EU Commission report reignites debate over 5G security

15 Oct 2019

Image: © kinwun/Stock.adobe.com

A new report from the EU Commission surrounding 5G cyberthreats has reignited debates over Huawei’s involvement in developing infrastructure.

A number of EU member states, with the support of the EU Commission and the European Union Agency for Cybersecurity, have published a report on the coordinated risk assessment on cybersecurity in fifth-generation (5G) networks.

As the report explains, 5G networks “will provide virtually ubiquitous, ultra-high bandwidth and low latency connectivity not only to individual users, but also to connected objects”.

The report notes that due to this, 5G networks are expected to serve a wide range of applications and sectors, some of which will likely be essential to society, such as energy, transport, banking, health and industrial control systems.

In addition, the organisation of democratic processes such as elections is expected to become increasingly reliant on digital infrastructure and 5G networks.

A variety of technological novelties

The report highlights some of the technological features 5G will make possible, such as a move away from traditional network architecture towards software and virtualisation.

“From a security perspective, this may bring certain benefits by allowing for facilitated updating and patching of vulnerabilities. At the same time, such increased reliance on software, and the frequent updates they require, will significantly increase the exposure to the role of third-party suppliers and the importance of robust patch management procedures,” the paper continues.

Other potential 5G-related developments, such as network slicing and mobile edge computing, offer the chance to more efficiently utilise networks by enhancing functionality at their edges and allowing for the possibility of offering differentiated services over entire networks.

The report warns that these new features, though they could markedly increase our society’s technological capability, will also bring new security challenges and will bring additional complexity to the telecoms supply chain and will increase the attack surface of a network, which will likely increase instances of supply chain attacks.

Unique cyberthreats

Supply chain attacks are already a popular mode of attack in today’s complex threat landscape. In many ways, 5G doesn’t present many unique network threats.

However, the increased reliance on 5G that the report postulates means that the fallout from a cyberattack could much be graver than anything currently experienced.

There are a few unique vulnerabilities associated with some of the new technologies 5G will employ, and the report notes that securing technologies such as edge computing will prove challenging in coming years.

Huawei concerns

The release of the report has reignited the debate over whether Chinese telecoms company Huawei should continue to have a significant role in building global 5G core infrastructure.

The report notes that Huawei, Ericsson and Nokia are the main suppliers of 5G telecoms equipment. But Huawei has come to particular attention in recent months, repeatedly bucking horns with the US government, which maintains that the infrastructure the company provides presents security and espionage risks.

“The European Commission’s report makes clear that the vulnerabilities facing a Huawei 5G global network are systemic,” said Nate Snyder, senior counterterrorism official with Cambridge Global Advisors and a former advisor at the US Department of Homeland Security.

‘Because the 5G network is software-based and so vast, attempting to mitigate these vulnerabilities would be like plugging holes in an infinite wheel of Swiss cheese’
– NATE SNYDER

“Huawei networks are a house of cards supported by shoddy coding and a supply chain full of holes, with countless entry points for state and non-state actors, organised crime and terrorist groups — cyber-based and otherwise — to exploit.

“Because the 5G network is software-based and so vast, attempting to mitigate these vulnerabilities would be like plugging holes in an infinite wheel of Swiss cheese.”

Snyder has advocated that the EU and US set up their own interoperable standards, diversify supply chains and work with groups such as the O-RAN Alliance to “unlock the competitive potential of other global providers”.

Tom Ridge, former US Secretary of Homeland Security and 43rd governor for the state of Pennsylvania, has echoed these sentiments, claiming that the “certain non-EU countries” that present a “particular cyber threat”, as stated in the report, is a reference to China. Ridge recently revealed in a conference call organised by Global Cyber Policy Watch that, in his mind, Huawei has won the 5G race.

Ridge continued: “If countries needed more reason to implement stricter security measures to protect 5G networks, this comprehensive risk assessment is it.”

Commenting on the news, Huawei welcomed the risk assessment report and called it “an important step towards developing a common approach to cybersecurity and delivering safe networks for the 5G era”.

The Chinese firm added: “We are a 100pc private company wholly owned by its employees, and cybersecurity is a top priority: our end-to-end cybersecurity assurance system covers all process areas, and our solid track record proves that it works.

“As the EU moves from identifying risks towards elaborating the common security framework required to manage and mitigate these risks, we hope this work will continue to be guided by the same facts-based approach.”

Updated, 10:08am, 15 October 2019: This article was amended to include comment from Huawei.

Eva Short was a journalist at Silicon Republic

editorial@siliconrepublic.com