At the ETSI Security Conference 2025, we spoke with Bengt Sahlin from Ericsson about the emerging landscape of 6G security. Sahlin shared insights on the evolution of mobile network security from 5G to 6G, the unique challenges introduced by new technologies and use cases like integrated sensing, the importance of threat analysis and security-by-design, and the role of global collaboration between industry and policymakers in shaping secure and resilient networks.
Can you give us a bit of background about yourself, your role at Ericsson, and how it connects to the standardisation efforts for 6G security?
I’m actually driving the 6G security research at Ericsson, and I’ve been doing that since we started the research some years ago. The research we do forms the basis for our views on what should be standardised and in which standardisation forums.
I also have quite a long history in standardisation. Even before I joined Ericsson in the 1990s, I was already participating in the IETF. Since then, I’ve been active in 3GPP, GSMA, and so on.
What key lessons from 5G security should be carried forward, and how realistic is it that 6G will overcome some of the legacy weaknesses?
5G security is actually really good. It was designed based on the threat landscape we saw at that point in time, and it still holds up very well. What we should do in 6G is to evolve security based on what we have in 5G.
The main thing we need to consider is what’s changing in the threat landscape. There are new use cases, and those introduce new threats that we need to handle. Then there’s new technology, which also introduces new threats.
If we look at the communication protocols themselves, they’re quite stable. We have good protocols like IPsec and TLS from the IETF, and the radio protocols we’ve developed are solid as well. So the main challenges come from new use cases.
Regarding legacy, some of the weaknesses will of course go away when older generations are decommissioned. In fact, if you decommission 2G and 3G, most of the major weaknesses disappear.
At the same time, we discussed today in the seminar the idea of making a clear cut toward 6G. A good goal for 6G would be to make unintentional fallback to previous generations harder — that’s one way to mitigate those legacy weaknesses as well.
You mentioned new technologies and new use cases. What are you referencing, and what unique security challenges do they bring?
One example is integrated sensing and communication. The sensing part is an entirely new domain for the standardisation bodies that are going to work on it. Until now, we’ve been focusing on communication, and now we’re moving into sensing — that’s clearly an area where there will be new security challenges.
From our point of view, that will be one of the main challenges for 6G — ensuring security and privacy when you start sensing the environment. There are many interesting privacy issues that come with that.
Open RAN introduces openness and vendor diversity, which increases the attack surface. How should the realisation balance innovation with security assurance?
You still need to standardise security. The O-RAN Alliance is a good example — they actually started with a detailed threat analysis and then defined security requirements and solutions.
So even as you innovate, you need to put in place the security measures that can be standardised. They’re also working on security assurance, creating specifications that are part of the GSMA Network Equipment Security Assurance Scheme, the NESAS scheme. They’re now conducting tests so that components can be assured under that framework.
Today, in a more fragmented geopolitical landscape, how do you see standardisation bodies and industry players ensuring the same level of collaboration without compromising on security?
One very important thing is that we should always aim for global and open standards. That’s what 3GPP has been doing all along, and it’s crucial from a security point of view as well — because then the standards can be analysed by the entire security community, who can verify that they’re sound.
A very important starting point is always the threat and risk analysis. That needs to be done properly from the beginning. Based on that, you can create the security architecture. Threat analysis is actually a key part of security-by-design, which we’ve been discussing a lot as well. We’re still aiming to create global open standards. Let’s see how it goes, but that’s our hope — that we can continue along that path.
As networks evolve toward IMT-2030 objectives, how do you see resilience and trust being designed into the architecture from day one?
Again, it comes back to threat analysis. It’s very important to take a system-wide view to understand the entire network and identify what’s needed to build trust and resilience into it.
Resilience isn’t only about security per se. Unintentional events — like heavy storms, earthquakes, or other disruptions — can also impact the network. These aspects need to be considered as well. But fundamentally, we need to understand the threats and build the security architecture based on that.
It’s based on today’s threat landscape and the security and privacy expectations we have now, while also trying to anticipate future threats that we will need to mitigate — which isn’t always easy.
Speaking about today’s threat landscape and looking ahead, are there security risks that aren’t getting enough attention today but could become critical in a few years or with 6G?
That’s a difficult question. What we can do is use our experience to estimate what the relevant threats might be. But sometimes new technological advances change the landscape very quickly, and then we need to adapt.
Security isn’t strictly generation-dependent. When new threats arise, they need to be handled, which may require fixes mid-generation as well. That’s an important point to keep in mind.
If you could give any piece of advice to policymakers shaping the 6G agenda, what would it be?
From our point of view, the most important thing is to have an active dialogue between policymakers and industry, so both parties can understand each other. That understanding allows us to move forward together, and I think it will benefit everyone if we cooperate and work together.