Tokyo Olympics Postponed, But 5G Security Lessons Shine

Threatpost Senior Editor Tara Seals is joined by Russ Mohr, engineer and Apple evangelist at MobileIron, along with Jerry Ray, COO at SecureAge, for a discussion about the now-postponed Tokyo Games and its use of 5G and the myriad of security concerns Japan is preparing for.

The 2020 Summer Olympics in Tokyo were officially postponed this week amid the ongoing, pandemic spread of the coronavirus that causes COVID-19. The Games will be moved to 2021, but in the meantime, technological innovation around the event will continue.

More specifically, postponed or not, the Tokyo Olympics will be the world’s greatest testbed for 5G. It will showcase all of the power and promise that the next-gen mobile technology offers, including enabling everything from flying cars (yes, really!) to widespread facial recognition and security-scanning robots to cover 8 million people. Japan hopes to win the gold medal in the internet of things category, in other words.

Most importantly, Japan’s 5G ramp-up also offers a raft of important security lessons for everyday businesses. Important use cases emerging at the Games translate to the wider world (automated authentication for physical access to facilities, for instance — or smart applications like low-latency robotics that can apply in factory settings). And along with that, the cybersecurity measures that Japan has taken — like applying artificial intelligence/machine learning, zero-trust and advanced encryption — are also important object lessons for everyday enterprises.

On a webinar last week, Threatpost senior editor Tara Seals was joined by Russ Mohr, engineer and Apple Evangelist at MobileIron; and Jerry Ray, COO at SecureAge, for a discussion about all of the cool things that the Tokyo Games have planned for 5G, overall 2020 5G use cases, the next generation of security concerns, and what we can learn and apply from Japan’s experience so far.

Please see below for the replay. A transcript of the webinar follows. And, readers can directly access the video on YouTube, here: Amid Olympics Uncertainty, 5G Security Lessons Emerge.

 

Tara Seals:

Hello everyone, this is Tara Seals, senior editor at Threatpost. I’d like to thank everybody for joining us today for our webinar, “5G, the Olympics and Next Generation Security Challenges.” Today, we are going to be hearing from a couple of experts in the arena: Russ Mohr who is an engineer and Apple Evangelist at MobileIron; and also Jerry Ray, who is a COO at SecureAge – he works in Tokyo quite a bit, so he will have some feet-on-the-ground information for us, which is great.

Something to note about our agenda, clearly: The hook here is that we’re going to use the Tokyo Summer Games as a jumping off point to discuss what’s possible with 5G technology rolling out. Clearly, it’s an enormous test bed. There’s been a lot of innovation going on, ramping up to the event. And clearly with the coronavirus pandemic, there are concerns about whether or not the Olympics will go on as scheduled.

They might be postponed, possibly even as long as a year or two. We’re just not sure. Right now, the IOC and the Japanese government are both saying that the show will go on, but that of course remains to be seen, so fingers crossed. But nonetheless, we think that regardless of cancellation or not, this is going to be a very interesting discussion because again, what they’re doing in advance preparation for the Olympics is absolutely amazing from a technological standpoint. Obviously, that brings along a lot of security concerns. We’re going to talk about some of those and we’re going to bring this back where it’s applicable to you guys in the audience, into your businesses, and talk a little bit about what the security concerns from a macro-perspective are and how they relate to your businesses. And also provide some points and best practices for how they can develop their 5G strategies as we go forward.

With that, I am going to pass the ball over here for our first presenter, who is Russ Mohr with MobileIron. Russ, welcome to our webinar. Thank you very much.

Russ Mohr:

Thank you, Tara. Appreciate the intro.

Threatpost, thanks so much for having myself and Jerry Ray here today. We’re really excited to talk to you about the upcoming Tokyo 2020 Olympics. As always, you can reach me @rhmohr on Twitter, R-H-M-O-H-R. I do tweet a lot, especially about 5G security these days. Tokyo Olympics, really something to look forward to if they do happen. As Tara mentioned, there is some risk right now. But we should see around 11,000 athletes there. It looks like there are almost 8 million tickets that are going to be sold for this event, and there’ll be 33 different sports in Tokyo.

But that’s not what interests us today. We want to talk a little bit about the technology we’re going to see. To start off, this is a Toyota self-driving car, and we’re going to be seeing a lot of this at the Olympic games. This one might actually be used to escort an athlete or a staff member onto the field. I think this only actually holds one or two people in it, but that’s not the only autonomous driving that we’re going to be seeing at the games. We’re going to be moving people around in autonomous vehicles. Obviously these are going to need connectivity. They are not going to be able to connect to Wi-Fi networks. We’re going to be leveraging 5G networks, built primarily by NTT DoCoMo, for the games.

Also, some 5G cars from another carrier and Toyota. This particular vehicle I think can move around 12 people at once or so. But the real prize of the show, if we see this, and this is still rumored, is Toyota is going to show their flying car at the game. Codenamed Morizo, announced as far back as 2017, but we’re really hoping that we would be able to see an autonomous flying vehicle at the 2020 Olympics.

Lots of different applications for 5G technology. Some of them include big investments from companies like NEC, Panasonic and others. In this particular case, we’re seeing facial recognition. At these events, I mentioned there’s 11,000 athletes, but with all the staff and all the tertiary requirements for people moving in and out of the stadiums, they expect to have 300,000 authorized personnel working at the Olympics. We’re still going to have the lanyard that this young lady is holding in her hand, but we’re also going to have an additional security mechanism, which is facial recognition. These are going to be all over the place, spread throughout Tokyo at the different venues, and they’re going to be amassing a lot of personally identifiable information (PII) about these people. At least a data set of 300,000 records of personal information that are now presumably going to be stored somewhere in the cloud. We’ll have additional security, but we’ll also be creating some new honeypots of highly secure information at these games.

Another thing that we’re definitely going to see is a lot of augmented reality, virtual reality, and especially, we’re going to see mixed reality. One of those technologies for mixed reality is going to be called 3DAT, a.k.a. 3D Athlete Tracking. Another one is actually the virtual arena. A virtual arena is also sometimes referred to as a digital twin. What they’re actually able to do is make an exact copy of an arena where an event is going to take place, and then have staff or even athletes walk through that arena, interact with that arena, make plans about where they’re going to be, what the best viewing point is in that arena.

That’s going to require lots of edge compute power to show those graphics in real time, but also, it’s going to require very little latency. You’re going to need to be able to react in real time with that stadium.

The other thing I mentioned is 3DAT. I actually want to show you what this looks like. This is 3D Athlete Tracking in action. What we can see over here is, we have three leaders in this race clearly, and we are able to actually track them and we’re actually able to point at who the winners are. That’s even in advance of the Olympic officials saying, these were the winners. We at home using the 3DAT technology, we’ll be able to track where a swimmer is in a race, where a runner is in a race. Often, these races are won within just a few milliseconds. That’s going to be really important. That’s one of the main things that 5G brings to us: Ultra-reliable low latency connections that allow us to have as low as one millisecond of latency. Another reason why 5G is going to be very important for these games.

Of course, a lot of these events are going to be transmitted in 8K digital video this year. That’s also going to require a lot of bandwidth and a lot of low-latency connections. What you see here actually is an image from PyeongChang a few years back when we had the winter Olympics, and what you’re looking at, that Olympic logo, is actually drones. Drones are going to play a very big part in these games. For instance, Panasonic will be offering technology around crowd control.

NEC will also be in the mix. They’ll be monitoring the crowds, [looking for], is there suspicious activity happening in that crowd, but also be reporting and broadcasting video from these drones. Drones are going to have a very big role in the 2020 Japan Olympics, but at the same time, we also need to protect our drones and protect the attendees and the athletes at these events. It’s a safe assumption that there will not only be friendly drones collecting information and broadcasting events, but there will also be another kind of drone that’s able to take out a rogue drone, for example. We should expect that both of those will be present at the 2020 games.

Of course, drones need very low-latency communications. They need to react very quickly. That’s something 5G gives us.

I couldn’t complete this presentation about technology we’re going to see at the 2020 games without showing you guys some cute robots. These robots are going to help visitors, so we should expect to see them in the airports, in the subways. They can give you directions in multiple languages, and at the same time, they can also scan the crowds for suspicious activities. They’ll have more than one role. We are expecting to see quite a few of these robots deployed for the 2020 games.

Now that I talked to you about some of the technology that we’re expecting the Olympics to unlock, how does that relate to 5G? What are the technologies that are specifically relevant to what we’ve been talking about? First off, I’d just like to level-set and let you know that 5G’s an order of magnitude faster than 4G. Up to 10 gigabits down – and using some multiplexing technologies, even up to 20 gigabits downstream speeds.

There are two specific technologies I’d like to call out that will be really important: Enhanced mobile broadband isn’t on this slide, but that’s actually what consumers will see on their devices. On the Samsung phones, on the Huawei phones that already have 5G chipsets. On the iPhone, that’s going to be announced in the fall. We’re expecting it to have a 5G chipset on that device as well. Those speeds won’t be quite as high as the 20 gig down. They’ll be a little slower. As we roll out over the years, we’ll see speeds increase.

The really important technology that is part of the 5G spec put out by the 3GPP is MMTC, which is massive machine type communications. That just means that we can have an extremely high density of devices riding on a 5G network, many more devices than we can have on a 4G network, for example. This is the high frequency low delay part of 5G. This is the spectrum that allows us to actually hit the sub one-millimeter bandwidth delay.

Another piece of technology that we’re going to see carved out and in the 2020 Olympics is the radio access network, commonly referred to as network slicing. Many of the carriers have offerings around this already. This is where you can actually provision a private 5G network with quality of service. You could say, “Look, those robots, they only need 30 millisecond delay. I will configure a network slice for them, but those drones are going to need two milliseconds of delay. They need to react quickly, so I’m going to create another network that has that quality of service on it.” That is leveraging URLLC, ultra-reliable low latency communications.

Finally, another technology we’re going to see that’s going to be very important in the games is MEC: Multi-access Edge Computing. We’ve seen a lot of partnerships with Intel at the games are around this, and this is really just compute power. This is the idea of bringing the application closer to the application server. When we’re running a drone network, when we’re running autonomous vehicles, they might need to communicate more quickly with a server. Even if you have an AWS, it might be somewhere in the very core of that network, so we want to get that to the edge of the network. We want to have the compute power as close to the end devices as we can, and that’s what MEC is all about. I’m sure you’ll be reading a lot of announcements around partnerships around MEC over the coming years.

Now that we talked about what are the applications and what’s the technology enabling them, let’s just talk quickly about what the risks are. There are a few risks with 5G. Number one is, we have protocol vulnerabilities. We had some announced at Black Hat last year. We had some researchers from Purdue and the University of Iowa build a tool called 5GReasoner, that found that 5G networks, in theory, were susceptible to all sorts of attacks, including man in the middle, replay attacks that run up your phone bill, and actually hijacking the paging channel.

In the U.S., we would call this an Amber Alert – so you could broadcast your own Amber Alert. There are some vulnerabilities that need to be addressed by the 3GPP governing body. The good news is, 5G’s the most secure wireless cellular protocol to date. However, it takes some time to roll out, it takes some time to go live in networks around the world, especially when a new revision is released.

Another risk is 4G interdependence. We’re not going to see standalone 5G everywhere in 2020. As a matter of fact, it’s probably going to be closer to 2025 when we see pure 5G networks. That means that we will sometimes fall back to 4G or even slower technologies when 5G is not present or when we move away from a 5G small-cell tower.

Other risks are supply-chain trust. This one has been in the news a lot. In Japan, I believe that they don’t trust Huawei at all. They don’t have Huawei in their networks, at least in the 5G portion for KDDI, DoCoMo, Rakuten and SoftBank. But in other countries, we do have this issue where there may be a company that we don’t trust in the network. In particular, Huawei has been accused of leveraging the lawful-intercept interface, which is what a law-enforcement agency would use to tap into. In the U.S., they would require a warrant to do this, but they could do things like access call-detail records, see when and where a call was placed or even listening to a phone call. So…we’re not sure we can trust every network in every country.

[Another risk is] just the pure density of it. 5G uses small cells. Small cells are about the size of a shoe box. There’ll be a lot of them out there. Just the fact that there’s going to be so much of this, it’s going to be a little bit easier for hackers to hide in plain sight. There’s off-the-shelf technology that they can buy called Stingrays, also referred to as dirt boxes or IMSI catchers, that can grab information about your device, including location sometimes, and be used to launch exploits.

Finally, we’re going to see user behavior change a lot. Hey, if you’re an employee walking into your company and you have a much faster network that you’re already connected to on 5G and the applications that you’re using are cloud applications like Office 365 or Slack or Workday, you might not ever actually connect to a network that sits behind the firewall that your company can control. There’ll be less connecting to Wi-Fi.

What can we do to address some of that? One of the things I love to talk about is the zero-trust model. This was first coined by an analyst named John Kindervag back in 2010. The essential principle of zero-trust is, we actually never trust and we always verify. We actually have to assume that because of all those vulnerabilities and risks that I just showed around 5G, that we might not actually be able to trust that network.

By the way, there’s going to be a bunch of new sports in the 2020 Olympics, and one of them is skateboarding, which is going to be super-fun to watch. But also on this slide are some of the things we need to consider when it comes to building zero-trust defenses for 5G. One of them is, a lot of the primary devices connecting to them (and a lot of the data) is going to reside on devices like iOS and Android. Maybe Windows 10 and Mac OS as well when they have 5G chips. We need to make sure that we can trust the device. We need to consider how are we going to analyze data from lots of different types of devices that are running different operating systems, and we don’t really have a way to control them.

We might need to think about agentless internet of things (IoT). How can we take the data from hundreds of thousands, or millions, or tens of billions of devices and analyze that data in the cloud using AI to look for anomalies? Another thing we should really be considering is conditional access. Once we decide whether we trust the IoT device or the iPhone or Android device, we need to decide if we trust you, are we going to allow you into the network? Or if we don’t trust you, maybe you can’t have access to the 300,000 facial recognition imprints that I am storing up in the cloud.

Conditional access, we need to be able to make a decision about that. Network segmentation is very important. Once you get access to a network that sits beyond 5G, like a corporate network or an internal Olympic network, we need to make sure that you actually can’t get very far once you’re in there.

Then, basic security sanity, we need to have encryption. We need to encrypt those 300,000 records of athlete identity and staff identity. We also need to encrypt it in transit. Leveraging SSL, leveraging off-the-shelf VPN technology would be important.

Then lastly, I think we need to decide who has access to that data, where’s that data going to be stored. Most likely in the cloud. We need to really think about how we do rule-based access control to sensitive data that sits in the cloud. Those are some of the things that I think we should be thinking about for 5G, and that I think the Olympic committee should be thinking about. With that, I would like to pass it off to Jerry Ray to continue with the presentation.

Jerry Ray:

Thank you very much, Russ. Thank you for that lead-in as well. You ended with a comment about encryption, encrypting the data. That’s my background and somewhat my purpose and really where the focus of the work I do here for the government and military of Singapore, and what the government of Japan is focused on: Just securing that data.

With that in mind, for all the listeners, where Russ’s was just tremendously visual and showing all the exciting things that 5G is bringing to life at the Olympics, mine is precisely the opposite. It’s dealing with that data on the backside, the things that can’t be seen, the massive troves of generated data that are going to come about from each one of those devices. With that, don’t expect too much visually here. I’ll be talking a bit about what it is to secure this data and what type of mindset it took for Japan to put things in place to secure the data.

The challenges that 5G bring about are ones that are perfectly attuned to Japan’s vision for the society 5.0. They want to bring together this mesh of technology and devices, not just the standalone information of society 4.0, but in 5.0, make sure these devices, these IoT pieces, are everywhere and that they are accessible. And it’s 5G that’s making that possible. But to get there has not been an easy battle for Japan. Cybersecurity there has had a number of issues for quite some time, and the Olympics were just the perfect mechanism to launch them into a new era of that. Just as 5G is coming about for mobility, the Olympics themselves are bringing Japan to a new era in security mindset. I’m going to focus a bit on that as we move on and talk some more about encryption as well.

Forgive the bullet points here, but Japan is just like any other place, and many of the issues it was facing leading up to the Olympics now and before are ones that everyone else is seeing: Technology is just rapidly increasing and overwhelming us.

Security rarely gets the attention it needs. It’s the backend piece that was thought of after all of the exciting pieces Russ showed us visually were built and configured. At the very end, we’re going to throw some security on. As well, what do we buy? What do we use? There are so many claims in so many categories, whether it’s EDR, EDP. It’s just, which is the right tool to protect this particular piece of data? Data at rest? Data in motion? This streaming data that’s going to be coming from the tools and products that we’re going to see at the Olympics [and elsewhere] are going to make those questions even more complex.

Now, how do we secure the facility’s gates? How do we secure the filmography from the drones? What about the facial-recognition systems, and what about the pure data that’s up in the air that’s allowing all the communications to take place in these massive, massive pipelines of streaming data?

We’re also seeing that cybercriminals and nation states, they get a much bigger bang for their money in 5G when they want to attack things, and the Olympics is the high-profile moment in any country’s existence, and it’s also the perfect time to put a black eye on it. We saw that somewhat in PyeongChang two years ago, a cyberattack right on the outset. We saw it in Brazil two years before that. It’s very easy for people to come up with low-cost ways, low-barrier ways to do something. Just make things go awry, embarrass the host as much as they can.

We’ve also seen a long history of security tools that were just simply ineffective despite the growing number of tools that are out there for people to protect themselves. The number of breaches are expanding even more quickly than those. Japan has to deal with all of these. It’s got Olympics to organize, but on top of that it’s got its own history that it has to deal with. For quite some time they’ve been lagging in legislation. They just haven’t had mandates there for things like disclosing cyberattacks or data breaches to the citizenry. They’ve got inherently a tremendous level of trust and reliance on systems. Whether these systems are social or technical, Japan believes that they simply work.

When you’ve got people who are intentionally trying to undermine these systems, and again referring back to the nation-states or motivated hackers, it’s hard to envision that these systems are ones that people would actively try to tear down when they were so thoughtfully put up in the first place.

There’s also some issues with leadership in Japan, and not that the leadership is poor, it’s just the way they put people in leadership positions to make these cybersecurity decisions. Japan is quite famous for having rotating jobs within companies and this expands onto the government as well. Two-year rotations, three-year rotations, and these rotations don’t necessarily follow expertise or education. As people are moving forward in their career, they can take on a variety of different jobs and get training, very relevant and solid training within their companies, but not quite enough that would allow them to spearhead something as significant as cybersecurity.

With these Japan-specific cyber-challenges, it’s really something that they were able to recognize this, use the Olympics and the rollout of 5G as the impetus to make it all better. They’ve really done a great thing in putting things in line, having run through a great number of iterations of trials since 2014, hoping they would get the games. Once it was announced, they immediately got busy. Knowing that Olympics is that spectacle, the equivalent to the world’s fair to show who you are. Tokyo hasn’t had this opportunity since 1964 and they wanted to make the most of it, but it was just brilliant that they did what they did in terms of security. They enacted some new legislation and they have this IoT cybersecurity action program that they put into place in 2017.

IoT is one of the biggest concerns for them. They even took it upon themselves in 2019 to create a mandate to attack IoT devices of the citizens of Japan. Whether the whole citizenry knew it or not, these attacks were undertaken and Japan learned a great deal about the vulnerability of most types of IoT devices and what they should be putting in place to protect the ones that will be either running the games or protecting the critical infrastructure of Japan throughout the period of the games and thereafter. Japan has also allocated a great deal of funding from the government to allow these advances in security to take place. They set up a National Cyber Training Center. They increased cyber security drills from six to 10 times a year. They’ve also made an effort to put government and private industry together to create these entities, such as the cybersecurity factory, which is a collaboration between NEC and the government.

Finally, they’ve invested heavily in training. Training at the university level and on through companies and other entities. It’s really something that Japan was able to put together in a way that, spending most of my adult life in Tokyo, seeing that only Japan can. It’s highly organized. When it puts its mind to any task, it does it extraordinarily well.

Again, I pointed just a few moments ago about IoT and critical infrastructure being those two target areas that Japan is worried about most. It’s 5G that’s making this all come about. 5G is bringing IoT devices to life in a way they haven’t been, and critical infrastructure will be relying on sensors and other tools that can be connected rapidly and at greater distances via 5G.

This is another vulnerability that’s being imposed. Most of what Japan’s done, it’s all going to protect IoT and critical infrastructure. The ways it’s protecting it, my particular focus and interests will always be on the actual data itself, because all of these devices, everything in critical infrastructure is generating data that is now giving us a nonstop tap. Everything is going to constantly be in motion. Everything’s going to be increasing. The datasets we have will be more complex, but also more rich. The things we can do with them, well, they’ll only be meaningful if we can protect that data.

The other piece that’s going to come up within IoT and critical infrastructure protection is artificial intelligence (AI) itself. There’s going to be a great deal of reliance on what AI can do. Russ mentioned it a bit ago in terms of sifting through the data sets, but also protecting it, recognizing threats, doing things that couldn’t be done from any manual attempts by humans, regardless of their level of expertise. Just by the mass exposure that AI will have to the different threat vectors and actions by nation-states and otherwise. The real catch here on the AI portion is that it takes training and it takes time. The amount of time, the amount of opportunities for training for AI that are going to be involved with IoT and critical infrastructure — I worry a bit that nothing’s yet going to be really robust enough to handle some of the security issues that are going to come up within just a couple of months — if indeed the Olympics happen in a couple of months. It’s something that I think everyone will face, whether it’s an Olympic-bound issue or not.

That brings me back to what I was speaking a bit ago about – how products and tools are going to be something that Japan and every other country is going to struggle with as they look to secure these 5G networks. How can you have tools that are going to be secure, without really limiting all the advances and the engagement that viewers can have when enjoying these advanced augmented reality and virtual reality opportunities from 5G.

Also, the straightforward implementation. These are complex. 5G is going to just multiply the complexity of things, particularly as various IoT devices come on board, each with their own operating system, each with their own security protocol.

Finally, regulatory compliance is something that has to be considered and tools have to be available, simply for covering all the different regulations that address either particular populations or particular pieces of data.

GDPR from the EU: We’ve got to consider the EU residents who will have any interactivity here at the Olympics and beyond. It’s quite a challenge.

With that, I’d like to open it up to different questions, hopefully more for Russ, and have Tara join in.

Tara Seals:

Great. Thank you, Jerry. Okay. Yes. We can move to our Q&A session. I’d like to thank both of you for those two absolutely fascinating presentations, lots of great content in there for sure. There’s room to talk about other things as well.

Let me ask, from just a purely real-world standpoint, if I’m a U.S.-based business, what are some of the initial 5G use cases that I might want to implement within my corporate world that will change the game for security? Russ, maybe you can take a stab at that.

Russ Mohr:

Yeah. So, is the question from the standpoint of a business or the standpoint of just a consumer?

Tara Seals:

From a business standpoint. Corporations and even SMBs, I would think would find rich ground for making use of some of the step-changes in 5G that we’re going to see, right?

Russ Mohr:

Yeah. Well, they absolutely will. I’m located in New York, in the U.S., and I work with carriers quite a bit in my day-to-day transactions. I’m seeing a big push, especially in the U.S. from Verizon and AT&T, around selling 5G services to the enterprise. The main thing that they are pushing is last-mile backhaul. A lot of them invested a lot of money putting fiber in the ground, which has a very long rate of return. It takes a long time to get that money back. Backhaul services over 5G networks are much faster than what they’ve been doing traditionally and much cheaper for them.

Then, the other thing we talked about was network slicing. We especially see a lot of this in manufacturing. You have an autonomously guided vehicle, an AGV – let’s say you’re Ford Motor Company and you’ve got a factory with an assembly line and you’ve got a forklift that needs to be able to stop in 20 or 30 milliseconds. 5G’s a really good fit for you, especially on an ultra-reliable low latency private 5G network, because you have that low latency and you’re able to make decisions quickly enough so that somebody doesn’t get hurt.

Also, in the enterprise, like take car manufacturing. If you had an assembly line and you wanted to analyze data very quickly to see if something was going to break soon on that assembly line and stop it before you had to shut down for a day, then that would also be really interesting for you.

You might combine it with MEC or you might combine it with AI in the cloud. Those are two really big use cases that I see for it in the enterprise.

I also think that the enterprise networks are going to change, the whole traditional boundary of the firewall, that’s just not going to exist anymore because of user behavior changes, so enterprise needs to think about, what is the security approach for that? As I mentioned, Gartner has something called SASE, which stands for Secure Access Service Edge. Forrester calls it zero-trust. I really think the enterprise needs to take some time thinking about like shifting to that model instead of making the traditional security investments that they’ve been making.

Tara Seals:

Okay, great. Thank you. Okay. A related question to that, what are some of the ways that hackers may try to penetrate someone’s 5G footprint? Are there new attack vectors to be considered there? Or is it just sort of more of the same IoT security story that we’ve seen a lot of. What’s different? What’s new?

Russ Mohr:

I mentioned in the presentation that, first of all, there are vulnerabilities. There are vulnerabilities and there’s off-the-shelf equipment that allows you to exploit known vulnerabilities in the 4G network and possibly the 5G network. Companies make them and sell them. There’s kits that you can download off the internet that allow you to very cheaply start intercepting things like your personal subscriber information that might allow you to know location and stuff like that. Those are some of the attack vectors. I don’t think we know all of them yet, and that’s one of the things about zero trust. We just don’t know yet, so we need to really look at behavior.

One of the things that a hacker might do that got access to a 5G network is, they might use it to implant malware on a device. You have this perfect spying device, like an iPhone or an Android device. It’s got a radio, it’s got a camera. It can record. It knows your passwords. All this stuff is a perfect spy device, and now you’ve got malware on it.

There are things that we can do to protect against behavior like somebody trying to get elevated access on a device. The same goes for IoT, so we can look at data en masse and use machine learning or AI to analyze that data and look for the anomalies. Those are some of the vectors, but there are things that we can do about it today, with the technology that’s available today.

Tara Seals:

Great. Jerry, here’s a question for you, on data security. With 5G, the volumes are going to be much, much higher thanks to the higher throughput and the lower latency. You guys have both mentioned the role of AI and slicing and dicing some of the threat Intel and things like that to try to make security defense a little bit more manageable. What would you say would be some top best practices? Just broad brush for companies going forward as they embrace 5G?

Jerry Ray:

Sure. That’s a terrific question, and one I’m pondering all the time myself too. The good thing about the data is that it is still data. And encryption, additional approaches to protecting the data are still in effect. If you look toward data at rest, data in motion, we’re going to be looking at ultra-fast algorithms and protocols that allow us to encrypt those data streams. But traditional algorithms are still fine for those troves of data at rest. Something that is also coming right about the same time are some post-quantum algorithms that people may want to consider. It might be the opportunity now to see how those fare with these large data sets.

As far as best practice, if I can just sum that up by saying use encryption, find tools that offer the encryption. If we’re looking at the IoT devices themselves and the threat vector on those, those sitting as critical infrastructure components or IoT devices in the home, smart cities or elsewhere. I think encryption is going to be something that helps out there too, but in the form of an SSL, VPN type of plans.

Say you’ve got a home with a smart refrigerator, radio, television, or other monitoring devices. If there is some type of appliance, a VPN appliance there, that takes the security burden away from all the IoT devices and forces the attacker to just hit that VPN appliance and the encryption that’s inside of there, it may be a much better approach than trying to somehow secure all the disparate operating systems and standards that exist on those individual IoT devices themselves.

Tara Seals:

Gotcha. That’s great. Thank you. Okay guys. Well, we’re getting to the end of our time here. To wrap up, do you have any last thoughts or lessons learned that we didn’t talk about that you think are important when it comes to either 5G security for enterprises or when it comes to the Olympics?

Jerry Ray:

For my part, I’m just hoping they happen. I think the whole planet needs some type of enjoyment and a break from this weird reality we’re all facing. On the other hand, I know that motivated hackers, nation-states, hacktivists and otherwise aren’t going to let it just be play time for everybody. It’s a good thing we’re discussing this here, and I’m really thankful that you made this webinar happen.

Tara Seals:

Thanks so much. You have any thoughts for me, [Russ], before we let everybody go?

Russ Mohr:

It’s okay. I just want to piggyback on one thing Jerry said. No free pass. I think that’s something really important. Now that the world is a little bit more vulnerable, that doesn’t mean the attackers are going to let up, and if anything, remote infrastructure becomes that much more critical. A ransomware attack when everybody is working from home and is accessing resources on a corporate network becomes that much more crippling. I think it’s a time for increased vigilance. We may not be in our offices anymore, in certain parts of the world, but we need to really stay vigilant right now because we’re vulnerable and the attackers aren’t going to slow down. Jerry, I think that was really very well said.

As far as the Olympics go, I’m not sure. I’m hoping that they’ll happen. I’m very excited by the innovation that they unlock. I’m very excited about 5G, and I think the need for 5G is now accelerated also, with so much remote work happening. Although I’d love to be able to watch them this summer from the comfort of my home, I think the world needs to go on timeout for a little bit right now. Like I said, we should stay very vigilant.

Tara Seals:

Great. Okay guys. Well, I think we’re going to have to leave it there. I’d like to let our listeners know that if you have any questions for these guys or any feedback on our event today, please feel free to contact me. That’s my email address there and we will certainly get back to you. Jerry and Russ, thank you very much for your time and thank you to all of our attendees who took some time to learn about the Olympics and 5G today.

Jerry Ray:

Thank you, Tara.

Russ Mohr:

Thank you. Thanks for staying up so late, Jerry.

Jerry Ray:

My pleasure.
