Category Archives: IoT

FBI Warns On Zoom Conference Security

Image: Threatpost.com

FCW

As telework expands across the U.S., new users unfamiliar with security precautions can unintentionally expose their videoconferences to unauthorized participants.

__________________________________________________________________________

“The FBI is warning Zoom video-conferencing platform users to guard against “VTC hijacking” and “Zoom-bombing” by outsiders intent on making threats and offensive displays.

According to the FBI’s Boston Division, two Massachusetts high schools reported separate instances of individuals breaking into online classes in late March being conducted via Zoom teleconferencing software. In one incident, said the FBI, an unidentified individual dialed into a videoconference class, yelled out a profanity and the teacher’s home address. In the other, a school reported an unidentified individual with swastika tattoos dialing into a Zoom videoconference class.

FBI Special Agent Doug Domin told FCW that unauthorized participants are not just an issue on the Zoom platform. “Other providers have similar platforms,” he said, that are just as vulnerable to such intrusion if they’re misused.

“Organizations should have policies for VTC” and its associated software, as well as training on how to use it, said Domin. Individual session passwords should be used, even for audio bridges, he said. “The bigger the group, the bigger the possibilities” for unauthorized entry.

“We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack,” a Zoom spokesman told FCW in an email. “For those hosting large, public group meetings, we strongly encourage hosts to review their settings and confirm that only the host can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining,” they said.

The Zoom for Government platform is on the General Services Administration’s buying schedule and also has that agency’s Federal Risk and Authorization Management Program moderate level approval. Zoom was sponsored in the FedRAMP approval process by the Department of Homeland Security, according to the company. The authorization allows federal agencies and contractors to securely use Zoom for government video meetings and API integrations, according to the company.

Typically, government-approved versions of commercial off-the-shelf products do not allow data collection for marketing purposes.

Zoom’s standard product has many newer users in public school environments, since company CEO Eric Yuan removed time limits on the app for elementary and high schools as the COVID-19 pandemic closed down the facilities across the U.S.

The company’s video teleconferencing offering has raised the hackles of some privacy experts, including Consumer Reports, who say it collects and sells user data to online advertisers. It revised its privacy policy on March 29 to say it does not sell personal data.

Additionally, a company official told the Intercept in a March 31 report that Zoom does not offer end-to-end encryption as it is commonly understood – that is, encrypting data between user endpoints. The content of a video conference hosted by Zoom is potentially visible to the company itself.

An IT manager FCW spoke with about Zoom said they were confident that with the FedRAMP moderate rating that conforms services to FISMA standards, a federal Authority to Operate, and familiarity with the platform, most federal users could be reasonably confident with the platform’s integrity.”

https://fcw.com/articles/2020/03/31/zoom-bombers-fbi-rockwell.aspx

Small Tech Companies Got $1 Billion At USAF Virtual South By Southwest

DEFENSE NEWS

The U.S. Air Force lost its chance to hang out at South by Southwest this week after the new coronavirus known as COVID-19 caused the cancellation of the festival. But the service still awarded nearly $1 billion in contracts during a virtual version of its event held March 12.

__________________________________________________________________________

“[The event] included keynotes from Air Force Secretary Barbara Barrett, a “Pitch Bowl” where companies delivered short pitches in the hopes of receiving small contracts from the Air Force, and other events meant to deepen the Air Force’s connection to small commercial tech firms.

The largest contracts — worth more than $550 million total — went to 21 companies to develop “big bet” technologies. Those companies are Aerial Applications, Analytical Space, Anduril Industries, Applied Minds, Elroy Air, Enview, Edgybees, Essentium, Falkonry, ICON Technology, Orbital Insight, Orbital Sidekick, Pison, Privoro, Shift.org, Swarm Technologies, Tectus Corp., Virtualitics, Wickr, Wafer and one company that the Air Force has not disclosed.

“For all these awardees, you’re on a four-year, fixed-price contract that we believe, if successful, will disrupt part of our mission in a way that will give a huge advantage for our future airmen,” said Will Roper, the Air Force’s acquisition executive.

The value of the contracts awarded by AFWERX may seem small compared to the multibillion awards for major defense programs. However, these awards go a long way in helping technology firms overcome the “valley of death” between technology development and production, when a lot of companies are vulnerable to failure, said Chris Brose, head of strategy for Anduril Industries, which specializes in developing artificial intelligence technologies.

“For a company like ours or companies of that size, it’s quite significant. It allows us to really kind of do more of the good work that we’re doing, to scale and grow and work with new partners, and it makes a huge difference,” Brose said.

Brose declined to detail the precise nature of Anduril’s contract with the Air Force, but said that the general objective is to prove that an unmanned aerial system can deliver a mass of swarming drones capable of performing complex missions. While a human would still be “in the loop” overseeing the network, certain tasks — such as steering the drones, moving their sensors and processing gathered data — would be automated.”

https://www.defensenews.com/industry/2020/03/13/small-tech-companies-got-a-combined-1b-at-the-air-forces-virtual-version-of-south-by-southwest/

Understanding The Challenge Of Short Attention Spans

Image: LinkedIn – Bristin Appukuttan

WASHINGTON TECHNOLOGY – By Mark Amtower

Next time you have something to share, people are likely to remember that you make your point quickly, and they may be more likely to give you another look. Violate that by boring them with verbosity or rehashed ideas and you are toast.

_________________________________________________________________________

“From 1989 to 1995, HBO presciently produced a comedy that predicted a phenomenon beyond our control, the ever-decreasing attention span. The show, Short Attention Span Theatre, soon became known as SAST (representing yet another growing phenomenon, the acronymization of our language… talk about a short attention span).

As one might surmise from the name, SAST was a series of short skits and interviews, many of which were LOL (sic) hilarious. Among the hosts was a rising comedic star, Jon Stewart. This was eminently watchable TV for the simple reason that things happened quickly, and if you only had a few minutes to spare, you could watch, laugh, and move on without fear of missing a plot twist. Look it up on YouTube; it stands the test of time.

I did a little research on attention spans recently and found that some people’s attention spans were now under ten seconds. TEN seconds.

Our attention spans are getting shorter. I won’t speculate as to why except to say that with the various technologies available the craving for instant gratification continues to outdistance our desire for deeper understanding. I’d blame Gordon Moore (see below), but he was simply pointing out the obvious.

Not only are attention spans getting shorter, but the majority of people are multi-tasking, especially the younger ones, which further reduces the attention given to each task.

So now we get to the crux of this matter: in marketing “content is king.” Companies seeking to grow market share have an ever-increasing need to put content into the hands of people who make buying decisions. Unfortunately, it’s likely that their audience lacks the time to consume the tons of daily content that’s coming at them from multiple directions.

And, like most, they probably have a shrinking attention span.

So, we have the collision of short attention spans with the desire to get the attention of decision makers, an audience that may or may not pay attention to your content even if it crosses their screen or even lands in their inbox.

Add to this the fact that content is being produced and shared at a breakneck pace. Think of this as Moore’s Law(1) where computing speed is replaced by the amount of content being generated, and instead of doubling every two years (Moore’s original concept), now it takes maybe a couple of months to double the amount of content being generated. As Moore implied, this is not a reversible condition.

With this addition to our “content is king” premise, how do we get the attention of the audience we seek?

Many marketers understand that being concise is key. I call it the word-per-idea ratio (2) where you strive to keep the ratio as tight as possible while retaining the ability to convey a concept. This is why many business videos, podcasts and blog posts are short. It is why I try to keep most of my articles and blog posts to under 500 words. Make one good point and make it fast. Next time you have something to share, people are likely to remember that you make your point quickly, and they may be more likely to give you another look.

Violate that by boring them with verbosity or rehashed ideas and you are toast.

The biggest problem is getting your content in the queue of the decision makers, and this is never a given. Even if it gets in the queue, a variation of Heisenberg’s uncertainty principle(3) occurs: the timing. Will it be found and read, or will it be missed because it was not delivered in the venue (LinkedIn, Facebook, Twitter, etc.) when your prospect was present?

Short attention spans + so much content + timing issues = black hole absorbing unseen content.

There is no simple solution to this puzzle. However, there are ways to increase the odds in your favor, including:

  • Try to produce good content that is germane to your audience
  • Only one main idea per piece of content
  • Use a compelling headline or title that highlights the topic you will discuss
  • In written pieces, use graphics
  • Cite original sources as necessary and when you can link to those original sources
  • Hashtag people and companies mentioned
  • Re-purpose the content into multiple formats
  • Place the content in venues where it will most likely find the right audience
  • Place it in those venues more than once (retweeting is great; posting on LinkedIn in different places should work)
  • Send it directly to those you really need to reach IF you have a relationship with them
  • Generate content on a regular basis, not on rare occasion
  • Make certain the content is edited for clarity and grammar
  • Ask viewers and readers to share (“If you liked this, please share it with those who might find it useful.”)
  • Care and feeding of regular viewers/commenters – comment back on comments and remember to say thank you
  • All of your content (or links to it) should be in one location on your web site

Is this too much to keep in mind when producing content? Initially, yes, but most of it becomes muscle memory with practice.

If and when I come up with a more practical solution, I’ll call it Amtower’s Content Marketing Law.

AND, if you like this article, please share it….

This article is an expanded update of: https://www.linkedin.com/pulse/sast-meets-content-marketing-when-heisenberg-collides-mark-amtower/

(1) Moore’s law: IT executive Gordon Moore wrote in 1965 that the speed of computing would double every two years predicated on the number of transistors a microchip can hold.

(2) I first heard the phrase “word per idea ratio” from Chris Trelease, then with telemarketing firm Sturner and Klein. I worked there while in graduate school and a short time beyond that, and I met and worked with some great people.

(3) Uncertainty principle, also called the Heisenberg uncertainty principle or indeterminacy principle: the statement, articulated in 1927 by the German physicist Werner Heisenberg, that the position and the velocity of an object cannot both be measured exactly at the same time, even in theory.”

https://washingtontechnology.com/articles/2020/03/11/insight-amtower-content-overload.aspx

ABOUT THE AUTHOR:

Mark Amtower

Mark Amtower advises government contractors on all facets of business-to-government (B2G) marketing and leveraging LinkedIn. Find Mark on LinkedIn at http://www.linkedin.com/in/markamtower.

Tips On Finding That Perfect Mentor

Image: Micro Mentor https://www.micromentor.org/

MICROMENTOR

Congratulations! You’ve taken the leap and registered on the MicroMentor platform. Now you’re ready to find the perfect mentor to help your business grow and meet its goals. Now what? How can you make the most out of your MicroMentor experience? 

______________________________________________________________________________

  1. Create a strong profile: When creating your profile, be sure to give a simple explanation of your business. Be sure to include your business vision, mission, needs, and the problem you’re trying to solve. It’s also not a bad idea to upload a professional photo to inspire confidence in potential mentors. Entrepreneurs who follow these steps are 10 times more likely to find a mentor, so make sure you create the most compelling profile that you can.
  2. Be patient: Finding the perfect mentor may require patience. If you don’t receive a response from a potential mentor right away, don’t be discouraged. They are graciously donating their time and may be unable to get back to you due to busy schedules. It’s also advisable that you reach out to various mentors to improve your chances of finding the perfect mentor. Keep trying! It’ll be worth the wait.
  3. Don’t rush: Once you’ve identified a mentor, don’t rush through the “getting to know you” phase. Ask him or her questions about their experience and how they got to where they are today. Tell them more about yourself and why you decided to start your business or come up with your business idea. Building a solid foundation will help your mentor to better understand how to help you, and you’ll be more comfortable when you put the next piece of advice into action…
  4. Have a clear vision of what you want to gain from your mentor/mentee relationship: When you begin your search for a mentor, there are a few questions you should consider. Think about what dynamic you hope to have with your mentor. How will both of you feel more comfortable communicating? And how often? How can they help you accomplish your business goals and the benchmarks you have set? How can they help you track your progress and reach your personal deadline? Your mentorship will be more productive and fruitful if you and your mentor can come to agreement on a game plan.
  5. Have an open mind and follow through: Our mentors are here to help you think outside of the box to solve your business problems. Keep an open mind when receiving their feedback, as they could encourage you to think outside of the box and offer you advice you need to better your business and help differentiate yourself from your competitors. Mentor Eleftheria Egel’s experience on MicroMentor has shown her the importance of being “open-minded, respectful and patient”. “There is no right and wrong. It is simply a different way of doing things. It may take a little more time to coordinate. However, if mentor and mentee are aligned in their vision and goals, the whole relationship and experience will run smoothly and successfully”, she explains.

MicroMentor understands that owning your own business, while rewarding, can be challenging. We also believe that mentoring is a powerful resource for entrepreneurs to receive the guidance they need so that they’re not navigating their journey alone. To learn more about how MicroMentor has already helped our community of entrepreneurs, have a look at our 2019 Impact Report.”

https://www.micromentor.org/blog/making-the-most/

Secure Teleworking Guidance From National Institute Of Standards And Technology (NIST)

FCW

The National Institute of Standards and Technology has issued advice for organizations that must communicate remotely, warning that the lackadaisical security policies of the past will no longer cut it as hackers and spies seek to take advantage of the increased attack surface created by the surge in nationwide remote work.

______________________________________________________________________________

“Workers across the country are being sent home and told to telework as the coronavirus outbreak continues to spread. As virtual meetings and other online interactions become a reality for many federal agencies and businesses, so too do the related cybersecurity threats.

“Unfortunately, if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop,” wrote Jeff Greene, director of NIST’s National Cybersecurity Center of Excellence. “Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively — and not the genesis of a data breach or other embarrassing and costly security or privacy incident.”

Greene laid out a number of suggestions for keeping virtual work discussions private and safe, most of which are simple and likely to already be specified (if not always heeded) in an organization’s existing policies.

Limiting reuse of access codes for phone meetings along with one-time PINs and multifactor authentication can help ensure that only authorized users are on more sensitive calls. For virtual or web meetings, waiting rooms and dashboards can help monitor attendees and keep track of unnamed or generic visitors. They can also help an organization keep track of who is (and isn’t) supposed to be connected.

Not every work meeting will require the use of every step. Greene encouraged organizations to use different protocols for low-, medium- and high-risk calls, and NIST developed an easy-to-use graphic to help workers determine when to use what option. More sensitive work may require tactics like distributing PINs at the last minute, identifying all attendees and then locking the meeting and ensuring that all attendees are connecting from approved devices.

The Cybersecurity and Infrastructure Security Agency has also warned that widespread telework could open up new opportunities for digital compromise. The agency put out its own security guidance last week for organizations relying on enterprisewide virtual private networks, including testing VPNs for mass usage; ensuring VPNs, network infrastructure devices and end-user devices are patched and up to date; ramping up log reviews, attack detection and incident response and recovery activities; and implementing multifactor authentication wherever possible.”

https://fcw.com/articles/2020/03/17/nist-advice-virtual-online-meetings.aspx?oly_enc_id=

Spinning Up Telework Presents Procurement Challenges

Image: Eztalks.com

FCW

There’s good news and bad news for agencies looking to ramp up telework in the wake of the coronavirus pandemic, according to federal contracting experts.

The good news is federal acquisition contracts are set up for quick acquisition of essential telework equipment, such as laptops or tablets, said acquisition experts FCW spoke with. The bad news could be that online scammers are watching the expanding tele-workforce with great interest.

___________________________________________________________________________

“The emphasis on agency telework is growing, and although most agency employees are already assigned computers, there may be some hardware gaps to fill as workforces move to remote locations.

Federal governmentwide acquisition contracts, such as NASA’s Services for Enterprise-Wide Procurement, the General Services Administration’s ordering schedule and the National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) are set up to help quickly fill laptops, tablets and other IT commodity orders, they said.

“In general, SEWP is an agile acquisition vehicle that allows for quick turn-around times for quotes and provides points of contact for all contract holders to facilitate quick communications,” Joanne Woytek, SEWP manager, told FCW. The GWAC, she said, has not seen any specific increase related to teleworking support, so far.

“For laptops, tablets, printers, agencies have purchase cards,” Alan Chvotkin, executive vice president and counsel for the Professional Services Council, told FCW. “Orders placed on SEWP and federal schedules can get responses within 24 hours,” he said, adding that speedier responses could pump up costs.

SEWP posted a warning on its webpage at the beginning of March saying delays in some orders could result from stresses on the supply chain.

In an email to FCW on March 11, Woytek again noted that delivery of technology “is limited by the capacity of industry.” She said order delivery “is going to be on a case by case basis and greatly dependent on the complexity, configuration and size of an order.”

However, the demand for laptop and tablet computers from federal agencies during the next few weeks probably won’t be too steep, said Roger Waldron, president of the Coalition for Government Procurement.

Agencies, however, should be working diligently to “level set” their computer and network needs for the coming weeks, as well as keep informed on their existing IT contracts and how to leverage GWACs, such as SEWP, to backfill last-minute IT and IT commodity needs.

Even though agencies will probably have the resources to get any necessary computers for new telecommuters, another acquisition expert said they face a sneaky obstacle — telework-savvy cyber adversaries.

Bad actors are on the lookout for new teleworkers, as those workers open up a vulnerability to protected networks, said Evan Wolff, a partner at Crowell & Moring, who co-chairs the firm’s Privacy & Cybersecurity Group and is a member of its Government Contracts Group.

Targeted phishing emails and other cyber crime techniques could be a challenge for federal IT managers with increasing numbers of telecommuters, Wolff told FCW in an interview.

Federal IT managers, he said, may not have appropriately secure infrastructure in place to lock down all communications. Additionally, simple things, such as shared living space with non-government employee roommates, could also present issues, if the federal teleworker has a sensitive post, he said.

“We’re already seeing a focus on customized phishing” aimed at non-government telecommuters as the coronavirus spreads, said Wolff. That wave of targeted remote worker phishing email is probably coming to new federal telecommuters too.

“Bad actors understand a target’s leadership and the types of appropriate email” that could tempt them into taking the bait, he said.”

Government Must Make Sure Contracts Cover Remote Work And Classified Access Logistics

Image: HRsolutions.com

DEFENSE ONE

“‘It is really important to adjust and amend contracts so that contractors can continue to work with the government counterparts.’ If that’s teleworking, that’s teleworking, if it’s moving to a different location, it’s moving to a different location.”

______________________________________________________________________________

“As millions of Americans prepare to work from home in an effort to slow the spread of the coronavirus, Defense Department managers and the companies that support them are waiting for guidance on just how they should be clearing their offices.

Set aside the workers who build planes, ships, tanks and other weapons on special assembly lines around the country. Plenty more are holders of security clearances who can’t do their jobs without special computers and facilities that protect classified information. Among them: analysts, war planners, and engineers designing next-generation weapons.

But the situation is murky even for the hundreds of thousands of government contractors who don’t need access to secret information. As the Pentagon begins sending nonessential employees home, it’s unclear what’s going to happen to them.

“There’s almost no guidance going out about contractors,” said David Berteau, a former Pentagon official who is now CEO of the Professional Services Council, an organization that advocates for government contractors. “Part of that problem is, contractors are managed on a contract by contract basis.”

And in many cases, these employees’ contracts don’t even mention remote work.

“You don’t want to change contracts from the top down,” Berteau said. “But you can send out guidance to contracting officers that says, ‘It is really important for you to adjust and amend contracts so that contractors can continue to work with the government counterparts.’ If that’s teleworking, that’s teleworking, if it’s moving to a different location, it’s moving to a different location.”

For years, the U.S. government has done drills and exercises to prepare for scenarios where workers cannot access secure facilities, said Berteau, who served as assistant defense secretary for logistics and materiel readiness during the Obama administration.

But: “We have not taken those lessons from the simulations seriously enough that we’ve done the preparation necessary to execute it,” he said. “So now we’re having to do it in real time. It’s important that we get it done. It’s important that we keep the government working. It’s important that contractors are part of that keep the government working goal. And it’s important that they have guidance [and] it’s integrated across the government in order to make that happen.”

As for the government workers and contractors who must access classified information, there is no alternative, for now at least, to a secure government facility.

“You can’t go home on your laptop and plug it in and get classified data,” Berteau said. “It’s my personal belief…that we could do a lot more than we are doing.”

But, he noted, it would likely cost a lot to buy the equipment needed to make that happen.

“We have got to be taking notes as we go about what we need to do better … so we’re more ready the next time it comes,” Berteau said. That would be a federal government, executive branch, responsibility, but it would also be a congressional responsibility to make sure it happens and that the resources are available to do it.”

https://www.defenseone.com/business/2020/03/when-your-work-classified-work-home-doesnt-work/163782/

Government Accountability Office (GAO) Joins 6 Other Agencies In GSA “Centers Of Excellence” Partnership

Image: SvetaZi/Getty Images

FEDERAL TIMES

“The Government Accountability Office is joining the GSA’s Centers of Excellence initiative to improve the GAO’s new Innovation Lab.

The GAO marks the seventh agency to partner with the Centers of Excellence, a program started by the GSA to speed up modernization projects at agencies.”

_____________________________________________________________________________

“The CoE’s work, run out of GSA’s Technology Transformation Services (TTS) office, will speed up the GAO’s authority to operate process for its new innovation lab, launched last year to develop enhanced data analytics and emerging technologies capabilities.

The partnership will also help the lab configure a “flexible, scalable, and secure computational environment that is responsive to current and future needs.”

“Today’s announcement illustrates the momentum of the CoE to deliver outcomes that drive mission effectiveness,” said TTS Director Anil Cheriyan. “Putting innovation at the core of everything we do, we’re excited to engage with GAO and provide guidance along their exciting journey.”

The CoE program also works with the Departments of Agriculture; Housing and Urban Development; Labor; the Pentagon’s Joint Artificial Intelligence Center; the U.S. Consumer Product Safety Commission; and the Office of Personnel Management.

“With this latest CoE engagement, we look forward to building upon our prior work transforming federal IT to improve services to citizens,” said CoE Executive Director Bob De Luca. “Leveraging the CoE modernization approach will help GAO further its mission of helping the government save money and work more efficiently.”

https://www.federaltimes.com/acquisition/gsa/2020/03/03/here-is-the-new-partner-for-gsas-centers-of-excellence/#:~:text=The%20Government%20Accountability%20Office%20is,the%20GAO’s%20new%20Innovation%20Lab.

The Future Of Cybersecurity Maturity Model Certification (CMMC) For Defense Contractors

Image: (castillodominici)

FIFTH DOMAIN

CMMC 1.0 was released at the end of January. The Department of Defense official leading the overhaul of cybersecurity requirements for Department of Defense contractors sees the model as being in a “constant state of evolution” over the next few years.

____________________________________________________________________________

“Katie Arrington, the chief information security officer for the Office of the Under Secretary of Defense for Acquisition and czar for the new Cybersecurity Maturity Model Certification, told Fifth Domain in an interview at the RSA Conference that work on CMMC will be a “perpetual thing.”

After the CMMC requirements are written into contracts around October, Arrington said she wants to “have some data to say ‘okay, these controls — are they really worth the return on investment? Do we need to tweak the model?’”

Right now, Arrington said, she is working with staff to create the audit training. One of the challenges in building the training, like creating CMMC itself, is ensuring that it is simple and easy to understand.

Beyond CMMC, Arrington said that the “next big thing” she’s going to work on is supply chain illumination tools and adding continuous monitoring into “… those most vulnerable in our supply chain and the ones that are working on the most critical technologies,” she said. “I need to know how they’re doing acting day-to-day, how their supply chain looks.”

Arrington also told Fifth Domain that she expects CMMC to be adopted internationally in 2020 and 2021.

“Our Five Eyes partners are like, ‘hey, we’re right here with you,’” she said.

With the federal government facing constantly evolving attacks on its supply chain, Arrington said that CMMC needs to be able to adjust to new challenges.

“If it becomes a checklist, we have all failed,” she said. “It needs to become critical thinking about security and understanding that the threat today will not be the same threat that’s here a year or two years from now. And that we have to be constantly looking at how do we tweak? How do we bob? How do we weave?”

https://www.fifthdomain.com/dod/2020/02/28/the-future-of-defense-contractor-cybersecurity-standards/

Securing the 5G world

Image: (peshkov/Getty Images)

C4ISRNET

5G is set to revolutionize the mobile communications industry — offering high data rates, low latency and ubiquitous connectivity with levels of reliability not previously seen.

As software-centric, virtualized networks change the communications landscape, delivering on the promise of 5G will require diligence and comprehensive security testing.

______________________________________________________________________________

“This will enable new services and use cases that go far beyond communication between individuals. The rapid progression of 5G deployments has huge potential for connecting economies at scale, while simultaneously exposing potential vulnerabilities that must be addressed.

Shift to software-centric, virtualized networks changing the communications landscape

To deliver higher performance and lower cost, 5G networks are leveraging technologies that are software-centric and virtualized, moving from custom hardware to software components running on commercial off-the-shelf (COTS) hardware. This increase in software content across 5G deployments continues to fuel a faster development pace. But with this come some challenges, since these 5G technology innovations are also expanding the attack surface of the system. While 5G core network functions are making use of a new and different software architecture, well-known common technologies like HTTP and REST APIs are replacing the proprietary interfaces of the past. All of these things increase the potential for cybersecurity attacks and vulnerabilities.

Network Function Virtualization (NFV) will deliver far more scalability than traditional platform approaches. NFV relies on a software stack and infrastructure where network functions execute. While virtualization has significant advantages in terms of scalability and efficiency of the underlying hardware resources, moving to a software platform that is made up of many different components from many different vendors, often including open source, increases the risk of a vulnerability being exploited that could compromise the entire system. Additionally, with 5G network slicing, which makes extensive use of virtualization techniques, guaranteeing slice isolation and preventing data leakage between slices are key for the security of 5G networks.

Another core assumption with 5G is related to the proliferation of connected devices that will become an essential part of our daily lives. 5G will enable new use cases where an agreed-upon quality of service is required to support the reliability, throughput, or latency requirements associated with critical infrastructures and real-time systems. While there are standards available (or being developed) to mandate and evaluate security across different sectors like automotive, health, utilities, etc., there is a lack of standardization for general IoT devices. The effect of poorly secured devices, proliferated across the network, can easily disrupt essential and nonessential services enabled by 5G.

5G networks are incredibly complex, and the deployment of infrastructure elements at the edge makes them more difficult to secure. Network operators faced with the complexity of these systems may rely on a third party for the configuration and management of their networks, giving administration privileges to potential adversarial actors. Poorly configured systems may compromise the networks, independent of the definition and use of the security functions defined in the standard.

Delivering on the promise of 5G will require security diligence

The global technology ecosystem is taking steps to ensure we have a hardened infrastructure and has made significant progress. Governments are carefully analyzing the security risks of 5G networks and systems. In the EU, the NIS Cooperation group completed a coordinated risk assessment of the cybersecurity of 5G networks, followed by a threat landscape for 5G by ENISA (European Agency for Cybersecurity). Similar studies and activities are taking place in other regions. At the same time, the mobile communications industry has developed a Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, to facilitate improvements in security levels across the mobile industry. NESAS uses a comprehensive approach to assess the product development life cycle, as well as security test cases defined by 3GPP SA3 for network equipment.

However, given the increase in the attack surface, the level of emphasis on security must be intensified, especially compared with previously deployed generations of mobile communications systems.

The security industry offers many categories of security assessment tools including endpoint, penetration test, vulnerability scanning, fuzzing, and identity and access management solutions. All of these should be collectively used to validate all aspects of the communications infrastructure.

Comprehensive security testing will become paramount

Even though 5G standards will improve the security mechanisms over previous generations, there will still be areas that require further work to achieve and maintain secured 5G systems. The complexity of 5G networks requires proper configuration and management of the security aspects, as well as tighter security for third parties managing the networks, ultimately making for stricter control of the supply chain.

The increase in software content of 5G networks and the massive increase of IoT devices will drive a need for enhanced security controls. This must be a key area of focus for the industry as 5G scales. Security standards and best practices guides are becoming available for different sectors, covering all software development stages, from architecture and design to coding, testing, and release. With the evolving landscape of vulnerabilities and threats, companies will need to carefully consider and adopt continuous security testing using automated tools that are regularly updated to the latest threats.”

https://www.c4isrnet.com/opinion/2020/02/24/securing-the-5g-world/