The EU’s consolidated risk assessment of the cyber security of 5G networks is not just about Huawei. It highlights wider cyber security risks to 5G networks. Given the lack of market incentives to address these risks, regulation to safeguard 5G networks is becoming more likely.
Earlier this month, the EU’s Network and Information Security (NIS) Cooperation Group released its Coordinated Risk Assessment of the Cybersecurity of 5G Networks. The final report consolidates individual submissions from member states, which were not publicly released, into a comprehensive risk assessment of the international 5G threat landscape. It describes threats and threat actors, assets, vulnerabilities, risk scenarios and existing mitigation measures. The European Network and Information Security Agency (ENISA) is also compiling a private, more detailed mapping and analysis of the overall findings. Both efforts are part of the EU’s focus on the security of 5G networks. The next stage is a mitigation tool kit scheduled for release in December.
Initial public discourse about the EU assessment has, as expected, focused on the risks from non-EU suppliers and possible implications if the Chinese company Huawei supplies 5G network infrastructure components. The report identifies states and state-sponsored actors with offensive cyber capabilities as the most dangerous threat to 5G networks, based on the ‘combination of motivation, intent and a high-level capability’. Separately, it describes the threat from insiders or subcontractors who build or maintain 5G network components, ‘especially if leveraged by States’.
However, the cyber threat to 5G networks is not just from those who build and maintain them. While malicious state-led cyber activity from 5G infrastructure suppliers is an important consideration, the report highlights many additional risks that the public discussion, including initial media reports, has not sufficiently addressed.
5G Threat Actor Landscape
Both state and non-state actors pose a cyber threat to 5G networks. For the former, the report identifies state actors and insider threats as separate, albeit overlapping, categories, emphasising that, even if excluded from 5G infrastructure supply chains, state and state-sponsored actors retain the capability to threaten the ‘confidentiality, availability, and integrity of 5G networks’. As the NCSC has pointed out, Russia has hacked into UK systems numerous times without ever supplying telecommunications components. A narrow focus on Huawei, therefore, risks obscuring broader questions about the measures necessary to adequately secure 5G networks from a diverse set of adversaries.
The threat from non-state actors could come from organised crime, hacktivists, or individuals who seek personal financial gain. Once again, there is an insider threat from individuals within vendors providing 5G network components or maintenance.
As the cyber threat landscape is dynamic and unpredictable, the report devotes significant space to identifying 5G network vulnerabilities from poor engineering or the deliberate manipulation of components. It is important to note that these vulnerabilities could be exploited by all threat actors, not just those who build and maintain 5G networks. There are two major areas of vulnerability to consider: network design and security; and supply chains.
Decisions about architecture and network access are important ways to safeguard 5G networks. Segmentation and redundancy, for example, can help the network remain resilient should one or several components fail. The report gives examples of poor network design including the failure to: appropriately implement international standards; mitigate existing vulnerabilities in legacy networks; account for change management and software updates (including poor policies for remote access); and the failure to account for physical security risks to network components. In short, 5G networks are not only vulnerable to malicious state or non-state threat actors, but also to human error, natural disasters, or simple bad luck.
Supply chain risks relate to the location of manufacturing facilities and the quality of design protocols. So-called ‘trusted’ vendors are not immune to human error and the apparent national origin of any given product is in no way a reliable guide to where its components are actually designed or manufactured. Many equipment vendors with headquarters in other countries, including Nokia (Sweden) and Ericsson (Finland), have factories and subcontractors within China vulnerable to government pressure. Individuals at any level of the supply chain could also insert backdoors without the knowledge of the subcontractor, much less the final vendor, either independently or at the behest of a malicious state or non-state actor. While poor software development practices increase this risk, the scale of supply chains makes it impossible for operators to guarantee that network components are free from all vulnerabilities.
Finally, the report points out two overarching risks stemming from the small number of 5G suppliers. First, an operator or country could become dependent on one supplier, which could give the supplier considerable leverage; if the supplier is a state or state-sponsored actor, this could have political consequences. Second, the predominance of a single vendor’s equipment leaves the network open to a potential single point of failure or exploitation. While short-term measures such as purchasing equipment from multiple vendors or ‘vendor diversity’ throughout the network can mitigate this impact, only a few vendors can provide this equipment. The problem is therefore likely to require long-term solutions.
As a follow up to this risk assessment, the EU will release its tool-kit of proposed mitigation measures for member states in December. So far, though, consumers have been unlikely to pay a premium for a ‘more secure’ 5G service, while securing supply chains or designing resilient network architecture involves a considerable up-front investment. This lack of existing market incentives means government regulation will likely be necessary to secure 5G networks. As the report notes, the safety of these networks is a critical part of national security, particularly as 5G coverage and use expand throughout society. Governments therefore must either incentivise or compel companies and their shareholders to pay those initial up-front costs to ensure the security of telecoms infrastructure.
Further intervention from governments should seek to articulate the wider risks associated with 5G networks, not just those from one country or one company. Such risks are often highly technical and less accessible to a popular audience. This may be part of why the US has increasingly justified its ban on Huawei by emphasising China’s human rights record and unfair trading practices. They may also stem from less well-known actors. The EU’s 5G risk assessment and the scheduled tool-kit are positive steps in this direction, as are country-specific efforts like the UK’s Huawei Cyber Security Evaluation Centre. While approaches to 5G cyber risk management may well be based on political and economic considerations, policy decisions must also account for evidence-based cyber security concerns.
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.