has captured the imaginations of pundits, politicians and others who sometimes incorrectly characterize it either as a race to some kind of technological finish line or as a looming threat to national security. While many of these commentators lack technical expertise, I think they’re right to focus on security.

But as one of the top security executives at a global information and communications technology company, and former director of national cybersecurity at the U.S. Department of Homeland Security, I can say confidently that there’s no reason to think 5G is inherently more vulnerable, or riskier, than previous generations of mobile technology. If anything, when it’s fully deployed, 5G can be more secure than 4G for comparable services and functionality.

5G makes use of 4G’s best defensive technology, while implementing new security protocols that address previously unresolved threats. Two examples are enhanced user authentication and stronger data encryption.

Authenticating users who want access to the network is the front line of cyber defense. In a 4G network, telecommunications operators authenticate users with a SIM card placed inside smartphones and other devices. However, because internet of things (IoT) connections vary in size and power consumption, as well as in the type and quantity of data they can send and receive, a single SIM from a single telecommunications operator can’t cope with the IoT’s diverse range of devices and requirements. 5G solves this problem by assigning unique identities to each individual device, eliminating the need for a SIM card and shifting responsibility for authentication from the operator to individual service providers.

5G also provides better roaming encryption. When a 4G phone connects to a base station, it authenticates the user’s identity, but does so without encrypting the information, leaving it vulnerable to attack. So although any subsequent calls or texts are encrypted in 4G, the user’s identity and location are not. 5G uses 256-bit encryption, a substantial improvement on the 128-bit standard used by 4G. With 5G, the user’s identity and location are encrypted, making the user impossible to identify or locate from the moment they get on the network.

Core Vs. RAN

One of the biggest worries I’ve heard from commentators relates to an aspect of 5G that’s widely misunderstood: the distinction between the radio access network (RAN) and the network core and whether the distinction will start to vanish as enhanced computing power moves closer to the network edge.

As its name suggests, the core is basically the network’s brain. It controls authentication, encryption and other elements vital to security and privacy, such as sensitive customer data. The RAN, on the other hand, is the network’s arms and legs. Sitting at the network’s outer edge, it takes signals from smartphones and other devices and transmits them back to the core, using cell phone towers or base stations.

Like 4G before it — and contrary to what some contend — 5G maintains a clear separation between RAN and core. A recent report that my company commissioned explains that “the 5G standards architecture relies on a clear modular separation between the 5G core network … and the radio access network.” Ericsson released a paper with similar assertions in 2016.

Even so, I’ve heard some say that 5G’s emerging applications will erode that separation as core functions begin migrating to the network edge. I believe this is a misunderstanding based on an element of truth. 5G will deliver many services that require extremely high speeds and stable network performance. Virtual reality and other applications all require heavy processing power and minimal latency, or delay. To achieve these performance characteristics, 5G will push computing resources closer to the network edge. This move toward “edge computing” has caused some confusion. Although some 5G applications do push computing power to the network edge, core resources remain distinctly separate from the RAN and subject to the core’s robust security protocols. Moving storage, memory or computing power closer to the edge does nothing to make the network less secure.

Why The Core/RAN Split Isn’t Likely To Vanish

Some fear that although the RAN-core separation may persist for a while, it will disappear over time. This isn’t likely to happen, mainly for commercial reasons.

5G architecture maintains clearly defined boundaries described in detail in the standards promulgated by the 3rd Generation Partnership Project (3GPP), an extended network of experts who set standards for different aspects of 5G telecommunications, and other bodies. According to research from Heavy Reading, “to actually deliver services over a 5G RAN, however, also requires a system architecture and core network.” And, as asserted in the report we commissioned, “any mobile technology that broke with this separation would not be 5G and would not be compatible with 5G networks.” That’s significant: I don’t believe that a merged core/RAN system would be something operators could sell profitably to their 5G customers.

Another commercial consideration is that telecommunications operators are advised to use equipment from multiple vendors. Using more than one supplier in both the core and the RAN increases network resilience by eliminating the potential for a single point of failure. It also creates competition that can encourage suppliers to keep prices low and to provide more innovative forms of security assurance and more innovation of all kinds.

I believe that all communications networks need objective, transparent protections that hew to international standards. As we move forward, I think society must recognize that there’s no reason to believe that 5G will somehow make networks less secure than in the past. In fact, given the advanced new technology 5G brings to bear on network security, it can make networks more secure than they’ve ever been.