
Keeping America Safe – Network Security is National Security

Safeguarding the U.S. starts in the very networks themselves. Ericsson agrees that network security is a key component of national security and is working closely with U.S. government agencies and industry groups to ensure that the latest generation of cellular networks are more secure than ever. To achieve this, we put security first in every facet of our business, from leadership in the development of 5G standards and best practices to our active participation in government task forces working to safeguard networks against future threats.

Vice President and Head of End-to-End Security, Ericsson North America


To solidify U.S. protection of critical infrastructure and keep pace with evolving cyber threats, government officials and all of us in the Information and Communications Technology (ICT) industry must be vigilant in maintaining our long-term focus on security. The ICT industry continues to be tested on a regular basis by new threat actors and exploits of all kinds. At Ericsson, we are guided by 3 key principles to protect critical infrastructure from cyberattacks:

  1. Secure network communication, end to end
  2. Uphold the integrity of the supply chain
  3. Ensure the resilience of the network

Log4j/Log4Shell – vigilance tested; crisis averted

In December of 2021, a new critical vulnerability in the Log4j tool, called Log4Shell, had just been discovered and our security community in Ericsson was mobilizing to understand its impact. Critical vulnerabilities were nothing new in our industry, but the scale that this open-source remote exploit demonstrated in the first 24 hours reminded many in the security community of Heartbleed, an OpenSSL exploit in 2014. By the end of that weekend, Ericsson realized the vulnerability had the potential to be even worse.

Log4j was a common component of Apache, which, in turn, was one of the most widely used (and scrutinized) open-source libraries around. Despite the thousands of eyes on Apache on a regular basis, this vulnerability had gone undetected for a decade, resulting in deep levels of dependency trees and underlying connections in software code. Solutions from many ICT vendors, including Ericsson, used these open-source software components across the network - and significant portions of the critical infrastructure were initially at risk in those early days.

U.S. DHS CISA Director Jen Easterly categorized the threat as the “most serious vulnerability she’s seen in her decades-long career” and most of the Nation’s top cybersecurity experts agreed. The next two weeks were a flurry of activity, with bleary-eyed engineers coding, patching and mitigating threats well into the holidays. In many cases, the telecom vendor community decided to recompile certain nodes from the ground up, as Log4j was embedded in some software like building blocks on the inside of a giant tower.

Looking back, I could not be more proud of how our company, our industry and our government responded during this time of crisis, with few impacts to National Critical Functions or services. The Communications sector has been leading the way in cybersecurity, risk mitigation and resilience planning for a long time, along with our partners in the Finance and Power sectors. Together, these sectors make up the U.S.’ three-legged stool of critical ICT infrastructure, and that structure stood firm during the Log4j crisis.

A whole-of-nation response

Fast forward to early 2023, and a convergence of ambitious initiatives across regulatory policy, next-gen technology and ICT standards is drawing closer. CISA Director Easterly and Executive Assistant Director Goldstein laid out their collaborative vision in the article “Stop Passing the Buck on Cybersecurity,” calling on technology companies to build security and safety into their products from day one. If Log4j was a live sample, a more virulent next phase must be prevented.

In February of 2023, the next round of the NIST Cybersecurity Framework (CSF) 2.0 workshop kicked off, bringing together thousands of subject matter experts in the largest overhaul to the CSF in almost a decade. CISA’s cross-sector Cybersecurity Performance Goals (CPGs) will draw heavily on the updated Cybersecurity Framework of best security practices, while establishing new baselines for cybersecurity across the Nation’s Critical Infrastructure.

Most recently, in March 2023, the Administration released its National Cybersecurity Strategy (NCS) with the goal of creating “… a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences”. This reinforces previous guidance from the NIST Secure Software Development Framework (SSDF) that vendors should uniformly follow best security practices throughout the development life cycle.

Ericsson strategy for securing networks

These activities re-affirm Ericsson’s view of securing networks holistically, with a strategy that ensures meaningful impact across multiple critical sectors, as shown below.

Network Security in National Security


The three key principles Ericsson invests in to protect critical infrastructure from cyberattacks are: securing the actual communications over the networks, upholding the integrity of the supply chain, and ensuring that networks are resilient to disruptions and attacks.

Each of these principles is reinforced by three distinct pursuits across those areas.

  1. Policy: work collaboratively with government and industry to define and shape policies that will lead to higher levels of security across all three principles. Examples of this would be the Secure and Trusted Communications Networks Reimbursement Program (Rip and Replace) that funds removal of untrusted equipment from US wireless networks, as well as proposed rulemakings from the FCC and recommendations to the President from the National Security Telecommunications Advisory Committee (NSTAC).
  2. Technology: build software and hardware for networks that are secure by design, and develop and implement technology that secures the underlying infrastructure. Design and deploy technologies that add to the resilience of the network, such as Zero Trust Architecture, network slicing and cryptographic roots of trust. Ericsson is a proud founding member of the first-of-its-kind 5G Security Test Bed, in collaboration with the University of Maryland, MITRE, AT&T, T-Mobile, US Cellular, SecureG and CTIA, which seeks to validate technology and best practices in a real-world environment.
    Ericsson w/ FCC Commissioner Simington @ 5G Security Test Bed

  3. Standards: collaborate in relevant standards bodies to ensure security is considered across all areas of the network and built into the core standards by which network components will be designed and networks will be built. For instance, in 2022, Ericsson was a leading contributor to the O-RAN Alliance working group 11, improving the security posture of networks built on Open RAN principles, and to ATIS’ industry-first 5G Network Assured Supply Chain security standard. This year, we are working with industry and government experts on NIST’s first full update to its Cybersecurity Framework in almost a decade and on initial guidance from ATIS on Zero Trust in 5G and 5G Secure Profiles.

At Ericsson, network security has been integral to our global technology leadership for decades, and we play a key role in the ICT effort by contributing to numerous security communities and standards bodies and leading dedicated security organizations and task groups.

Here’s a closer look at the three key principles that must be followed to protect critical infrastructure.

1. Secure network communication, end to end

5G represents a new era of network security and is significantly improved from previous mobile generations like 3G or 4G/LTE, with security built into the standards themselves. 3GPP is the industry body that sets standards for mobile communications, and in 5G, these include new advancements for security, including enhanced subscriber privacy, greater interface protection, integrity protection of user traffic and an improved authentication framework.

The ICT industry must assume that “the bad guys are already in the house” and adapt our defenses accordingly, working towards a zero-trust mentality. While most traditional security measures focus on external threats, the zero-trust model enhances security by both blocking unauthorized access to network resources and preventing lateral movement by an inside attacker. The heightened security features of 5G will enable the deployment of this “Zero Trust Architecture” (ZTA) across future networks.

Work is already underway in groups like the Communications Sector Coordinating Council (CSCC), where Ericsson is co-chairing the Emerging Technologies Committee, covering key topics like post-quantum cryptography, AI/ML in ICT networks and preparations for 5G-Advanced and 6G.

2. Uphold the integrity of the supply chain

Communications infrastructure is complicated, both in the way it’s assembled and how it’s produced. As the industry trends toward multi-vendor hardware solutions and more open, virtualized software, clear visibility into the supply chain is an important part of keeping the country’s 5G networks secure. A supply chain is only as strong as its weakest link, and as cyber criminals evolve, they will seek out vulnerabilities in ICT infrastructure they can use to attack everything from power plants to the banking system.

Ericsson 5G Smart Factory, Lewisville, TX

Ericsson’s 5G Smart Factory in Lewisville, Texas represents the company’s commitment to building the 5G networks that much of the country’s critical infrastructure will depend on. A secure supply chain must be built on trustworthiness, transparency, and traceability, and 5G is no exception.

Ericsson recognizes the importance of protecting the U.S. ICT supply chain. We are working with our customers and across industry to analyze and implement President Biden’s Executive Orders 14028 and 14017, which are designed to protect America’s critical supply chains from cyberattacks and other threats. Ericsson has provided significant input and leadership on software assurance, network security, trusted supply chains and risk management through many collaborative efforts between government and industry.

3. Ensure the resilience of the network

Beyond securing individual communications, the network itself must be resilient and reliable. This is more vital than ever as 5G begins to enable a new digital economy based on the superior speed, low latency and end-to-end security that it brings.

When fully deployed, many parts of 5G will be “virtualized” and “cloud-native,” meaning that many of the core network functions will happen within a cloud environment, offering improved resiliency and scalability. This will also allow for the implementation of new security solutions such as “network slicing” (dedicated sections of network architecture for different network, security or QoS functions) and AI-enabled security that maximizes availability and performance with automation and orchestration.

Furthering that effort, Ericsson co-led the NSTAC’s 2020-2021 “Report to the President on Communications Resiliency,” a year-long effort which recommended numerous ways that U.S. ICT infrastructure needs to be improved and protected over the next ten years. Additional contributions in recent years include “Software-Defined Networking,” “Software Assurance in the Information and Communications Technology and Services Supply Chain,” “Enhancing U.S. Competitiveness in International Communications Technology Standards,” and “Zero Trust and Trusted Identity Management.”

Ericsson is committed to securing critical infrastructure

So, why does Ericsson see collaboration across U.S. government, industry, and academia as a priority? We recognize that joint effort is essential to the success of 5G and have committed significant resources to ensure that networks are secure, resilient, and based on the highest standards of product integrity. We know that while our contributions to the ICT industry enable the U.S. to continue its network security leadership, this is bigger than just Ericsson’s products.

Ericsson’s 4 layers of holistic network security

Well before the SolarWinds or Colonial Pipeline cyberattacks over the past few years prompted broad scrutiny of software assurance, all of Ericsson’s software was scanned, verified, cryptographically signed, and centrally distributed. This methodology, a key part of our “4 layers of holistic 5G network security,” guarantees that integrity is built in from the start. Our efforts to protect security and privacy throughout the development life cycle all the way to delivery follow an internal control framework known as the Security Reliability Model (SRM).

Ericsson’s core values center around creating connections that make the unimaginable possible and providing ubiquitous, secure connectivity for all – and that starts with having trustworthy, reliable systems that the public can depend on. This blog series will continue, examining the intersections of key areas of impact and opportunities to provide guidance on securing critical infrastructure. 
