The European Union has published a report assessing the cybersecurity risks to 5G networks and there are many, with state actors leading the list.
The report was part of the implementation of a March 2019 European Commission recommendation on how to protect those networks across EU member states, with risk assessment input from member countries.
"Threats posed by States or State-backed actors, are perceived to be of highest relevance," said the report. "They represent indeed the most serious as well as the most likely threat actors, as they can have the motivation, intent and most importantly the capability to conduct persistent and sophisticated attacks on the security of 5G networks."
The U.S. has been grappling with how to treat Huawei and ZTE, Chinese telecoms who are major players in communications network and device tech, but who have been identified as 5G network security threats by U.S. intelligence agencies.
The EU cited the reliance on suppliers, particularly a limited number of them, as a definite point of vulnerability: "The risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country," it said. The U.S. is facing a lack of robust domestic competition to Chinese telecom tech suppliers.
The report cites the following effects from the widespread rollout of 5G:
1. "An increased exposure to attacks and more potential entry points for attackers: With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers are gaining in importance. They could also make it easier for threat actors to maliciously insert back doors into products and make them harder to detect.
2. "Due to new characteristics of the 5G network architecture and new functionalities, certain pieces of network equipment or functions are becoming more sensitive, such as base stations or key technical management functions of the networks.
3. "An increased exposure to risks related to the reliance of mobile network operators on suppliers. This will also lead to a higher number of attack paths that might be exploited by threat actors and increase the potential severity of the impact of such attacks. Among the various potential actors, non-EU States or State-backed are considered as the most serious ones and the most likely to target 5G networks.
4. "In this context of increased exposure to attacks facilitated by suppliers, the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country.
5. "Increased risks from major dependencies on suppliers: a major dependency on a single supplier increases the exposure to a potential supply interruption, resulting for instance from a commercial failure, and its consequences. It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.
6. "Threats to availability and integrity of networks will become major security concerns: in addition to confidentiality and privacy threats, with 5G networks expected to become the backbone of many critical IT applications, the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective."
The EU says its members must agree on a common "toolbox" of new security measures to counter those new threats.
"The new EU-wide 5G risk assessment further validates warnings from the cybersecurity community, which has been waving a red flag regarding Huawei’s involvement with next-generation wireless networks for many months," said Tom Ridge, former Homeland Security secretary and a board member of Global Cyber Policy Watch. Ridge was in Britain back in July trying to make the case for extreme caution when it comes to Chinese telecom Huawei and 5G networks.
Current Secretary of State Mike Pompeo has told Britain that if it makes a deal to use Huawei tech in its telecom systems, the U.S. may not be able to share intelligence information with its historic partner. Pompeo said China was trying to divide the Western Alliance through bits and bytes rather than bullets and bombs.
"The group of ‘certain non-EU countries’ referenced by the report that represent a ‘particular cyber threat’ to ‘national interests’ identified by ‘several member states’ clearly includes China," said Ridge. "If countries needed more reason to implement stricter security measures to protect 5G networks, this comprehensive risk assessment is it."
"Because the 5G network is software-based and so vast, attempting to mitigate these vulnerabilities would be like plugging holes in an infinite wheel of Swiss cheese," added fellow board member Nate Snyder, a former senior counter terrorism official with the US Department of Homeland Security.
"Europe is finally understanding how single vendor systems pose grave threats to 5G security," said Roger Entner, founder of Recon Analytics. "5G networks have more points of attack. The differentiation between edge and core is disappearing as the edge is being absorbed into the core. Single-vendor deployments are exposing operators to incalculable risks as operators tie their success to the viability of their vendors. Furthermore, it becomes necessary to trust in the vendors to an even greater degree, as some are vulnerable to state actors and sponsors, including those who don't share our democratic principles. The next step is to translate the concerns the European Commission has into binding rules that prevent 5G networks from becoming controlled by criminal and state actors alike."