
TLP: GREEN

National Cyber
and Information
Security Agency

Ref. No.: 2605/2019-NÚKIB-E/310  BRNO  26. SEPTEMBER 2019


THREAT ANALYSIS

FIFTH GENERATION NETWORKS: NEW OPPORTUNITIES IN INDUSTRY AT THE COST
OF INCREASED RISKS FROM SUPPLIERS

SUMMARY
• Fifth-generation (5G) telecommunications networks represent the next stage in the development of mobile
communications. The use of new technologies as well as new, as-yet unused, parts of the radio spectrum will
bring more effective mobile data transmission and decreased latency, and enable significantly greater
numbers of devices to connect concurrently.
• Besides the immediate benefits, 5G networks will likely facilitate the broad development of automated
industry, autonomous transport and other sectors, which might consequently become important pillars of
national economies. Although developments in these technologies are currently hard to predict, countries are
supporting 5G and creating conditions for its development to ensure their early access to its potential
opportunities.
• The complexity and decentralised nature of 5G networks, however, make it impossible to control all the
features effectively. An attacker could take advantage of them through key component suppliers if they have
a relationship with them or can influence them. The damage they could cause will be proportional to the
importance of the role of 5G in industry or other sectors and infrastructures.
• The Czech Republic does not have the capacity to become a 5G pioneer in the near future, either with respect
to its actual development or to its construction. Taking a long-term view, however, these networks can
become cornerstones of many sectors. The Czech Republic should therefore concentrate on a longer-term
strategy and build safe 5G networks in the first place, with emphasis on supplier trustworthiness, even if this
means higher costs and later rollout dates. It would be a much more difficult and costly process to try to ensure
the security of 5G networks retrospectively (by excluding already implemented technologies, for example).

WARNING: The information and conclusions in this analysis are based on information from partners of the
NCISA, publicly available information and information gained through NCISA activities at the time of its
publication. This cybersecurity analysis has been performed from the point of view of the NCISA and on the
basis of information available to it.

Fifth-generation (5G) networks are a successor to contemporary mobile telecommunications networks.
Besides better services for mobile-phone users (such as increased mobile data volumes and speeds), they
will bring new technological opportunities in industry, transport and elsewhere. Such opportunities will likely
transform and strengthen the economies of the states which use them. Many states around the world see 5G
networks as an advantageous investment for the future.

Figure 1: A compact 5G network microwave antenna
Source: rcrwireless.com

At this point in time, the Czech Republic does not have the preconditions to be a pioneer in 5G technologies
and benefit from the economic advantages resulting from such primacy. The Czech Republic should
therefore prioritise security over the speed of construction of these networks, which could become
an important future element of the Czech economy. Considering the necessity to purchase 5G technologies
from foreign companies, the approach should primarily be to choose reliable suppliers despite any
potential delay in implementation or increased costs.

5G NETWORKS: A PROBABLE BREAKTHROUGH FOR PHONES AS WELL AS FOR INDUSTRY AND TRANSPORT
Compared to contemporary networks, fifth-generation telecommunications networks will bring dramatic
capacity increases.1 Such increases should take place in four main areas:2 increased data rates, decreased
latency, increased number of devices which can connect at the same time, and FWA (Fixed Wireless
Access), which could locally replace connections via optical cable.3

Increased data rates and volumes represent the most striking 5G aspects for ordinary mobile-phone users. As
such, they constitute a favourite marketing argument for mobile operators.

Decreased latency is an area4 which does not bring any important changes from the perspective of ordinary
users, but which is likely to enable mobile networks to be used for new purposes. Decreased latency is seen
as a key prerequisite for the development of industrial robots, autonomous vehicles, drone swarms and other
applications, which require the fastest possible reaction times.

BOX 1: Latency
Latency is a term used to denote the time delay between action and reaction. In informatics, it is
perceived as the delay between the entering of a request and its execution. In the case of networks
and telecommunications, this delay also includes the time spent by the request on its way to the place
of execution and the time spent by the executed request on its way back.

The third area is the number of devices connected at a time (and a smaller loss in transmission baud rates with
a large number of connected devices).5 Increasing the number of devices which can be served at the same
time is crucial in the light of increasing population densities (in South-East Asia in particular) as well as for
the development of the Internet of Things (IoT) - devices communicating between themselves without
direct human participation. 5G networks will likely create opportunities for extensive IoT connections,
enabling not only the development of industry through new automation opportunities6 but also the easier
expansion of smart households, community services, smart cities, etc.

Fixed wireless access is the fourth area. This category includes data transmission for static devices. In
practice, it means desktop PC and household modem Internet connections. For short distances, 5G networks
should provide an alternative to physical connections to fibre-optic lines wherever the construction of
densely connected optical networks would be too costly (e.g. in urban conglomerations).

STATES SEEK THE ECONOMIC POTENTIAL OF 5G
Apart from mobile operators, states are the main promoters of 5G. Above all, they are motivated by
economic interests of both short- and long-term nature.7 The states which are the first to put 5G
networks into operation can benefit from the related advantages (“first-mover advantage”).8 The states
which first implement functioning and successful technologies can consequently set an example and
become exporters of their know-how and technologies to the rest of the world. An example can be found in
the Scandinavian states which, having pioneered 2G networks, became the world leaders in
telecommunications technologies and still benefit from this – albeit weakening – position to this day.9
China, on the other hand, is working to achieve the same position in 4G and 5G networks. The USA, South
Korea, and EU countries are also endeavouring to gain the status of 5G leader.10

BOX 2: 5G situation in the Czech Republic
Czech mobile operators are gradually preparing for the construction of commercial 5G networks, the
first parts of which might be available to the public after 2020. Vodafone and O2 have already
presented examples of 5G networks to the public at local demonstrations. While Vodafone used
hardware from Huawei and Ericsson for its demonstration, O2 only used hardware from
Ericsson.11 12

CURRENT 5G DEPLOYMENT: JUST A FRACTION OF THE POTENTIAL INNOVATIONS
Parts of 5G networks are already being tested around the world and became publicly available earlier this
year.11 Yet these elements primarily focus on ordinary mobile-phone and data users. So far, 5G
implementation has neglected other important aspects of these networks, such as the effective
decrease in latency and larger numbers of connected
devices.12 It should also be noted that 5G networks are not a single compact technology but a large group of
various components, and not all of them are ready for full deployment yet (e.g. the microwave antenna
network infrastructure).13 It might take over ten years to reach full 5G network development potential.

Most current tests are primarily performed at frequencies of around 3.4 GHz, i.e. the wavelength
closest to contemporary mobile frequencies, and rely on the existing 4G infrastructure (“non-standalone“ 5G
networks).14 The subsequent public deployment of 5G technologies can thus build on the existing 4G
infrastructure and technologies. High-performance short-range microwave antennas have been tested in
the USA. This is something of a necessity, as the frequency of around 3.4 GHz (used for testing in other
states around the world) is reserved for the army and federal authorities in the USA, which rules out their
commercial use at the moment.15 Another issue in the full deployment of 5G networks is infrastructure, which
is not mobile network infrastructure per se. In order to decrease latency, the 5G network design seeks to
transmit data via radio waves over the smallest distances possible and then to lead them through fibre
optic cables, which are not limited by the radio spectrum bands.16 This will require a fibre optic cable
infrastructure beyond the traditional scope of mobile networks (and usually beyond the responsibility of
mobile operators) if the potential of 5G is to be fulfilled.

TELECOM NETWORKS RISKS: WATCH THE SUPPLIERS
For easier understanding, it is possible to divide the risks to telecommunications networks (both 5G and its
predecessors) into two categories of potential attackers: external cyber-threat actors (states,
hacktivists and cyber-criminal groups) and suppliers (hardware or software suppliers and
service providers) with malicious intentions. External actors are attackers without access to the
telecommunications network infrastructure, who break into the network or penetrate it via a weakness
discovered independently of the producer. Suppliers include phone operators and technology suppliers who
have or can have access to the network, granting them a huge advantage as well as the ability to do significant
harm with less effort if they have criminal intentions. It should be noted, however, that this division is not strict
and both groups of attackers can be interlinked. For example, a state actor can misuse their influence on
suppliers and thus penetrate a network through them. Insiders – individuals working in the supply chain with
their own agenda, potentially for personal or economic reasons, or resulting from the interest of external
actors, pose another risk. Looking at the risks through the CIA Triad, the security of data sent via 5G networks
can be assessed as follows:17

Confidentiality: Confidentiality, i.e. ensuring that no actor has unauthorised access to data, is a problematic
aspect of telecommunications networks – this applies both to 5G and the preceding generations. The risk of
an attack from external actors is low,18 yet there is a significant risk from some suppliers or from their links
to state actors with potentially problematic interests, which could be against the interests of the Czech
Republic.

Even if communication is encrypted, network traffic produces large volumes of metadata,19 which might be
valuable for an attacker. Another problem is the possibility to retrospectively break encryption.
Encryption could also be broken in the future once the appropriate technical means have been developed
(e.g. quantum computers).20 If an attacker saves the data, they can be retrospectively accessed, and
information obtained in this way can still be retrospectively valuable to the attacker. For a supplier
with harmful intentions, the structure and actual nature of a telecommunications network are effective
tools for data collection.21

Integrity: Data integrity (i.e. the certainty that the data have not been modified by a foreign actor) is the least
threatened aspect in telecommunications networks, provided that end-to-end encryption is used.22 Data
are only in a network for a short time and are thus less vulnerable. An attacker is only able to threaten data
integrity in real time if they have the encryption key or another form of backdoor allowing fast decryption.

Figure 2: The CIA Triad for cybersecurity
Source: NCISA

Availability: Data availability is the primary vulnerability of telecommunications networks. Although the
decentralized nature of a network increases its resilience to external threats, the strengthened role of
a supplier increases the vulnerability of 5G networks to them. Suppliers have a significant advantage in their
potential efforts to disrupt data availability in the form of direct control over the network or the possibility to
control any of its components via a backdoor, etc.23 If an operator, supplier or attacker decommissions key
parts of a network from outside, important data transmitted through the network will almost certainly
become unavailable.

5G NETWORK STRUCTURE FACILITATES HIDING BACKDOORS
Although 5G networks do not come with any new fundamental weaknesses and, on the contrary,
strengthen security features against external attacks24, they show increased vulnerability to abuse by
suppliers. This vulnerability mainly originates in the increased complexity of the computational devices
required for a 5G network to function.25 The devices may contain weaknesses of both a hardware and
a software nature. Any unintentional or intentional security weaknesses increase the risk of attack by
external actors and, above all, can be abused by suppliers. As a report by the oversight board of the
Huawei Cyber Security Evaluation Centre (HCSEC) in the United Kingdom pointed out, even a developed
country does not have the technological capacity to perform timely controls of a sufficient number of a
supplier’s products.26 Computational devices included in 5G infrastructure could therefore contain
weaknesses intentionally hidden there by the supplier and impossible to be effectively found and eliminated.
Yet these computational capacities are essential for the operation of 5G networks. High computational
performance is required by the antennas which apply signal beamforming, one of the key features of 5G
networks (see Annex 2).27 It is highly unlikely that a state could test whether any of these devices contain
a software or hardware weakness hidden there by its supplier. Consequently, it must rely on the trust in its
supplier of those technologies.

Another problematic security aspect is the absence of effective division into edge and core to decrease
latency.28 The new decentralized structure makes it impossible to divide networks into core and edge,
which enabled the preceding generations of networks to prevent the introduction of untrustworthy suppliers
into sensitive parts of a network (core) and to allow them to participate on the edge only, where the risks
are significantly lower. Potentially sensitive data can likely be run through any part of a 5G network and
misused by a supplier.

Another risk linked with 5G is the emphasis on the development of the Internet of Things (IoT). Allowing
large numbers of IoT devices into a network will likely mean a substantial vulnerability, as IoT devices have
long had a problem with very low security standards.29 Such devices connected to a 5G network can become
a weakness enabling attacks on other components.

5G FUTURE: TRANSPORT AND INDUSTRY REVOLUTION
There are more primary incentives for developing 5G networks and to be the first to introduce them than
just the benefits of the networks per se. The opportunities brought by 5G are important for the
development of other technologies. These are, however, downstream technologies, which are more
like concepts at this point in time, while the future reality of their wide deployment may be limited by
many issues which cannot yet be fully anticipated.

According to 5G promoters, the decreased latency and expansion of possible connections are key for many
new technologies and industrial sectors, as well as a potential building block for the new fourth industrial
revolution, known as “Industry 4.0”.30

Figure 3: Industrial revolutions in history
Source: NCISA

A dramatic increase in the number of connected devices will provide space for the development of the
Internet of Things. The application of these principles in industry (IIoT – Industrial Internet of Things)
combined with very low latency will provide potential for unprecedented production and logistics
automation opportunities. While automation still applies to individual processes and production lines,
5G networks could facilitate the development of entirely automated factories. The individual elements
of the factory will communicate with each other, automatic warehouses will distribute raw materials,
and control units will continuously evaluate the state of production. Besides reducing employee demands,
such a degree of automation will bring dramatic increases in efficiency and optimization.31

Transportation is another sector which might be significantly changed by 5G networks. Autonomous
vehicles already exist, but their characteristics and situation awareness could significantly improve thanks
to the connectivity and low latency of 5G networks.32 Today’s autonomous vehicles primarily depend on
onboard sensors and hence only see their immediate surroundings. The fast mobile data transmission, low
latency and connectivity of 5G networks could change this. Vehicles (both autonomous and human-driven)
could share information from their onboard sensors with each other and hence increase the situation
awareness of road users. Similarly to IIoT, with interconnected vehicles new opportunities will open
up for optimization – route adaptation based on reported traffic jams, departing from lanes in advance
to let emergency vehicles pass, etc.33

We still need to consider, however, that latency is crucial for autonomous vehicles (tenths of seconds can
play an important part in traffic) and 5G technologies have a very short range for communication with low
latency (microwaves, approx. 24 GHz). Sceptics point out that this is impractical and unreliable for vehicles
moving fast and over long distances.34 Consequently there is also a realistic possibility that there will be no
autonomous driving revolution based on 5G networks.

Besides the motor vehicle transport sector, 5G promoters also expect development in drones and
drone swarms (as with road vehicles, the ability to quickly share data is vital here), virtual reality and
remote surgery. However, we should also consider that, as with road vehicles, these technologies also rely
on microwave antennas, whose blanket use may be problematic due to their very short range and poor
throughput.35

NEW TECHNOLOGIES WILL COME WITH NEW RISKS
The development of new technologies based on 5G networks will highly likely pose new risks, such as
industrial espionage or the possibility to bring traffic to a standstill. Industry 4.0 will likely be vulnerable
through entirely new opportunities for industrial espionage. Supposing that interconnectivity and
automation will provide entirely new opportunities in optimization and production efficiency, they will also
make these procedures a valuable industrial-espionage target. It is highly likely that in the future
control software and schedules of service robots will be of greater value to an attacker than the actual
know-how of product manufacturing. The disruption of 5G networks would likely allow valuable data about
the operations of automated facilities to be obtained (even if communication is encrypted – the metadata
generated by operations can be of great value in such cases). The worst possible scenario sees whole
factories stolen and copied – if attackers were able to copy all the software and subsequently acquire the
appropriate hardware, they could in theory completely copy entire production plants without any knowledge
or expertise in the given field of production.36

Disrupting the security of a 5G network transmitting signals for autonomous transport could provide
significant offensive opportunities. The disruption of 5G services could impair the flow and safety of traffic.37
In the worst case scenario, traffic would be sabotaged and traffic accidents intentionally caused. Although
such a possibility is unlikely, it could have significant impacts if it materialized.38 Similar disruption of
operation might also be applied to drones relying on the 5G infrastructure if massively deployed.

Figure 4: A scheme of transport coordinated using 5G network microwave antennas
Source: Techspot.com

IMPLICATIONS FOR THE CZECH REPUBLIC: SUPPLIER TRUSTWORTHINESS AS A PRIORITY
The Czech Republic does not have the capacity to develop 5G technologies of its own and will need to
rely on imports. It is not in a position to gain advantages from pioneering either. The best option is
therefore to prioritize long-term security, to construct 5G networks with deliberation, and to carefully choose
suppliers.

This situation is not unusual, either around the world or in Europe, because 5G technologies (and modern
telecommunications technologies in general) are highly sophisticated products and only certain
companies will be able to supply them.39 The Czech Republic will therefore need to import the
technologies and have to accept the standards of such imported technologies. This decreases the potential of
the Czech Republic to become a 5G-network pioneer with the related opportunities and economic benefits.
In addition, the companies producing 5G components are at different levels of development with respect to
the various aspects of 5G networks.

Map 1: World’s leading 5G technology suppliers
Note: Qualcomm supplies key components such as processors and miniature radio antennas, but not
comprehensive 5G solutions
Source: Technavio.com

Choosing a supplier based on their trustworthiness may thus translate into higher prices of some
components and later delivery dates. Other factors, such as the time required for awarding a building
permit, also do not favour fast 5G implementation in the Czech Republic.40 5G networks will require massive
extension of fibre optic cable infrastructure, where the Czech Republic is already lagging behind.41

BOX 3: Different 5G technology suppliers offer various options
Today, only a limited number of suppliers offer technologies for constructing 5G networks (see
Map 1). The prices offered by these suppliers and their technological levels differ (some companies
will be able to deliver 5G networks sooner). They also come from different states, meaning their
legal systems imply various security and economic impacts.
It is therefore possible that the most trustworthy supplier is neither the cheapest nor the fastest.
Although the number of suppliers will likely grow in the future, the current ones are likely to remain the
leaders and shape the final 5G standards.

5G networks are an investment for the future. If their potential is fulfilled, they are likely to become the
cornerstones of the economy, transport and other sectors in the coming decades. It is therefore better for
the Czech Republic to construct 5G networks with deliberation and maximum emphasis on security, even
though this might imply higher costs or longer deployment. It would likely be much more costly and
also extremely difficult to try to secure the 5G networks retrospectively.42 Although the Czech
Republic is unlikely to be able to directly influence the development and construction of 5G networks
through technological development, it can still participate in the international process of regulating
the secure development of 5G networks. The Czech Republic has already made the first important step in
this aspect by holding an international conference on 5G security in Prague at the beginning of May 2019
(see Annex 3).

RECOMMENDATIONS
The Czech Republic does not have the prerequisites to
become a 5G leader in the near future. Over the long
term, however, these networks will likely play an
important role in many Czech sectors. The Czech Republic
should therefore concentrate on a longer-term strategy
and ensure that secure 5G networks are constructed in
the first place; such networks will provide reliable support
for the future development of the Czech Republic.

• The new opportunities provided by 5G networks
will likely facilitate massive developments in
production automation, autonomous transport,
commercial drones and other applications
currently hard to predict.

Since the Czech Republic will need to import the 5G
network technologies and considering their potential
future importance for the running of the state and
economy, it is essential to secure a group of suppliers
which are as reliable as possible, which supply a quality
product and which will not abuse their power.

• 5G networks cannot be controlled effectively.
The number of computational features and
sophisticated functions practically prevents the
state from testing the individual components.
Supplier trustworthiness is thus absolutely
crucial.

Supplier reliability should be preferred over both price and
delivery time because this is a strategic investment for the
future. Suppliers should therefore be selected not only on
the basis of price and delivery time, but also with respect
to security and trustworthiness. Above all, a supplier’s
motivation to carry out industrial espionage or hostile
military activity against the Czech Republic or its allies, and
their willingness or duty to cooperate with the intelligence
service of their home country should be considered.

• A conference on 5G-network security was held in
Prague on 2 and 3 May, resulting in a set of
recommendations on how to secure 5G
networks, including the approach to suppliers.
According to the recommendations, it is of key
importance to prioritize the security of 5G
networks, even if the costs are higher, to
emphasize supplier trustworthiness, and to
carefully analyse the risks related to individual
network components. By observing these
recommendations, both supplier and overall risks
can be reduced.

ANNEX 1: HISTORY OF MOBILE NETWORK GENERATIONS


Mobile network technologies can be divided into several generations (“G”); each G brought about a qualitative leap
and the development of new services: wireless calling, SMS and two generations of mobile internet. This division is
not strictly rigid and to a large extent is a product of mobile operators’ marketing. Nevertheless, this division is
sufficiently accurate to provide an orientation in the basic features of mobile networks and their historical
development.

1G: The first network which can be considered mobile was launched in Japan in 1979. It was still intended for
phones in vehicles but already had some features which are natural parts of contemporary mobile networks. The
network had Tokyo divided into “cells”, which served the mobile phones within their reach, handing over the callers as
they passed from one cell into another; they also worked without human telephone operators. The first networks
for truly mobile calling were launched in Norway and Sweden in 1981. In 1983, the USA followed the Scandinavian
countries. These technologies then spread to Malaysia and other countries. Yet the first-generation networks
suffered from many problems. Being purely analogue, they did not efficiently work with the spectrum, did not allow
any form of encryption, and the phones were heavy and impractical. They rather served as a sign of social and corporate
status than a widely used technology.43

Table 1: Evolution of mobile network generations
Source: NCISA and its partners

2G: In 1991, Finland was the first to launch a second-generation network and thus secured a dominant position in
telecommunications technologies as well as great economic success for itself and for Scandinavia for the following
decade. 2G networks brought more efficient digital transmission, the possibility for encryption, and the first data
transmissions allowing the sending of short text messages (SMS). By the end of the 1990s, phones were compact
enough for normal use, without external antennas, and at prices affordable for the public. The main difference in
the deployment of the first and second generation was the rise in international cooperation. While the first
generation brought forth many competing and mutually incompatible technologies, the 2G networks were
constructed according to the internationally accepted GSM (Global System for Mobile communications) standard
from the very beginning. This standard was accepted by most countries constructing 2G networks (the most
important exception being the USA). It was consequently possible to make calls to the networks of other operators
and to other countries. These possibilities made mobile telephones much more practical and, hand in hand with
miniaturization, led to mass deployment.44

3G: The third generation of mobile networks again took international cooperation in the creation of standards
further, through the 3GPP (“3rd Generation Partnership Project”). The main goal of the third generation was to
develop multimedia functions, such as video calls and mobile internet access. Despite certain progress in this area
having already been made through technologies added later to the second generation (sometimes called 2.5G), 3G was
supposed to be a real leap in quality. The first 3G network was launched in Japan in 2001, yet in the end there was
next to no commercial interest in the functions of 3G networks. Mobile phones were still too impractical compared
to larger devices for surfing the Internet efficiently, and data were expensive and limited by volume. The interest in
multimedia grew with the arrival of the Apple iPhone 3G, the first phone to offer a sufficiently large display and
comfortable control for Internet surfing. The resulting growing demands on the mobile Internet meant that the 3G
network was no longer sufficient.45

4G: Demand for larger mobile data volumes and speeds that could offer surfing as comfortable as on home
fixed connections triggered the creation of a new generation of mobile networks. Larger data transmissions were
made possible primarily through efforts leading to simplification and greater efficiency through “smart”
components, which allocated parts of the spectrum effectively according to demand. 4G networks use the same
system of IP addresses as the Internet, so communication is not handed over to other systems as in the case of 3G
networks. Another change was adoption of the long-term evolution (LTE) approach, which preferred the gradual
development of networks over technological leaps. In 2008, the 3GPP group issued standards for fourth generation
networks. The first network of this kind was launched in Stockholm and Oslo in Sweden in 2009. Nevertheless, it
took several more years before the performance of 4G networks exceeded that of the existing infrastructure.46

ANNEX 2: TECHNICAL SPECIFICATIONS OF 5G NETWORKS COMPARED WITH PREVIOUS GENERATIONS

For fifth-generation networks to transmit larger volumes of data, decrease latency and increase connection
numbers, they need to employ several new technologies and procedures and be based on a different architecture
than the currently existing networks.
The first important innovation compared with existing networks is the use of new parts of the radio spectrum. In
Europe, 5G networks will use the following three new parts of the radio spectrum: a long-wave radio band of about
700 MHz, a medium-wave band of about 3.4 GHz, and a short- (micro-)wave band above 24 GHz. Each of these
newly used frequencies has different properties to serve the individual aspects of various parts of 5G networks.
- 700 MHz band: low frequency, known as “Sub6” in 5G terminology (i.e. under 6 GHz). Data transmission is
slow but the data penetrate almost anything and have long range. Ideal for IoT devices, which do not require
low latency.47
- 3.4 GHz band: the communication band closest to the frequencies currently used. Most of the current 5G
development and the first launched networks work at frequencies around 3.4 GHz. The main novelty here is
not the frequency used but rather the communications technology, as “beamforming” is arriving on the
scene. The point is that antennas using this technology can direct a signal to a specific user and thereby make
network operation significantly more efficient.48
- 24 GHz band: the first deployment of microwaves in mobile networks, known as “Millimetre Wave”.
Microwaves allow the transmission of enormous volumes of data with low latency to a large number of users.
Yet these benefits come at the cost of very short range. Regarding their properties, microwaves are similar
to light. In practice, this means that the range of microwave antennas is only a few hundred metres, and the
signal has problems penetrating not only walls but even vegetation or just heavy rain. To ensure stable
coverage, an antenna must be placed on every streetlamp. This is very demanding from the logistics point of
view as regards both antenna placement and the connection of every single antenna to an optical fibre
network. Such extensive construction of antennas could also face resistance from citizens. They are usually
sceptical regarding the construction of new radio communication equipment and 5G networks are already the
target of hoaxes and conspiracy theories. Hence there has not yet been any extensive construction of
microwave infrastructure despite the fact that it could eventually provide by far the most appreciable
benefits for both ordinary users and industrial applications (download speeds of multiple gigabits and very
low latency).49

Figure 6: The difference in the range of short waves (24 GHz) and long waves (700 MHz). Source: media.defense.gov

Another change compared to existing networks is the emphasis on routing as much communication as possible
through optical cables underground. Since they are limited by neither the characteristics nor capacities of the
individual frequencies, efforts are being made to exploit this advantage as much as possible and to route
communication via radio waves only over the shortest possible sections. The existing networks also follow this
principle to a lesser extent. Although data are mostly transmitted between communication towers through (not
always optical) cables, 5G networks will take this trend significantly further. The reason for these efforts is the
physical limitations of radio waves with respect to the volume of transmitted data, speed and latency. Optical
underground cables have significantly better properties and capacities. The design of 5G networks therefore aims
to get data into optical underground cables as quickly as possible and to use these cables for as much of the route
as possible. Even the Fixed Wireless Access technology, which should partially replace optical fibre cables, only
aims to replace dense networks of connections. It only works over short distances and subsequently sends data
via an optical fibre network.50


The third change is the absence of any division of the network into core and edge. With the existing networks,
this division ensures that all data received by base station towers on the edge travel to the core of the network,
are evaluated there and then sent through the edge to the addressee. However, this approach can no longer be
applied if the intention is to decrease latency. Even optical underground cables have their limitations (the speed
of light) and the route that the data have to travel must be shortened to a minimum. 5G data will therefore not
be sent through the network core but along the shortest route to the addressee. 5G network elements will also
have their own computational and cloud capacities so that processes which do not need to be performed at a
specific place can be carried out as close to the user as possible.51
The fourth change is the use of beamforming and beam steering. These technologies enable 3.4 GHz waves and
microwaves to form signal beams targeted directly at a user and thereby save energy and spectrum capacity.
Consequently, the data volume which can be transmitted increases. Beamforming however requires significant
computational capacity.52

Figure 7: Blanket coverage with the 4G network signal and 5G beamforming technology. Source: inverse.com


ANNEX 3: PRAGUE PROPOSALS

Prague Proposals

Statement by the Chairman on the Cyber Security of Communications Networks in a Globally Digitalized World

International 5G Security Conference Prague

Prague, 3 May 2019


PREAMBLE: COMMUNICATION NETWORKS IN GLOBALLY DIGITALIZED WORLD

Communication is the cornerstone of our societies. It defines almost every aspect of our lives. Yet the rapid
development and scale on which we use communication technologies increases our dependency and vulnerabilities.

5G networks and future communication technologies will transform the way we communicate and the way we live
substantially. Transportation, energy, agriculture, manufacturing, health, defense and other sectors will be
significantly enhanced and altered through these next generation networks. High-speed low-latency technology is
expected to allow for a true digital evolution, stimulating growth, innovation and well-being. Automatization of
everyday activities and the use of the internet of things in its full potential will be made possible.

These developments, however, invoke major risks to important public interests and have national security
implications. Today, malicious actors operate in cyber space, with the intention to undermine cohesion of our
societies and paralyze the proper functioning of states or businesses. This includes attempts to control or disrupt our
communication channels and the information transmitted. In digitalized societies, this can have serious
consequences.

Security of communication channels has therefore become vital. Disruption of the integrity, confidentiality or
availability of transmitted information or even the disruption of the service itself can seriously hamper everyday life,
societal functions, economy and national security. Communication infrastructures are the cornerstone of our
societies, with 5G networks to become the building blocks of a new digital environment.

ON THE IMPORTANCE OF SECURITY OF 5G NETWORKS

Considering that security of 5G networks is crucial for national security, economic security and other national
interests and global stability, the chair believes that the architecture and functions of 5G networks must be
underpinned by an appropriate level of security.

EU Member States underline their own ongoing process aimed at defining a common EU approach on the issue of
cybersecurity of 5G networks as initiated by the European Commission with the publication of its Recommendation
published on 26 March 2019.

With the intention to support ongoing discussions how to decrease the security risks associated with developing,
deploying, operating, and maintaining complex communication infrastructures such as 5G networks, the chair
recognizes existence of the following perspectives:

Cyber security not only a technical issue

Cyber security cannot be regarded as a purely technical issue. A safe, secure and resilient infrastructure requires
adequate national strategies, sound policies, a comprehensive legal framework and dedicated personnel, who is
trained and educated appropriately. Strong cyber security supports the protection of civil liberties and privacy.

Both technical and non-technical nature of cyber threats

When dealing with cyber security threats, not only their technical nature, but also specific political, economic or
other behaviour of malicious actors which seek to exploit our dependency on communication technologies should
be taken into account.

Possible serious effects of 5G networks disruption

Due to the wide application of 5G based networks, unauthorized access to communications systems could expose
unprecedented amounts of information or even disrupt entire societal processes.

Nation-wide approach

Policies and actions taken to ensure a high level of cyber security should not be aimed and carried out only by
primary stakeholders (i.e. operators and technology suppliers), but should also be reflected by all relevant
stakeholders in other areas and sectors which significantly influence the general level of security, e.g. education,
diplomacy, research and development, etc. Safeguarding cyber security of communication infrastructure is not solely
an economic or commercial issue.

Proper risk assessment essential

Systematic and diligent risk assessment, covering both technical and non-technical aspects of cyber security, is
essential to create and maintain a truly resilient infrastructure. A risk based security frameworks should be developed
and deployed, taking into account state of art policies and means to mitigate the security risks.

Broad nature of security measures


Cyber security measures need to be sufficiently broad to include whole range of security risk, i.e. people, processes,
physical infrastructure, and tools both on the operational and strategic level.

No universal solutions

The decision on the most optimal path forward when setting the proper measures to increase security should reflect
unique social and legal frameworks, economy, privacy, technological self-sufficiency and other relevant factors
important for each nation.

Ensuring security while supporting innovation

Innovation is the main driver of development and economic growth in modern societies. It also fosters new security
solutions. Policies, laws, and norms, should allow security measures to be flexible to manage the interface between
security and specific national conditions. Through this flexibility, creativity and innovation should be encouraged.

Security costs money

Achieving a proper level of security sometimes does require higher costs. Increased costs should be tolerated if
security necessitates it. At the same time, security does not necessarily imply higher costs.

Supply chain security

Shared responsibility of all stakeholders should drive supply chain security. Operators of communication
infrastructure often depend on technology from other suppliers. Major security risks emanate from the cross-border
complexities of an increasingly global supply chain which provides ICT equipment. These risks should be
considered as part of the risk assessment based on relevant information and should seek to prevent proliferation of
compromised devices and the use of malicious code and functions.

Bearing in mind these perspectives, the chair calls upon a responsible development, deployment, and maintenance
of 5G networks and future communication technologies, considering the following proposals and best practices.

PRAGUE PROPOSALS

The Chairman suggests following proposals in four distinct categories in preparation for the roll out of 5G and future
networks.

A. Policy

- Communication networks and services should be designed with resilience and security in mind. They
should be built and maintained using international, open, consensus-based standards and risk-informed cybersecurity
best practices. Clear globally interoperable cyber security guidance that would support cyber security products and
services in increasing resilience of all stakeholders should be promoted.

- Every country is free, in accordance with international law, to set its own national security and law
enforcement requirements, which should respect privacy and adhere to laws protecting information from improper
collection and misuse.

- Laws and policies governing networks and connectivity services should be guided by the principles of
transparency and equitability, taking into account the global economy and interoperable rules, with sufficient
oversight and respect for the rule of law.

- The overall risk of influence on a supplier by a third country should be taken into account, notably in
relation to its model of governance, the absence of cooperation agreements on security, or similar arrangements,
such as adequacy decisions, as regards data protection, or whether this country is a party to multilateral, international
or bilateral agreements on cybersecurity, the fight against cybercrime, or data protection.

B. Technology

- Stakeholders should regularly conduct vulnerability assessments and risk mitigation within all components
and network systems, prior to product release and during system operation, and promote a culture of find/fix/patch
to mitigate identified vulnerabilities and rapidly deploy fixes or patches.

- Risk assessments of supplier’s products should take into account all relevant factors, including applicable
legal environment and other aspects of supplier’s ecosystem, as these factors may be relevant to stakeholders’ efforts
to maintain the highest possible level of cyber security.

- When building up resilience and security, it should be taken into consideration that malicious cyber
activities do not always require the exploitation of a technical vulnerability, e.g. in the event of insider attack.


- In order to increase the benefits of global communication, States should adopt policies to enable efficient
and secure network data flows.

- Stakeholders should take into consideration technological changes accompanying 5G networks roll out,
e.g. use of edge computing and software defined network/network function virtualization, and its impact on overall
security of communication channels.

- Customer – whether the government, operator, or manufacturer -- must be able to be informed about the
origin and pedigree of components and software that affect the security level of the product or service, according to
state of art and relevant commercial and technical practices, including transparency of maintenance, updates, and
remediation of the products and services.

C. Economy

- A diverse and vibrant communications equipment market and supply chain are essential for security and
economic resilience.

- Robust investment in research and development benefits the global economy and technological
advancement and is a way to potentially increase diversity of technological solutions with positive effects on security
of communication networks

- Communication networks and network services should be financed openly and transparently using standard
best practices in procurement, investment, and contracting.

- State-sponsored incentives, subsidies, or financing of 5G communication networks and service providers
should respect principles of fairness, be commercially reasonable, conducted openly and transparently, based on
open market competitive principles, while taking into account trade obligations.

- Effective oversight on key financial and investment instruments influencing telecommunication network
development is critical.

- Communication networks and network service providers should have transparent ownership, partnerships,
and corporate governance structures.

D. Security, Privacy, and Resilience

- All stakeholders including industry should work together to promote security and resilience of national
critical infrastructure networks, systems, and connected devices.

- Sharing experience and best practices, including assistance, as appropriate, with mitigation, investigation,
response, and recovery from network attacks, compromises, or disruptions should be promoted.

- Security and risk assessments of vendors and network technologies should take into account rule of law,
security environment, vendor malfeasance, and compliance with open, interoperable, secure standards, and
industry best practices to promote a vibrant and robust cyber security supply of products and services to deal
with the rising challenges.

- Risk management framework in a manner that respects data protection principles to ensure privacy of
citizens using network equipment and services should be implemented.

SOURCES


1 Talbot, David. 2016. 5G Wireless Is Coming, and It’s Going to Blow You Away. MIT Technology Review. https://www.technologyreview.com/s/601994/5g-wireless-is-coming-and-its-going-to-blow-you-away/
2 GSMA. 2018. 5G Spectrum GSMA Public Policy Position. GSMA. https://www.gsma.com/spectrum/wp-content/uploads/2018/11/5G-Spectrum-Positions.pdf
3 Gemalto. 2019. Introducing 5G networks – Characteristics and usages. Gemalto. https://www.gemalto.com/brochures-site/download-site/Documents/tel-5G-networks-QandA.pdf
4 Ibidem
5 Ibidem
6 Marr, Bernard. 2018. What is Industry 4.0? Here's A Super Easy Explanation For Anyone. Forbes. https://www.forbes.com/sites/bernardmarr/2018/09/02/what-is-industry-4-0-heres-a-super-easy-explanation-for-anyone/#24fc0d309788
7 Internal information from partners of the NCISA
8 EURASIA GROUP. 2018. Eurasia Group White Paper: The Geopolitics of 5G. EURASIA GROUP. https://www.eurasiagroup.net/siteFiles/Media/files/1811-14%205G%20special%20report%20public(1).pdf
9 Internal information from partners of the NCISA
10 SDX Central. 2019. The Top Countries Most Likely to Launch 5G First. SDX Central. https://www.sdxcentral.com/5g/definitions/5g-network-countries/
11 Fisher, Tim. 2019. 5G Availability Around the World. Lifewire. https://www.lifewire.com/5g-availability-world-4156244
12 Internal information from partners of the NCISA
13 Microwave antennas enable high-rate data transmission but their range is very short. A very dense network of such antennas will be required to fully exploit their potential.
14 Medin, Milo, Gillman, Louie. 2019. THE 5G ECOSYSTEM: RISKS & OPPORTUNITIES FOR DoD. Defense Innovation Board. https://media.defense.gov/2019/Apr/04/2002109654/-1/-1/0/DIB_5G_STUDY_04.04.19.PDF
15 Ibidem
16 Radio communication is limited by spectrum range as well as by the different properties of various wavelengths.
17 Doucette, Chris. 2018. What is the CIA Triad and Why You Should Care. Medium. https://medium.com/ediblesec/what-is-the-cia-triad-and-why-you-should-care-b7592cc2d89a
18 It is difficult to attack telecommunications networks from the outside, and the resilience of 5G against external cyberthreat actors will further improve thanks to its decentralised nature.
19 Metadata is information which is not part of the data sent, but which is created by the act of sending it, such as file size or addressee.
20 Foremski, Tom. 2018. IBM warns of instant breaking of encryption by quantum computers: 'Move your data today'. ZDNet. https://www.zdnet.com/article/ibm-warns-of-instant-breaking-of-encryption-by-quantum-computers-move-your-data-today/
21 Internal information from partners of the NCISA
22 Internal information from partners of the NCISA
23 Internal information from partners of the NCISA
24 Through decentralization.
25 Internal information from partners of the NCISA
26 Annual report. 2019. HUAWEI CYBER SECURITY EVALUATION CENTRE (HCSEC) OVERSIGHT BOARD. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf
27 Electronics notes. 2019. MIMO Antenna Beamforming. Electronics notes. https://www.electronics-notes.com/articles/antennas-propagation/mimo/antenna-beamforming.php
28 Internal information from partners of the NCISA
29 Poremba, Sue Marquette. 2018. IoT Security: Still Bad. IT Business Edge. https://www.itbusinessedge.com/blogs/data-security/iot-security-still-bad.html
30 Rojko, Andreja. 2017. Industry 4.0 Concept: Background and Overview. https://online-journals.org/index.php/i-jim/article/viewFile/7072/4532
31 Ibidem
32 Gonzales, Carlos. 2019. Could 5G Be the Missing Puzzle Piece for Self-Driving Cars? Machine design. https://www.machinedesign.com/motion-control/could-5g-be-missing-puzzle-piece-self-driving-cars
33 Kritsonis, Ted. 2019. The role of 5G in autonomous vehicles. Futurithmic. https://www.futurithmic.com/2019/01/30/role-of-5g-autonomous-vehicles/
34 Medin, Milo, Gillman, Louie. 2019. THE 5G ECOSYSTEM: RISKS & OPPORTUNITIES FOR DoD. Defense Innovation Board. https://media.defense.gov/2019/Apr/04/2002109654/-1/-1/0/DIB_5G_STUDY_04.04.19.PDF
35 Efficient microwave signal coverage would require a very dense network of antennas placed on most streetlamps, for example.
36 Lee-Makiyama, Hosuk. 2018. Stealing Thunder. ECIPE. https://ecipe.org/wp-content/uploads/2018/02/ECIPE_Occasional0218_HLM_V7.pdf
37 FBI. 2014. Autonomous Cars Present Game Changing Opportunities and Threats For Law Enforcement. FBI. https://info.publicintelligence.net/FBI-AutonomousVehicles.pdf
38 Ibidem
39 Technavio. 2016. Top 5 Vendors for 5G Equipment until 2020. Technavio. https://blog.technavio.com/pressrelease/top-5-vendors-5g-equipment-until-2020-technavio
40 Týden. 2018. Délka vyřízení stavebního povolení: Česko kleslo na 156. místo na světě. Týden. https://www.tyden.cz/rubriky/domaci/delka-vyrizeni-stavebniho-povoleni-cesko-kleslo-na-156-misto-na-svete_501546.html
41 Although one of the cornerstones of 5G networks – Fixed Wireless Access – should replace optical connections, it can only do so over short distances. The core of a 5G network must comprise underground optical cables.
42 If a 5G network has been constructed by a supplier who subsequently proves untrustworthy, it will be very difficult to replace that supplier. Such a process would de facto involve reconstructing large parts of the network.
43 Chan, Ai Sin. 2018. A brief history of 1G mobile communication technology. XOXZO. https://blog.xoxzo.com/2018/07/24/history-of-1g/
44 Chan, Ai Sin. 2018. A brief history of 2G mobile communication technology. XOXZO. https://blog.xoxzo.com/2018/08/01/history-of-2g/
45 Chan, Ai Sin. 2018. A brief history of 3G mobile communication technology. XOXZO. https://blog.xoxzo.com/2018/08/10/history-of-3g/
46 Chan, Ai Sin. 2018. A brief history of 4G mobile communication technology. XOXZO. https://blog.xoxzo.com/2018/08/15/history-of-4g/
47 Medin, Milo, Gillman, Louie. 2019. THE 5G ECOSYSTEM: RISKS & OPPORTUNITIES FOR DoD. Defense Innovation Board. https://media.defense.gov/2019/Apr/04/2002109654/-1/-1/0/DIB_5G_STUDY_04.04.19.PDF
48 Ibidem
49 Ibidem
50 Laraqui, Kim et al. 2016. Fixed wireless access: On a massive scale with 5G. Ericsson review. https://www.researchgate.net/publication/311767484_Fixed_wireless_access_On_a_massive_scale_with_5G
51 Internal information from partners of the NCISA
52 Nordrum, Amy, Clark, Kristen. 2017. 5G Bytes: Beamforming Explained. IEEE Spectrum. https://spectrum.ieee.org/video/telecom/wireless/5g-bytes-beamforming-explained

TERMS AND CONDITIONS FOR USING THE INFORMATION


The use of the provided information is governed by the rules stipulated in the Traffic Light Protocol methodology
(available at www.us-cert.gov/tlp). Information is marked with a flag which sets the terms and conditions for its use.


The following flags are stipulated, along with a description of the character of the information and the conditions
for its use.

Colour             Conditions of use

Red (TLP: RED)     The information must not be used by another person than the specific person on
                   the recipient’s side to whom the information has been provided, unless other
                   persons to whom this information may be provided are explicitly stated. If the
                   recipient considers it important to provide this information to other parties, they
                   may only do so after agreement with the provider of the information.

Amber (TLP: AMBER) The information may only be shared among workers of the recipient on a need-
                   to-know basis and only if the information is vital for solving the problem or threat
                   mentioned in the information. Other persons than the above-mentioned may not
                   be provided with the information unless such other persons to whom this
                   information may be provided are explicitly stated.

Green (TLP: GREEN) The information may be shared within the recipient and potentially also with
                   other partners of the recipient, but not via publicly accessible channels. When
                   passing it on, the recipient must ensure the confidential nature of the
                   communication. The recipient must not make the information publicly available;
                   however, they may submit it to other partners of the recipient providing that the
                   same protection conditions are complied with and ensured.

White (TLP: (WHITE)) The information may be provided and disseminated without limitation. This
                   provision is without prejudice to any potential limitations based on the
                   intellectual property rights of the originator and/or recipient or of third parties.

PROBABILITY FORMULATIONS IN NCISA OUTPUTS


Terms and formulations expressing probability with their proportional values.

Formulation Probability
Almost certain 90-100%
Highly likely 75-85%
Likely 55-70%
Realistic probability 25-50%
Unlikely 15-20%
Highly unlikely 0-10%
