Paul Bradley has an incredibly wide-ranging role – he has to keep up to date with the latest thinking around 5G, spot market trends 3-5 years out, and identify gaps in Gemalto’s range so that its teams can pursue the best mobile digital security initiatives. At the same time, he educates the company’s teams about 5G and motivates them to deliver its strategy. Naturally, his role involves a great deal of talking – especially with MNOs, over-the-top players and mobile infrastructure providers – and it shows. Concepts, industry jargon and opinions cascade from his lips in a rushing stream. His Irish accent shows little trace of a three-year stint in Texas or of his current posting in La Ciotat, France, which began in April 2013 (although he has been in his current role since January 2016).
One of Bradley’s main concerns is the security implications created by the shift to network function virtualisation (NFV) – the replacement of dedicated hardware within cellular networks with virtual machines running on generic/mass-markets servers to allow network operators to reduce their costs and speed up new services. “You can trust hardware because it’s physical. Tomorrow, when it’s replaced with software, you need to be able to trust that software hasn’t been manipulated or modified since it’s been installed and, if you do an update, you need to know it’s coming from the right entity. It becomes a challenging environment to secure.”
“Strong identities are going to be key to be able to ensure the virtual function you’re talking to is the one you’re expecting to be speaking with and not some rogue element that’s just been assigned the same identity by someone trying to do a man-in-the-middle attack or some kind of data manipulation attack.”
He says Gemalto can provide confidentiality and integrity protection for virtual functions and the means to improve the isolation between them (which is important from a security perspective). The company is already providing virtualisation security to major cloud services such as Amazon Web Services and Microsoft Azure, and is looking to bring it into the telecommunications sector.
Gemalto is also working on securing the interconnections between the core of a cellular network and “all the various multi-access edge data centres”. This will become increasingly important as data starts to be processed closer to the network edge to allow lower latency services and reduce the amount that needs to be sent to the cloud. “We have high-speed encryptor technology that can be used to isolate the data flowing through the fibre – you’re extending the network slicing isolation even through the tunnels between the data centres and it doesn’t impact latency – you have an almost zero latency, it may be a few microseconds, but it’s nothing like the typical IPsec tunnelling which is the classical way of doing interconnects between data centres. That’s where our focus on research and development has been.”
He is concerned that private network slicing may be delayed until 3GPP Release 16. “What is the logic is of releasing Release 15 as just 5G’s enhanced mobile broadband feature? 5G is about the slicing and the possibility to host a network that can enable disruptive business models. It’s more about that than just faster connectivity.”
He says one advantage of networking slicing is that rather than the current one-size-fits-all security framework used by today’s mobile networks, it will allow the level of security along with other characteristics such as latency to meet the application’s requirements – for example, something that directly impacts human life such as an automated vehicle could be given the highest security possible, while a temperature sensor could receive more basic security, although there would still be the need to ensure its data is protected.
He stresses the importance of initiatives like the 5G Automotive Association, as they are “an opportunity for industry to present their requirements to the teleco world and for the teleco world to show what they can do to the car manufacturers and share the challenges. If 3GPP were to go without that phase of listening to the industry and people who need this connectivity, it’s not good for anybody.”
5G is often referred to as a “network of networks” and Bradley says that “as we tie networks together, authentication is going to be key and making that authentication seamless is another key goal of 5G”. He says BT and Nokia have presented a system in which the authentication framework for a converged network could be centralised in a 5G network core “and then whether you’re connecting across 4G, 5G, Wi-Fi or whatever, the same seamless authentication would take place”.
He notes that while having a central control point for authentication helps from a security perspective, the shift to a “network of networks” means “authentication to access the resources that a device is entitled to access within this newly distributed network environment will need to be considered from mobile/radio and Wi-Fi hotspot/home Wi-Fi perspectives”.
He adds that as the attack surface increases due to many different devices accessing distributed resources, the more data and records are potentially put in peril (Gemalto produces an annual breach level index that shows how many records are breached). Bradley highlights the EU’s General Data Protection Regulation (GDPR), which will mean that companies that fail to protect their customers’ data could be fined up to four per cent of their annual worldwide revenue.
The NHS recently suffered from a massive ransomware attack enabled by the fact that it had not migrated many of its computers from Windows XP, which is no longer supported by Microsoft. Bradley says he understands its position given the “fortune” it costs to migrate so many computers over to a new operating system, while noting the typical one year’s notice given by Microsoft when support for one of its operating systems is coming to an end. “It’s a matter of risk. Security is an insurance policy – you take the risk of having an attack or you protect yourself and that often requires spending money.” He also emphasises the need to build awareness of the cybersecurity issues throughout an organisation.
“99.9 per cent of cyber attacks are done using exploits that have been known for a year. If you’re a malicious user and you’re looking for those exploits, you can leverage them because they somehow fall into the public domain. [The ease at which the community can learn about them is] a good thing in terms of knowledge and awareness.
“If you’re an enterprise, making sure your data is stored encrypted is vital, as is having good perimeter security. Unfortunately, if they breach the perimeter, they could still carry out a ransomware attack, because even if your data is encrypted, they could re-encrypt it with another key. But at least your data isn’t going to fall into their hands – it’s one thing them charging you a ransom, it’s much worse if they can threaten to release it if you don’t pay or if they can use it against you for malicious intent.”
He says a good cybersecurity system “has a bit of everything” and stresses the importance of monitoring, active risk management and being able to detect when a system’s behaviour is “out-of-band”. He says a blockchain/distributed ledger approach would be a perfect means to ensure that companies can trace the “legacy structure of a given device: who manufactured it, what components were used, and its origin. It may not be perfect for real-time authentication, but it could be perfect for proving that this a legitimate, authentic device, showing who it’s come from and providing traceability.”
He says eavesdropping is the biggest concern and that while data and voice is protected from a radio perspective, mobile network operators don’t provide end-to-end connectivity encryption and confidentiality protection by default. “If you don’t have a https connection or some kind of security, then you’re open.”
Bradley says that Gemalto recommends security by design and if the data involved is sufficiently valuable, “some kind of hardware anchor”, as it believes this to be one of the lynchpins of strong security. He says Gemalto is working with the GSMA and it has published some IoT security guidelines with a self-certification process for IoT device manufacturers. While he welcomes this, he says it doesn’t go far enough as it isn’t mandatory and some kind of process is required to ensure the IoT moves away from the “wild-west” we know today as far as its cybersecurity is concerned.
It’s not surprising to hear that 5G will create problems of its own. Given that its proponents seek to bring new vital industries onboard, it’s reassuring to know that people like Bradley are looking ahead to spot security issues before they can be exploited by cyber-criminals.
CV – Paul Bradley
After studying a degree in computer science and software engineering at the Dublin Institute of Technology, Bradley began his career in IT at AOL in 1997. A year later, he moved to Paris, where he was a training manager for Schlumberger, before becoming a project manager for Axalto (which merged with Gemplus to form Gemalto in 2006) in 2002, where he implemented security solutions for some of the first 3G networks. Bradley became technical manager for the UK, Ireland, the Netherlands and Scandinavia in 2004; technical manager – telecommunications Europe in 2006; and technical director – telecommunications North America in 2010. He became NFC (near field communication) deployment co-ordinator – North America in 2013. Bradley was then a multi-tenant SIM product line manager, before taking on his current role last year.