5G: A secure technology?

Around two thirds of the world’s population, or roughly 5 billion people, are mobile subscribers and use third-generation (3G) or fourth-generation (4G) wireless networks1. These networks enable consumers to capture the full potential of smartphones and other smart devices. Now the next generation (5G) is attracting a lot of public interest.

October 10, 2019

Dr. Patrick Kolb

Fund Manager, Credit Suisse Asset Management


5G promises to transform the way people use the internet. This technology has the ability to improve efficiencies at every level, increasing network bandwidth, speed and reach, while simultaneously lowering latency in almost every area. Equipment makers and telecom operators are already rushing to test and roll out this next generation of wireless networks, which will be as much as 100 times faster than today’s 4G standard. The new 5G networks are expected to enable the steering of driverless cars or allow doctors to perform complex surgeries remotely. Critical new services can emerge, such as remote health care, emergency response, and wide-ranging industry applications that will leverage the Internet of Things (IoT). All these novel services will depend on communication networks, and IT security is in our opinion the key enabler. We believe this will open up vast new possibilities for consumers and businesses as well as for governments. While the economics of 5G are still being worked out, proponents say the potential payoffs can be immense: companies that own patents stand to make billions of dollars in royalties. Countries with the largest and most reliable networks will have a head start in developing these technologies, enabled by faster speeds. And the dominant equipment suppliers could give national intelligence agencies and militaries an advantage in spying on or disrupting rival countries’ networks.

Is 5G secure?

The most exciting part of 5G is how speed will change the internet. So far, the internet has simply been about transporting data from point A to point B. An internet-connected car today may be able to have driving directions sent to it, but that is essentially the same as getting an email, which is nothing more than the one-way transportation of pre-existing information. The autonomous car is vastly different: the 5G network allows computers to orchestrate a flood of information from multitudes of input sensors for real-time decision-making. According to Richter (2017), connected cars can create up to 25 gigabytes of data per hour. As Fig. 1 shows, this amount of data is equivalent to nearly 30 hours of HD video streaming or more than a month’s worth of 24-hour music streaming.


Fig. 1: Data generated by connected cars compared to data usage of online activities (per hour)

Sources: Credit Suisse, Richter (2017): Big Data on Wheels, in: Statista, Feb. 9th. 2017, URL:; last accessed on June 12, 2019

Building 5G is not simply about building a network; it is also about whether that network will be secure enough for the innovations it promises. Let’s take the example of autonomous vehicles again: when 5G enables autonomous driving, do we want those cars and trucks crashing into each other just because somebody has hacked the network? If 5G is to be the backbone of breakthroughs such as remote surgery, should that network be vulnerable to somebody breaking into a surgical procedure?

In our opinion the evolving relationships between 5G networks, computing resources and end users will have a huge impact on IT security. The connective power of 5G means a greater number of network endpoints, resulting in more possible openings through which an attacker may penetrate the network. Once compromised, these openings can be exploited at a new speed and scale. 

Potential threats range from attacks on critical infrastructure connected to a 5G network, including the electrical grid, water systems and fuel pipelines, through a breakdown of communications and massive service outages, to unauthorized access to sensitive and private data. As processing power migrates to the edge of networks (i.e. edge computing) to serve new mission-critical business applications2, the number of intrusion points will expand massively. As a consequence, the security stakes are rising: with today’s 4G networks a large botnet could be used to mount a large-scale Distributed Denial of Service attack (DDoS attack) on websites. But in tomorrow’s 5G world the same botnet could take out an entire network of self-driving cars. The vast number of remote sensors and smart devices connected to global supply chains will radically increase the complexity of security networks. This, combined with the enormous amount of data created by 5G, will make it even more difficult to spot anomalies3. Recent studies have identified potential vulnerabilities in 5G network architecture that threaten to undercut its promise to drive a new era of innovation. In this context we want to highlight three papers:

  • According to scientists from ETH Zürich, the University of Lorraine/INRIA, and the University of Dundee, a new Authentication and Key Agreement (AKA) flaw was recently discovered that would allow cybercriminals to intercept 5G communications and to steal data. The AKA vulnerability could also cause a user to get wrongfully charged for a third party’s usage of the 5G network4.
  • Another study, conducted by the European Union Agency for Network and Information Security (ENISA), identified flaws in two signaling protocols in 2G, 3G and 4G networks (so-called SS7/Diameter), which could also appear in 5G networks. The signaling protocols’ vulnerabilities could allow network traffic to be eavesdropped or spoofed, a subscriber’s location to be intercepted, or a target’s phone to be disconnected from the network. Additionally, ENISA warns that the use of common internet protocols (such as HTTP) in 5G networks means that when vulnerabilities in those protocols are discovered, the software flaw could be transferable to mobile networks as well5.
  • Finally, Positive Technologies Inc., a global provider of enterprise security solutions, examined the vulnerability of mobile networks. According to the authors, currently no mobile network is secure, subscriber data is in jeopardy and no operator (either big or small) can guarantee a secure network. In their study the researchers launched several cyber attacks and successfully executed 80% of Denial of Service attacks (these attacks lead to a disruption of operations), 77% of data leakage attacks and 67% of fraudulent actions6.

Implications and conclusion

5G could open up new security challenges. As this new mobile network begins to roll out, organizations are increasingly looking for service providers who are able to offer a resilient network with robust cybersecurity mechanisms in place to secure their connected customers and make sure applications and services that come across their networks are clean and secure. In a survey conducted by Ericsson, which included the Top 20 global mobile service providers, 90% of the respondents identified IT security as a key differentiator in 5G adoption7. 5G security vulnerabilities heighten the business risk operators face in offering reliable and secure availability of life-critical consumer applications and business-critical enterprise mobile services. Establishing a strong reputation will be critical for mobile network operators. Therefore we think there are two implications for investors:

  • First, the growing awareness of novel 5G security vulnerabilities will surely accelerate the efforts to protect the communication networks. The current challenges are unspecified cybersecurity goals and a lack of precision in the definition of standards8. In our opinion key 5G security initiatives should include tools based on artificial intelligence (AI) with the aim of identifying threats quickly. Other open areas that need to be addressed are questions about access control and how an integrated security architecture can adapt to the changing network environment.
  • Second, 5G security requires a new holistic and transformative approach: prevention becomes more critical than ever. An increasing level of security automation is needed, as well as the integration of big data analytics. As of today we believe the rollout of 5G is uncharted territory and unforeseen consequences may arise. Therefore we think new 5G security solutions will directly benefit specialized IT security companies.

In our opinion IT security is a fundamental enabler for 5G. With its proliferation we think new companies with cutting-edge technologies are well positioned to capture market share from established incumbents. We expect these trends to highlight the need for a best-of-breed approach. Very often the providers of such products and services are young and innovative companies in the small and mid cap world. We think IT security-related issues are becoming increasingly omnipresent in our daily lives and the implications of the ongoing digitization of our society are becoming more critical.

As long-term oriented investors, we think security and safety in general are compelling long-term secular growth themes for patient investors. Based on these convictions we are shareholders of a number of young and innovative companies which are developing novel security solutions in 5G and IoT. Companies that deliver cloud-grade scalability, visibility and control with advanced protection for mobile networks, as well as those in the field of next-generation firewalls, are in our opinion well positioned.

1 Source: GSMA (2017): Global Mobile Trends 2017, URL:; last accessed on June 12, 2019
2 The idea behind edge computing is that compute/storage will increasingly occur closer to the end-device. It helps to reduce latency and transportation costs and pushes applications, data and computing power away from centralized points to locations closer to the end user. Reduced data volume, traffic and the distance the data must travel are the main advantages. 
3 Source: CPO Magazine (2019): 5G and the Future of Cybersecurity, in: CPO Magazine, April 4th 2019, URL:; last accessed on June 12, 2019
4 Source: Basin et al. (2018): A Formal Analysis of 5G Authentication, Conference Paper, in: ETH Zürich Research Collection, Oct. 15th 2018, URL:; last accessed on June 12, 2019
5 Source: ENISA (2018): Signalling Security in Telecom SS7/Diameter/5G: EU level assessment of the current situation, March 2018, URL:; last accessed on June 12, 2019
6 Source: Positive Technologies (2016): Primary Security Threats for SS7 Cellular Networks, URL: 
7 Source: Ericsson (2018): Exploring IoT Strategies, paper, URL:; last accessed on June 12, 2019
8 “… We find that some critical security goals are not met, except under additional assumptions missing from the standard”, source: Basin et al. (2018), p. 1.



© Credit Suisse (UK) Limited 2019.