[ Music ]
>> Okay. So, we've heard from
S&T and we've heard from CISA
and now the next part
of this, is we also want
to provide an industry
perspective,
just one perspective.
But we have Demetrius Davis
from the MITRE Corporation here.
He's the Principal Systems
Engineer with supporting federal
and DOD enterprise mobility
initiatives in organizations,
specializing in mobile
security, policy,
security and acquisition.
He's also a Department
Chief Engineer
in the MITRE Systems
Engineering Technical Center,
responsible for strategy,
outreach, technical quality
and independent research
initiatives
for a 50 percent
technical staff.
So, I'll ask Demetrius
to come to the stage.
>> Let me take a second to write
down, "Never follow Robert Dew
and Kevin Briggs again."
Awesome. Before I get started, I
wanted to thank Megan, and Vince
and the rest of S&T for the
invitation, a great opportunity
to get out of D.C. for
a little while, come up
and visit our friends
up at Bedford.
We have some folks in the
area, so thank you for that.
To get started, I think
I have the clicker.
Okay. I'll jump straight
into it.
I'll try not to cover much
of the ground that's been --
we had a master class in
5G earlier, so I don't want
to retread a lot of that.
So, I'll try to skate
across some of the things
that have already been touched
on, get to new material.
So, really quickly, my
name is Demetrius Davis
of MITRE Corporation,
roughly about 8,500 employees,
a not-for-profit company,
for those that may not know
that we operate FFRDCs, about
seven of them, in particular.
One of them is for DHS, so,
that's one of our links, to DHS.
I've got a whole bunch
of talking points.
I was spraying a target, because
I didn't know exactly what would
be covered before I got up,
so now, I have a good idea how
to make adjustments as we go.
There's a little bit
of everything here.
I'll see, I have a
copy here, locally.
We'll touch on just
a little background.
Not too much, because
I think we all know --
if we didn't know
before, we know now.
Touch on a little bit of
the architectural elements
that are a part of 5G.
Security implications --
definitely want to
touch on that.
We already have heard a
lot about network slicing,
so I might skate over
that one, really quickly.
We've been introduced to some
of the heterogeneous networks,
so we'll just kind of
introduce some of the use cases
and how it applies
across the different type
of networking environments,
from personal area networks,
all the way up through
a wide area limitations.
And in one area I think
we've been talking around
but we didn't really get
into a standards discussion.
We've been touching on what's
happening with 3GPP and ATIS,
but, you know, I think we'll -
we have a couple slides on that
and to speak to specifically
what are those security features
that 3GPP is proposing
and looking at,
and see if we're mitigating
some of those issues
that we have in the 4G world.
Some of the things we have to
live with and carry forward,
we'll solve that another day.
But we have a lot
of those issues
that are really being addressed
in the next two releases.
And closing out, a couple
of MITRE 5G activities
that are going on,
that's related to 5G.
After that, if we have any
more time, I have a to do list
of things that -- within
the security community,
we really need to look at.
More specifically, within
the government community,
because I think the government
has special needs, specific DOD
and DHS type organizations that
we probably need to convene.
We have some working groups who
are standing up with the ATIS's
and other consortiums around
the beltway, as I would say.
To be able to try to
address some of those issues
that commercial industry really
doesn't care about, so we'll try
to see if we can
produce some type
of layered, defense mechanism.
Because we use a term
called "defense in depth."
Right? So, when we talk
about things like 5G,
we have to realize it's
not just a comms layer.
It's a lot bigger conversations.
The ecosystem, it goes
from devices all the
way back to the Cloud.
So, how do we -- you
know, even within there,
we have credentials, we
have identity management.
We have a lot of
different services.
And each one of those
typically brings us its
own vulnerabilities.
So, much like we've
been touching on some
of the questions and
more so on the speakers,
we have been hearing that
this is a complex system,
that we have to kind of
come up with new strategies
and techniques for trying
to mitigate some of
these challenges.
I promise not to
spend as much time
on the talking points
slide next time.
So, yeah, this is just
a pictorial that kind
of tells you, you know, 5G
is more than just comms,
at least the world
that I come from.
A lot of times when
people say --
some people come at it
from different angles.
It's a very big elephant,
so some of you may come
in from layer one, so if you're
talking spectral efficiency,
if you're taking
sayonara [phonetic],
like we heard earlier
on, you know, that's --
you come in from a RF layer.
That's fine.
But some people come at it
from a business objective.
What type of outcomes
can I expect?
What type of -- how
would I pay for it?
How do I buy 5G?
Is it going to be extra?
Is it going to be an
additional service?
I got to buy new phones?
So, some people come in
it from an acquisition.
We have business perspectives
from people looking at it
from an application
developer's perspective.
Do I have to write my
apps any different?
What type of libraries
do I've got to write,
to be able to take
advantage of low latency.
So, everyone's looking at
this really big elephant
from different angles.
The one thing we do know is that
the user is thinking that, man,
whenever all these wonderful
technologies come together,
it's going to be
something special.
We've been seeing it in all that
sci-fi movies, and, you know,
honestly, the way we look
at it is 5G is really more
than just the comms piece.
It's really how all this AI
stuff and machine learning
and all the pervasive and
immersive technologies --
how did that all come together
for the public safety folks,
for the vehicle to everything?
I want my car to talk to my
refrigerator and let my --
get my coffee cooking,
you know, going,
as soon as I get my
garage door to open.
And for some reason,
we associate all this
with this 5G era.
I'm not sure why.
We don't really need 5G
to make all that happen.
And then more specifically,
within the IT conversation,
most of IT capabilities
are available today,
but some people are still
waiting for 5G to come
to their town, so I can do IoT.
And I'm trying to tell
people, you don't have to wait.
It's available.
You can go build it today.
So, but for some
reason, you know,
5G has become this
catch-all buzzword,
which sort of represents
this new era in tech so,
what you have is all
your users are waiting.
They're all dressed and ready
for this big party to start.
But not realizing behind this
wall, or behind the curtain,
there are a whole lot of
administrators and cyber folks
that are trying to figure
out how do I address all
of these complex challenges
that are coming down the pike.
So, as much as we talk
about, hey, I want to be able
to have a phone or I want
to have some type of beam
that follows me around as I
walk through Central Park,
we've got to realize that behind
that comes a whole bunch of work
and we've got to realize that
threats that are coming in --
because a lot of this
stuff is now being done
in the software realm,
and for some reason --
I'm a software person, so I'm
biased -- but for some reason,
there's a belief that the more
software you put into a system,
the more someone can affect it.
As if hardware is infallible,
but that's a conversation
for another day.
So, one of the things
we're saying is,
how do we keep those threats
under some type of control.
And I guess the last question
was, what are you going to do,
to try to stop all these
different threat vectors
and all these threat actors
that are threatening all
of these prized parts
of our infrastructure.
And the reality is, the short
answer is, we have to learn how
to do risk management.
And that's a very nasty word.
We talk about -- we have a
risk management framework
within the government, that
we're being encouraged to apply.
But the reality is, it's really
hard to sit down and walk
through your entire ecosystem
and identify all the
things you care about
and prioritize what things
you want to take care of
and what things are you
willing to sacrifice for a cost,
and to be at a cost
and rank everything.
And that's a very
difficult activity.
So, it's hard to
secure everything,
and a lot of the things I do
on the side is to try to figure
out what type of soft defense
mechanisms can we apply.
Can we try trust modeling?
Can we do some type
of deception?
What else can we do, to help
with the IES's and firewalls
and anti-viruses and all
the other things we deploy
to secure our infrastructures?
So, those are techniques that
remind me to become more versed
and to try to figure
out, how do I trick.
How do I deter?
How do I delay, to
buy me some time,
to figure out where the
threat is really coming from?
And so, those are
some real challenges
that we're going to
have to deal with.
And we don't have them today,
even though the party's
starting.
We're starting to hear
the music, we're starting
to hear the hype, and people
are -- the momentum is building.
People are ready to
deploy applications,
and we haven't gotten everything
quite ready for the party yet.
So, we're going to, you know,
pick up the pace in some ways
and try to be able to come up
with strategies that can be able
to help all this wonderful
future, hyper-connected era,
activities to be able to go off
without too much of a hitch.
I'm definitely not going
to spend any time on here.
But this real quick point is
to let you know, you know,
this looks like it's -- we took
a straight line from 1G to 4G
to 5G, and it really
wasn't that way.
I just wanted to let you
know, there was a bit
of scattershot in
the early years.
But when we got around 3G,
ITU really sort of stepped
up as being the bell cow
that sort of pulled all
of our standards and our
requirements together.
And since they've sort of been
escorting us through the 4G
and into the 5G eras, so now
we have one sheet of music
that everyone's kind
of working from,
in a standards perspective.
And so, we'll touch
on some of those.
But just in a nutshell, we
had the three major use cases,
I believe, was touched
on earlier,
so we'll just maybe allude to
that lightly in the future.
Yeah, I'm just going -- I'm just
to skate through some of these,
just because I feel
like we've been --
as I say, we had a master class.
I don't need to recap
a lot of it.
But one of the big
challenges here is we're moving
from a more static, you
know, hardware, you know,
centric 4G infrastructure.
Now, we're moving towards a very
virtualized software intensive
core in the 5G era.
We're talking more about Edge.
We didn't talk about
Edge much on the 4G side.
We're talking about
virtualization,
dynamic configurations --
all those things are things of
the 5G era, and so, that's going
to -- those things
are necessary,
to be able to create some
of the wonderful scenarios
that we're talking about
doing in the next few years.
So, I just want you to know
that there was a transition.
We were able to fix some
of the issues that came
with the 4G world, but
unfortunately, you know,
some of those things
are going to carry
on into the next
generation, maybe, into 6G.
I think we're starting 6G work
improve meetings, which is scary
and a dichotomy, like
you've got to be kidding.
And also, even a release
17 type of activity.
It seemed like some of the
stuff is more science fiction
than reality, but we've
got to get ready for it.
It's coming over
the horizon now.
So, security implications.
I believe we touched
on a lot of these.
So, I'm trying not to
rehash a lot of that ground.
But I'll just touch
on this notion
of 5G being this connectivity,
this unifying connectivity
fabric
for all these other
technologies.
And so, you have,
you know, as I said,
the AI, the Cloud, the Edge.
We have the immersive,
the technologies,
which is your virtual
reality, augmented reality.
Everyone's thinking, how can
I make all this stuff go.
I need some fuel to sort of
drive all of these technologies.
And so, we're looking to 5G
to sort of solve all that.
Even though I don't believe
it's really best suited
for every use case, but for
right now, we're just using it
as a catch-all term for those
that don't really
understand the differences.
So, we'll just keep the
conversation moving forward.
We've got to realize, with
this increased connectivity,
you're creating more
of a complex system.
So, as you get more systems,
you get more, you know, threats.
You get more cyber attacks.
And so, we have to deal
with botnets on our phones
in the future, that deal with
-- how do I deal with, you know,
devices being added
to the network
without the admin
knowing about it?
It's something we
have to do on the fly.
So, that automatic provisioning.
How much you want to automate
and let some software decide
what is secure and not secure,
versus having a person do it?
So, we've got a lot of issues
that we've got to address.
And I'm not trying to
pile on and let you know,
oh my God, we should be afraid.
We're not going to move forward.
I just want to let you know
there are some particular
security challenges
that we have to address.
And I think we have some
smart people working on this,
so we have some good hope
and belief that we're going
to be able to beat this.
We mentioned that the
infrastructure will be heavily
virtualized, which
brings its own issues.
But I think in some cases,
there's a belief that even
with something like a network
slicing, you know, hey,
it's basically like VPNs, right?
We can just chop it
up and pass it out
and let people run their
own little, you know,
networks, however they want to.
It's going to be their
own ownership models.
They've got their own QoS.
It can be just like,
you know, the old days.
Nothing's different,
but we've got to realize
that there are a lot
more nuances to this.
And you just can't just
automatically translate one
technology for another.
So, there's going to be some
new software, some new terms,
some new -- some of this stuff
is going to be a little custom,
even though we're
using standards,
and a lot of the standards
are really life saving,
because I can think a
generation ago, everything was,
you know, custom built.
I come from doing
Raspberry Pis, right?
So, IoT, a few years ago, was,
hey, I got three Raspberry Pis
that are talking together.
And I'm using it to feed my
dog when I'm not at home.
So, it's grown up quite
a bit in a few years.
So, now, we got to look
at all the possible ways you
can get these systems to act
and to be able to sense and
to be able to work together
without necessarily me
sitting there, pushing buttons,
and flipping switches.
It's a different way of
thinking, so it's going
to also trigger a different
way of defending, as well.
And supply chain.
I know we've touched on this,
but supply chain is a
much bigger issue than --
let me pull the thread on
the hardware to figure out,
all the way back to where
the rare earth can be pulled
out of the ground.
So, that lets me know that
the supply chain is clean.
And that needs to be, at
least, for my opinion,
that's what supply
chain really was.
Find out where all the pieces
come from and who built them.
Was this done in
an ethical fashion?
Did we have 12-year-olds
in mines?
Is that a problem?
From a business point of
view, you probably don't care,
but it does trigger
some other issues.
So, that's a technical or
a technology supply chain.
Well, there's also a
service supply chain.
So, one of the things
we're seeing overseas,
and I think it was
touched on lightly
in the last presentation,
and that is, if I go overseas
and I use a foreign
carrier network,
and I'm buying a service from
the provider, who is not banned
or considered non-compliant,
but they have a contract
with someone who has a contract
with someone who has a contract,
who uses non-compliant software.
So, now, we have a
service supply chain.
We're now going to say,
every service I buy,
I've got to follow that
little thread of, you know,
to figure out who all they
get their supplies from.
Not just the hardware,
not just the software,
but it's also service contracts.
And so, now, the question is,
this isn't something
the Department
of Commerce is dealing with
every day, to say, okay,
this guidance went out, but
now, how far does it go?
You know, how many hops
into the network do I have
to go before I can sleep at
night, knowing that I'm secure,
whatever secure really means?
So, supply chain gonna
open up some second
and third order effects
that we now have to look
at it a little differently
than just knowing
that it's a clean
technology supply chain.
There's a little bit more to it.
This -- I think we've touched
on this, even, a little bit.
But this is -- sort of shows
some of the challenges we see
in the RAN side of the equation.
So, in some cases, you can
have a rogue base station.
I think someone even had a
question on that, saying,
you know, if you have an IMSI
catcher and how will you deal
with that today, versus how we
envision doing it in the future.
So, you can have
an unsecure phone
or end user device
at a base station.
And, so, right now, there are
ways that you can say, hey,
the person sticks a
base station there.
You don't know who you're
connected to exactly.
And so, there's some changes we
can make, here, whether it's,
you know, adding some type of --
a key type of key management
construct or creating some type
of enhanced base station
technology, so you can be able
to verify that I
am you, you are me,
before we make a hard connection
and start passing information.
So this just shows
one way of doing it.
There's different ways.
There's -- 3GPP is
also looking at that.
This was actually part of the --
one of the minor contributions
to the last 3GPP, SA3 session.
I think I have a slide
on that, somewhere --
I might get to it in a second.
This is a recap of
the network slicing.
I feel like I'm skating through
a lot of this, because I feel
like we've already, you
know, been, you know,
schooled on it very well.
So, don't want to go
into it very deeply.
Anything I want to touch on?
No, I think we've been --
actually, that slide
looks almost just
like the slide from earlier.
So, I'll keep moving.
So, here, this is
just one depiction
of how the world might
look, right, from, you know,
which side of the
world you're on.
On one side, we looked at --
okay, I'm an application
developer
or I have a use case
I want to address.
I've got to figure out,
okay, for what I want to do,
I got to map that to what type
of environment I'm
going to be working in.
So, am I in the building?
Am I outside the building?
Am I in a personal area
network or am I doing something
that's very specialized?
So, something like telesurgery,
that's going to say, Oh,
my gosh, I need to make
sure I have low latency.
So, that tells you, boom,
I need to be considering
something like a 5G.
So, this sort of tells
you 5G has enrollment
in a lot of different places.
I think there's some
battlegrounds we're going
to see somewhere,
especially in the building.
I personally don't believe
Wi-Fi is totally dead yet.
I think there's going to be --
especially Wi-Fi 6
and WPA3 coming out.
I think it's going to be
an interesting battle here
on the in-building sector.
But once you get into the
wide area environment,
so I think it's pretty much
going to be a 5G, even though,
when we talk about IoT,
we also got to realize
that IoT is not just
one thing either.
So, there's massive IoT, which
may be dealing with a lot
of low power, you know,
a lot of, you know,
we may run narrowband IoT
solution may work for you.
If you don't need to
have wireless webcams,
sitting somewhere,
collecting high res video,
then you might be able to get by
with a narrowband IoT solution.
But they can still tie
into the 5G fabric.
They can still move forward.
So, just letting you know,
there's different
ways of slicing this.
So, this is one way
of slicing it.
I believe that on the
personal area network piece,
I think there's going to be some
interesting activity there, too.
I mean, we always bring this
up in 802's category, right?
802.11 and .15.
So, I think this is just
one way of looking at it
from a use case point of view
and slice the pie according
to where is the failed
technology best applied.
[ Silence ]
Okay. Maybe I'm pushing
it wrong.
Oh, okay, next.
This one, I definitely
don't have to touch on,
because I think we've
analyzed --
I mean, as you look at the
three different use cases,
we kind of drew it on a spider
chart a bit, to kind of show you
where they're best used.
So, as we did in the last case,
on the last slide, we looked at,
okay, for a given cellular
solution, if they work well
in a wide area environment,
well, so, here in the case,
you may look at it and say,
for whatever I may need
from all these different
ilities and attributes,
you know, depending on
what I want out of it,
will you tell me what type
of use case I want to apply?
So, when we step into 5G, at
least the first generation,
we're going to see mostly a
broadband type of approach.
We won't get really into the low
latency stuff until maybe the --
at least that's the
stuff in early 16
that will probably spill
over in release 17.
Oh wow. Time moves
quick up here.
Maybe it's Boston.
So, I'm just showing
you that, you know,
depending on what you're looking
for, it may tell you what type
of use case you may
want to consider.
Standards, really quick.
We have to touch on
this really quickly.
One of the things about network
slicing I think we think that's
going to be the - that
and beam forming are two
of the most popular features
that we typically hear
about when we talk about 5G.
But one of the keys to that is
you probably have to realize,
you have to have a true 5G
core to make that happen.
And so, one of the
things we learned
about in Release 15 is there's
two different architectures
that we're going to
probably promote,
which is a standalone
and non-standalone.
So, you've got to really have
a 5G standalone architecture,
to really make the
network slicing happen.
And, so, that's some of the
things that's being bandied
about and believe me, it's
not a pretty place to be.
I went out to Reno, back,
I guess, in the spring.
I like to take advantage of
anytime something is happening
in the country, so I don't
travel all around the world
and attend all these
working group sessions --
but there's a pretty good body
of work -- there's SA3 work,
which is mostly security-centric.
And there's also a
separate, you know,
five or six different
RAN working groups.
So, we're working through
ATIS to try, you know,
make sure we stay engaged with
some of those 3GPP activities.
Anything else?
One of the things
we also notice is
within the security
working group,
they don't really spend a
lot of time on supply chains.
We realize that may be a
second activity we have
to do outside of that.
So, we're setting up individual
supply chain working groups,
with that as hopefully,
get those started
in the next few weeks.
Here are a few of the
security features,
as you move from 4G to 5G.
Some are considered optional.
We've been trying to
make contributions,
to be able to say, hey, some
of these optional features
should be considered mandatory.
Most of them got rebutted,
so, we're going to try to see
if we can do that at the
ATIS level, which is more
or less focused on United States
and North America
type employment.
So, as you see here, if we had
our choice, be king for a day,
we would really want to push
getting the MC encryption,
you know, new generation,
we're calling it [inaudible],
some new terms you've got
to be able to adapt to.
These are contributions.
And the working -- we have a
secure profile working group,
actually our next meeting is,
I think, the first of August.
So, if anyone's interested,
this is an industry
and government consortium,
environment where we'll be able
to work through some of these
5G security issues together.
To do list, which I'll skip,
because we're out of time.
So I'll just jump
to any questions.
I'll leave this up, just in
case it reminds me of something.
Yes? Any questions?
That means I can talk longer.
I was just kidding.
Awesome. We're up
against a break, right?
Well thank you very much.
>> Thank you.
[ Applause ]
[ Music ]
[ Silence ]
