EU Sets Tougher Security Standards for Future 5G Mobile Networks

The seemingly endless debate over the use of Huawei’s kit in mobile networks has today resulted in the European Commission (EC) recommending a set of new “operational steps and measures,” which have been designed to help mobile operators to ensure a “high level of cybersecurity of 5G networks across the EU.”

Huawei has a strong reputation for building good quality equipment and selling it an affordable price, but over the past few years’ the Chinese company has also become the target for some increasingly vocal security warnings (fears of the potential for spying etc.). Meanwhile major mobile operators have warned that any measures to prevent them from using such kit could significantly delay the roll-out of 5G.

In reality the average person can never realistically expect to know precisely what security concerns the intelligence agencies from various countries, including the United Kingdom, are acting upon. Nevertheless the EU have decided to address these concerns, at a wider level, by recommending a “set of concrete actions” to assess the cybersecurity risks of 5G networks and to “strengthen preventive measures.”

The EC warns that without these recommendations “any vulnerability in 5G networks or a cyber-attack targeting the future networks in one Member State would affect the Union as a whole.”

Vice-President Andrus Ansip, EU Digital Single Market, said:

“5G technology will transform our economy and society and open massive opportunities for people and businesses. But we cannot accept this happening without full security built in. It is therefore essential that 5G infrastructures in the EU are resilient and fully secure from technical or legal backdoors.”

In reality no operator or Government can ever completely eliminate the risk of unauthorised access, which goes just as much for Huawei’s kit as it does for the equipment from any other country in the world. In that sense it’s probably unrealistic to expect that these new measures will suddenly make everything safe, but the fact they’re being recommended at all is an important step.

The UK already subjects Huawei to extensive checks and so today’s change probably won’t make much of a difference over this side of the channel. Speaking of which, the Oversight Board for the Huawei Cyber Security Evaluation Centre (HCSEC) is due to update again soon on some of the “shortcomings” that they identified in Huawei’s engineering processes last year, which they claimed “exposed new risks in the UK telecommunication networks” (here).

Meanwhile Vodafone UK has paused adding related kit to their core network and BT (EE) are still in the process of removing it from their core (here).

The EC’s New 5G Security Recommendations

1. At national level

Each Member State should complete a national risk assessment of 5G network infrastructures by the end of June 2019. On this basis, Member States should update existing security requirements for network providers and include conditions for ensuring the security of public networks, especially when granting rights of use for radio frequencies in 5G bands. These measures should include reinforced obligations on suppliers and operators to ensure the security of the networks. The national risk assessments and measures should consider various risk factors, such as technical risks and risks linked to the behaviour of suppliers or operators, including those from third countries. National risk assessments will be a central element towards building a coordinated EU risk assessment.

EU Member States have the right to exclude companies from their markets for national security reasons, if they do not comply with the country’s standards and legal framework.

2. At EU level

Member States should exchange information with each other and with the support of the Commission and the European Agency for Cybersecurity (ENISA), will complete a coordinated risk assessment by 1 October 2019. On that basis, Member States will agree on a set of mitigating measures that can be used at national level. These can include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure. This work will be done by the Cooperation Group of competent authorities, as set out under the Directive on Security of Network and Information Systems, with the help of the Commission and ENISA. This coordinated work should support Member States’ actions at national level and provide guidance to the Commission for possible further steps at EU level. In addition, Member States should develop specific security requirements that could apply in the context of public procurement related to 5G networks, including mandatory requirements to implement cybersecurity certification schemes.

Today’s Recommendation will make use of the wide-range of instruments already in place or agreed to reinforce cooperation against cyber-attacks and enable the EU to act collectively in protecting its economy and society, including the first EU-wide legislation on cybersecurity (Directive on Security of Network and Information Systems), the Cybersecurity Act recently approved by the European Parliament, and the new telecoms rules. The Recommendation will help Member States to implement these new instruments in a coherent manner when it comes to 5G security.

In the field of cybersecurity, the future European cybersecurity certification framework for digital products, processes and services foreseen in the Cybersecurity Act should provide an essential supporting tool to promote consistent levels of security. When implementing it, Member States should also immediately and actively engage with all other involved stakeholders in the development of dedicated EU-wide certification schemes related to 5G. Once they become available, Member States should make certification in this area mandatory through national technical regulations.

In the field of telecoms, Member States have to ensure that the integrity and security of public communications networks are maintained, with obligations to ensure that operators take technical and organisational measures to appropriately manage the risks posed to security of networks and services.

Member States, which for now continues to include the UK, are required to complete their national risk assessments by 30th June 2019 and an EU-wide risk assessment should then be ready by October 2019. By the end of this year the NIS Cooperation Group should have also agreed on any mitigating measures to address the cybersecurity risks identified at national and EU levels.

However it will be 1st October 2020 before member states have had a chance to assess the effects of the Recommendation in order to determine whether there is a need for further action. By that point the commercial roll-out of 5G mobile networks will have already begun in many member states, including the EU.