Surveillance and security risks related to supply chain components and undersea fibre cables are among concerns outlined in a report produced by Natural Resources Canada and the Canadian Electricity Association this summer.
Got a tip? Click here to email me at firstname.lastname@example.org.
Digestible version (full story below):
- A joint report by Natural Resources Canada and the Canadian Electricity Association this summer has outlined a number of hot-button issues with Canada’s 5G networks, including potential risks from suppliers of its components and undersea fibre connections where surveillance can occur.
- The report primarily deals with the interplay between the networks and critical infrastructure, such as electrical grids. 5G is expected to make that infrastructure connected to it more efficient, but at increased risks because of its ubiquity.
- Christopher Parsons, a security expert with the University of Toronto’s Citizen Lab, said 5G enlarges the security threat environment because there are more things to hack and use to surveil, such as internet-connected devices that are expected to balloon in the coming years.
- The report notes that network components that are, either wittingly or unwittingly, compromised may be taken and rebranded under reputable companies, after which it would be very difficult to swap them out if the political environment shifts.
- Parsons said this could refer to the changing climate with China and Chinese companies including Huawei and ZTE.
- It also discusses risks to undersea cables, which could be another surface for surveillance.
What this story contributes:
This story shows that Natural Resources Canada and the Canadian Electricity Association provided insights into 5G network risks and their impact on critical infrastructure.
As the federal government weighs the security of Canada’s 5G networks and the possible exclusion of Chinese telecom giant Huawei in them, an internal report this summer to the deputy minister of Natural Resources Canada outlines a number of risks with foreign infiltration in the system.
Called 5G Wireless Technology: Opportunities, Challenges and Risks for Canada’s Electricity Sector and obtained through a public records request, the report suggests the possibility that nefarious risks to 5G networks exist in supply chains that deliver some of the components of the infrastructure.
The report, a joint effort of Natural Resources Canada and the Canadian Electricity Association (CEA), warns about the “risk of foreign direct investment in 5G technology, both internationally and domestically.”
The NRC said in an email that many of the risks outlined in the report were provided by the CEA. While the report doesn’t say what assessment the NRC makes in it, a briefing note explained broadly that the “paper presents NRCan’s and the [CEA’s] analysis and perspectives” on the opportunities and risks of 5G on the utilities and manufacturing industries.
This is important because the government has been hush-hush about where it’s leaning on whether to ban Chinese telecom equipment giant Huawei from Canada’s 5G networks. Huawei has been accused by several countries as being a surveillance threat because of its ties to the Chinese communist party. A parallel assessment about the security of 5G networks in general is ongoing.
The report notes the Huawei decision will consider “foreign relations, economic, national security, and technical implications.”
The NRC deferred other questions to Public Safety, which said it cannot comment on specific companies, but “an examination of emerging 5G technology and the associated security and economic considerations is underway.”
The Globe and Mail reported this month that Natural Sciences and Engineering Research Council, a federal agency, is collaborating with Huawei on studies related to communications technology.
Huawei has been lobbying the federal government on just that opportunity: “industry and academic collaboration opportunities such as [NSERC], and partnership work with the National Research Council, as well as the Radio Advisory Board of Canada (RABC),” according to the federal registrar.
Huawei representatives met with Innovation Canada, which is the ministry responsible for NSERC, in February of last year.
The NRC and CEA report largely addresses 5G networks and their interplay with critical infrastructure, such as energy grids. It is expected that the new networks will allow for better management of power distribution, remote monitoring of processes like outages, and more efficient manufacturing in many industries, such as agriculture.
That’s a result of 5G’s faster download speeds, lower latency so machines and devices communicate in real-time, and connectivity devices in more places, such as on traffic light poles and bus shelters.
The report outlines problems including foreign proprietary products in the supply chain that are “rebranded by more reputable suppliers” and then “being dependent on and unable to switch from a technology during times of economic or political instability.”
For example, underlying Telus Business Meetings is video software from Zoom. Early last year, Zoom was the subject of a U.S. privacy lawsuit that named Telus Business Meetings as a compromised software.
The CEA did not respond to a request for comment.
Christopher Parsons, a senior research associate at the University of Toronto’s Citizen Lab, told the downUP that he suspects the supply chain concern comes from a politically-volatile climate with China.
“I suspect that, at least in part, ‘…then branded more reputable suppliers…’ is a reference to changing political attitudes towards Chinese vendors, such as Huawei and ZTE, which had until recently been regarded as permissible in Canadian/American telecommunications networks,” Parsons said.
“This position on the permissibility of using such companies’ products has, obviously, shifted significantly over the past several years.”
Canada’s Five Eyes partners — United States, Australia, New Zealand, United Kingdom — have all, in some way, taken action against Huawei participating in their 5G networks.
As a general example, fully-built computers sold in stores are often made up of many components — chips, memory modules, motherboards — that are supplied by foreign companies from countries including China.
Cybersecurity experts in Canada and U.S. Senators have been calling for the federal government to make strict import standards for devices to ensure they don’t come into the country compromised. That would include eliminating easy-to-remember default passwords — “admin” for both username and password — on security cameras, for example, and forcing the user to put in their own unique password before using the device.
Worse yet, highly connected critical infrastructure like power plants and wind farms can be compromised if an internet-connected device is on the network.
The federal government works with industry to ensure the networks are secure. The Canadian Security Review Program has, since 2013, worked with the telecoms to mitigate cyber security risks from companies like Huawei.
The document also cautions about “legacy vulnerabilities,” which are not explained in the report. “While the design of 5G is more secure, 5G’s specifications and protocols stem from previous networks that contain legacy vulnerabilities,” the report said.
“Some of these legacy vulnerabilities, whether accidental or maliciously inserted by untrusted suppliers, may affect 5G equipment and networks despite the integration of additional security enhancements.”
The next-generation mobile networks will largely rely on the fibre backbone of the previous generation. However, Canada’s major telecoms are also in the midst of launching standalone 5G networks that don’t rely on the 4G infrastructure.
When presented with the report, Canada’s largest telecoms had nothing to say. All the major Canadian carriers are working with either Ericsson or Nokia, while Quebecor’s Videotron will work with Samsung, on their 5G rollout.
While it is not explained in the report, in 2017, news of a telephone vulnerability known as Signaling System 7 (SS7) made the rounds when a telecom company in Germany reported people using the protocol to intercept two-factor authentication codes sent by their banks, allowing the hackers to drain their bank accounts. In light of those revelations, then Public Safety Minister Ralph Goodale said the department was prepared to assist the telecoms with any security issues they may experience from those vulnerabilities.
“Existing weaknesses or vulnerabilities in current telecommunications weaknesses could potentially be exploited to detrimentally affect associated 5G networking systems,” Parsons said.
“There have been regular, and highly successful, efforts to intrude into non-5G networks—e.g., targeting lawful interception functions— as well as supply chains—e.g., SIM manufacturers to obtain cryptographic materials, vendors supplying critical telecommunications systems to telecom providers, etc—and there’s no reason to expect that well resourced operators will cease undertaking such operations in the future.”
Law enforcement has in the past come under fire for using surveillance technology known as Stingrays, which mimic cell towers that trick cellphones into communicating with them for the purpose of tracking citizens.
Telecom companies sometimes work with law enforcement to retrieve cellular information for people of interest; in other cases, law enforcement will go to court to obtain a “tower dump” — essentially a list of phone numbers that communicate with certain cell towers at certain times to try to identify suspects at crime scenes.
The report also notes risks with undersea fibre cable connections, where foreign cables also lie and through which the vast majority of internet traffic flows. The federal government has so far pledged to fund at least two big undersea cable runs for broadband, one along British Columbia’s coast and one initially slated for a connection from Nunavut to the sovereign island of Greenland.
The Nunavut government, however, is in the midst of possibly moving away from the Greenland route, partly out of concern for the security of the cable. Reuters reported in October that Greenland’s undersea cables pose a hacking security risk.
Parsons said undersea cabling threats, which are well-documented, include mass surveillance undertaken by members of the Five Eyes “and its extended alliance partners, as well as competitor nations where they have equivalent access” through “legal arrangements or through cyber intrusions into key networking equipment.”
Read the full report:5G-Opps-and-Risks
“Receipts” is a series of stories based on financials, documents from sources or public records requests