Spurred by US criticism of the Chinese telecom supplier Huawei, and especially its participation in 5G networks, the European Union began developing an approach to this key issue over the last year. As a first step, the European Commission asked all EU member states to conduct a cybersecurity risk assessment of their existing and planned 5G network infrastructure—the next generation of mobile broadband that is much faster than current 4G LTE technology and will be essential for the development of the Internet of Things (IoT) as well as many artificial intelligence technologies. The combined result of that survey, EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks, was published on October 9 by the NIS Cooperation group, comprised of the Commission, EU member states, and the European Agency for Cybersecurity. Over the next year, the Commission plans to use the risk assessment report as a foundation for developing a European toolkit to address these risks.
Sign up for the “Plugged In” newsletter, which showcases updates and analysis from the Transatlantic Digital Marketplace Initiative on the latest information and thinking on digital policymaking in Europe and its potential impact on the United States.
The report identifies the main vulnerabilities facing 5G
networks, including numerous technical issues, such as poor software
development, that may leave complex 5G networks open to cyberattacks. It also
To date, the number of companies able to provide 5Gbased network infrastructure is limited. In Europe, the EU could turn to Ericsson in Sweden, or Nokia in Finland, but Huawei usually offers a price advantage. And as the report states, with just a handful of options of 5G suppliers, the security risks increase: “At national and EU level, a lack of diversity of suppliers increases the overall vulnerability of the 5G infrastructure, in particular if a large number of operators source their sensitive assets from a supplier presenting a high degree of risk…” The report also notes that, “the presence of a limited number of suppliers on the market can decrease their incentives to develop more secure products. It can also have a negative impact on the leverage available to national authorities and operators to demand higher security guarantees, in particular for smaller M
Member States or operators.”
How the EU will choose to mitigate the risks posed by hostile or suspect suppliers is far from clear. Many EU member states already have Huawei equipment in their networks and removing it will be tremendously expensive. While the EU is to make decisions about how to respond to supplier-based risks in 2020, the German Federal Network Agency has already determined that no equipment supplier should be specifically excluded. Instead, the Agency is confident that any risks could be mitigated by security procedures. However, the United States has already threatened to stop sharing intelligence with countries that use Huawei equipment, though there are conflicting reports about whether Germany will be excluded. Thus, for the moment, the EU has chosen not to ban any particular firm and instead outline the characteristics that would exacerbate risks. Whether these characteristics and the toolkit that is still to be developed will be sufficient and timely enough to protect the EU’s 5G network infrastructure—and to avoid further tensions with the United States—is anyone’s guess.
Frances G. Burwell is a distinguished fellow at the Atlantic Council and a senior adviser at McLarty Associates.
Mon, Oct 28, 2019
By legislating the use of this key technology, the European Union will likely become the leading regulator for AI, as it has for privacy with the General Data Protection Regulation (GDPR). But the challenge for von der Leyen will be developing legislation that reflects European norms and values while also avoiding overregulation that might hinder innovation and investment.
Blog Post by
Wed, Oct 2, 2019
A quick look at how the new European Commission will line up on digital policy.
New Atlanticist by
Tue, Oct 22, 2019
As concern skyrockets over political disinformation, hate speech, and terrorist incitement on the Internet, legislators across Europe are scrambling for regulatory answers.
New Atlanticist by