On 26 March 2019, the European Commission published its Recommendation on the cybersecurity of 5G networks. In the absence of harmonised Union law on the matter, the initiative aims to establish a robust, risk-based common approach to the control and assessment of 5G equipment, so as to secure the critical services that will increasingly rely on 5G digital infrastructure: energy, transport, banking, health and industrial control systems among them. The Commission's recommendations on 5G security are meant to work in coordination with a range of EU instruments already in place and to provide the basis for a future cybersecurity certification framework for 5G networks and equipment.
With faster technologies comes greater responsibility
The ongoing worldwide debate on whether or not to allow the rollout of Chinese equipment (Huawei and ZTE in particular) for the 5G digital revolution has acted as a wake-up call for European countries (see also the recent NATO CCD COE paper ‘Huawei, 5G, and China as a Security Threat’). Although the US call for a blanket ban on Chinese 5G suppliers has had little appeal for European Union Member States, the warning has not fallen on deaf ears. Despite the EU's deep engagement with China, the security of the Union remains at stake, raising concerns over the deployment of 5G technology in critical infrastructure. Since 5G networks will form the backbone of the European network system, the EU considers it an absolute priority to conduct a thorough examination of all equipment in 5G networks and to secure the supply chain for such critical components. The guidelines for achieving a credible degree of protection are set out in the recently published Commission recommendation on 5G.
The Commission appears to have concluded that, as 5G is going to connect all aspects of our lives, the Union needs a similarly interconnected approach: minimum common criteria built on national cybersecurity schemes, in an attempt to harmonise heterogeneous practices and collectively tackle the risks arising from the new technology. A concerted approach is certainly needed, since, as Vice-President of the European Commission Andrus Ansip pointed out, ‘5G technology will transform our economy and society and open massive opportunities for people and businesses. But we cannot accept this happening without full security built in. It is therefore essential that 5G infrastructures in the EU are resilient and fully secure from technical or legal backdoors.’
Member States and ENISA are going to be the driving force for 5G security
The European Commission regards EU Member States and the European Union Agency for Cybersecurity (ENISA) as the key actors in ensuring a diligent response to its recommendation on 5G. This is clear from the stringent timeline the Commission document sets: by 30 June 2019, Member States are to complete a national risk assessment of their 5G network infrastructures. By 15 July 2019, Member States should transmit their risk assessments to ENISA, which should produce a ‘5G threat landscape’ to support the countries in delivering a coordinated Union risk assessment by 1 October 2019. Finally, a common Union toolbox is to be agreed by 31 December 2019, advising the Commission on minimum common requirements and possible mitigating measures for products, services and suppliers that might pose a security risk. The effects of the coordinated Union risk assessment and the Union toolbox will be reviewed by 1 October 2020.
Below is a brief description of how Member States are to compile their national risk assessments according to the Commission recommendation. Threat analysis for 5G infrastructures rests on two prongs.
A two-pronged risk analysis…
The Recommendation requires Member States to carry out their national 5G security risk assessment taking into account two main sets of factors: technical and ‘other’ (page 4 of the document).
For the technical factors, a sound risk analysis of the new generation of equipment should scrutinise the whole life-cycle of the 5G network, namely its design, development, procurement, deployment, operation and maintenance. Member States need to create a technical screening process for any extra-EU infrastructure element of mobile and wireless communication technology that is to be deployed in the domestic telecommunication network. By identifying inherent vulnerabilities in software, services and hardware, the analysis will help to spot the most sensitive elements, where a security breach could have a significant negative impact on the network (paragraph 19).
For the ‘other’ factors, Member States are invited to consider non-technical risks, analysing, inter alia, the relationship between foreign 5G equipment suppliers and the political and legal regime to which they are subject. Paragraph 20 of the document states:
‘Other factors may include regulatory or other requirements imposed on information and communications technologies equipment suppliers […] inter alia, the overall risk of influence by a third country, notably in relations to its model of governance, the absence of cooperation agreements on security or similar arrangements, such as adequacy decisions… whether this country is party to multilateral, international or bilateral agreements on cybersecurity, the fight against cybercrime, or data protection’.
Clearly, this requirement shifts a substantial part of the burden of proof onto suppliers, forcing them to reach a new degree of transparency and cooperation with the EU Member States that acquire 5G components from extra-EU suppliers. The objective is to assess equipment not only at the technical level, by spotting inherent vulnerabilities such as coding errors, but also in terms of the likelihood that a supplier will introduce vulnerabilities, or allow a third state to gain access to the network.
…for the creation of a common toolbox.
Once the national risk assessments are finalised, ENISA, in collaboration with the Cooperation Group and the network of Computer Security Incident Response Teams already established under Directive (EU) 2016/1148 (the NIS Directive), will identify national best practices and create a toolbox containing an inventory of the types of security risk affecting 5G networks. A set of mitigating measures will be proposed, also drawing on the risk assessments provided by Member States. Possible mitigating measures may include a list of products, services or suppliers considered potentially insecure.
To be able to apply risk management measures, Member States need to align their national legislation with the Union's framework in the field of electronic communications. For instance, the Commission recommends that Member States rely on the remedies available under the EU telecoms regulatory framework, such as the ‘Framework Directive’ (Directive 2002/21/EC) and the ‘Authorisation Directive’ (Directive 2002/20/EC), which allow national authorities to impose binding security requirements on network operators and to attach conditions to the right to use radio frequencies in the 5G bands, so as to secure public networks against unauthorised access (pages 2 and 8).
The toolbox might also feed into the future cybersecurity certification framework. Established by the Cybersecurity Act, that framework could provide the tools for enacting a mandatory certification scheme for 5G security, offering Member States specific protection profiles for 5G networks and equipment.
To speed up the creation of the safeguards needed to protect critical communication infrastructures, the Recommendation reminds Member States that they can rely on existing EU instruments. Among them are the EU foreign investment screening regulation, which recently came into force, and the General Data Protection Regulation (GDPR). The former allows Member States and the Commission to raise concerns about specific foreign direct investments (FDIs) and to determine whether an FDI may affect security or public order,[1] while the latter sets the standards for the protection of data and privacy in 5G. Hopefully, the GDPR will also establish a new degree of transparency and cooperation between mobile network operators and equipment vendors: while the GDPR imposes obligations only on the operators responsible for handling personal data, vendors will be expected to deliver solutions that enable operators to comply with it. Here, mutual economic interest may create a sufficient incentive to deliver secure equipment from the beginning of the production process.
Existing European risk management examples for 5G
The measures laid out in the Commission document are intended to bring some order to the diverse and sometimes messy approaches that EU Member States have taken to the 5G issue; some have already beefed up their national strategies with tougher regulatory regimes for the acquisition of foreign 5G infrastructure. Italy has recently revised its Golden Power rule, which requires private and public companies to inform the government of any purchase of 5G technology from extra-EU providers; on national security grounds, the competent Ministry is given a veto over those purchases. The French parliament has initiated a debate on a bill that would set a tight framework for the selection of 5G equipment from foreign suppliers, requiring them to share specific information on 5G equipment with the French National Cybersecurity Agency (ANSSI); one provision of the bill would give the Prime Minister a margin of appreciation in respect of foreign manufacturers deemed to be under the control of, or subject to interference from, a non-EU state. The Dutch government has established a commission that works with the major operators in the Netherlands to analyse the vulnerability of 5G telecommunications networks to misuse by technology vendors, and the measures needed to manage those risks.
Although these examples are good efforts to tackle the risks, they are uncoordinated preventive actions that might also sometimes be interpreted as discriminatory.
A more advanced system of risk assessment has been put in place by the United Kingdom. The Huawei Cyber Security Evaluation Centre (HCSEC) was established in 2010 under an arrangement between Huawei and the UK government; its Oversight Board, chaired by the National Cyber Security Centre (NCSC), publishes annual reports. The HCSEC works with Huawei and mobile network operators to evaluate Huawei network equipment used in the UK's critical national infrastructure and its implementation within an operator's network, and to assess and mitigate the resulting risks. By publishing these annual reports, the HCSEC oversight process highlights possible technical risks in Huawei equipment, allowing the UK government to set limits on its deployment and configuration. Although they do not address political considerations about the foreign supplier, the HCSEC reports are tangible examples of how a risk assessment model for 5G infrastructure can be delivered. At present, the HCSEC can be considered the best example of how to implement the Commission's recommendations and create a body that audits foreign 5G suppliers.
Conclusion: exercising sovereignty without discrimination
Although the recommendations on 5G have been built with objectivity in mind, without targeting or discriminating against specific companies or countries, one cannot simply ignore the fact that the ‘other’ risk factor has been specifically crafted to tackle the risk of third countries' influence over companies, with an obvious focus on China. In this respect, the main concerns lie with the revised Chinese National Intelligence Law,[2] which enables the central government to compel Chinese organisations, the parent companies of foreign subsidiaries and, more broadly, persons of Chinese nationality to cooperate with the intelligence services for the sake of national security. The general character of this piece of domestic legislation and its presumably unlimited extraterritorial application make the ‘other’ criterion a very stringent one, and the degree of involvement between suppliers and the state a pivotal element of the assessment.
Nonetheless, the fierce debate surrounding Huawei's ties with the Chinese government has brought some advantages. Not only European countries but the whole world has become aware of how dependent they are on Chinese 5G technology. It is striking that Huawei so far holds 23 European contracts for the deployment of 5G technology, positioning it to dominate the market for 5G solutions. The recommendations therefore stress the need for a tighter supply-chain review, entailing technical considerations as well as political analysis of the national environment in which particular suppliers operate.
The recommendations are a long-awaited and ground-breaking development that protects EU sovereignty without discriminating against any vendor. Besides boosting the development of a common European cybersecurity framework and giving the newly empowered ENISA a major role, the recommendations provide Member States with transparent and reliable procedures to follow. While the recommendations do not rule out the possibility that extra-EU companies could be excluded from the 5G roll-out, any such ban would have to be based on transparent technical as well as strategic assessments.
Author: Samuele De Tomas Colatin, NATO CCD COE Law Branch
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
[1] The regulation specifically mentions possible risks to and effects on critical infrastructure and key enabling technologies, and pays particular attention to cases where foreign investors are state-controlled or state-financed. See Regulation (EU) 2019/452 of 19 March 2019, in particular paragraphs 12 and 13.
[2] For a report on the legal and political challenges related to Chinese 5G equipment, see the report ‘Chinese telecommunication companies: Political and legal vulnerabilities and how Europe should deal with them’, available here.