28 February 2020

5G Cyber Security: A Risk-Management Approach

James Sullivan and Rebecca Lucas


This paper argues that approaches to the security of 5G telecommunications networks should depend on national context, including the geographic location of equipment, national cyber security experience, vendor availability and cost. The main policy priority for states should be the implementation of pragmatic technical cyber risk management measures that protect against the majority of risks to 5G networks. In January 2020, the UK’s National Security Council made the decision to exclude Huawei technology from the most sensitive parts of the UK’s 5G network, while allowing it to supply peripheral components such as mobile phone masts and antennae. From a purely technical perspective, this was a practical and realistic decision that adheres to the principles of cyber risk management and reflects the expert view of the UK’s national technical authority, the National Cyber Security Centre.

This research identifies a range of measures to manage risk to 5G networks, including resilient network architecture, access management, testing and monitoring, and cyber security standards. The findings demonstrate how core and edge functions do remain technically distinct in 5G networks and highlight multiple ways to isolate and localise risks. It recognises that 5G poses new challenges for cyber security practitioners, owing to technical concepts such as virtualisation and low-latency communication, but concludes that there are measured ways to manage the risk.


The paper acknowledges that for some states, political and economic considerations may end up being the overriding factors that lead to the decision to ban a particular vendor from a particular state. This may be an entirely legitimate national approach. However, states must be clear about the extent to which political, rather than technical, factors inform their decision-making relating to 5G and other technology. Failing to do so confuses the argument and undermines the authority of national technical experts.

Finally, the paper argues that 5G is one instance of a much wider set of issues around the globalisation of technology relating to the pivot of technology innovation from West to East. It recommends that states should rapidly identify those advanced technology areas where greater vendor diversity and/or sovereign technology is required and develop an industrial strategy to address these gaps.

James Sullivan is a Research Fellow in cyber threats and cyber security and leads RUSI’s cyber-related research programme. His research interests include cyber security, the spread of terrorism and violent extremism in cyberspace, online disinformation campaigns, and the role of emerging technology in defence and security.

Rebecca Lucas is a Research Analyst in cyber threats and cyber security. Her current research focuses on cyber security policy, including the global spread of technology and associated national security risks. Her research interests also include the intersection of technological innovation, including cyber, and defence policy.
