EU report on 5G security spotlights suppliers

News

EU Member States have published a co-ordinated risk assessment report on cybersecurity in 5G networks, although no supplier is singled out.

The report is based on the results of national cybersecurity risk assessments by all EU Member States. It will provide the basis for identifying mitigation measures to be applied at national and European level.

The integrity and availability of 5G networks are set to become a national security concern, the report finds, as 5G networks become the backbone of many critical IT applications.

The publication notes that due to new characteristics of 5G network architecture and new functionalities, certain pieces of network equipment or functions are becoming more sensitive, such as base stations and network management tools.

Therefore, the “risk profile of individual suppliers will become particularly important”, including the likelihood of the supplier being subject to interference from a non-EU country.

Threats from non-EU states or those which are state-backed are flagged as the most serious concerns and the most likely to target 5G networks

Single-supplier risks

Further, the report highlights a growing risk from dependencies on a single supplier, saying this increases the threat of service interruption.

“It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk,” the summary finds.

The report also notes the risk of increased exposure to attacks and more potential entry points for attackers due to the fact 5G networks are increasingly based on software.

“Risks related to major security flaws, such as those deriving from poor software development processes within suppliers are gaining in importance. They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect,” it warns.

Elephant in the room

Huawei was not singled out, but its dominance of the telecoms network equipment market and leading position in 5G, mean, according to Financial Times [subscription needed], "The US and EU are right to look at ways to counter it". A Dell'Oro report published in September found Hauwei had accounted for 28% of the market for the last quarters.

And then of course there are all the allegations of Huawei's industrial espionage, busting international trade sanctions, an obligation to use its equipment to spy on other countries for the Chinese state if asked, huge pressure from the Trump Administration to keep Huawei kit out of 5G networks and its being in the eye of the Sino-American trade war.

Next steps

By 31 December 2019, the EU Commission’s Cooperation Group will agree on a series of mitigating measures to address the identified cybersecurity risks at national and EU level. By 1 October 2020, Member States must assess the recommendations to determine whether further action is needed.