Core and Radio Access network
The core of 5G networks is deemed “critical,” as is the Radio Access Network (RAN). For the latter, the degree of sensitivity may vary according to a number of factors; however, the document states that with 5G, the traditionally less sensitive parts of the network are gaining importance and becoming more sensitive. It mentions that, when edge computing is introduced, certain core network functions are expected to be physically placed farther out in the network, closer to the access sites.
This approach is a political argument against the position of the Netherlands and the U.K., which is to allow Huawei to sell base stations for mobile connections but keep its role in core parts limited.
Management systems and supporting services and network orchestration (MANO)
Both are considered important, and MANO critical. Even though these systems do not carry traffic, they control important network elements and can therefore be used to conduct malicious acts. A loss of availability and integrity can significantly disrupt the functioning of 5G networks.
This analysis could be relayed by the “tool box” to be drafted later on and affect a wide range of players, such as software and hardware providers that offer management systems with their products.
Vulnerabilities
Software
The assessment particularly addresses vulnerabilities related to software and tackles “the poor software development processes within equipment suppliers, [which] could make it easier for actors to maliciously insert intentional backdoors into products and make them also harder to detect.”
Standards
The Commission has identified a lack of compliance with 3GPP standards, or incorrect implementation of those standards, which could lead to ineffective baseline security measures. The document points out that standardisation work around 5G is still ongoing and aims to make it more secure than previous mobile wireless communication standards.
Third-party suppliers
When it comes to supplier-specific vulnerabilities, the report deems that the growing number of third-party suppliers is leading to greater exposure. The likelihood of a supplier being subject to any form of pressure from a non-EU country is to be considered. Moreover, EU-based operators that become overly dependent on a single equipment supplier are exposed to many risks if that supplier comes under sustained commercial pressure. A lack of diversity on the market can decrease the incentives to develop more secure products.
Security measures
3GPP SA3 has addressed several 5G security-related concerns, and advocated for end-to-end encryption. The report enjoins mobile network operators to apply already existing technical measures (e.g. encryption, authentication, automation, anomaly detection) or process-related measures (e.g. vulnerability management, incident and response planning, user-privilege management, disaster recovery planning).
Further political developments
Non-binding toolbox in the making
Based on the document, the Member States, the Commission, ENISA and BEREC (the body of EU electronic communication regulators) will issue a toolbox by the end of 2019. This document is intended to help capitals impose stricter measures on telecom companies.
Certification
According to Security Commissioner Julian King, "certification in my view is relevant to mitigate the risks. It is not going to be a golden bullet. But it can help." The EU’s cyber agency ENISA could look into 5G certification, but countries are on the fence on whether this would help. Telecom experts have cast doubts over the effectiveness of software testing, source code disclosure, product certifications and other measures under consideration.
The drafting in Europe of schemes of technical requirements, such as standards and certification schemes, would help non-EU suppliers comply with European requirements.
Legislative and binding measures: monitoring and controlling foreign investments
King mentioned the foreign direct investment screening mechanism in strategic sectors like telecommunications, and public procurement tools that Member States can use.
In recent weeks, Poland and Romania both signed memorandums of understanding with the United States that imply these countries would largely restrict Chinese equipment vendors from selling to national operators.
EU capitals have also started to work on a political, binding text for next December's Council conclusions, which would help the next EU Commission draft stricter rules on supply chain security tools.
From the US point of view
The U.S. Cybersecurity State Department warned that if a country inserts untrusted vendors into its 5G networks, the U.S. will reassess how it shares information with that country in the future. Washington has expressed concerns about EU countries like Germany, the Netherlands and the United Kingdom.
However, the European Commission wants to take a different approach from the U.S. one, “because we didn't start by drawing the conclusion," King said. The Commissioner explained that the EU is talking to "like-minded countries" like Australia, Canada and Japan, which are reviewing their security requirements.