• By CHIP GEORGE MAY 27, 2022

    The U.S. federal government is ahead of other industries in the adoption of multicloud, which is imperative to mission success.

    To say the U.S. federal government has made significant digital strides in recent years would be an understatement. As one of the few industries responsible for managing an overabundance of sensitive data and mission-critical applications that hundreds of millions of constituents depend on—all while using and modernizing decades-old legacy IT infrastructure to do so—the U.S. federal government’s rapid acceleration of its digital transformations is quite phenomenal. 

    Especially impressive are the federal government’s strides in public cloud and multicloud IT infrastructures. Findings from the fourth annual Public Sector Enterprise Cloud Index from Nutanix show that the federal government and public education sub-sectors lead the charge in the adoption of public cloud services—which deliver IT services to organizations directly over the internet—as well as the deployment of multicloud—an IT environment that embodies two or more different clouds, private and/or public. With federal agencies now racing ahead of other industries in cloud-smart agility, they have the opportunity to meet soaring increases in demand, new mandates and new missions, as well as collaborate with global mission partners to protect and serve the public. However, there are two key challenges posing a threat to their cloud-smart progress that agencies should tackle in the year ahead:  

    Manageability

    The ECI revealed that the federal government has unusually high multicloud usage with a penetration level of 47%—11% higher than the global average. This is a promising sign as multicloud promotes agility, performance, cost savings and time savings to ultimately allow agencies to be responsible stewards of resources.

    However, management across cloud borders is complex and remains a major challenge for public sector organizations, with 85% agreeing that to succeed, their organizations need to simplify the management of multiple clouds. To address this challenge, 75% agree that a hybrid multicloud model, an IT operating model with multiple clouds, both private and public, and interoperability between them, is ideal. In the year ahead, federal government organizations should look to hybrid multicloud solutions.

    Application mobility

    Moving an application to a different IT infrastructure, or application mobility, is a critical multicloud and cloud-smart optimization enabler. At the same time, application mobility is also cited by nearly two-thirds (63%) of federal government ECI respondents as a multicloud challenge. With the majority of ECI respondents saying that moving apps can be time-consuming and costly, it’s expected that the adoption of containers and other AI-driven, hybrid multicloud tools will rise alongside multicloud deployments to enable apps to run and move nearly anywhere. Looking ahead, by the time most federal government ECI respondents are ready for these tools on a large scale, they’ll likely have more options available than are on the market today.

    As federal government and other public sector organizations continue their cloud journeys, it’s clear that there is no one-size-fits-all approach to the cloud, making hybrid multicloud the ideal IT environment according to 75% of ECI respondents. This model will help address some of the key challenges of multicloud deployments by providing a unified cloud environment on which security and data governance policies can be applied uniformly.

    Article link: https://www.nextgov.com/ideas/2022/05/federal-government-must-overcome-2-challenges-advance-cloud-smart-strategies/367243/

    Chip George is the vice president of Public Sector at Nutanix. He has more than 20 years’ experience working in government markets for various technology companies and started his career in the United States Navy as a Nuclear Submarine Officer on the USS Philadelphia (SSN 690).

  • Software-defined networking could get Army’s data moving faster

    by John Shotwell and Amy Walker

    As part of its tactical network modernization strategy, the Army has begun development, integration and Soldier-driven assessments to determine whether work integrating commercial off-the-shelf solutions could support the potential use of software-defined networking in tactical military environments. Similar to the way cloud computing improves capability by moving data storage from a device to a centralized data storage facility, software-defined networking is a network modernization approach that relocates and centralizes local network routing control functions at a secure remote location.

    The Army’s software-defined networking goals include:

    • Reducing complexity for the tactical user while simplifying network management for communications officers.
    • The ability to rapidly provision (load software) and re-provision network nodes based on mission to prepare them for operational use on the network.
    • Improving network resilience, including an automated primary, alternate, contingency and emergency routing plan.
    • Increasing network security.

    A software-defined networking architecture is a more dynamic design that could make network management, administration and signal prioritization easier, more flexible and more effective.

    WHAT IS SOFTWARE-DEFINED NETWORKING?

    As part of basic networking, before information is transmitted, it is broken up into smaller digital data packets. The network then chooses the best path, or route, to send each data packet, and once they reach their destination, the network reassembles them. The network performs two basic processes on the data packets—one process focuses on forwarding the packets to their destination and is referred to as the “data plane,” and the other process focuses on routing the packets and is referred to as the “control plane.” In the Army’s current traditional network, these two process planes are located and implemented together at a local level by a tactical network node’s hardware and proprietary networking operating systems. On the other hand, in a software-defined networking design, these two process planes are separated. The forwarding functions (the data plane) remain with the local network device, but the routing control functions (the control plane) are extracted, turned into more dynamic software, and centralized at a network operations facility, or in a campus network environment, where they can be managed collectively by experienced signal Soldiers.

    The remote routing controller knows all of the nodes that it can manage, and it can sense when there is congestion in the network or when there are dropped data packets, due to things like bad satellite connections or even enemy jamming. Through metrics embedded in the software, this intelligent controller can sense the most efficient path available and tell the nodes in the network to route around the issues. The Army’s current software-defined networking efforts are setting the stage to optimize routing even further by leveraging machine learning in the future, when the required technology becomes available.

    PROTOTYPE TRAINING

    Soldiers from the 1st Armored Brigade Combat Team (ABCT), 3rd Infantry Division (ID) undergo new equipment training of “prototype” at-the-halt tactical network transport upgrade equipment, September 2019, at Fort Stewart, Georgia. (U.S. Army photos by Amy Walker, PM Tactical Network/PEO C3T Public Affairs).

    RAPID TASK REORGANIZATION AND CYBER OPERATIONS

    To accomplish certain missions in today’s fight, commanders may need to reassign certain units, such as moving a company, to a different battalion. Unfortunately, such a move requires signal Soldiers to re-provision the unit’s vast number of network systems with new data and software, including new applications, firewall configurations and initialization data products. Initialization data products are assigned to each unit before deployment or training events to enable the systems to run on the network, but when a unit is reassigned, new data products are needed to support the new assignment. These products include unique identifiers, roles and Internet Protocol addresses, taking into account a unit’s specific mission, personnel footprint and mix of networked mission command systems. The Army refers to this process as unit task reorganization.

    In the face of potential peer and near-peer threats, the Army needs dynamic and flexible network re-provisioning capabilities to reflect changes in mission and assigned units. In the past, signal Soldiers manually conducted the provisioning and re-provisioning process one device at a time, with physical cables connecting each node to the network, which took many weeks, depending on the equipment and size of the unit. More recently, new Army capabilities are enabling over-the-air provisioning and security patching, which could, for example, speed the time it takes to provision a brigade’s worth of on-the-move, network-equipped vehicles from two weeks to three days, without having to take the entire system offline in the process. The implementation of an Army software-defined networking design could speed that process even further, cutting the time down to hours.

    In a similar respect, the Army is also looking to leverage software-defined networking to increase security in the tactical network by enabling rapid response through centralized changes to security policy, patching and configurations in support of offensive and defensive cyber operations. This would enable the Army to defend itself against enemy cyber threats across the network and push security updates to units all over the world, simultaneously, from the remote centralized network operations center.

    OVERCOMING A DEGRADED NETWORK ENVIRONMENT

    A software-defined networking design could enhance system and network simplicity for tactical users, since it moves some of that network complexity to a centralized network operations center. However, the Army will have to leave enough of the routing control functions locally, within the tactical device, to get through network challenges found in degraded signal environments. These degraded network challenges include network transport environments that are highly latent (slow), disconnected, intermittent and with low bandwidth, which the Army refers to as DIL environments.

    The tactical network is an interconnected mesh design, with different sized line-of-sight and beyond-line-of-sight systems that exchange data over different frequencies and multiple transmission paths. Together these unified systems enable secure network connectivity and data exchange across the force, from a large command post down to the Soldier on the ground with a handheld device. Unfortunately, degraded network challenges are inherent in the Army’s tactical network, and not just because of its size, breadth and complexity. Connectivity issues can also be caused by topography like mountains or buildings that block signals; on-the-move communications; or, increasingly, enemy jamming.

    In recent pilot efforts with operational units, the Army has been experimenting with both software-defined networking and software-defined wide area networking. These laboratory experiments and operational unit pilots are underscoring the need for solutions to detect and route around network interference and congestion, and to load-balance flows across multiple transmission paths, to increase network speed, performance and reliability.

    If the Army switches to a software-defined wide area network design, the remote centralized network controller will need to include software that implements a strong and automated primary, alternate, contingency and emergency routing plan, so that it can automatically route and reroute signals over multiple transmission paths, choosing the strongest available paths for optimal connectivity and resilience. The Army wants to ensure continuity of operations, to enable network routing to be seamless and transparent to the tactical user, so Soldiers can focus on the mission and not the network.

    Additionally, the network will need to have a fallback to compensate for degraded network emergencies, when the tactical network systems on the battlefield can’t “talk” to the remote network routing controller. To offset these scenarios, software-defined networking solutions will need to incorporate capabilities such as initialization data products and basic router configurations that reside locally, which the tactical network system can leverage until stronger network connections to the remote intelligent routing controller are restored.
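    The routing behavior described in this section, sketched as an added example (not code from the Army, PEO C3T or any vendor): a node prefers the controller's view of the primary, alternate, contingency and emergency paths while that view is fresh, and falls back to its locally stored configuration when the controller cannot be reached. The link names, thresholds and timeout are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Priority order of the routing plan: primary, alternate, contingency, emergency.
PACE_ORDER = ("primary", "alternate", "contingency", "emergency")


@dataclass(frozen=True)
class PathMetrics:
    loss_pct: float     # packet loss reported by the controller
    latency_ms: float   # round-trip latency reported by the controller


@dataclass(frozen=True)
class ControllerUpdate:
    received_at: float                # node clock (seconds) when the update arrived
    metrics: Dict[str, PathMetrics]   # keyed by PACE tier


@dataclass
class LocalConfig:
    """Stands in for the router configuration that resides on the node."""
    links: Dict[str, str] = field(default_factory=dict)  # tier -> link name
    max_loss_pct: float = 5.0            # assumed acceptance threshold
    max_latency_ms: float = 800.0        # assumed acceptance threshold
    controller_timeout_s: float = 30.0   # assumed staleness limit


Decision = Tuple[str, Optional[str], Optional[str]]  # (mode, tier, link)


def select_path(cfg: LocalConfig, update: Optional[ControllerUpdate],
                link_up: Dict[str, bool], now: float) -> Decision:
    """Pick the path a node should forward on right now."""
    # Only links the node itself sees as up are candidates, in PACE order.
    up = [t for t in PACE_ORDER if link_up.get(t, False) and t in cfg.links]
    if not up:
        return ("isolated", None, None)

    # A missing, stale or future-dated update means the controller is unusable.
    age = None if update is None else now - update.received_at
    fresh = age is not None and 0 <= age <= cfg.controller_timeout_s

    if fresh:
        measured = [(t, update.metrics[t]) for t in up if t in update.metrics]
        # Highest-priority tier whose reported quality is acceptable wins.
        for tier, m in measured:
            if m.loss_pct <= cfg.max_loss_pct and m.latency_ms <= cfg.max_latency_ms:
                return ("controller", tier, cfg.links[tier])
        # Nothing is healthy: take the least-bad measured path, not the top tier.
        if measured:
            tier, _ = min(measured, key=lambda tm: (tm[1].loss_pct, tm[1].latency_ms))
            return ("controller-degraded", tier, cfg.links[tier])

    # Controller unreachable: static PACE order from local configuration.
    tier = up[0]
    return ("local-fallback", tier, cfg.links[tier])


# Constructed sample data; the link names are hypothetical.
SAMPLE_CFG = LocalConfig(links={
    "primary": "satcom-a", "alternate": "los-radio",
    "contingency": "satcom-b", "emergency": "hf-radio",
})
ALL_UP = {t: True for t in PACE_ORDER}


def demo() -> Dict[str, Decision]:
    jammed = ControllerUpdate(95.0, {
        "primary": PathMetrics(40.0, 300.0),      # heavy loss on the primary
        "alternate": PathMetrics(1.0, 120.0),
        "contingency": PathMetrics(2.0, 650.0),
    })
    all_bad = ControllerUpdate(95.0, {
        "primary": PathMetrics(40.0, 300.0),
        "alternate": PathMetrics(20.0, 200.0),
        "contingency": PathMetrics(10.0, 900.0),
    })
    stale = ControllerUpdate(10.0, jammed.metrics)  # 90 s old at now=100
    only_contingency = {"primary": False, "alternate": False,
                        "contingency": True, "emergency": False}
    return {
        "reroute": select_path(SAMPLE_CFG, jammed, ALL_UP, 100.0),
        "degraded": select_path(SAMPLE_CFG, all_bad, ALL_UP, 100.0),
        "fallback": select_path(SAMPLE_CFG, stale, only_contingency, 100.0),
        "isolated": select_path(SAMPLE_CFG, None, {}, 100.0),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:9s} -> {decision}")
```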


    THE SEARCH FOR TAILORED SOLUTIONS

    Under an other-transaction authority rapid acquisition process, which leverages Soldier feedback, experimentation and prototyping, the Program Executive Office for Command, Control and Communications – Tactical (PEO C3T) is experimenting with commercial software-defined networking technologies at its integration facilities at Aberdeen Proving Ground, Maryland. Additionally, in late September 2019, supported by the 1st Armored Brigade Combat Team, 3rd Infantry, the Army assessed prototype software-defined networking and software-defined wide area networking software loaded onto the unit’s new at-the-halt tactical network hardware (fifth-generation technical insertion prototypes that the unit is currently piloting), at Fort Stewart, Georgia. Results from this experimentation effort are helping to inform software-defined networking design decisions and use cases—a set of possible sequences reflecting how users will employ the capabilities.

    As the efforts evolve, PEO C3T plans to leverage an open-standard design for easy integration—and to avoid proprietary designs or commitment to particular vendors—to spur innovation while keeping costs down through increased competition. System developers from the Army acquisition and research communities are working closely with industry to ensure they understand the degraded signal challenges in the Army’s network, which are much greater than in commercial networks, as well as other specific objectives so that they can provide us with more tailored solutions. These objectives include:

    • Assisting the Army in rapidly provisioning tactical network nodes. Software-defined networking experimentation has shown decreased provisioning time, especially when paired with virtualization and containerization, which further reduces the overall data size and the time needed for provisioning.
    • Supporting rapid unit task reorganization. The Army needs dynamic, flexible re-provisioning to reflect changes in mission and assigned units. This functional gap extends beyond the traditional software-defined networking capabilities and needs to allow for the tailoring of each tactical network device.
    • Optimizing routing in the tactical network. There is a need for software-defined networking to behave opportunistically. Because of the Army’s degraded network challenges, software-defined wide area networking solutions must enhance the network when the remote network controller is available, and enable nodes to operate independently when it is not available.
    • Simplifying network management. Experimentation reveals that centralizing and automating network configuration changes makes it easier for the network node operators on the ground. However, network management, including configuration changes, can still be quite complex for the centralized signal Soldier team to execute. There is opportunity to automate many of these functions.
    • Increasing security in the tactical network. The Army is looking at software-defined networking to assist in rapid cyber response through centralizing the ability to conduct changes to security policy, patching and configurations to support defensive cyber operations. This would enable Soldiers at the remote centralized controller location to send out patches or updates throughout the entire network.

    The Army understands that to receive better, more tailored solutions from industry, it needs to share open application programming interfaces and use cases in areas that could potentially be supported by commercial off-the-shelf products. These include interfaces for accessing initialization data; integrating to network operations tools; accessing network health information; application-aware routing that allows applications to respond to the network’s availability; and application self-provisioning.

    CONCLUSION

    PEO C3T is educating industry whenever possible on the tactical network environment and its challenges, as well as software-defined networking business opportunities. Working together with modular, open-system architectures and application programming interfaces, the Army and industry partners have the potential to make a real impact in network modernization, reducing complexity for users at the tactical edge and arming them with the network capabilities they need to defeat increasingly advanced adversaries.

    For more information, go to the PEO C3T website at http://peoc3t.army.mil/c3t/ or contact the PEO C3T Public Affairs Office at 443-395-6489 or usarmy.APG.peo-c3t.mbx.pao-peoc3t@mail.mil.

    JOHN SHOTWELL is the director of technology management/chief engineer for PEO C3T. Since 2003, he has supported PEO C3T in various engineering capacities as a subject-matter expert in Army tactical networks and served as lead systems engineer for multiple projects. He graduated from the Naval Postgraduate School with an M.S. in systems engineering and the New Jersey Institute of Technology with a B.S. in mechanical engineering. He is a member of the Army Acquisition Corps and Level III certified in engineering.

    AMY WALKER has been the public affairs lead at Project Manager Tactical Network for the last nine years, and was the public affairs lead at PEO C3T for the previous two. She has covered a majority of the Army’s major tactical network transport modernization efforts, including Army, joint and coalition fielding and training events worldwide. She holds a B.A. in psychology, with emphasis in marketing and English, from the College of New Jersey.

    Article link: https://asc.army.mil/web/news-alt-jfm20-redefining-the-network/

  • Two new challenges added this year focus on technological dominance and data as a strategic asset. Tech like hypersonics, microelectronics, AI, 5G and biotechnology were also highlighted.

    The Defense Department faces three new major management challenges heading into fiscal year 2021, and two out of the three deal directly with technology and information issues.  

    The Defense Department Office of Inspector General last week announced its annual report summarizing the biggest management and performance challenges the department faces for the next fiscal year, identifying a total of 10 new and enduring issues. Emerging technologies, managing and securing information systems, and data all featured prominently in the report.

    The two new technology-oriented management challenges relate to the need for DOD “dominance” in emerging technologies—such as 5G and artificial intelligence—and transforming data into a strategic asset.

    DOD needs to be able to push out innovative technologies at a faster pace than it currently does, according to the section on technological dominance. 

    “The potential of emerging technologies, and the challenges for the DOD, may be reflected in the new ways of warfighting,” the report reads. “Autonomous intelligent machines and applications can rapidly accelerate the speed of decision making and action, improve the DOD’s understanding of the battlespace, and enable new missions not yet conceived.”

    The report highlighted issues related to deployment of several major DOD tech priorities to include hypersonics, microelectronics, AI, 5G and biotechnology. For microelectronics and 5G, OIG indicated it planned to conduct further evaluations into DOD activities related to their deployment.

    In 2021, OIG intends to “evaluate whether the DOD has plans and procedures in place to manage and mitigate risks as it transitions from a trusted foundry model to a zero trust model for procuring microelectronics,” according to the report. It will also examine whether DOD has appropriate plans and policies to secure 5G as it is developed and deployed, according to the report. 

    The Pentagon also needs to do a better job of protecting the emerging technologies it is developing, according to the report. 

    On the data front, OIG determined the volume, velocity, variety, and veracity of DOD’s data makes it difficult to turn data into actionable information. 

    “Cultivating a culture that understands how to use data, recruiting and retaining the right skills for data management and analysis, and training the DOD workforce are critical to increasing data‑driven decision making in the DOD,” the report reads.

    One key DOD development in the area of data is the publication of the agency’s first enterprisewide data strategy, released in October, which was built with the goal of turning the Pentagon into a data-centric organization. Chief Data Officer David Spirk, shortly after the release of the strategy, said a lack of enterprise data management and systems interoperability are some of the main barriers to implementing the data strategy. The OIG report does not mention the new data strategy.

    One existing challenge OIG identified as a persistent problem that also deals with technology is the need to enhance DOD cyberspace operations and capabilities so that it can secure its information systems, network, and data.

    OIG identified four main areas for improvement when it comes to cyberspace and securing defense networks: coordinating effective cyberspace operations; defending and securing DOD systems, networks, devices, and data; modernizing legacy systems, networks, and devices; and building and maintaining an evolving cyber workforce. 

    “To protect the DOD Information Network (DODIN) from cyber threats, the DOD must continuously assess, acquire, and adapt its cyberspace capabilities and employ a skilled cyber workforce to defend the DODIN, as well as the networks and systems operated by non-DOD entities, the Defense Industrial Base, and U.S. allies,” the report reads. 

    Technology popped up in other areas of the report as well, including under challenges related to supply chain security and financial management and budgeting. 

    DOD needs to protect acquisitions by preventing intellectual property theft and cyber attacks in order to secure the supply chain, according to the report. The Cybersecurity Maturity Model Certification Program is an important line of effort in this area, and OIG said in the report it would perform oversight of the program once it has been fully implemented.

    OIG also plans to conduct audits to ascertain the security of DOD information stored by contractors, academic institutions, and research institutions, according to the report. 

    Financial audits revealed the Pentagon suffers from IT problems as well, mostly around system controls, according to the report. Auditors found issues with security controls, access rights and responsibilities, a lack of monitoring of configuration changes to IT systems, and a lack of necessary reconciliations to ensure data being transferred is complete and accurate. 

    While DOD has taken some steps to address inadequate IT operations, the department “continues to have difficulties with confirming that controls exist to ensure that DOD data is shared completely and accurately between systems, and auditors continue to find control weaknesses related to the processes of sharing information between financial‑related systems.”

    Article link: https://www.nextgov.com/emerging-tech/2020/11/defense-department-ig-outlined-pentagons-top-challenges-heres-where-tech-fits/170325/

  • Soldiers, industry and academia use the forge to develop Defensive Cyber Operations. (Daniel Woolfolk/Staff)

    Source: An Inside look at The Forge: Army’s hive for Defensive Cyber Operations

  • US Army’s defensive cyber tools office to deliver new systems in the next year – SOSSEC

    WASHINGTON — The U.S. Army program office responsible for developing defensive cyber tools is beginning to field a new platform to installations.

    Col. Mark Taylor, the project manager for defensive cyber operations at Program Executive Office Enterprise Information Systems, told C4ISRNET that the new platform — called the Garrison Defensive Cyber Operations Platform — is heading to the war fighter in the next year.

    A spokesperson for PEO EIS said the platform allows for integration into the global enterprise fabric, an Army enterprise computing environment, and will allow soldiers to work remotely. The Garrison effort started in early 2016, and the platform is being fielded to the Project Manager Defensive Cyber Operations’ Cyber Platform and Systems office.

    Also in the works at PEO EIS, which has an annual budget of $4.3 billion, are plans to stand up a new network to help cyber defenders collaborate with development teams to fix technological issues while in the field. The new network, called the Defensive Cyber Operations Development Environment Network, will be stood up in the next year, according to Lt. Col. Peter Amara, product lead for applied cyber technologies. The team is still working on the architecture of the platform.

    “It is a network or an infrastructure that’s supposed to enable our deployed forces to collaborate with development teams back here and industry and academia, etc.,” Amara told C4ISRNET in an interview before the annual Association of the U.S. Army conference. “When we have teams go out on mission and they encounter issues or problems, how do they talk back to developers to ensure that we actually fix, remediate, take care of that issue immediately without them, you know, actually coming back here before that issue is corrected?”

    The Forge and the Armory

    Another project under Project Manager Defensive Cyber Operations is the Forge. It was stood up a few years ago to quicken acquisition and innovation while building a stronger relationship with industry. In its first year, the Forge downsized a defensive cyber kit from 100 pounds to a deployable platform that could fit into an airplane’s overhead bin. In the last year, the Forge delivered another dozen software prototypes, Amara said.

    The Forge works closely with another little-known project manager capability, called the Armory, which serves as storage for software tools developed by the Forge. When the Forge develops patches for software products, it’s the Armory that installs them.

    “This central repository makes it much easier for the [program manager] to work with the operational forces to keep that weapon system up to date,” Taylor said. “It also provides cost-control measures: Instead of having all those weapons systems all deployed out, we can effectively and efficiently use our resources to provide the cyberwarriors that are out on mission with the most up-to-date capability possible.”

    The Armory operates like a traditional arms room for an infantry battalion, but instead of storing weapons, it keeps the deployable defensive cyber operations systems kits. At the Armory, the kits’ software and hardware are maintained so they are ready for deployment. That includes updating licenses, patching software, ensuring proper configurations and repairing some of the hardware that might come back from a mission in disrepair in order to ensure that when the system needs to deploy again, it’s ready.

    “All that needs to be on the right configuration so it’s all working together properly, [because] when a soldier or cyber defender is out on mission, it could be for an extended period of time,” Taylor said. “When that system comes back, it probably needs to be looked at and maintain[ed].”

    The Armory fielded more than 100 requests for the deployable defensive cyber operations kits during the coronavirus pandemic, Amara said. “We want to lean forward and do more” by fielding the kits across the regular Army, Reserves and National Guard, he added.

    Because it bridges the gap between the Forge and operational forces, the Armory also plays a “critical role” in gathering soldier feedback on systems, Amara said. He explained that when cyber defenders return kits to an Armory location, his team knows the tools that soldiers used, how much they used them, what worked and what didn’t work, and then use that information for future software development cycles.

    “By virtue of that contact with the cyber defenders, the Armory plays a critical role as that customer feedback interface for the Applied Cyber Technologies office. Really integrating the Forge with the Armory, the Forge has been able to respond rapidly to the needs of cyber defenders. As those kits are looked at, information that is generated from that process is then sent back to the Forge, [so] if there’s something that we need to develop quicker to make sure that the latest version of the software is enhanced on the kits for the next mission,” Amara said.

    Industry and COVID-19

    Since its establishment, the Forge has relied on vendors coming to Fort Belvoir, Virginia, to demonstrate products. But the COVID-19 pandemic accelerated a process that leadership at the program office already wanted to implement: virtualizing the demonstration process to protect soldiers, acquisition officials and industry from illness.

    But a lot of that meant vendors physically coming to Fort Belvoir to showcase their products. Still, the pandemic has driven more vendors to pitch their solutions.

    “Now we’re setting up a way to virtually meet with these stakeholders,” Taylor said. “That has really opened up the aperture and reduced the barriers to entry on innovation and collaboration, where a lot of vendors that wouldn’t normally have the money and the time to pay somebody to come meet face-to-face, now they can meet virtually to show us the capabilities they have to meet whatever requirements that we need to fill.”

    During the pandemic, vendors are using an outward-facing platform hosted by the Forge where they can input their code for evaluation.

    “They can actually input it into our pipeline, and it will go through our DevSecOps process,” Amara said. “And then we can see if the tool works, first of all, with any of our systems and where it’s broke. If it doesn’t make it to the end state, we can then, you know, send it back to the vendor.”

    Article link: US Army’s defensive cyber tools office to deliver new systems in the next year – SOSSEC Inc

  • Pentagon Expanding 5G Efforts, DOD Official Says – Nextgov

    The Pentagon is pushing ahead on a variety of 5G projects with more proposal requests on the way despite concerns over what role the Defense Department should have in building and controlling 5G networks. 

    Defense Undersecretary for Acquisition and Sustainment Ellen Lord said Tuesday the DOD will issue two 5G broad agency announcements in early 2021. The first BAA will be for 5G security prototyping and experimentation, and the second will be “for more fundamental research and development into beyond 5G technologies,” Lord said at a MITRE Corporation event launching a new 5G consortium. 

    Lord’s pre-recorded remarks come after some of the Pentagon’s requests for information on 5G have raised eyebrows among lawmakers, Nextgov reported last month. GOP lawmakers including Sen. John Thune, R-S.D., and Democrats including Reps. Frank Pallone, D-N.J., and Rep. Mike Doyle, D-Pa., objected to language in one solicitation suggesting DOD is considering owning and operating its own 5G network. 

    On Tuesday, Lord painted the Pentagon as more of a champion of industry 5G efforts than a usurper, particularly as it pertains to setting security standards for the technology. She also enumerated some military technology applications she sees as dependent on 5G, including drones and autonomous vehicles. 5G is a technology that will transform military operations by facilitating movement of data across a complex web of sensors and systems, Lord said. 

    “This massive amount of data is a key to unlocking further technological gains in the form of artificial intelligence and machine learning,” Lord said. “Low latency communications will enable new generations of unmanned and autonomous weapon systems across all domains, empowering the warfighter with far richer access to data at the tactical edge, so that even small units can achieve strategic effects.”

    The announcement of more requests for proposals comes a month after DOD announced $600 million in contract awards for the creation of 5G testbeds at five military bases over three years. Lord said Tuesday she expects testbeds at Hill Air Force Base, Utah; Joint Base Lewis-McChord, Washington; Marine Corps Logistics Base Albany, Georgia; Naval Base San Diego, California; and Nellis Air Force Base, Las Vegas, Nevada to come online within the first year, with full-scale experimentation for dual-use applications likely in the second year. 

    Solicitations for prototyping and experimentation at another seven military bases are underway, Lord said. Three bases have already released requests for information and more are imminent, she added. 

    In addition, the Pentagon will publish new guidance on supply chain security for microelectronics, which support 5G technology, Lord said. DOD is developing standards together with the commercial industry, she added. Lord did not specify when this guidance will be released. 

    “I am proposing a step by step process for reconstituting the U.S. micro electronics supply chain for components critical for national security,” Lord said. “The approach will target key verticals, where the supply and demand gap is large, and technologies are important to DOD systems critical infrastructure and important commercial needs.”

  • DOD Works With Industry to Ramp Up 5G Network Innovation

    NOV. 10, 2020 | BY DAVID VERGUN, DOD NEWS

    The introduction of 5G network technology helps restore military readiness, builds a more lethal force, expands and strengthens alliances and partnerships and brings business reform to the department, a Defense Department official said.

    Under Secretary of Defense for Acquisition and Sustainment Ellen M. Lord spoke today about future 5G network technology, remotely from the Pentagon, to MITRE Engenuity.

    5G will transform the way the military operates, she said, noting that it supports fires, command and control, intelligence, movement and maneuver, protection, sustainment and information. 

    “Tomorrow’s warfighters will use local and expeditionary 5G networks to move massive amounts of data to connect distant sensors and weapons into a dense, resilient battlefield network. This massive amount of data is a key to unlocking further technological gains in the form of artificial intelligence and machine learning, as well as unmanned and autonomous weapons systems across all domains,” she said.

    The deployment of 5G will also enable a new generation of the knowledge economy, increasing productivity, growing new businesses and spurring innovation, Lord said.

    The technology is vital to maintaining America’s military and economic advantage and the DOD is heavily invested in 5G to test and demonstrate various applications and use of these emerging technologies to support the National Defense Strategy, she said.

    The department’s focus on 5G, Lord said, involves large-scale experimentation and prototyping. Currently, five installations will be used as a 5G test-bed.

    Trusted 5G communications systems require secure software, firmware and hardware as well as reliable microelectronic technology. These require a closer working relationship with both traditional defense sector partners and non-traditional partners in sectors such as telecommunications, she said. The commercial and government sectors are working together to establish processes and standards that will ensure the security of all three areas.

    It is also critical to re-shore the microelectronics industrial base, used in the manufacture of communications equipment, Lord said, meaning bringing manufacturing back to the U.S.

    Current microelectronics and telecommunications manufacturing is being done largely overseas, mostly in Asia, she said.

    That puts U.S. national security at risk, she said. For instance, the Chinese could install backdoors and malicious code into the electronics. Also, overseas manufacturing means a loss of employment opportunities and economic growth here in the U.S. The department is hoping to change that, she said, adding that “the U.S. must lead in 5G development.”

  • Why 5G requires new approaches to cybersecurity

    Editor’s Note:

    Tom Wheeler recently appeared on the Lawfare Podcast to discuss the cybersecurity of 5G networks with Brookings Fellow Margaret Taylor. You can listen to the podcast episode here.

    “The race to 5G is on and America must win,” President Donald Trump said in April. For political purposes, that “race” has been defined as which nation gets 5G built first. It is the wrong measurement.

    We must “fire first effectively” in our deployment of 5G. Borrowing on a philosophy Admiral Arleigh Burke coined in World War II: Speed is important, but speed without a good targeting solution can be disastrous.[1]

    5G will be a physical overhaul of our essential networks that will have decades-long impact. Because 5G is the conversion to a mostly all-software network, future upgrades will be software updates much like the current upgrades to your smartphone. Because of the cyber vulnerabilities of software, the tougher part of the real 5G “race” is to retool how we secure the most important network of the 21st century and the ecosystem of devices and applications that sprout from that network.

    Never have the essential networks and services that define our lives, our economy, and our national security had so many participants, each reliant on the other—and none of which have the final responsibility for cybersecurity. The adage “what’s everybody’s business is nobody’s business” has never been more appropriate—and dangerous—than in the quest for 5G cybersecurity.

    The new capabilities made possible by new applications riding 5G networks hold tremendous promise. As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications. To build 5G on top of a weak cybersecurity foundation is to build on sand. This is not just a matter of the safety of network users, it is a matter of national security.

    Hyperfocus on Huawei

    Effective progress toward achieving minimally satisfactory 5G cyber risk outcomes is compromised by a hyperfocus on legitimate concerns regarding Huawei equipment in U.S. networks. While the Trump administration has continued an Obama-era priority of keeping Huawei and ZTE out of domestic networks, it is only one of the many important 5G risk factors. The hyperbolic rhetoric surrounding the Chinese equipment issues is drowning out what should be a strong national focus on the full breadth of cybersecurity risk factors facing 5G.

    The purpose of this paper is to move beyond the Huawei infrastructure issue to review some of the issues that the furor over Huawei has masked. Policy leaders should be conducting a more balanced risk assessment, with a broader focus on vulnerabilities, threat probabilities, and impact drivers of the cyber risk equation. This should be followed by an honest evaluation of the oversight necessary to assure that the promise of 5G is not overcome by cyber vulnerabilities, which result from hasty deployments that fail to sufficiently invest in cyber risk mitigation.

    Such a review of 5G cyber threat mitigation should focus on the responsibilities of both 5G businesses and government. This should include a review of whether current market-based measures and motivations can address 5G cyber risk factors and where they fall short, the proper role of targeted government intervention in an era of rapid technological change. The time to address these issues is now, before we become dependent on insecure 5G services with no plan for how we sustain cyber readiness for the larger 5G ecosystem.

    The after-the-fact cost of missing a proactive 5G cybersecurity opportunity will be much greater than the cost of cyber diligence up front. The NotPetya attack in 2017 caused $10 billion in corporate losses. The combined losses at Merck, Maersk, and FedEx alone exceeded $1 billion. 5G networks did not exist at that time, of course, but the attack illustrates the high cost of such incursions, and it pales in comparison to an attack that would result in human injury or loss of life. We need to establish the conditions by which risk-informed cybersecurity investment up front is smart business for all 5G participants.

    China is a threat even when there is not Huawei equipment in our networks. From the successful exfiltration of highly sensitive security clearance data in the Office of Personnel Management breach commonly attributed to China, to the ongoing China-linked threat actor campaign against managed service providers, many of China’s most successful attacks have taken advantage of vulnerabilities in non-Chinese applications and hardware and poor cyber hygiene. None of this goes away with the ban on Huawei. We cannot allow the headline-grabbing focus on Chinese network equipment to lull us into a false sense of cybersecurity. In a world of interconnected networks, devices, and applications, every activity is a potential attack vector. This vulnerability is only heightened by the nature of 5G and its highly desirable attributes. The world’s hackers (good and bad) are already turning to the 5G ecosystem, as the just concluded DEFCON 2019 (the annual ethical “hacker Olympics”) illustrated. The targets of this year’s hacker villages included key parts of the 5G ecosystem such as: aviation, automobiles, infrastructure control systems, privacy, retail call centers and help desks, hardware in general, drones, IoT, and voting machines.

    5G expands cyber risks

    There are five ways in which 5G networks are more vulnerable to cyberattacks than their predecessors:

    1. The network has moved away from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks were hub-and-spoke designs in which everything came to hardware choke points where cyber hygiene could be practiced. In the 5G software defined network, however, that activity is pushed outward to a web of digital routers throughout the network, thus denying the potential for chokepoint inspection and control.
    2. 5G further complicates its cyber vulnerability by virtualizing in software higher-level network functions formerly performed by physical appliances. These activities are based on the common language of Internet Protocol and well-known operating systems. Whether used by nation-states or criminal actors, these standardized building block protocols and systems have proven to be valuable tools for those seeking to do ill.
    3. Even if it were possible to lock down the software vulnerabilities within the network, the network is also being managed by software—often early generation artificial intelligence—that itself can be vulnerable. An attacker that gains control of the software managing the networks can also control the network.
    4. The dramatic expansion of bandwidth that makes 5G possible creates additional avenues of attack. Physically, low-cost, short range, small-cell antennas deployed throughout urban areas become new hard targets. Functionally, these cell sites will use 5G’s Dynamic Spectrum Sharing capability in which multiple streams of information share the bandwidth in so-called “slices”—each slice with its own varying degree of cyber risk. When software allows the functions of the network to shift dynamically, cyber protection must also be dynamic rather than relying on a uniform lowest common denominator solution.
    5. Finally, of course, is the vulnerability created by attaching tens of billions of hackable smart devices (actually, little computers) to the network colloquially referred to as IoT. Plans are underway for a diverse and seemingly inexhaustible list of IoT-enabled activities, ranging from public safety things, to battlefield things, to medical things, to transportation things—all of which are both wonderful and uniquely vulnerable. In July, for instance, Microsoft reported that Russian hackers had penetrated run-of-the-mill IoT devices to gain access to networks. From there, hackers discovered further insecure IoT devices into which they could plant exploitation software.

    Fifth-generation networks thus create a greatly expanded, multidimensional cyberattack vulnerability. It is this redefined nature of networks—a new network “ecosystem of ecosystems”—that requires a similarly redefined cyber strategy. The network, device, and applications companies are aware of the vulnerabilities and many are making, no doubt, what they feel are good faith efforts to resolve the issues. The purpose of this paper is to propose a basic set of steps toward cyber sufficiency. It is our assertion that “what got us here won’t get us there.”

    Fifth-generation networks create a greatly expanded, multidimensional cyberattack vulnerability. Therefore, the redefined nature of these networks requires a similarly redefined cyber strategy. (Credit: Tom Westbrook/Reuters)

    5G service providers are the first ones to tell us that 5G will underpin radical and beneficial transformation in what we can do and how we manage our affairs. At the same time, these companies have publicly worried about their ability to address the totality of the cyber threat and have described the future challenge in disturbingly blunt terms. The president’s National Security Telecommunications Advisory Committee (NSTAC)—composed of leaders in the telecommunications industry—told him in November, “The cybersecurity threat now poses an existential threat to the future of the [n]ation.”

    The nature of 5G networks exacerbates the cybersecurity threat. Across the country, consumers, companies, and cities seeking to use 5G are ill-equipped to assess, let alone address, its threats. Placing the security burden on the user is an unrealistic expectation, yet it is a major tenet of present cybersecurity activities. Looking to the cybersecurity roles of the multitude of companies in the 5G “ecosystem of ecosystems” reveals an undefined mush. Our present trajectory will not close the cyber gap as 5G greatly expands both the number of connected devices and the categories of activities relying on 5G. This general dissonance is further exacerbated by positioning Chinese technological infection of U.S. critical infrastructure as the essential cyber challenge before us. The truth is that it’s just one of many.

    What have we learned thus far?

    5G has challenged our traditional assumptions about network security and the security of the devices and applications that attach to that network. As officials of the Federal Communications Commission (FCC), the authors struggled to deal with these challenges only to be confronted by:

    • Industrial-era procedural laws that make rulemaking activity cumbersome and non-rulemaking activity less than optimal.
    • The incentive of bad actors to overcome any solution that is typically greater than the incentive to maintain the protection.
    • Industry stakeholder fear of exposing their internally identified risk factors at precisely the time when sharing information about attacks would be of greatest value for a collective defense.

    At the same time, those who know the networks the best—the network operators—exist under business structures that are not optimal for effective risk reduction. As an FCC white paper concluded three years ago:

    As private actors, ISPs (internet service providers, such as 5G networks) operate in economic environments that pressure against investments that do not contribute to profit. Protective action taken by one ISP can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to invest in such protections. Cyber accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job efficiently.

    The FCC report’s finding—that market forces alone would not address society’s cyber risk interests—highlighted the ISPs over which the agency had primary jurisdiction. The report additionally examined the larger ecosystem and concluded that the motivation to solve the problem generally gets worse when consumers do not link a purchasing decision with a cyber risk outcome. This, unfortunately, is all too often the case, as service providers as well as device and application vendors do not make meaningful security differentiators public and don’t compete on any verifiable security indicators.

    In 2016, for instance, hackers shut down major portions of the internet by taking control of millions of low-cost chips in the motherboards of video security cameras and digital video recorders. That the internet could be attacked this way reflected the reality of digital supply chains: Because consumers didn’t consider cybersecurity in their purchase decisions of low-cost connected devices (they were the means, not the target of the attack), retailers didn’t prioritize security in their decisions of what to stock. As a result, manufacturers didn’t emphasize cyber in the components they purchased and thus chip and motherboard manufacturers did not include cyber protections in their product. None of the companies defined a role for themselves for sustaining post-purchase product cyber readiness and, by and large, that’s still the case.

    New industry verticals are bringing 5G-enabled capabilities to a market where good faith efforts are insufficient. There is no evidence that the business priorities of the suppliers of devices and applications are any different than those attributed to network operators in the FCC report. A 2018 report by the Trump administration’s Council of Economic Advisers, for instance, warned of, “underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment.”

    None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged. Continuation of corporate and governmental policies that are not keeping up with today’s cyber risk does not bode well for a volumetric expansion of the attackable network and data surface of 5G networks. There is a crying need for coordinated efforts to achieve targeted expectations.

    Two keys to winning the real “5G race”

    The real “5G race” is whether the most important network of the 21st century will be sufficiently secure to realize its technological promises. Yes, speedy implementation is important, but security is paramount. To answer that overriding question requires new efforts by both business and government and a new relationship between the two.

    The recommendations that follow are both important and not without cost. In normal times, such suggestions might be judged too much of a departure from traditional practices. These are not normal times, however. The outlook for a future that relies on 5G and other new digital pathways is cyber-defined. Our nation has moved into a new era of non-kinetic warfare and criminal activity by nation-states and their surrogates. This new reality justifies the following corporate and governmental actions.

    Key #1: Companies must recognize and be held responsible for a new cyber duty of care

    The first of this two-part proposal is the establishment of a rewards-based (as opposed to penalty-driven) incentive for companies to adhere to a “cyber duty of care.” Traditionally, common law established that those who provide products and services have a duty of care to identify and mitigate potential harms that could result. There needs to be a new corporate culture in which cyber risk is treated as an essential corporate duty and rewarded with appropriate incentives, whether in monetary, regulatory, or other forms. Such incentives would require adherence to a standard of cyber hygiene which, if met, would entitle the company to be treated differently than other non-complying entities. Such a cyber duty of care includes the following:

    • Reversing chronic underinvestment in cyber risk reduction

    Proactive cyber investment today is the exception rather than the rule. For public companies, the Securities and Exchange Commission (SEC) and others are driving change from the corporate board-level on down through management. A favorite entrance point for cyberattacks, however, remains the smaller companies, many of which are outside of the scope of these efforts. Unfortunately, the SEC’s efforts impact only the less than 10% of American companies that are publicly owned. At the very least, where companies have a role in critical infrastructure or provide a product or service that, if attacked, could imperil public safety, there must be the expectation that cybersecurity risks are being addressed proactively.[2]

    • Implementation of machine learning and artificial intelligence protection

    Cyberattacks on 5G will be software attacks; they must be countered with software protections. During a Brookings-convened discussion on 5G cybersecurity, one participant observed, “We’re fighting a software fight with people” whereas the attackers are machines. Such an approach was like “looking through soda straws at separate, discrete portions of the environment” at a time when a holistic approach and consistent visibility across the entire environment is needed. The speed and breadth of computer-driven cyberattacks requires the speed and breadth of computer-driven protections at all levels of the supply chain.

    • Shifting from lag indicators of cyber-preparedness (post-attack) to leading indicators

    A 2018 White House report found a “pervasive” underreporting of cyber events that “hampers the ability of all actors to respond effectively and immediately.” The 5G cyber realm needs to adopt leading indicator methodology to communicate cyber-preparedness between interdependent commercial companies and with government entities charged with oversight responsibilities. There are a number of good examples to pull from. Shared cyber risk assessments are increasingly a best practice for cyber-mature companies and their supply chain. Several accounting and insurance firms have developed lead metrics to inform cyber risk reduction investments and underwrite policies. The Department of Homeland Security has resiliency self-assessment standards to motivate long-term community disaster preparedness improvement.[3] Such a model should be extended to the 5G cyber realm in order to shift oversight from lag indicators to lead indicators.

    A regular program of engagement with boards and regulators using cybersecurity lead indicators will build trust, accelerate closing the 5G readiness gap and lead towards more constructive outcomes when cyber attackers do succeed. Underreporting of lag indicators, as highlighted in the 2018 White House report, should be addressed, but with the primary purpose of closing the feedback loop, improving the quality of lead measures and the investment decision process they inform.

    • Cybersecurity starts with the 5G networks themselves

    While many of the large network providers building 5G are committing meaningful resources to cyber, small- and medium-sized wireless ISPs serving rural communities have been hard pressed to rationalize a robust cybersecurity program. Some of these companies have fewer than 10 employees and can’t afford a dedicated cyber security officer or a 24/7 cyber security operations center. Still, they will be offering 5G services and interconnecting with 5G networks. About one-third of these companies have ignored government warnings about the use of Huawei equipment and are now petitioning Congress to pay for their poor decisions and pay to replace the non-Chinese equipment. Any replacement must include the expectation that the companies will establish sufficient cybersecurity processes that sustain protections. All the networks that deliver 5G—whether big brand names, small local companies, wireless ISPs, or municipal broadband providers—must have proactive cyber protection programs.

    • Insert security into the development and operations cycle

    For many application developers, a core agile development tenet has been sprinting to deploy a minimum viable product, accepting risk, and committing to later providing consumer-feedback-driven upgrades once the product gains a following. Software companies and those providing innovative, software-based products and services are beginning to insert cybersecurity in the process as a design, deployment, and sustainment consideration for every new project. Such security by design should be a minimum duty of care across the commercial space for innovations in the emerging 5G environment.

    • Best practices

    The National Institute of Standards and Technology (NIST) Cybersecurity Framework has established five areas for best practice cybersecurity management that could become the basis of industry best practices: Identify, protect, detect, respond, and recover. For instance, NIST’s “identify” initiative focuses on determination of a company’s cyber universe, threats, and vulnerabilities in order to identify cyber risk reduction investments. While not limited only to the NIST framework, Congress should establish a cybersecurity standard of expected performance and accompanying incentives for its adoption by companies. While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry and continue to place the burden on poorly informed consumers to know whether the best practices are being fulfilled. The Consumer Technology Association (CTA)—representing the $377 billion U.S. consumer technology industry—helped produce an anti-botnet guide that outlines best practices for device manufacturers, but there is no way for a consumer to easily tell if it’s being followed.

    Unfortunately, publication of optional cybersecurity best practices without full industry buy-in may be an attempt at responsible behavior and good public relations, but often does little to change the cyber risk landscape. While CTA has additionally published a useful buyer’s guide to explain cyber risk issues and improve household cyber hygiene, one wonders how many consumers of low-cost network connected technologies even know of its existence. Shifting cyber risk burdens to poorly informed consumers has limited utility. The 5G commercial sector needs to acknowledge the limits of consumer-based actions, own the residual risk, and work together with government oversight to assign cross-sector mitigation responsibilities.

    Key #2: Government must establish a new cyber regulatory paradigm to reflect the new realities

    Current procedural rules for government agencies were developed in an industrial environment in which innovation and change—let alone security threats—developed more slowly. The fast pace of digital innovation and threats requires a new approach to the business-government relationship.

    • More effective regulatory cyber relationships with those regulated

    Cybersecurity is hard, and we should not pretend otherwise. As presently structured, government is not in a good position to get ahead of the threat and determine detailed standards or compliance measures where the technology and adversary’s activities change so rapidly. A new cybersecurity regulatory paradigm should be developed that seeks to de-escalate the adversarial relationship that can develop between regulators and the companies they oversee. This would replace detailed compliance instructions left over from the industrial era with regular and fulsome cybersecurity engagements between the regulators and the providers at greatest risk as determined by criticality, scale (impact), or demonstrated problems (vulnerabilities) built around the cyber duty of care. It would be designed to reward sectors where participants have organized and are clearly investing ahead of failure to address risk factors.

    Conversely, where sectors are ignoring cyber risk factors, graduated regulatory incentives can change corporate risk calculus to address consumer and community concerns. These activities would be afforded confidentiality and not be used by themselves to discover enforcement violations, but instead to help both regulators and the regulated better spot trends, best practices, and collectively and systematically improve their sector’s approach to cyber risk. DHS can have a supporting role for this, but at the end of the day, the balance between security, innovation, corporate means, and market factors is inherently regulatory. Absent the ability to impose a decision, government involvement can only be hortatory.

    • Recognition of marketplace shortcomings

    Economic forces drive corporate behavior. Of course, there are bottom-line-affecting costs associated with cybersecurity. Even when such costs are voluntarily incurred, however, their benefits can be undone by another company that doesn’t make the effort. The first of this paper’s two recommendations suggests what companies can do to exercise their cyber duty of care. History has shown, however, that the carrot accompanying such efforts often needs the persuasion of a standby stick. This is only fair to those companies that step up to their responsibility and should not be penalized in the marketplace by those that do not step up. A rewards-based policy would amplify the value of cyber duty of care participation, especially when others fall short. It would also provide forward-looking incentive for risk reduction and a more useful feedback loop when breaches invariably occur.

    • Consumer transparency

    Consumers have little awareness and no insight with which to make an informed market decision. The situation is analogous to the forces that resulted in the establishment of nutritional labeling for foods. Consumers should be given the tools with which to make informed decisions. “Nutritional labeling” about cyber risks or a cyber version of Underwriters Laboratories’ self-certification will help focus the attention of all parties on its importance.

    • Inspection and certification of connected devices

    For years, the FCC has overseen a program to certify that radio-signal-emitting devices do not interfere with authorized use of the nation’s airwaves. Whether cellphones, baby monitors, electronic power supplies, or Tickle Me Elmo, the FCC assures the design and assembly of transmitting devices are within standards. The industry then organizes underneath that construct to self-certify devices by cost-effective means baked into their production and distribution processes. At the time of the 2016 Dyn attack that took control of millions of video cameras, the authors proposed a similar regimen to review the cybersecurity of connected devices. If we protect our radio networks from harmful equipment, why do we not protect our 5G networks from cyber-vulnerable equipment?

    • Contracts aren’t enough

    Both the executive and legislative branches have focused on using government acquisition standards and pathfinder contracts to impose cybersecurity requirements where government contracts can compel commercial actions. This is an important, proven practice, but it can only go so far. Federal acquisition policies do not reach non-government suppliers that in an interconnected network can wreak havoc by simply connecting to the network. The majority of small and medium 5G network providers are not bound by any of these government contracts.

    • Stimulate closure of 5G supply chain gaps

    For years government review of mergers and acquisitions has typically failed to appreciate the potential negative impact on critical supply chains. Moving companies and processes offshore or to joint ventures with foreign ownership/control has created wholesale gaps in the supply of crucial 5G components and the absence of domestic procurement options. Country of origin/ownership concerns must become relevant to both the corporate calculus that led to offshoring purchase decisions as well as to the market conditions that led to the destruction of a national capability in the first place. 5G supply chain market analysis must be continuous with regular engagement between regulators, industry, and the executive and legislative branches to properly incentivize globally competitive domestic sourcing alternatives.

    • Re-engage with international bodies

    At present, the standards setting process for 5G is governed by the 3rd Generation Partnership Project (3GPP), an industry group that makes decisions by consensus based on input from its members, including Chinese 5G equipment companies. (Huawei reportedly made the most contributions to the 5G standard.) The Obama FCC engaged directly with 3GPP to identify public safety and cybersecurity risk considerations applicable to the U.S. market. It additionally opened a notice of inquiry to ask the nation’s best technology brains how to implement cybersecurity risk reduction as part of the development and deployment cycle. The move was opposed by some industry associations and the Republican commissioners. Shortly after the beginning of the Trump administration, the new FCC cancelled the Obama FCC’s cyber initiatives.

    The FCC should re-engage with international bodies like the 3rd Generation Partnership Project to have more agency in the worldwide debate over 5G cybersecurity. (Credit: FCC/U.S. government work)

    There needs to be informed third-party oversight early in the 5G industry’s design and deployment cycle in order to prioritize cybersecurity. The nation, our communities and our citizens should—through their government—have some degree of agency in the process. The FCC and Commerce Department should participate in 3GPP and the U.S. feeder group as observer stakeholders. This will allow for earlier issue identification and the opportunity to submit concerns, without changing the basic governance of standards setting. The representatives of American citizens should have the option to escalate engagement on matters of national security and public safety concern.

    Conclusion

    It is an amazing turn of events when the U.S. Senate, currently led by Republicans, feels it necessary to introduce legislation instructing the Trump administration “to develop a strategy to ensure the security of next generation mobile telecommunications systems and infrastructure.” The 5G cybersecurity threat is a whole-of-the-nation peril. We should not be lulled into complacency because the newness of the network has masked the threat. We must not confuse 5G cybersecurity with international trade policy. Congress should not have to pass legislation instructing the Trump administration to act on 5G cybersecurity. The whole-of-the-nation peril requires a whole-of-the-economy and whole-of-the-government response built around the realities of the information age, not formulaic laissez faire political philosophy or the structures of the industrial age.

    “People are going to be put at risk and possibly die as we increasingly connect life sustaining devices to the internet,” was the stark warning from one of the experts participating in a Brookings roundtable on 5G cybersecurity. This cold reality is because the internet’s connection to people and the things on which they depend will increasingly be through vulnerable 5G networks. It is an exposure that is exacerbated by a cyber cold war simmering below the surface of consumer consciousness.

    Early generation cyberattacks targeted intellectual property, extortion, and hacked databases. Today, the stakes are even higher as nation-state actors and their proxies gain footholds in our nation’s critical infrastructure to create attack platforms lying in wait. Any rational risk-based assessment reveals that the favored adversary target is our commercial sector. Companies that provide critical network infrastructure or provide products or services connected to it represent the likely and potentially most dangerous enemy course of action in the ongoing cyber cold war.

    “If you’re asking me if I think we’re at war, I think I’d say yes,” the former commandant of the Marine Corps, Gen. Robert Neller, told an audience in February. “We’re at war right now in cyberspace. … They’re pouring over the castle walls every day.” While our adversaries, no doubt, see positive outcomes for high-profile direct attack, they also are perfecting less-risky positive outcomes in a steady pace of low-level attacks intended to erode U.S. public confidence in our cyber critical infrastructure and the digital economy it underpins. The low-intensity cyber war is already ongoing as our adversaries risk very little in these attacks and stand to gain much.

    Into this attack environment has come a software-based network built on a distributed architecture. With its software operations per se vulnerable, and a distributed topology that precludes the kind of centralized chokepoint afforded by earlier networks, 5G networks will be an invitation to attacks. Given that the cyber threat to the nation comes through commercial networks, devices, and applications, our 5G cyber focus must begin with the responsibilities of those companies involved in the new network, its devices, and applications. The cyber duty of care for those involved in 5G services is the beginning of such proactive responsibility.

    At the same time, the federal government has its own responsibility to create incentives for 5G companies to focus on the cyber vulnerabilities they create. This is especially the case when there may be a corporate or marketplace lack of motivation to prioritize a maximum cyber effort. As outlined in this paper, this will necessitate replacing the rigid industrial-era relationship between government and business with more innovative and agile means of dealing with the shared problem.

    Yes, the “race” to 5G is on—but it is a race to secure our nation, our economy, and our citizens.

    The moment is now for a bipartisan call to action to not just address the current 5G exposures, but also to address the structural shortfalls that have allowed the cyber readiness gap to continue to grow. What got us here won’t get us to a secure 5G-enabled future.

    Tom Wheeler was the 31st chair of the FCC from 2013 to 2017. Currently, he is a visiting fellow at the Brookings Institution. Rear Admiral David Simpson, USN (Ret.), was chief of the FCC’s Public Safety and Homeland Security Bureau during the same period. Currently, he is a professor at Virginia Tech’s Pamplin College of Business.


    The Brookings Institution is a nonprofit organization devoted to independent research and policy solutions. Its mission is to conduct high-quality, independent research and, based on that research, to provide innovative, practical recommendations for policymakers and the public. The conclusions and recommendations of any Brookings publication are solely those of its author(s), and do not reflect the views of the Institution, its management, or its other scholars.

    Microsoft provides general, unrestricted support to The Brookings Institution. The findings, interpretations, and conclusions posted in this piece are not influenced by any donation. Brookings recognizes that the value it provides is in its absolute commitment to quality, independence, and impact. Activities supported by its donors reflect this commitment.

  • DRUID expands Army’s development environment
    • By GCN Staff
    • Nov 16, 2020

    Tools have little use if employees can’t access them. That’s where the Army’s Defensive Cyber Operations Resource for Updates, Innovation and Development (DRUID) comes in.

    Defensive Cyber Operations Resource for Updates, Innovation and Development

    U.S. Army

    The project is designed to improve how the Army’s Cyber Mission Force trains and conducts missions. DRUID is part of the Applied Cyber Technologies portfolio managed by the Program Executive Office for Enterprise Information Systems’ Defensive Cyber Operations.

    “Up until now, the Army hasn’t had a publicly accessible developmental environment that can be used to find innovative solutions for our critical cyber problems,” said Lt. Col. Pete Amara, product lead for Applied Cyber Technologies. “DRUID solves this legacy problem in the Army’s IT infrastructure by applying modern continuous integration processes and workflows to legacy systems and deployment models.”

    DRUID allows the Army to keep a common baseline for all Defensive Cyber Operations systems. It also reduces the need for “boots on the ground” for certain technical repairs and streamlines the process for adding tools to the environment, thereby bringing continuity to the Army’s systems and incorporating new workflows without requiring more infrastructure.

    Although still technically in development, DRUID’s functional infrastructure is helping the Army address many of its legacy IT problems, including the lack of a publicly accessible development environment designed to solve critical cybersecurity problems.
