author photo
By Bruce Sussman
Wed | Mar 13, 2019 | 4:17 AM PDT

The briefing was in a plain-looking room at RSAC 2019, and conference attendees had no idea it was going on.

Sitting up front were Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs (pictured below at left) and NSA Senior Cybersecurity Advisor Rob Joyce (on the right).

RSA-media-briefing-1

About 20 journalists filled the tables around them. 

China's cyber threat to the United States

The focus of the briefing was the Chinese cyber threat against the United States. And the security of the coming 5G infrastructure was front and center in this discussion.

If Chinese companies build the 5G infrastructure, will it allow them to increase their theft of intellectual property and other espionage activities against the U.S.?

How NSA cyber chief views 5G risk

The answer from these leaders was yes, it could.

However, the NSA's Joyce told us that in his opinion, many Americans misunderstand the 5G security risk landscape. And he made an interesting case for the way he and the NSA view this risk.

This is Rob Joyce, Senior Cybersecurity Adviser at the NSA, in his own words:

"For 5G, I want people to fundamentally understand it’s a different problem.

A lot of people talk about Chinese spying and 5G, but what I want people to understand is it's not just about the confidentiality of the information. It is about the things we’re going to host on those networks.

I bring it back three, five, even 10 years ago where we had these 'new' smartphones. The smartphones emerged and they didn’t have new technology in any one sense—they were able to text, they were able to connect to the web, they were able to access the data that lived in the cloud-based services, they had GPS—but they brought together all this stuff in an easily usable form.

So now at that point, what we found is new things and new creative technologies emerge. No one thought of services like Uber, but this integration of these technologies and the evolution of these technologies gave us new business opportunities and new things throughout society.

5G is going to give us more bandwidth, higher densities, lower latencies, and none of that is amazingly transformative on its own. But once we have that fabric, we’re going to innovate the way the American economy innovates on top of that fabric. And then we’re going to have to trust that fabric.

The question is, are you going to be able to trust the providers of the infrastructure inside that?

When I say trust, there’s a desire to examine it. We will work hard on standards and on examining products. But I can tell you with the two hats we have at NSA—both the information assurance, cybersecurity hat and the foreign intelligence hat—it is really hard with something of that size and magnitude to lock it down where it can’t be exploited.

So you need to have a trust relationship with the people who build the house. If it’s built without a solid foundation, you’re going to be unhappy with the way that turns out.

And that’s how we view it in the 5G discussion. It really isn’t about the ‘show me the smoking gun intelligence’ about how they’re going to steal my information, it’s ‘can I trust it and what are we going to rely on that for?'. It is going to be something so intertwined with our society."

How CISA is working on 5G risk

CISA Director Chris Krebs added to Joyce's comments on the 5G infrastructure risk. His comments were shorter and pointed:

"Trust doesn’t happen overnight; trust doesn’t happen with the right set of talking points. Actions speak louder than words.

I don’t know we necessarily have the trust framework in place for a number of these actors to clearly communicate where they are particularly with secure-by-design security.

We’re focused on a strategic risk assessment that is actually agnostic to any player, any company. But where are the points of introducing risk into the 5G environment, and what are the points of intervention?

Because let’s be clear, this is not about one country, about one company. This is about an infrastructure deployment that if something is introduced, by design, with leaky kit, it’s not just one player that’s going to take advantage of that; there will be a host of players. So we really want to drive down to secure fundamental planning.”

Top 3 cyber threats to the United States

So what are the top three cybersecurity threats to the United States? This press briefing reminded me of an interview I did at SecureWorld Detroit with the former Director of Operations of U.S. Cyber Command. 

Major General (Ret.) Brett Williams explains the differences between the cyber threats posed by China, North Korea, and Russia. Watch: 

[RELATED: 4 Strategies for Global CISOs and Security Teams

Comments