Prague proposals: Officials agree 5G security recommendations

News

Global security leaders agreed a set of non-binding proposals on Friday, aimed at securing 5G networks.

Participants from 32 countries met in Prague at a conference. Four unnamed operators also attended.

The conclusions from the event, published by the Czech government, included a recognition of concerns about equipment supplied by vendors that might be at risk of state influence.

China did not attend the conference and no companies were mentioned by name. However, the gathering came amid ongoing global debate about whether Huawei’s equipment should be used in 5G networks, following allegations from the US it could be used by the Chinese government to spy. Huawei vociferously denies these claims.

The conference conclusions note: “The overall risk of influence on a supplier by a third country should be taken into account, notably in relation to its model of governance, the absence of cooperation agreements on security, or similar arrangements, such as adequacy decisions, as regards data protection, or whether this country is a party to multilateral, international or bilateral agreements on cybersecurity, the fight against cybercrime or data protection.”

Recommendations

The recommendations include that communication networks and services should be designed with resilience and security in mind, meaning they are built and maintained using international, open, consensus-based standards and risk-informed cybersecurity best practices.

The recommendations also say that stakeholders should regularly conduct vulnerability assessments and risk mitigation within all components and network systems before product release and during system operation, and should promote a culture of rapidly deploy fixes or patches.

The attendees agreed that risk assessments of suppliers’ products should take into account all relevant factors, including the legal environment and other aspects of a supplier's ecosystem.

Reuters quotes diplomatic sources as saying that countries participating at the conference were not ready to sign anything there and then because discussions within their own governments were still ongoing, but they urged participants to "seize on the momentum moving forward”.

EU members are assessing cybersecurity risks related to 5G and must complete this process by the end of June.  The European Commission and the European Agency for Cybersecurity (ENISA) will complete a coordinated risk assessment by 1 October 2019. Using this, EU countries would then have to agree measures to mitigate risks by the end of the year.