By Andrea Deckert, originally published in Rochester Business Journal on February 18, 2020.

With 5G comes increased awareness of bad actor opportunities

As Fifth Generation Mobile Network is implemented — offering faster speeds and greater conductivity for devices in industries ranging from transportation to public safety — individuals and businesses must remain vigilant with their cybersecurity measures, area experts say.

John Roman is president and chief operating officer of FoxPointe Solutions, an arm of The Bonadio Group that provides cybersecurity and risk management services.

He says despite security enhancements over previous network generations, it is unknown what new vulnerabilities may be discovered in 5G networks.

“With every new technology comes the chance for it to be exploited by bad people,” Roman says. “5G is no different.”

With more entry points for cyberattacks and more devices that make up the internet of things, the more opportunities there are for malicious hackers to break into systems, he notes.

The internet of things, or IoT, is the network of devices such as vehicles and home appliances that contain electronics, software, and connectivity that allows those things to connect, interact and exchange data.

5G is the next generation of wireless networks, building upon existing 4G infrastructure. It is expected to improve the bandwidth, capacity and reliability of wireless broadband services and meet increasing data and communication requirements, including IoT devices.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency assesses that 5G is expected to bring security improvements and a better user experience, but also notes there are challenges in certain areas, including supply chain, deployment and network security.

The effectiveness of 5G’s security enhancements will, in part, depend on proper implementation and configuration, local experts say.

“Anytime you connect a device to a network, information security becomes a concern,” Roman says.

He adds there are no guarantees against cyberattacks and it is an area individuals and businesses must take into account as the use of IoT devices evolve and 5G continues to expand.

Critical infrastructure will continue to be a high-risk target of cyberattacks, especially as the use of IoT devices in the industry grows, Roman says.

He believes more security measures are needed to keep those newly connected items safe.

“I’m not confident that the appropriate security controls are being implemented in those devices,” Roman says.

The shift to IoT and 5G in both residential and commercial applications will likely result in a different type of cybersecurity expert, Roman says.

“A higher level of expertise will be required to see how this will work,” Roman says. “I don’t see it being the IT security person of today.”

That is where the Global Cybersecurity Institute at Rochester Institute of Technology is expected to play a role.

Slated to open this fall, the institute’s mission is to bring together academia and industry to help tackle cybersecurity problems by expanding education and research, outreach and student-focused programs at RIT.

RIT is already nationally recognized for cybersecurity, having been designated as a National Center of Academic Excellence in Cyber Defense Education and Research by the National Security Agency and the Department of Homeland Security.

Steve Hoover, the Katherine Johnson executive director of RIT’s Global Cybersecurity Institute, says simply having more devices and more data will increase the risk of cyberattacks.

“There will be more entry points for people to do bad things,” Hoover says, but adds 5G is designed to be more secure than current cellphone technology.

Further adding to the increased cybersecurity risk is the fact that 5G technology incorporates a number of network functions in the software, which gives hackers a greater chance to infiltrate a system, he explains.

It is important for companies to implement any new technologies, including 5G, correctly, he says. That includes doing due diligence on firms from whom the company purchases equipment and services.

To make sure protections are in place on the job when it comes to cyber safety, employee training is also essential, Hoover says.

There also needs to be third-party testing of a company’s systems, Hoover says.

He recommends using white hat hackers who are computer security experts, who use hacking skills to identify security vulnerabilities in hardware, software or networks. They are also known as ethical hackers, as opposed to black hats, who are malicious hackers.

The Cybersecurity Institute can assist companies with the third-party testing, in addition to offering ways for working professionals to train and develop new skills and conduct an even broader range of research, Hoover says.

For example, a cyber range will allow the institute to simulate real world cyberattack situations, helping to provide a testbed for research and education to develop defenses and countermeasures to cyberattacks, Hoover says.

The institute will also be able to perform penetration testing, which is an essential action companies should take to protect their information, he adds.

Penetration testing confirms and classifies vulnerabilities on individual devices across networks, in web applications, social networks and on-premises during physical security tests.

Hoover notes it is common to have concerns over new technologies and 5G is no exception.

Companies do not need to avoid transitioning to a 5G network if they want to be early adaptors of the new technology, he says, but adds they could also hold off and wait until it becomes more commonly used.

FoxPointe’s Roman agrees it is often better to get some of the early-stage kinks worked out before implementation.

“I wouldn’t advise the 1.0 version of anything; wait until the 1.9 version,” he says.

Joel Thayer, an associate with Phillips Lytle LLP, focuses his practice on telecommunications, regulatory and transaction matters, as well as privacy and cybersecurity issues.

Thayer likens the increased use of IoT devices and 5G to adding more doors to a house. More doors mean more security measures have to be taken, he says.

“How many doors are now available for bad actors to hijack your network?” he says.

While there is more risk for an attack, there are steps that can be taken to mitigate the risk.

Such steps include making sure passwords are secure, dual verifications are used, employee training is up to date and the integrity of documents is maintained, he adds.

It is also important to encrypt any devices being used.

“Companies must practice general cyber-hygiene,” he says.