Spurred by US criticism of the Chinese telecom supplier Huawei, and especially its participation in 5G networks, the European Union began developing an approach to this key issue over the last year. As a first step, the European Commission asked all EU member states to conduct a cybersecurity risk assessment of their existing and planned 5G network infrastructure—the next generation of mobile broadband that is much faster than current 4G LTE technology and will be essential for the development of the Internet of Things (IoT) as well as many artificial intelligence technologies. The combined result of that survey, EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks, was published on October 9 by the NIS Cooperation group, comprised of the Commission, EU member states, and the European Agency for Cybersecurity. Over the next year, the Commission plans to use the risk assessment report as a foundation for developing a European toolkit to address these risks.
The report identifies the main vulnerabilities facing 5G networks, including numerous technical issues, such as poor software development, that may leave complex 5G networks open to cyberattacks. It also explicitly identifies state and state-backed actors as among the most serious threats, and points to potential dangers related to suppliers. The report notes that 5G suppliers may be beholden to a non-EU country, a situation that could emerge if there were a strong link between the supplier and its government, or if the supplier were subject to legislation at home that was inimical to EU security and interests. While the report does not mention any particular company, it is clear that Huawei exhibits the high-risk characteristics that threaten the security of a future 5G network.
To date, the number of companies able to provide 5G-based network infrastructure is limited. In Europe, the EU could turn to Ericsson in Sweden, or Nokia in Finland, but Huawei usually offers a price advantage. And as the report states, with just a handful of options of 5G suppliers, the security risks increase: “At national and EU level, a lack of diversity of suppliers increases the overall vulnerability of the 5G infrastructure, in particular if a large number of operators source their sensitive assets from a supplier presenting a high degree of risk…” The report also notes that, “the presence of a limited number of suppliers on the market can decrease their incentives to develop more secure products. It can also have a negative impact on the leverage available to national authorities and operators to demand higher security guarantees, in particular for smaller Member States or operators.”
How the EU will choose to mitigate the risks posed by hostile or suspect suppliers is far from clear. Many EU member states already have Huawei equipment in their networks and removing it will be tremendously expensive. While the EU is to make decisions about how to respond to supplier-based risks in 2020, the German Federal Network Agency has already determined that no equipment supplier should be specifically excluded. Instead, the Agency is confident that any risks could be mitigated by security procedures. However, the United States has already threatened to stop sharing intelligence with countries that use Huawei equipment, though there are conflicting reports about whether Germany will be excluded. Thus, for the moment, the EU has chosen not to ban any particular firm and instead to outline the characteristics that would exacerbate risks. Whether these characteristics and the toolkit that is still to be developed will be sufficient and timely enough to protect the EU’s 5G network infrastructure—and to avoid further tensions with the United States—is anyone’s guess.
Frances G. Burwell is a distinguished fellow at the Atlantic Council and a senior adviser at McLarty Associates.