"Prague Proposal" of the Prague 5G Security Conference

Posted by forbes at 2020-03-03


Wu Shen Quan

Executive director, International Center for network rule of law, Beijing Normal University

Hu Han

Graduate student, School of criminal science and law, Beijing Normal University


The Prague 5G Security Conference was held in the Czech capital on May 2-3, 2019, presided over by Prime Minister Andrej Babiš and Foreign Minister Tomáš Petříček. Government officials from more than 30 countries around the world, as well as representatives from the European Union, the North Atlantic Treaty Organization and industry, participated in discussions on important national security, economic and business concerns.

The main points of the meeting are as follows:

1. It is very important to protect the telecommunication infrastructure of all countries from network threats.
2. 5G networks will be implemented all over the world.
3. Countries must have the highest level of trust in the reliability and security of 5G networks.
4. This meeting will explore approaches implemented by countries related to 5G networks and identify best practices in the areas of policy, security, technology and business.

The purpose of the meeting is to give countries a basic understanding of the challenges and opportunities of 5G networks and national security, to explore future directions and corresponding countermeasures, and to summarize the four aspects of policy, security, technology and economy, including key points, non-binding policy recommendations and best practices for implementation, as the "Prague proposal". As this is the highest-level government meeting on 5G security so far and will have a significant impact on 5G governance policies around the world, I hereby translate the full text of the "Prague proposal" for readers to review and judge:

Communication network in the global digital world

Communication is the cornerstone of our society. It defines almost every aspect of our lives. However, the rapid development and scale of our use of communication technology has increased our dependence and vulnerability.

5G networks and future communication technologies will change the way we communicate and the way we live. Transportation, energy, agriculture, manufacturing, healthcare, defense and other sectors will be significantly enhanced and changed through these next-generation networks. High-speed, low-latency technology is expected to achieve real digital change, stimulate growth, and achieve innovation and well-being. It will enable the automation of daily activities and allow the Internet of Things to reach its full potential.

However, these developments have brought significant risks to important public interests and have an impact on national security. Today, malicious actors operate in cyberspace with the aim of undermining the cohesion of our society and paralyzing the normal functioning of the state or enterprise. This includes attempts to control or disrupt our communication channels as well as the information transmitted. In the digital society, this will have serious consequences.

Therefore, the security of communication channels becomes crucial. Destroying the integrity, confidentiality or availability of the transmitted information, or even interrupting the service itself, will seriously hinder daily life, social function, the economy and national security. Communication infrastructure is the cornerstone of our society, and 5G networks will become the cornerstone of the new digital environment.

On the importance of 5G network security

Considering that the security of 5G networks is essential to national security, economic security and other national interests, as well as global stability, the chairman believes that the architecture and functions of 5G networks must be based on an appropriate level of security.

EU member states have highlighted their own ongoing process aimed at identifying a common EU approach on 5G cybersecurity, as published by the European Commission in its proposal dated 26 March 2019.

In support of the ongoing discussions on how to reduce security risks associated with the development, deployment, operation and maintenance of complex communications infrastructures such as 5G networks, the chair recognized the following views:

Network security is not only a technical problem

Network security cannot be regarded as a pure technical problem. A secure, reliable and resilient infrastructure requires appropriate national strategies, sound policies, a comprehensive legal framework and appropriately trained and educated professionals. Strong cyber security supports the protection of civil liberties and privacy.

The technical and non-technical nature of network threat

When dealing with the threat of network security, we should not only consider its technical nature, but also examine the specific political, economic or other behaviors of malicious actors who make use of our dependence on communication technology.

Serious impact of 5G network interruption

Due to the wide application of 5G-based networks, unauthorized access to communication systems may expose an unprecedented amount of information, and even destroy the whole social process.

Access at the national level

Policies and actions to ensure a high level of cybersecurity should not be implemented only by major stakeholders (i.e. operators and technology providers), but should be reviewed by all relevant stakeholders in other areas and sectors that significantly affect the overall level of security, such as education, diplomacy, research and development. Protecting the network security of communication infrastructure is not only a simple economic or commercial problem.

Proper risk assessment is essential

Systematic and continuous risk assessment, covering both technical and non-technical aspects of network security, is essential for creating and maintaining a truly resilient infrastructure. A risk-based security framework should be developed and deployed, taking into account existing technology policies and means to mitigate security risks.

Universality of safety measures

Cyber security measures need to be broad enough to cover the overall range of security risks, i.e. people, processes, physical infrastructure and tools at the operational and strategic levels.

No general solution

In developing appropriate measures to improve security, the choice of the best path should reflect a unique social and legal framework, economy, privacy, technological self-sufficiency and other relevant factors that are important to each country.

Ensure security while supporting innovation

Innovation is the main driving force of modern social development and economic growth. It also promotes new security solutions. Policies, laws and norms should allow security measures to flexibly coordinate the interaction between security and specific national conditions. Creativity and innovation should be encouraged through this flexibility.

Safety needs cost

Achieving the right level of safety sometimes requires a higher cost. Increased costs should be tolerated if security is needed. At the same time, security does not necessarily mean higher costs.

Supply chain security

The shared responsibility of all stakeholders is to promote supply chain security. Operators of communication infrastructure often rely on technology from other suppliers. The main security risk comes from the cross-border complexity of the increasingly global supply chain that provides ICT equipment. These risks should be considered as part of the risk assessment based on relevant information and efforts should be made to prevent the penetration of harmful devices and the use of malicious code and functions.

Taking these points into account, the chair calls for responsible development, deployment and maintenance of 5G networks and future communications technologies, taking into account the following recommendations and best practices:

Prague proposal

The chairman suggested the following in four different categories in preparation for 5G and the coming of the future network.

A. Policy

Flexibility and security should be considered in the design of communication networks and services. International, open, consensus based standards and risk oriented cybersecurity best practices should be used to build and maintain them. Clear global interoperable cybersecurity guidelines should be promoted to support cybersecurity products and services and enhance the defense capabilities of all stakeholders.

Under international law, each country is free to set its own national security and law enforcement requirements that respect privacy and comply with laws that protect information from improper collection and abuse.

Laws and policies regulating networks and connectivity services should follow the principles of transparency and equity, taking into account the global economy and rules of interoperability, and fully monitor and respect the rule of law.

Consideration should be given to the overall risks of third countries' impact on suppliers, in particular with regard to their governance model, the lack of security cooperation agreements or similar arrangements (such as the determination of the adequacy of data protection), or whether the country is a party to multilateral, international or bilateral agreements on cybersecurity, combating cybercrime or data protection.

B. Technology

Prior to product release and during system operation, stakeholders should regularly conduct vulnerability assessment and risk resolution in all components and network systems, and foster a culture of facilitating discovery / fix / patch to resolve identified vulnerabilities and quickly deploy fixes or patches.

The risk assessment of the supplier's products should consider all relevant factors, including the applicable legal environment and other aspects of the supplier's ecosystem, as these factors may be related to the efforts of stakeholders to maintain the highest possible level of cybersecurity.

When building resilience and security, it should be considered that malicious network activities do not always need to exploit technical vulnerabilities, for example, if insider attacks occur.

In order to increase the benefits of global communications, countries should adopt policies to achieve efficient and secure network data flow.

Stakeholders should consider the technological changes that accompany 5G networks, such as the use of edge computing and software-defined networking / network function virtualization, and their impact on the overall security of communication channels.

Based on existing technology and relevant business and technical practices, customers - whether governments, operators or manufacturers - must be able to understand the source and pedigree of components and software that affect the security level of products or services, including transparency in the maintenance, update and remediation of products and services.

C. Economy

A diverse and dynamic communications equipment market and supply chain are essential for security and economic recovery.

Strong investment in R&D is conducive to global economic and technological progress, is a way to increase the diversity of technical solutions, and has a positive impact on the security of communication networks.

Standard best practices in procurement, investment and contracting should be used to fund communication networks and network services in an open and transparent manner.

State-sponsored support, subsidy or financing of 5G communication networks and service providers should follow the principle of open market competition, take into account trade obligations, respect the principle of fairness, be commercially reasonable, and be carried out openly and transparently.

Effective supervision of the major financial and investment instruments that affect the development of telecommunication networks is essential.

Communication networks and network service providers should have transparent ownership, partnership and corporate governance structures.

D. Security, privacy and resilience

All stakeholders, including industry, should work together to promote the security and resilience of national critical infrastructure networks, systems and connected equipment.

The sharing of experience and best practices should be facilitated, including the provision of assistance, as appropriate, as well as resolution, investigation, response and recovery from cyber attacks, damage or disruption.

Security and risk assessment of suppliers and network technologies should take into account the rule of law, security environment, supplier malfeasance and compliance with open, interoperable, security standards and industry best practices, so as to promote the supply of dynamic and strong network security products and services and meet the rising challenges.

The risk management framework should follow the principle of data protection to ensure the privacy of citizens using network devices and services.