Home / Blogs

5G Security Transparency

There is considerable rhetoric propagated today about 5G security. Some of the more blatant assertions border on xenophobia with vague assertions that the 5G vendors from some countries cannot be trusted and wholesale government banning is required. Existing treaty obligations are being summarily abrogated in favour of bilateral trade bullying. These are practices that the late President George H.W. Bush sought to eliminate a quarter century ago through intergovernmental organization initiatives that relied on industry collaboration. Bush 41’s efforts were enormously successful and opened up a new world of global communication services, products, and economic growth—that are now being systematically undermined. As the world transitions to 5G global communications, the adverse effects of unilateral national isolationism will be profound.

Fortunately, open global industry collaboration is more active today than at any point in history—especially now for 5G security. It is that collaboration that also provides significant 5G security transparency today. That transparency is more essential than ever.

Metrics of 5G Security Collaboration

To provide some degree of transparency on the subject of 5G security and who is actually devoting resources to taking action, we are somewhat fortunate that there is one principal global industry venue that is intensively devoted to the subject—the 3GPP organization’s group SA3. Its remit is exclusively security, and there are 17 current Release 16 work items that are devoted to every aspect of 5G product and service security, including supply chain management.

As opposed to other standards bodies, 3GPP’s are essentially mandatory, and some are overseen by the industry’s global provider and vendor organization, the London-based GSMA. As a result of this stature, the work is extensive, dynamic, and globally inclusive.

During 2018, the SA3 held seven meetings lasting five days, roughly 60 days apart, in the U.S., Europe, and Asia. Arguably, the metrics of participation in these 2018 meetings are transparent indicators of the companies, agencies, and organizations interested and substantively involved in bringing about 5G security and willing to devote resources. In addition, because this open industry activity involves the participants making their Intellectual Property available for collective public use, the input metrics are indicative of the willingness of parties to share their 5G security IPR.

During 2018, 74 different companies (including their subsidiaries) plus a few agencies, sent technical experts to the seven SA3 meetings, expending 2,676 staff days and submitting 3,582 documents devoted specifically to 5G security specifications and liaison communications. The metrics for the top twenty participating entities are shown below and can be openly obtained from the SA3 portal site. These numbers are significant because they demonstrate who is willing to expend monies to have an employee present the most important industry 5G security meetings rotating across three continents, including three in the U.S.

Staff daysEntity
140China Mobile
70BT plc
50Deutsche Telekom
50ZTE Corp

Among government agencies, UK’s NCSC is found in the top 20. The three USGOV agencies—DHS, NIST, and FCC - together expended 60 staff days.

Another measure of substantive engagement—input document contributions to the 5G security standards and studies in 2018 are shown below. The numbers reflect the entity individually or collectively contributing a specification or study proposal or text. These numbers are significant because they indicate the degree of substantive engagement in 5G security provisions.

510Nokia Shanghai Bell
180China Mobile
152ZTE Corp
90Deutsche Telekom
54China Unicom
53LG Electronics

Here also, many of the same parties are found in the top 20 because contributions require the attention of participant staff. Among USGOV agencies, NIST provided 9 submissions, and the FFRDC, MITRE, submitted 9.

5G Supply Chain Management

Among the many SA3 5G security standards, the one most related to contemporary security supply chain threat rhetoric is the Security Assurance Specification for 5G (SCAS_5G). The 3GPP activity is an extension of an initiative begun in SA3 nearly five years ago based on material from the Common Criteria Control Board to develop a global industry-driven mobile Network Equipment Security Assurance Scheme (NESAS) for equipment supply chain management using a Security Assurance Methodology (SECAM). The managing and accrediting body is the GSMA.

Here also, the contribution metrics show the stark reality both over the past five years as well as today - the U.S. government chooses to completely ignore the principal global activity for supply chain management.

Fourteen parties participated in 2018 in submitting 92 input contributions for developing the 5G Security Assurance specification.

3British Telecom
3China Mobile
3China Unicom
11Deutsche Telekom
39NEC Corporation
10ZTE Corp

The FCC Supply Chain Proceeding and Advisory Committee

Global industry standards activities are not the only forum for treating 5G security. The FCC also instituted a rulemaking making proceeding in March 2018 to consider Commission rules related to supply chain management—especially 5G equipment. See WC Docket No. 18-89. Most of the 84 comments filed in the docket to date have expressed a preference for collaborative industry solutions rather than political-driven edicts.

Additionally, the Commission’s own industry advisory group, CSRIC, in its Final Report of the Network Reliability and Security Risk Reduction Working group in March 2018, “recommend[ed] that the industry continue to participate in industry and standards forums and adopt the GSMA recommended controls to address emerging security risks as part of their overall 5G and IoT security approach.”

New Threats to Global Industry 5G Security Collaboration

Decades ago, the United States was a leader in global ICT industry collaboration which including collectively developing the security specifications expanding the markets for worldwide growth and trade in equipment and services. That dynamic is alive and well today in 3GPP SA3 and many other venues, even if the participants have changed, and the U.S. government agencies have disengaged. There is an enormous amount of travel and personal sacrifice endured by the individuals involved.

Eight years ago, three Google executives while traveling in Italy, were apprehended because one of their company’s offerings allegedly violating a local law. Their trial and imprisonment generated industry widespread outrage. Today, the same has recently occurred to another global ICT company executive from another part of the world. Such governmental actions are serious threats to everyone engaging in global industry security collaboration.

By Anthony Rutkowski, Principal, Netmagic Associates LLC

The author is a leader in many international cybersecurity bodies developing global standards and legal norms over many years.

Visit Page

Filed Under


You say "Fourteen parties participated in 2018 Larry Press  –  May 24, 2019 10:29 PM

You say “Fourteen parties participated in 2018 in submitting 92 input contributions for developing the 5G Security Assurance specification,” but the following table shows a count of 171. Does the table include prior years?

metrics explanation Anthony Rutkowski  –  May 26, 2019 4:40 AM

The numbers in the table are “disaggregated” participation values.  A number of the 92 input contributions were joint submissions.  The table reflects a process of taking all 92 and breaking up the joint submissions and then adding up the resulting submitter values.  The table only includes 2018.  In addition, the specification is only one of many security specifications, albeit directed specifically at security assurance.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign