A new white paper published by the UC Berkeley Center for Long-Term Cybersecurity examines the implications of “open radio access networks,” or Open RAN, a movement focused on “unbundling” the hardware and software in wireless telecommunication systems to reduce dependence on a small number of suppliers.
The report, Impacts of Open Radio Access Networks for Operators, Policymakers, and Consumers, was authored by Jon Metzler, Continuing Lecturer in the Haas School of Business at UC Berkeley. The report builds on Metzler’s previous CLTC white paper, Security Implications of 5G Networks, published in 2020.
“Radio access network (RAN) equipment refers to equipment in a wireless telecommunications system that provides the wireless access link with the customer handset (e.g., smartphones), and also manages radio resources,” Metzler explains in the report’s introduction. “The high levels of concentration in the RAN supplier market led network operators in multiple regions around the world to investigate Open RAN as a means of nurturing alternatives to current suppliers.”
Metzler’s paper on Open RAN was inspired in part by the April 2023 release of the National Security Council’s “Principles for 6G,” which stated that the 6G standard should be “open and resilient by design.” Additionally, Metzler observed that the 5G standard had reached widespread adoption (suggesting that 6G would be forthcoming), the U.S. Government was promoting broadband access and increasing RAN supplier diversity, and the National Telecommunications and Information Agency published an Open RAN Security Report. “In aggregate, these developments indicated that a robust assessment of Open RAN was timely— for network operators, for policymakers, and for network equipment suppliers themselves,” Metzler writes.
Open RAN marks an approach to achieving the dual goals of an “open and resilient” network, as it “seeks to promote greater hardware and software interoperability between different elements in RAN, which marks a change from previous generations, which were generally provided by one supplier,” Metzler says. The new standard aims to “disaggregate what historically had been monolithically provided by one supplier…, facilitate greater interoperability between supplier hardware and software…, and create greater supplier diversity in the RAN market.”
Between April 2023 and November 2024, Metzler conducted interviews with a range of network operators, network equipment suppliers, analysts, and policymakers, with a goal of understanding how Open RAN will fit into the new telecommunications landscape. His research focused on a range of key questions, including: what is the significance of Open RAN for network operators that are making 5G supplier decisions, or that are beginning to plan for 6G? What is the current state of supply in the RAN? Who are significant suppliers? What actions can policymakers take to facilitate supplier diversity in the RAN? And what would be the consequences of lack of action, or sporadic action?
Security Risks Unique to Open RAN
Part of Metzler’s paper focuses on security risks that could accompany the adoption of Open RAN, including whether “clearly defining interfaces between RAN elements, or putting elements of the RAN into the cloud, [could] create any new risks.” He notes that “the cloud offers potentially increased operational resilience and flexibility, but centralizing resources in the cloud may create new vulnerabilities, or create honeypots attractive to potential attackers.”
“Recent reporting on cyber intrusions into multiple US telecommunications networks (e.g., Salt Typhoon) highlights (a) vulnerabilities from interconnectedness (e.g., vulnerabilities in one network can lead to other networks that interconnect with it being compromised) and (b) the importance of network modernization,” Metzler writes. “Reporting indicates hackers may have exploited interfaces used for lawful intercept to gain access to traffic and call detail records (CDRs) from persons of interest. This highlights the need to modernize network operators (e.g., move to 5G Standalone) and ensure law enforcement equipment and operational practices are modernized.”
Recommendations for Industry, Policymakers
In his conclusion to the report, Metzler offers a range of recommendations to help ensure the efficient, timely adoption of Open RAN. For example, he suggests that network operators should invest in network modernization, rather than forcing new suppliers to invest in support of legacy features, and should re-invest in their network integration capabilities “to enable more robust services and to mitigate dependency on a concentrated set of suppliers.” He also suggests that the industry establish a “Telly Mac,” similar to Freddie Mac, to foster liquidity in the smaller network operator market and support investment and spectrum purchases.
Metzler’s report also includes recommendations for the National Telecommunications and Information Administration (NTIA), including a call to renew the Public Supply Chain Wireless Innovation Fund and use Small Business Innovation Research (SBIR) solicitations to nurture small business and startup suppliers. He also calls on the Federal Communications Commission (FCC) to measure the state of RAN and telecom equipment supply as part of its broad measurement process, and to fund network modernization efforts to make networks more open and resilient.
He additionally calls for an effort similar to “Operation Warp Speed” (the accelerated effort to develop a COVID vaccine) to drive rapid innovation and adoption of Open RAN across the telecom industry. “If governments truly want open, resilient wireless networks for 5G or 6G, more concentrated guidance and support could help deliver this outcome,” Metzler writes.
