Cybersecurity in the age of 5G technology: the EU’s response
by Deirdre Ní Cheallacháin
5G denotes the fifth generation of mobile internet connectivity. It offers internet users significant benefits, such as wider coverage, more stable connections and higher download and upload speeds, and its application in critical sectors such as transport, health and energy will be wide-ranging in scope and transformative in impact.
There are two chief stakeholders in 5G network infrastructure: i) telecom equipment suppliers; and ii) telecom network operators. The main global telecom equipment suppliers are Huawei, Ericsson and Nokia. While Ericsson and Nokia are European, Huawei, the world’s largest telecom equipment supplier, is a Chinese company. Other suppliers include ZTE, Samsung, and Cisco.
Discussions of the development and the roll out of 5G technology have centred on the potential security threat posed by suppliers headquartered outside the EU, particularly by Huawei. The fear is that the integrity of Huawei’s telecom equipment could be compromised as China’s National Intelligence Law requires Chinese citizens to support the state’s intelligence gathering practices. Although founder and President of Huawei, Ren Zhengfei, has stated that Huawei’s employees would not comply with this law, concerns have not been allayed.
Leaked information from a meeting of the United Kingdom’s National Security Council in April 2019 energised this discussion, as it indicated that the UK government had agreed to let Huawei develop parts of the UK’s 5G network infrastructure. Tom Tugendhat, the chair of the House of Commons Foreign Affairs Select Committee, likened the UK’s decision reached in the report to allow Huawei to build a 5G network to “nesting a dragon”. The US, Australia, New Zealand and Japan have already expressly banned the involvement of Huawei in building a 5G network in their respective countries.
The EU’s response
At the EU level, the European Commission launched the 5G Action Plan in September 2016, which sets out a roadmap for the funding of 5G technology infrastructure in the EU. The Action Plan includes an EU-wide deadline of the end of 2020 for the launch of commercial 5G networks.
Heads of EU Member States and Governments concluded at the European Council on 22 March 2019 that the EU’s future reliance on 5G networks warrants investigation into the security risks their development and deployment pose. On 26 March 2019, the European Commission released a Recommendation on Cybersecurity of 5G networks in which it advocates a concerted EU approach to ensure a high level of cybersecurity of 5G networks in Europe.
The implementation of this recommendation can be divided into four phases:
- National assessments
By 1 July 2019, 24 Member States had completed and submitted a national risk assessment based on a questionnaire. The questionnaire was designed to identify the main vulnerabilities affecting 5G networks. Member States were expected to update their existing security requirements for network providers and include conditions for ensuring the security of public networks. Technical and non-technical vulnerabilities were identified. While technical vulnerabilities refer to deficiencies in software, hardware or security processes, non-technical vulnerabilities pertain to the purposeful interference with the integrity of the network. National cybersecurity and telecommunication authorities, as well as security and intelligence services, were consulted during the national assessments.
- The EU’s risk assessment report
Based on the national cyber-risk assessments, the European Commission published a report on the risk scenarios and threat actors associated with the 5G network infrastructure in the EU. The report is entitled “an EU Coordinated Risk Assessment of the cybersecurity of 5G networks” and was published on 9 October 2019. While the report notes that the technical makeup of 5G network infrastructure means that certain vulnerabilities in 3G and 4G versions will be mitigated, other vulnerabilities will be augmented as the 5G technology is more operationally complex. Most significantly, however, the report states that there are “important security challenges” to be considered in the development of secure 5G network architecture related to the intent of telecom suppliers and operators, as well as those posed by “certain non-EU countries” which have jurisdiction over them.
The most salient points of the report are as follows:
- The report finds that there are “threat actors”, in particular “non-EU state or state-backed actors”. While it identifies risk profiles of threat actors, for example a supplier that is subject to pressure from a non-EU country, it is important to note that no country or company is expressly named in the report.
- The report consolidates the finding in numerous national assessments that there are technical as well as non-technical vulnerabilities to be considered in the development and deployment of 5G technology in the EU.
- The “degree of dependency on individual suppliers” is also flagged as a security risk. As such, consideration should be given to the development of Europe’s industrial capacity, namely software, equipment manufacturing, laboratory testing and conformity evaluation.
To complement this report, the European Union Agency for Cybersecurity (ENISA) is also preparing a threat landscape mapping specifically relating to 5G networks, which will cover certain technical aspects in more detail.
- A toolbox of risk mitigation measures by 31 December 2019
The report will serve as a basis for the preparation of a toolbox of possible risk mitigation measures. Member States are called on to agree on a toolbox by 31 December 2019. Discussions to achieve this aim will be carried out within the Network and Information Systems (NIS) Cooperation Group, the EU’s cross-agency body responsible for cybersecurity. The toolbox will consist of “appropriate, effective and proportionate possible risk management measures” to minimise cybersecurity threats. However, this may prove difficult as 5G networks have not been fully rolled out in EU Member States and, consequently, the identification of best practices in risk management may be limited.
- Assessment of the recommendation’s implementation by 1 October 2020
As set out in the recommendation, Member States, in concert with the European Commission, should assess and determine whether there is a need for further action to ensure high-level cybersecurity of 5G network infrastructure by 1 October 2020. This assessment should be based on i) the outcome of the coordinated European risk assessment; and ii) the effectiveness of the toolbox.
Potential geopolitical implications
As outlined in the European Commission’s recommendation of March 2019, an EU Member State has the right to exclude certain equipment suppliers from its market “for national security reasons”. This could have considerable geopolitical implications for EU Member States. While the US has withdrawn its declaration from earlier this year that it would scale back intelligence sharing with countries in which Huawei has supplied 5G equipment, it remains unclear how concerted EU Member States’ approach will ultimately be in addressing the challenges that non-EU based suppliers represent. Irish Minister for Communications Richard Bruton had responded to the US declaration by affirming that Ireland would liaise with other EU Member States before making a decision. At the height of discussions with the US, a spokesperson for the Irish Department of Foreign Affairs had stated that ensuring the cybersecurity of 5G networks would “mesh with the work already under way in the context of the next National Cyber Security Strategy and Comreg’s existing roles around the security and integrity of the telecommunications networks”. The Strategy is due to be released in November 2019. In August 2019, when 5G was launched in five locations in Ireland, Vodafone used Ericsson equipment.
However, in Germany for example, telecom network operators Vodafone Germany and Deutsche Telekom have recently launched 5G networks using Huawei equipment, which has given rise to much debate. The head of Germany’s foreign intelligence service, Bruno Kahl, stated on 29 October 2019 before a parliamentary committee that Huawei should not be involved in the development of core 5G network infrastructure.
5G technology has the potential to revolutionise society and the economy for the better in many ways. However, due to its fundamental difference from 4G, a new cybersecurity paradigm will be necessary to minimise both technical and non-technical risks associated with this technology. The EU’s risk assessment report concludes that there are “non-EU state or state-backed actors” that pose risks. It characterises a dependency on a single supplier as a security risk. The cybersecurity of 5G networks is thus central in ensuring the strategic autonomy of the European Union, as an overreliance on one supplier could leave 5G networks overly exposed to systemic shortcomings and, potentially, to intentional exploitation. Huawei currently has the largest share of the global telecom equipment supplier market, at 29% in 2018.
The effectiveness of the toolbox of risk mitigation measures in ensuring a high level of cybersecurity across 5G networks in the EU remains to be seen; Member States will evaluate the measures taken by 1 October 2020.
The European Union Agency for Cybersecurity (ENISA) is also preparing a threat landscape mapping, and will develop a certification framework to cover 5G networks and equipment throughout the EU, which Member States are encouraged to adopt.