European cybersecurity authorities warned Wednesday that state hacking groups are a major threat to the security of 5G networks, increasing pressure on telecom operators to take action against new risks linked to telecom suppliers like Chinese equipment maker Huawei.
In an EU risk assessment report prepared by the European Commission and national cybersecurity experts, officials said that 5G networks would rely more heavily on software and suppliers, and that the biggest threat came from state-backed hackers from non-EU countries with cyber offense programs.
The report said that 5G “will bring numerous new security challenges” and will “increase the number of attacks paths that could be exploited by threat actors, in particular non-EU states or state-backed actors.” It also warned telecoms operators that procuring gear and services from vendors from such countries would increase the risk of getting hacked or spied on.
The assessment, drafted by the NIS Cooperation Group — which consists of national cybersecurity officials, the Commission and the EUs cyber agency ENISA — argues telecom networks will be increasingly vulnerable to hackers, in part because they rely on more suppliers and more software.
But it also raises huge political questions: Suppliers may be more risk-prone if there is a higher “likelihood of the supplier [of 5G network gear] being subject to interference from a non-EU country” through intelligence legislation, government control of a companys management or a lack of “democratic checks and balances in place” to counter such espionage attempts, the document said — implicitly pointing to China as a threat. POLITICO previously reported that EU authorities would be taking indirect aim at Beijing in the report.
Operators across Europe have procured equipment from Chinese vendors Huawei and — less so — its competitor ZTE, in the past decade.
The report will guide the creation of a “toolbox” by the end of the year, which countries can use to beef up their security requirements for vendors and operators. Both Wednesdays risk assessment and the upcoming toolbox are voluntary tools.
The European Commission worked with national representatives on the report in past months during a tense process in which the EU feared overstepping countries competences on national security.
Capitals, in turn, feared the economic impact it could have on their telecom market and even on diplomatic relations with China.
“This is the first time 28 authorities have come together to analyze these risks,” said Julian King, the EUs security commissioner. “Thats quite a big deal.”
Easing up on Huawei addiction
Operators across Europe have procured equipment from Chinese vendors Huawei and — less so — its competitor ZTE, in the past decade, as well as from European vendors Ericsson and Nokia.
Operators across Europe have procured equipment from Chinese vendors Huawei | Fred Dufour/AFP via Getty Images
4G networks in Belgium, Germany, the U.K., Spain and many other countries include large shares of Chinese gear. With 5G, operators were looking to close similar long-term deals with Huawei, but the political debate around 5G security has ruptured the market and forced these operators to reassess their plans.
“The report itself is already a signal to the market,” King said. The risk assessment makes it “very clear that it [5G procurement] isnt like buying a car. Its like joining a club,” he said.
He added: “5G networks will increase reliance on suppliers. That means we have to look even more carefully than weve done before at the suppliers, both from a technical point of view and for non-technical vulnerabilities.”
The EU also stressed that operators have to account for risks in the long term, including those caused by changing geopolitical relations with non-EU states and trade tensions between different economic blocs.
“Unintentional and intentional backdoors will be easier to introduce and harder to detect,” said King. As 5G powers more and more digital services, manufacturing and personal data, such backdoors and vulnerabilities will also “have a more severe and widespread impact,” he said.
US pressure on EU capitals continues
The EUs move to crack down on risks linked to the rollout of 5G comes after a yearlong diplomatic campaign by Washington to ban Huawei.
For suppliers like Chinas Huawei, the hope is that Europe drafts schemes of technical requirements, like standards and certification schemes.
U.S. security services have accused Huawei of corporate espionage and intellectual property theft as well as violating trade restrictions. The U.S. has also raised concerns over the long-term strategic risk of relying on Chinese companies to keep telecom networks from going down.
“If a country inserts untrusted vendors into its 5G networks, we will reassess how we are going to share information with them in the future,” Rob Strayer, the U.S. State Departments chief cybersecurity diplomat, told reporters in Brussels late last month.
Washington has expressed concerns about EU countries like Germany, the Netherlands and the United Kingdom — a fellow so-called Five Eyes country with which the U.S. has a regular exchange of intelligence — and recently flagged concerns about Belgium, the seat of EU institutions and NATOs headquarters.
King said the European Commission had maintained an open line to the U.S. all through the process of consulting EU countries in the run-up to the 5G risk report. He also said Brussels is talking to “like-minded countries” like Australia, Canada and Japan — all of which are reviewing their security requirements and two of whom have implemented stricter limits to Huaweis market access.
But, King added, “I think it is important to say we take a different approach to this than other countries like the U.S., because we didnt start by drawing the conclusion.”