On day two of Mobile World Congress (MWC), CTIA hosted a panel on "Promoting Security in a 5G World." The panel discussed ongoing efforts by regulators and the ways that the wireless industry is responding to a changing cybersecurity ecosystem. Panelists from Ericsson, AT&T, Qualcomm, and SecureG provided expert insights into the complex cybersecurity regulatory environment.
When it comes to cybersecurity, the wireless industry is hard at work. The panel highlighted that the sector "works well with others," with several panelists stressing the importance of collaboration and public-private partnerships as particularly important. The industry has collaborated closely with the National Institute of Standards and Technology (NIST) on developing and updating the Cybersecurity Framework (CSF), with the Federal Communications Commission (FCC) regarding its customer proprietary network information (CPNI) rules, and the Cybersecurity and Infrastructure Security Agency (CISA) on its Cybersecurity Performance Goals (CPGs), among other things. As for public-private partnerships, panelists highlighted the important work of CISA's ICT Supply Chain Risk Management Task Force and the FCC's Communications Security, Reliability, and Interoperability Council (CSRIC).
Panelists also highlighted the security enhancements of 5G as a prime example of industry's work in action. Security is built into 5G from the start—it is not a "bolt on" concept or afterthought. And wireless stakeholders continue to focus on 5G security, such as CTIA's recently launched5G Security Test Bed, where recommendations from the CSRIC can be tested and validated.
One major theme of the panel was the need for harmonization of cybersecurity requirements. Panelists praised the Office of the National Cyber Director's (ONCD) recent Request for Information (RFI) on cybersecurity regulatory harmonization, as well as the Department of Homeland Security's (DHS) recently released report on harmonizing incident reporting, which will inform CISA's ongoing cyber incident notification rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). One panelist called for "regulatory humility," and another panelist explained that while harmonization is important, we need to ensure that any policymakers harmonize around the right security approach.
Another key theme from the panel was the need for emerging frameworks and approaches—including CISA's CPGs and forthcoming sector-specific goals—to remain voluntary, in line with NIST's CSF. Panelists agreed that it's generally best to leverage public-private partnerships around voluntary norms and practices on security issues.
Finally, the panel also discussed emerging technologies, such as Internet of Things (IoT) device cybersecurity, post-quantum cryptography (PQC), artificial intelligence (AI), and open radio access networks (Open RAN). Panelists explained these technologies can bring a lot of positive benefits, but can also be exploited and raise new risks. Of note, panelists praised NIST's publication of the AI Risk Management Framework earlier this year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.