Q&A with Dr. Charles Clancy, executive director of Virginia Tech’s Hume Center for National Security and Technology, engineering professor, and author
TPG: Tell us how you’re involved in cybersecurity for telecommunications.
CC: I have been working at the intersection of cybersecurity and telecommunications for the past 20 years. When I was a PhD student, WiFi technology was new and the research group I worked with at the University of Maryland was on the forefront of exposing many of the design flaws in early WiFi encryption. These early experiences led me to work in standards bodies to correct many of these flaws and conduct research on how future telecommunications systems could get ahead of security issues.
5G is particularly exciting because the focus put on security as part of its development is head-and-shoulders above its predecessors. Not only does it significantly improve security of the 5G network itself, it also creates an environment wherein 5G networks will help tackle cybersecurity threats to consumers of the technology.
TPG: What can be done to block robocalls and spam calls?
CC: Robocalls are a huge nuisance. Networks and phones cannot easily block them because there is no security behind Caller ID. With telephony infrastructure now being almost entirely digital, spammers can put software in the cloud that can originate calls and spoof whatever source phone number they want.
Tackling this problem is multi-faceted and includes both technology and regulatory components. An early success is the “do not originate” list, which is a set of phone numbers that should never make outbound calls. For example, the IRS 1-800 number never makes outbound calls, but scammers who spoof that number can make people believe they really are the IRS. Using a “do not originate” list, networks can block these calls.
There is a wide range of new reputation smartphone apps that can help warn you when you receive an inbound call from a spammer, but they all rely on Caller ID. A new framework entitled SHAKEN and a standard entitled STIR (collectively known as “SHAKEN/STIR”) use public key infrastructure (PKI) to digitally sign Caller ID records at the origination telco, and then can verify that signature at the point of termination. This provides the phone call equivalent of the “verified” checkmark in social media, allowing apps to better inform citizens as to the legitimacy of calls.
TPG: Tell us about how communications are dependent on PKI.
CC: Certainly, the Internet has relied on PKI as a core to its security since the advent of the Secure Sockets Layer (SSL) protocol and its successor Transport Layer Security (TLS) protocol. This has led to the well-known web-PKI and vast network of Certificate Authorities (CAs) that serve as the roots of trust on the Internet. These technologies have become standard across almost all Internet communications.
However, PKI has historically not been used as part of the control plane of telecommunications infrastructure. Historically, pre-shared symmetric keys (PSKs) have formed the basis of trust for everything from securing roaming interfaces among carriers (IPsec and Diameter) to SIM cards used to mutually authenticate cell phones and wireless carriers.
5G, however, breaks this paradigm. Market-specific “slices” of 5G can choose to use other types of security, such as EAP-TLS for authentication. For example, a slice designed for connected and autonomous vehicles (CAVs) could issue PKI certificates to cars that are used to authenticate them to the 5G CAV slice. Certainly, traditional SIM cards will still be a major part of 5G, but PKI is an option now too for certain markets.
Additionally, 5G is a “cloud native” technology. The entire core network design is based on web services. Each logical component of the core network is a microservice running in an elastic cloud. Thus, 5G leverages HTTPS as the primary security model among core network services. This means that wireless carriers will need hundreds to thousands of PKI certificates within their core networks, and a new set of CAs will be needed to globally sign the security proxies that sit on the edge of the network and secure international roaming interfaces.
TPG: How else will 5G improve secure communications?
CC: 5G offers several key security improvements over older generations of wireless technologies. In addition to new subscriber authentication models and a completely redesigned core network security framework, 5G adds new subscriber privacy extensions to thwart IMSI catchers.
IMSI catchers are fake base stations that lure phones into connecting for the express purpose of harvesting the unique identifier from their SIM card, known as an IMSI. These devices can be used by law enforcement agencies and intelligence services to track individual devices and by extension, their owners. In 5G these identifiers can now be encrypted.
The approach uses a modified version of Diffie-Hellman Ephemeral (DHE). The carrier has a fixed set of Diffie-Hellman (DH) parameters that are digitally signed by a CA and stored on the SIM card. The device then picks random DH parameters and generates an ephemeral key used to encrypt its unique identity. As a result, the base station is never able to see that globally unique identity — another way that PKI is improving 5G security and privacy.
TPG: How is the U.S. faring in the global 5G race?
CC: One of the key concerns around 5G security is the security of our supply chain. Over the past two decades, the North American telecommunications OEM ecosystem has withered with giants like Motorola, Nortel, and Lucent all being broken up, going bankrupt, and being sold to foreign companies. The ecosystem has fragmented into the EU suppliers Ericsson and Nokia, and Huawei in China. Trends show Huawei’s market share continually increasing while that of the EU companies continually drops. Chinese companies now dominate standards bodies like 3GPP.
This creates complex dynamics as the US and its allies seek to roll out 5G. There is considerable anxiety that global adoption of Huawei technology could leave the Internet fabric itself vulnerable to Chinese manipulation and exploitation. China does not have a good track record when it comes to hacking, censorship, and intellectual property theft.
The next few years will be interesting as questions of economic and national security, technology leadership, and global competitiveness collide. Legislation percolating through Congress anticipates developing a national strategy in 5G. Expect some significant investments in R&D that will help shore up US leadership in certain areas and help catapult us into having a global mandate for 6G.
TPG: What do you see as the biggest cyber threats to national security?
CC: The biggest threats sit at two opposite ends of the spectrum: basic cyber hygiene and digital literacy among the US population, and sophisticated nation-state attacks from Russia, China, and others.
The National Security Agency (NSA) has stated that over the past few years, none of the big data breaches have involved use of so-called “zero day” attacks, which leverage undisclosed vulnerabilities in software to hack into systems. Attacks have all relied on combinations of social engineering and exploitation of vulnerabilities that were known and for which patches were available. Thus, in some respects, the biggest threats are actually quite mundane: people need to not fall for phishing emails, and IT administrators need to make sure systems are patched and software is up-to-date.
At the other end of the spectrum, China and Russia in particular have developed sophisticated cyber arsenals. China has generally focused on stealing corporate intellectual property and national secrets to enable their economic objectives. Meanwhile Russia has sought to establish covert access to the US power grid and other critical systems, and use weaponized social media to polarize the US population against itself. Tackling these issues requires a national strategy and leveraging the full set of diplomatic, law enforcement, and national security tools.
TPG: What network security advice do you have for enterprises?
CC: Enterprises need to understand the difference between security and compliance. The past decade of cybersecurity best practices has focused on checklist-based compliance with the goal of establishing a threshold level of security across the Internet. Looking forward, the next step is broad adoption of risk-based management (RBM) approaches to cybersecurity.
Every enterprise has a different risk profile. Probabilities of being targeted by sophisticated hackers vary, as do the financial, reputational, and other impacts if a breach does happen. RBM helps enterprises sort through these trades. MITRE ATT&CK is an example of a tool that can help enterprises tackle this domain.
TPG: Do you see PKI continuing to be a big part of security infrastructure?
CC: I think there are two big potential disrupters: blockchain and quantum computing.
Blockchain catapulted onto the scene a few years ago and new applications beyond cryptocurrency pop up every day. Fundamentally, the technology allows for a digital signature-like function without reliance on PKI. Undoubtedly the security for certain applications will migrate from PKI to blockchain in the coming years, but blockchain is not a panacea and there are many things that only PKI can do, or PKI can do better.
The other big disrupter is quantum computing. Projections show that between 2028 and 2035, quantum computers will be sufficiently powerful to crack RSA encryption keys, the most common keys used in PKI today. If the complex math problems that relate a private key to a public key can be solved quickly, knowledge of someone’s public key allows a hacker to compute the corresponding private key. NIST is currently working on standards for new PKI ciphers like NTRU that are immune to quantum computing and expects to have them available in 2022. This leaves a narrow window to update all the PKI across the entire Internet.
One interesting scenario is to begin the process now to migrate software update security to blockchain. If the integrity of a software update can be validated using blockchain rather than a digital certificate, then we have a secure path to patch systems starting in 2022 with new quantum-resistant ciphers as they become available.
TPG: You have more than 20 patents and 200 academic publications. What is one that you’re especially proud of?
CC: My patents, publications, and Internet standards have all been a team effort supported by my colleagues and students. Some of my most notable contributions have included creating the first public-key encryption scheme that uses a biometric fingerprint as the private key, establishing the first threat model for attacking artificial intelligence algorithms used to control cognitive radios, and more recently the foundational publications on using deep learning techniques to perform signal processing much more efficiently than all the algorithms conceived over the past century of radio engineering.
TPG: As an avid entrepreneur, tell us a bit about your startups.
CC: Over the past several years I have had the opportunity to take innovative research happening at Virginia Tech and spin it out into companies that can advance the technology into commercial products.
My first startup, Optio Labs, developed a hardened version of Android that met all the military security requirements for storing and processing classified data, and was used to create the only Android device ever approved for classified communications. While it solved an important problem, the market for such devices was too small to make a profitable, sustainable company. Lots of lessons learned along the way.
Federated Wireless launched in 2012 with the goal of enabling spectrum sharing between military radars in the 3.5 GHz band and commercial wireless operators. Seven long years later, the FCC gave final approval to take the system operational in April 2019. Federated Wireless is now the cornerstone of enabling shared spectrum, and as both US and international regulators begin looking at spectrum sharing in other bands, the company has a bright future in front of it.
HawkEye 360 was formed in 2015 and, in December 2018, launched its first three satellites into orbit on a SpaceX Falcon 9 rocket. These satellites are equipped with software-defined radios that detect, identify, and localize wireless transmissions from the earth. They are able to quickly track down sources of interference, geolocate transponder beacons, and provide unique insights into markets like maritime shipping and logistics. Six more satellites are expected to be launched in the next year, which will allow the company to observe more parts of the earth simultaneously and reduce response times.