5G fears: The EU weighs its options

A logo of the upcoming mobile standard 5G is pictured at the Hanover trade fair, in Hanover, Germany March 31, 2019. REUTERS/Fabian Bimmer/File Photo

Spurred by US criticism of the Chinese telecom supplier Huawei, and especially its participation in 5G networks, the European Union began developing an approach to this key issue over the last year. As a first step, the European Commission asked all EU member states to conduct a cybersecurity risk assessment of their existing and planned 5G network infrastructure—the next generation of mobile broadband that is much faster than current 4G LTE technology and will be essential for the development of the Internet of Things (IoT) as well as many artificial intelligence technologies. The combined result of that survey,  EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks, was published on October 9 by the NIS Cooperation group, comprised of the Commission, EU member states, and the European Agency for Cybersecurity. Over the next year, the Commission plans to use the risk assessment report as a foundation for developing a European toolkit to address these risks.

Subscribe

Sign up for the “Plugged In” newsletter, which showcases updates and analysis from the Transatlantic Digital Marketplace Initiative on the latest information and thinking on digital policymaking in Europe and its potential impact on the United States.


The report identifies the main vulnerabilities facing 5G networks, including numerous technical issues, such as poor software development, that may leave complex 5G networks open to cyberattacks. It also   explicitly identifies state and state-backed actors as among the most serious threats, and points to potential dangers related to suppliers. The report notes that 5G suppliers may be beholden to a non-EU country; a situation that could emerge if there was a strong link between the supplier and its government, or if the supplier were subject to legislation at home that was inimical to EU security and interests. While the report does not mention any particular company, it is clear that Huawei exhibits the high-risk characteristics that threaten the security of a future 5G network.

To date, the number of companies able to provide 5Gbased network infrastructure is limited. In Europe, the EU could turn to Ericsson in Sweden, or Nokia in Finland, but Huawei usually offers a price advantage. And as the report states, with just a handful of options of 5G suppliers, the security risks increase: “At national and EU level, a lack of diversity of suppliers increases the overall vulnerability of the 5G infrastructure, in particular if a large number of operators source their sensitive assets from a supplier presenting a high degree of risk…” The report also notes that, “the presence of a limited number of suppliers on the market can decrease their incentives to develop more secure products. It can also have a negative impact on the leverage available to national authorities and operators to demand higher security guarantees, in particular for smaller MMember SStates or operators.”

Read more from the Transatlantic Digital Marketplace Initiative

The Atlantic Council’s Transatlantic Digital Marketplace Initiative seeks to foster greater US-EU understanding and collaboration on digital policy matters and makes recommendations for building cooperation and ameliorating differences in this fast-growing area of the transatlantic economy.

Read More

How the EU will choose to mitigate the risks posed by hostile or suspect suppliers is far from clear.  Many EU member states already have Huawei equipment in their networks and removing it will be tremendously expensive. While the EU is to make decisions about how to respond to supplier-based risks in 2020, the German Federal Network Agency has already determined that no equipment supplier should be specifically excluded. Instead, the Agency is confident that any risks could be mitigated by security procedures. However, the United States has already threatened to stop sharing intelligence with countries that use Huawei equipment, though there are conflicting reports about whether Germany will be excluded. Thus, for the moment, the EU has chosen not to ban any particular firm and instead outline the characteristics that would exacerbate risks. Whether these characteristics and the toolkit that is still to be developed will be sufficient and timely enough to protect the EU’s 5G network infrastructure—and to avoid further tensions with the United States—is anyone’s guess.

Frances G. Burwell is a distinguished fellow at the Atlantic Council and a senior adviser at McLarty Associates.

Further reading: