As the European Union races to embrace the rollout of 5G networks across the continent, its Member States are also becoming much more aware of the potential 5G security risks involved with those networks. In March 2019, the European Commission tasked each of the Member States to outline potential cybersecurity risks they might be facing with 5G networks. And now, more than six months later, those same EU Member States have published a joint risk assessment report on 5G security.
While acknowledging that this joint risk assessment was necessarily a high-level review of potential risks facing 5G network operators across the EU, the European Commission has made a lot of headway in starting to outline some of the major security risks that Member States are already starting to face. As noted within the European Commission report, 5G is a fundamentally different type of technology than 4G, and as a result, requires a “new security paradigm” that takes into account those differences. Ensuring a high level of cybersecurity preparedness will have to take that into account.
The Huawei problem and its relation to 5G security risks
Notably, the EU joint risk assessment into 5G networks managed to allude to the Chinese tech giant Huawei without actually mentioning the company by name. The report used a bit of clever diplomatic language to describe Huawei, referring repeatedly to tech companies from a “non-EU state or state-backed actor.” This left no doubt that the European nations are growing increasingly dubious about relying on Huawei to build out the EU’s 5G networks.
Governor Tom Ridge, former U.S. Secretary of Homeland Security and 43rd governor of Pennsylvania, makes clear that Huawei remains a distinct cybersecurity threat for Europe: “The new EU-wide 5G risk assessment further validates warnings from the cybersecurity community, which has been waving a red flag regarding Huawei’s involvement with next-generation wireless networks for many months. The group of ‘certain non-EU countries’ referenced by the report that represent a ‘particular cyber threat’ to ‘national interests’ identified by ‘several member states’ clearly includes China.”
In fact, the whole process of coming up with a 5G network security assessment was a direct consequence of the European Commission attempting to deal with U.S. pressure to boycott Huawei and all of its 5G networking equipment. Back in March 2019, the U.S. was ramping up pressure on the European Commission to stop doing business with Huawei, and as a result, the European Commission tasked each of the individual member nation states to deliver their own national risk assessments about how best to maintain the cybersecurity of their own 5G networks. If enough member states complained about Huawei and other non-EU actors in their national risk assessment of 5G network security then, presumably, it would make it much easier for the European Commission to comply with U.S. wishes on the matter.
Nate Snyder, senior counterterrorism official with the U.S. Department of Homeland Security and the Countering Violent Extremism Task Force under U.S. President Obama, says that the report is further proof that Huawei is a massive security threat: “The European Commission’s report makes clear that the vulnerabilities facing a Huawei 5G global network are systemic. Huawei networks are a house of cards supported by shoddy coding and a supply chain full of holes, with countless entry points for state and non-state actors, organized crime, and terrorist groups (cyber-based and otherwise) to exploit. Further, due to the single supplier nature of the architecture, it leaves the Huawei-based 5G network open to attack – essentially a sitting duck – meaning critical infrastructure such as electrical grids could be shut down or held hostage. These threats and vulnerabilities just scratch the surface.”
Other 5G security risks
However, the potential Huawei 5G security risk was not the only problem or concern covered by the joint risk assessment. For example, another major concern was the potential dependence on a single supplier for all 5G networking equipment. This presents its own share of cybersecurity risks, since any interruption to the supply chain of that 5G supplier would have immediate ripple consequences. For that reason, the joint statement suggested a preference for suppliers, vendors and partners with a wide range of 5G technology partners and suppliers. In that way, any interruption or delay with a single vendor could be mitigated by turning to other network partners. The reality, though, is that only a relatively small handful of companies – among them Nokia, Ericsson, Deutsche Telekom – have the power and capability to build out 5G networks across the EU.
Roger Entner, Founder and Lead Analyst of Recon Analytics, emphasizes the importance of having multiple 5G security vendors: “Europe is finally understanding how single vendor systems pose grave threats to 5G security. 5G networks have more points of attack. The differentiation between edge and core is disappearing as the edge is being absorbed into the core. Single vendor deployments are exposing operators to incalculable risks as operators tie their success to the viability of their vendors. Furthermore, it becomes necessary to trust in the vendors to an even greater degree, as some are vulnerable to state actors and sponsors, including those who don’t share our democratic principles.”
For that reason, the 5G security report also suggested that all of the Member States begin to build up “European industrial capacity,” in terms of companies and other entities or organizations that are capable of providing software, networking equipment, lab testing capabilities, and conformity evaluations. What this means in practical terms is that a single large tech giant – such as Huawei – will not be able to force its will upon any of the Member States by the sheer fact of its overall market power. Far better to rely on a trusted European vendor than a potentially untrustworthy non-EU vendor, right?
Of course, the 5G security report outlined many of the classic cybersecurity risks facing any 5G network rollout, albeit at a very high level. For example, the report specifically noted that 5G networks are very dependent on software to function, and thus, Member States should pay particular attention to potential software flaws or security weaknesses. In addition, the report specifically noted that the very nature of 5G network architecture meant that some networking equipment – such as base stations – is potentially overly sensitive and needs to be monitored with much greater oversight.
The 5G security report also called out the increasing number of entry points for hackers in any 5G network. That’s because billions of objects will eventually be hooked up to 5G networks, all of them “talking” with each other. This vastly increases the overall size of the attack surface for hackers. Instead of trying to break into super-secure corporate networks protected by an impenetrable perimeter, hackers will have their choice of “soft targets” far outside the corporate IT perimeter.
And, finally, the 5G security report noted that “integrity” and “availability” were still major concerns, and need to be taken into account with the same regard as security and privacy concerns. In other words, it really doesn’t matter how fast the throughput of network traffic on a 5G network might be if the network is not always up and running.
Next steps for the European Commission
This joint risk assessment for 5G networks is only the next step in the process that kicked off in March 2019. Next up is a December 31 milestone, in which the same Member States need to come up with a matching set of “mitigating measures” to deal with all of the cybersecurity concerns noted in the 5G security report. The idea, quite simply, is to come up with a relevant “toolbox” of measures that each of the Member States can use as part of an approach to securing 5G networks and thereby guarantee national security.
After these mitigating measures have been developed, the next step will come in October 2020. Member States will need to announce which mitigating measures they have begun to implement, as well as to come up with new recommendations (if any) for future action. One overarching theme to look for is how the Member States will begin to implement the “new security paradigm.” With 5G security, it’s not just a case of applying and adapting the same 4G security approaches.
And, on a parallel track, the European Agency for Cybersecurity, which is specifically tasked with maintaining the cybersecurity of 5G networks, is finalizing a threat map for 5G networks. This threat map will highlight the major threat actors, as well as some of the tactics and strategies they might use to destabilize 5G networks.
Taken together, these measures should provide the European Commission with a measure of confidence that the “digitised economies and societies” of the European Union will not be at major risk of disruption due to the rollout of 5G networks. Thanks to the advance planning represented by this coordinated risk assessment for 5G security, it’s now possible to imagine a 5G future for the European Union that will be as safe and secure as it is efficient, fast and powerful.