Schneier: "It's really too late to secure 5G networks"

Bruce Schneier's Foreign Policy essay in 5G security argues that we're unduly focused on the possibility of Chinese manufacturers inserting backdoors or killswitches in 5G equipment, and not focused enough on intrinsic weakness in a badly defined, badly developed standard wherein "near-term corporate profits prevailed against broader social good."

Schneier points to a variety of factors contributing to 5G's intrinsic, irreparable unsuitability: first, the US government pushed for weaker security in order to ensure that it could conduct domestic surveillance; the standards themselves are so complex as to be impossible to implement securely; and the system calls for software running on dynamically configurable hardware, which "dramatically increases the points vulnerable to attack."

Moreover, 5G is backwards compatible with earlier protocols, inheriting all their insecurities, and generating new ones where these protocols' weak spots can be chained together to create attacks that each protocol was, in and of itself immune to, but which the system remains vulnerable to.

Schneier points to the degree to which security in 5G is both optional and an afterthought as reasons for this fundamental insecurity. He also suggests that merely using secure protocols -- end-to-end encryption, for example -- will not be sufficient to defend ourselves against the problems in 5G, as mobile operating systems, baseband radios and other components will remain vulnerable.

But keeping untrusted companies like Huawei out of Western infrastructure isn't enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standardsthe protocols and software for 5Gensure that vulnerabilities will remain, regardless of who provides the hardware and software.