
5G and Zero Trust Networks


Kathryn Waldron
Former Resident Fellow, Cybersecurity and Emerging Threats
Jim Baker
Former Director, National Security & Cybersecurity; Resident Senior Fellow

Key Points

Protecting the global digital ecosystem is crucial to national security.

Switching to a zero-trust network paradigm is imperative to protecting the digital ecosystem.

To truly adopt a zero-trust network approach, the government needs to embrace strong encryption.



As the public health and economic crises resulting from COVID-19 have revealed, global society depends heavily on a complex and multifaceted digital ecosystem. Such dependence may be existential; that is, society would be crippled and lives lost if that ecosystem collapsed for a significant period of time. At the very least, governments would find it exceedingly difficult to protect the health, safety and welfare of their citizens, while public and private sector entities would struggle to meet basic needs, such as food delivery and the provision of electricity, water, heat and cooling. In particular, the most vulnerable people in society—the elderly, young children and those who are infirm or disabled—might not survive a prolonged and widespread internet failure. All of this is especially true in the current crisis where society is under tremendous strain. In light of this, ensuring the safety and security of the digital ecosystem and the confidentiality, integrity and availability of the communications and other data transmitted, processed and stored on that ecosystem is an essential government function. However, governments cannot go it alone, as they depend heavily on the private sector companies and individuals who own and operate most of the internet.

As a result of the ongoing rollout of fifth-generation (5G) wireless technology, the digital ecosystem will undergo significant changes. At this early stage, it is difficult to ascertain exactly what these changes will look like and what broader impacts they will have on society. But, given the vast improvements 5G will bring, the ability to receive more data, faster, will likely make us even more dependent on technology, while increasing the need for data security. As a result, network providers, operators and device manufacturers will have to respond in various ways.

The inherent design of global 5G networks will include numerous security enhancements over prior generations of wireless technology. For example, they will employ high-quality encryption to protect the content of—and certain metadata associated with—wireless communications as they are transmitted. This will close a long-standing security gap that enabled malicious actors to acquire unique identifying information about devices transmitting on wireless networks. Nevertheless, several unresolved 5G security gaps likely will exist with respect to both hardware and software elements of the network. As a result, from a risk-management perspective, it makes sense to presume that some important parts of the network will be untrustworthy.

Addressing this trust gap effectively requires rethinking internet security in some fundamental ways, including the adoption of a Zero Trust approach to some elements of the internet itself, and consistently using strong—that is, well-designed and properly implemented—quantum-proof, end-to-end encryption of all data on 5G networks. This includes encrypting the content of communications and as much of the external routing and metadata as possible.

Accordingly, the present study discusses the application of the Zero Trust Network (ZTN) concept to 5G wireless technology. In particular, it focuses on employing a Zero Trust model combined with strong encryption to help mitigate some of the risks associated with the confidentiality, integrity and availability of data—three important concepts in the field of information security—in a 5G environment.

To do so, we use the National Institute of Standards and Technology’s 2017 Risk Assessment strategy to assume (rather than debate) these threat vectors. We then propose the “Zero Trust plus strong encryption” model as a methodology for reducing cyber risk more effectively going forward.
