
NSA and CISA List Industry Expectations for Data Governance in 5G Environments


Federal cybersecurity agencies continue to demarcate stakeholder security roles in fifth generation network architectures with the publication of guidance on the proper management of data in cloud-based systems.

“Data is an incredibly valuable resource that drives all industries in the modern world,” said Bob Kolasky, who heads the National Risk Management Center of the Cybersecurity and Infrastructure Security Agency, in a press release Thursday. “This makes it a particularly attractive target for opponents. This document emphasizes the importance of coordination between governments and industry to tackle the complex task of protecting our critical data. As with the previous two parts of this series, CISA encourages the 5G community to review this guide and take concrete steps to help strengthen the country’s 5G cloud infrastructure.”

Parts one and two of the CISA series published with the National Security Agency focused on preventing and detecting unauthorized lateral movement through networks and isolating network resources, respectively. The third installment published on Thursday focuses on data protection. The guide presents an important list of actions that users of cloud-based 5G systems, as well as cloud service providers and mobile operators, should all take to protect data at rest.

But for data in transit and data in use, the recommended cybersecurity mitigation measures are all directed at cloud service providers and mobile operators.

The guide notes that although the standards developed for 5G by the Third Generation Partnership Project (3GPP) impose certain capabilities, it is still up to operators to activate them, and it stresses the importance of doing so.

“User plane data integrity and privacy capabilities are required, but their use is optional at the discretion of the operator,” the agencies wrote regarding data in transit, for example. “Some of the user plane threats, such as person in the middle and privacy breaches, can be mitigated through the required use of optional confidentiality and required integrity capabilities described above. Others, such as routing and denial of service (DoS) attacks must be managed in the control plane and above and would benefit from the required use of optional confidentiality and integrity capabilities.”

The guidelines coincided with a commitment by the United States to security and other attributes it wants to establish for 5G technology across the world at a third conference on the issue held in Prague.

The conference began in 2019, when Rob Strayer, then the State Department’s senior cybersecurity official and now at the Information Technology Industry Council, traveled to the city to promote America’s vision of the expansion of 5G. In 2020, the then chairman of the Federal Communications Commission, Ajit Pai, also attended, and the conference became an annual event to which the Czech Republic invited government officials, academics and representatives of international and regional groups on trade and standards to focus on the implications of security technology.

“The stakes in securing these networks could not be higher,” White House National Security spokesperson Emily Horne said Thursday. “The United States believes that 5G security can only be effectively addressed through a truly global approach and we commit to engage with all of our allies and partners to promote an information and communications technology infrastructure that is open, interoperable, secure and reliable, supported by a supply chain of diverse and trusted suppliers.”

The Prague proposals do not specify which controls would guarantee the desired networking principles. Nor does the group name the providers of networking equipment and services that should be considered trustworthy, but it emerged as part of a Trump-era effort to be tough and assert US power in US-Chinese relations, especially by limiting the footprint of Chinese network giants Huawei and ZTE in global markets.

The principles list criteria for governing countries to be trusted suppliers, which would also encompass regimes like Russia, where Kaspersky Labs – whose use is now banned by the US government – is headquartered.

But the conference could be heading into more complex technical territory given the advent of a new generation of third-party cyberattacks this year – and more recent threats posed by entities based in allied governments – that force the Biden administration to adjust the US approach to cybersecurity, in particular throughout the information and communications technology supply chain.

“The United States supports these proposals, which build on previous efforts with the G7 and the [Quadrilateral Security Dialogue among the United States, India, Australia and Japan] and we intend to promote them in our global commitments on 5G, which is the future of internet connectivity,” said Horne. “The United States further appreciates the Czech Republic’s leadership in identifying and seeking solutions to the security challenges posed by the development and deployment of emerging and disruptive technologies and the publication of the ‘Prague 2.0 Proposals on cybersecurity of emerging and disruptive technologies,’ at the conference.”

Conversations on standards are also taking place under a new US-EU Council on Trade and National Security.