Spurred by US criticism of the Chinese telecom supplier Huawei, and especially its participation in 5G networks, the European Union began developing an approach to this key issue over the last year. As a first step, the European Commission asked all EU member states to conduct a cybersecurity risk assessment of their existing and planned 5G network infrastructure—the next generation of mobile broadband that is much faster than current 4G LTE technology and will be essential for the development of the Internet of Things (IoT) as well as many artificial intelligence technologies. The combined result of that survey, EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks, was published on October 9 by the NIS Cooperation group, comprised of the Commission, EU member states, and the European Agency for Cybersecurity. Over the next year, the Commission plans to use the risk assessment report as a foundation for developing a European toolkit to address these risks.
Subscribe
The report identifies the main vulnerabilities facing 5G
networks, including numerous technical issues, such as poor software
development, that may leave complex 5G networks open to cyberattacks. It also explicitly identifies state and
state-backed actors as among the most serious threats, and points to potential
dangers related to suppliers. The report notes that 5G suppliers may be
beholden to a non-EU country; a situation that could emerge if there was a
strong link between the supplier and its government, or if the supplier were
subject to legislation at home that was inimical to EU security and interests.
While the report does not mention any particular company, it is clear that
Huawei exhibits the high-risk characteristics that threaten the security of a future
5G network.
To date, the number of companies able to provide 5G–based network infrastructure is limited. In Europe, the EU could turn to Ericsson in Sweden, or Nokia in Finland, but Huawei usually offers a price advantage. And as the report states, with just a handful of options of 5G suppliers, the security risks increase: “At national and EU level, a lack of diversity of suppliers increases the overall vulnerability of the 5G infrastructure, in particular if a large number of operators source their sensitive assets from a supplier presenting a high degree of risk…” The report also notes that, “the presence of a limited number of suppliers on the market can decrease their incentives to develop more secure products. It can also have a negative impact on the leverage available to national authorities and operators to demand higher security guarantees, in particular for smaller MMember SStates or operators.”
How the EU will choose to mitigate the risks posed by hostile or suspect suppliers is far from clear. Many EU member states already have Huawei equipment in their networks and removing it will be tremendously expensive. While the EU is to make decisions about how to respond to supplier-based risks in 2020, the German Federal Network Agency has already determined that no equipment supplier should be specifically excluded. Instead, the Agency is confident that any risks could be mitigated by security procedures. However, the United States has already threatened to stop sharing intelligence with countries that use Huawei equipment, though there are conflicting reports about whether Germany will be excluded. Thus, for the moment, the EU has chosen not to ban any particular firm and instead outline the characteristics that would exacerbate risks. Whether these characteristics and the toolkit that is still to be developed will be sufficient and timely enough to protect the EU’s 5G network infrastructure—and to avoid further tensions with the United States—is anyone’s guess.
Frances G. Burwell is a distinguished fellow at the Atlantic Council and a senior adviser at McLarty Associates.
Further reading:
Mon, Oct 28, 2019
Von der Leyen, new Commission take aim at AI legislation
By legislating the use of this key technology, the European Union will likely become the leading regulator for AI, as it has for privacy with the General Data Protection Regulation (GDPR). But the challenge for von der Leyen will be developing legislation that reflects European norms and values while also avoiding overregulation that might hinder innovation and investment.
Blog Post by
Wed, Oct 2, 2019
Europe’s new commission: The outlook for digital policy
A quick look at how the new European Commission will line up on digital policy.
New Atlanticist by
Tue, Oct 22, 2019
The emerging EU regulatory landscape for digital platform liability
As concern skyrockets over political disinformation, hate speech, and terrorist incitement on the Internet, legislators across Europe are scrambling for regulatory answers.
New Atlanticist by