Finally, the EU 5G risk assessment!

10/10/2019 - Nice to know the EU is following my blog!!

Shortly after I completed my post yesterday, wondering how much longer we would have to wait for the EU’s 5G roll-out risk assessment report, it got published!

What is the report’s conclusion? Well, just read some of its crucial passages below.

As the report states the market for 5G telecom equipment “is mainly characterised by a handful of global companies capable of supplying large telecommunications operators with the technology required. From a market share perspective, the main suppliers are Huawei (PRC), Ericsson (Sweden) and Nokia (Finland). Other suppliers include ZTE (PRC), Samsung (South Korea) and Cisco (USA)”.

The Report

What follows are some of the more striking passages; I have added the bold myself.

“The deployment of 5G networks is taking place in a complex global cybersecurity threat landscape, notably characterised by an increase in supply-chain attacks. Overall, threats considered most relevant are the main traditional categories of threats: this concerns threats related to the compromise of confidentiality, availability and integrity. Threats posed by States or State-backed actors are perceived to be of highest relevance. They represent indeed the most serious as well as the most likely threat actors, as they can have the motivation, intent and most importantly the capability to conduct persistent and sophisticated attacks on the security of 5G networks… In relation to State and State-backed actors, a particular threat stems from cyber offensive initiatives of non-EU countries… It is also noted that insiders or subcontractors can in certain circumstances also be considered potential threat actors, especially if leveraged by States as they could be used as a channel for a State to gain access to critical target assets.

5G networks can be associated with a range of generic technical vulnerabilities, which may affect software, hardware or arise from potential deficiencies in the security processes of any of the various stakeholders. Furthermore, in the early stage of deployment, vulnerabilities in the existing 3G and 4G infrastructure shall also be duly considered.

In particular, as 5G networks will be largely based on software, major security flaws, such as those deriving from poor software development processes within equipment suppliers, could make it easier for actors to maliciously insert intentional backdoors into products and make them also harder to detect. The risk profiles of individual suppliers can be assessed on the basis of several factors, notably:

The likelihood of the supplier being subject to interference from a non-EU country. This is one of the key aspects in the assessment of non-technical vulnerabilities related to 5G networks. Such interference may be facilitated by, but not limited to, the presence of the following factors: a) a strong link between the supplier and a government of a given third country b) the third country’s legislation, especially where there are no legislative or democratic checks and balances in place, or in the absence of security or data protection agreements between the EU and the given third country c) the characteristics of the supplier’s corporate ownership; the ability for the third country to exercise any form of pressure, including in relation to the place of manufacturing of the equipment.

A large degree of reliance on a single supplier (monoculture) creates a dependency on specific solutions and makes it more difficult to procure solutions from other suppliers, especially where solutions are not fully interoperable. As a result, EU-based operators who become overly dependent on a single equipment supplier are exposed to a number of risks caused by that supplier coming under sustained commercial pressure, whether due to commercial failure, being subject to a merger or acquisition, or being placed under sanctions.

The technological changes introduced by 5G will increase the overall attack surface and the number of potential entry points for attackers:

  • Enhanced functionality at the edge of the network and a less centralised architecture than in previous generations of mobile networks means that some functions of the core networks may be integrated in other parts of the networks making the corresponding equipment more sensitive

If some of the new use cases envisioned for 5G come to fruition, 5G networks will end up being an important part of the supply chain of many critical IT applications, and as such not only confidentiality and privacy requirements will be impacted, but also the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective.

Together, these challenges create a new security paradigm, making it necessary to reassess the current policy and security framework applicable to the sector and its ecosystem and essential for Member States to take the necessary mitigating measures.

This requires identifying potential gaps in existing frameworks and enforcement mechanisms, ranging from the implementation of cybersecurity legislation, the supervisory role of public authorities, and the respective obligations and liability of operators and suppliers”

The Conclusion

In other words, the document doesn’t name China or Huawei at all, but it paves the way for regulatory measures to prevent over-reliance on telecom equipment from a single supplier, especially if that supplier is based in a country with poor democratic standards: read Huawei/China. The world’s most dangerous hackers are state-backed. Some of the most notorious? China and Russia. The risk clearly expressed by the EU report is that non-democratic countries can attack and spy on EU countries from within their networks. The EU report leans towards the US position on Huawei, but does not propose a complete ban of the Chinese company.

Why is Europe not just barring Huawei as the USA has done? First of all, the EU would like to show its independence from the USA by making its own 5G risk assessment: maybe as a kind of retaliation for the NSA eavesdropping scandal which rocked major European countries several years ago?? Secondly, the EU has tried to find a diplomatic way not to offend Huawei/China in public. Thirdly, as I have written before, in many European countries Huawei already has a strong presence in the 3G and 4G infrastructure, and 5G will be partly laid out on top of this existing network. In some cases it might be too expensive to replace the existing Huawei equipment; implementing additional security measures could be cheaper. Replacing older Huawei equipment could also lead to (longer) delays in the 5G roll-out. Therefore Huawei could perhaps still play some part in the EU’s 5G future, but no doubt a much smaller one than anticipated and hoped for by the Chinese company.

Huawei’s Shaky Future in Europe

But things could get even worse for the Chinese. At the end of the year the EU Commission will publish a “toolbox” of measures that countries can take to mitigate the risks, though it can’t force the individual member states to comply. Officials probably hope that by publicizing the risks and proposing ways to tackle them, countries taking a lax approach to security will be propelled into action by their citizens! Moreover, the report gives ammunition to those in and outside the EU (Trump!) who wish to see Huawei fully banned. Further escalations in the USA-China trade war, in Hong Kong, or Chinese military aggression in the South China Sea, etc., could also work against the company in the current political climate.

Over the past 10 months I have written several blog posts on Dutch (local) initiatives with Huawei, in particular in the Amsterdam region. The publication of this report is likely to be followed by public discussion in parliament and society. All the ongoing Huawei projects will be scrutinized, re-evaluated and perhaps adjusted, possibly limiting or even annihilating Huawei’s role in some cases. I do wonder what Amsterdam, Ajax and the Johan Cruijff Arena are going to do!