The security of mobile networks is national security. Today’s 5G networks are critical infrastructure that provides the foundation of society - supporting economies, public safety, healthcare, utilities, and our everyday lives. It is the shared goal of network operators, their hardware and software suppliers, and the US Government1 to provide secure, resilient networks. 6G will build on 5G to enable new use cases across telecom, business, and society. 5G is the most secure generation to date, and 6G is expected to be more secure than 5G.
6G will bring together new emerging technologies including Artificial Intelligence (AI), Post Quantum Cryptography (PQC), Integrated Sensing and Communications (ISAC), and Non-Terrestrial Networks (NTN). These emerging technologies will expand the attack surface, as Network Slicing, Cloud, and Open RAN did for 5G. It is important that we, as the industry’s cybersecurity leaders, establish security principles for 6G to ensure our communications across critical infrastructure and mission critical networks are resilient against increasingly sophisticated cyberattacks.
Toward this goal, the US Federal Communications Commission (FCC) Communications Security, Reliability, and Interoperability Council (CSRIC) IX directed Working Group 3 (WG3) to study and report on threats, risks, and mitigation strategies for 6G networks. As stated by the FCC, “the purpose of CSRIC is to provide recommendations to the FCC regarding ways the FCC can help to ensure security, reliability, and interoperability of communications systems“.2 CSRIC is a great example of public-private partnership with government and industry’s shared goal to secure communications critical infrastructure.
While 6G is nascent, the technologies that will enable it are here today and the report from CSRIC IX WG33 provides an early analysis of 6G to achieve a strong security posture. The 6G security analysis performed by CSRIC highlights traditional mobile threats, risks inherited from 4G and 5G, and 6G’s expanded attack surface due to new capabilities and use cases. It is expected that traditional threats to mobile networks will continue in 6G, including Advanced Persistent Threats (APTs) for lateral movement4, Man-in-the-Middle for eavesdropping or message injection, Volumetric Flooding with Distributed Denial of Service (DDoS), and Application Denial of Service (DoS). In addition, 6G will inherit risks from 4G and 5G including False/Rogue Base Stations, Insecure APIs, Supply Chain, and Virtualization/Cloudification.
6G enables new use cases through emerging technologies, but increased device diversity, native AI, ISAC, and NTN could also expand the attack surface. Agentic AI will drive innovative use cases, service enhancements, and operational efficiencies in mobile telecommunication networks while introducing the new insider threat with its own persona and autonomy for perceiving, reasoning, deciding, and acting5. ISAC could introduce new security risks related to unauthorized sensing, compromise of sensors, corruption of sensing data, and exposure of sensitive information. The 6G security posture will need to rely upon a zero trust architecture that is built-in to 6G standards.
Additional considerations for 6G security are PQC, Open RAN and spectrum. Evolving quantum computing will require PQC algorithms to be specified in 6G standards and in the protocol specifications used in those standards, including TLS version 1.3. The telecom industry is expecting its investment in Open RAN to be re-usable in 6G and this CSRIC report recommends the 6G standardization process leverages the progress made in existing O-RAN architecture and security specifications. Spectrum allocation is critical to 6G, especially for ISAC. This CSRIC reports recommended the FCC work with other branches of government to ensure ISAC spectrum requirements will be met.
6G is still early in its standardization process and will continue to evolve in the coming years. Security analysis of the preliminary direction of 6G has highlighted the traditional threats, risks, and mitigations to establish a strong security posture. Technologies, such as Agentic AI, ISAC, and NTN require a zero trust architecture approach to defend against external and internal threats.
The CSRIC report concludes with the following important recommendations for industry:
- CSRIC IX recommends industry influence 3GPP’s 6G standardization process to strive for alignment with O-RAN specifications while preventing contradicting disaggregated RAN standards that would result in bifurcation.
- CSRIC IX recommends industry influence the 6G standardization process across all relevant standards bodies to build-in ZTA across the 6G end-to-end architecture, including air interface, RAN, Core, and Management and Orchestration.
- CSRIC IX recommends industry formalize security standards to promote secure use of AI in communications critical infrastructure.
- CSRIC IX recommends industry to build support for PQC algorithms in 5G/5GA and 6G networks and accelerate standardization of PQC algorithms in SDOs to help ensure product support along USG expected timeline.
- CSRIC IX recommends vendors support and operators use TLS/mTLS 1.3 for 6G deployments.
- CSRIC IX recommends industry perform a detailed 6G threat analysis to inform normative security requirements in its standards.
6G will bring new capabilities and use cases. It is important to secure the users and their information on the network. While 6G is in the early stages of standardization, the FCC’s CSRIC report has identified potential risks and the path forward to mitigate them. As with previous generations of mobile technology, Ericsson is committed to standardizing and building secure products for network operators to build secure networks. Participation by Ericsson and US network operators in CSRIC, in partnership with the FCC and other government agencies, further demonstrate this commitment to secure communications critical infrastructure. Ericsson will continue to lead on 6G security research and standardization, a foundational principle of a strong security posture for critical infrastructure6.
