The EU Assesses Cyber Security and 5G Networks
The EU’s consolidated risk assessment of the cyber security of 5G networks is not just about Huawei. It highlights wider cyber security risks to 5G networks. Given the lack of market incentives to address these risks, regulation to safeguard 5G networks is becoming more likely.
Earlier this month, the EU’s Network and Information Security (NIS) Cooperation Group released its Coordinated Risk Assessment of the Cybersecurity of 5G Networks. The final report consolidates individual submissions from member states, which were not publicly released, into a comprehensive risk assessment of the international 5G threat landscape. It describes threats and threat actors, assets, vulnerabilities, risk scenarios and existing mitigation measures. The European Network and Information Security Agency (ENISA) is also compiling a private, more detailed mapping and analysis of the overall findings. Both efforts are part of the EU’s focus on the security of 5G networks. The next stage is a mitigation tool kit scheduled for release in December.
Initial public discourse about the EU assessment has, as expected, focused on the risks from non-EU suppliers and the possible implications if the Chinese company Huawei supplies 5G network infrastructure components. The report identifies states and state-sponsored actors with offensive cyber capabilities as the most dangerous threat to 5G networks, based on the ‘combination of motivation, intent and a high-level capability’. Separately, it describes the threat from insiders or subcontractors who build or maintain 5G network components, ‘especially if leveraged by States’.
However, the cyber threat to 5G networks does not come only from those who build and maintain them. While malicious state-led cyber activity via 5G infrastructure suppliers is an important consideration, the report highlights many additional risks that the public discussion, including initial media reports, has not sufficiently addressed.
5G Threat Actor Landscape
Both state and non-state actors pose a cyber threat to 5G networks. For the former, the report identifies state actors and insider threats as separate, albeit overlapping, categories, emphasising that, even if excluded from 5G infrastructure supply chains, state and state-sponsored actors retain the capability to threaten the ‘confidentiality, availability, and integrity of 5G networks’. As the NCSC has pointed out, Russia has hacked into UK systems numerous times without ever supplying telecommunications components. A narrow focus on Huawei, therefore, risks obscuring broader questions about the measures necessary to adequately secure 5G networks from a diverse set of adversaries.
The threat from non-state actors could come from organised crime, hacktivists, or individuals who seek personal financial gain. Once again, there is an insider threat from individuals within vendors providing 5G network components or maintenance.
As the cyber threat landscape is dynamic and unpredictable, the report devotes significant space to identifying 5G network vulnerabilities from poor engineering or the deliberate manipulation of components. It is important to note that these vulnerabilities could be exploited by all threat actors, not just those who build and maintain 5G networks. There are two major areas of vulnerability to consider: network design and security; and supply chains.
Decisions about architecture and network access are important ways to safeguard 5G networks. Segmentation and redundancy, for example, can help the network remain resilient should one or several components fail. The report gives examples of poor network design including the failure to: appropriately implement international standards; mitigate existing vulnerabilities in legacy networks; account for change management and software updates (including poor policies for remote access); and the failure to account for physical security risks to network components. In short, 5G networks are not only vulnerable to malicious state or non-state threat actors, but also to human error, natural disasters, or simple bad luck.
Supply chain risks relate to the location of manufacturing facilities and the quality of design and development processes. So-called ‘trusted’ vendors are not immune to human error, and the apparent national origin of any given product is in no way a reliable guide to where its components are actually designed or manufactured. Many equipment vendors headquartered in other countries, including Nokia (Finland) and Ericsson (Sweden), have factories and subcontractors within China that are vulnerable to government pressure. Individuals at any level of the supply chain could also insert backdoors without the knowledge of the subcontractor, much less the final vendor, either independently or at the behest of a malicious state or non-state actor. Poor software development practices increase this risk, and the scale of modern supply chains makes it impossible for operators to guarantee that network components are free from all vulnerabilities.
Finally, the report points out two overarching risks stemming from the small number of 5G suppliers. First, an operator or country could become dependent on one supplier, which could give the supplier considerable leverage; if the supplier is a state or state-sponsored actor, this could have political consequences. Second, the predominance of a single vendor’s equipment leaves the network open to a potential single point of failure or exploitation. While short-term measures such as purchasing equipment from multiple vendors or ‘vendor diversity’ throughout the network can mitigate this impact, only a few vendors can provide this equipment. The problem is therefore likely to require long-term solutions.
As a follow up to this risk assessment, the EU will release its tool-kit of proposed mitigation measures for member states in December. So far, though, consumers have been unlikely to pay a premium for a ‘more secure’ 5G service, while securing supply chains or designing resilient network architecture involves a considerable up-front investment. This lack of existing market incentives means government regulation will likely be necessary to secure 5G networks. As the report notes, the safety of these networks is a critical part of national security, particularly as 5G coverage and use expand throughout society. Governments therefore must either incentivise or compel companies and their shareholders to pay those initial up-front costs to ensure the security of telecoms infrastructure.
Further intervention from governments should seek to articulate the wider risks associated with 5G networks, not just those from one country or one company. Such risks are often highly technical and less accessible to a popular audience, and they may also stem from less well-known actors. This may be part of why the US has increasingly justified its ban on Huawei by emphasising China’s human rights record and unfair trading practices. The EU’s 5G risk assessment and the scheduled tool-kit are positive steps in this direction, as are country-specific efforts like the UK’s Huawei Cyber Security Evaluation Centre. While approaches to 5G cyber risk management may well be based on political and economic considerations, policy decisions must also account for evidence-based cyber security concerns.
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.