The European Union has warned carriers that relying on a single equipment manufacturer for next-generation 5G cellular networks will increase the risk of being hacked.
The report issued Wednesday, a co-ordinated risk assessment on the security of 5G networks, doesn’t mention network equipment makers Huawei or ZTE. However, it could be seen as a tool governments could use to restrict their carriers from either buying or heavily relying on the China-based network manufacturers. A number of governments around the world, including the U.S., are worried their partners will install Chinese equipment in their 5G networks, saying the makers have to allow the Chinese government access to their gear for security purposes. The manufacturers insist they are not beholden to Beijing.
The latest EU report concludes in part that “a major dependency on a single supplier increases the exposure to and consequences of a potential failure of this supplier. It also aggravates the potential consequences of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.”
In addition, it says, “If some of the new use cases envisioned for 5G come to fruition, 5G networks will end up being an important part of the supply chain of many critical IT applications, and as such not only confidentiality and privacy requirements will be impacted, but also the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective.”
This is part of a multi-step security process for EU countries. It began with a report in March ordering each EU member to come up with a risk mitigation strategy by July, followed by Wednesday’s report on a co-ordinated strategy based on those reports. The final step will be agreement by Dec. 31 on a set of mitigating measures (also called a toolbox) by governments. This could include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure. A country would have the right to refuse to allow carriers to buy non-compliant gear.
What bothers some countries is that 5G’s increased bandwidth is expected to spread wireless to a broad range of applications, so a hack could have wider implications than it does today.
While the U.S. is pressuring its allies in the Five Eyes intelligence co-operative, Canada has yet to make a decision on how much Chinese-based equipment to allow in 5G networks.
While in current 4G networks some carriers are hedging their bets by keeping Huawei gear out of the network core — reportedly Bell Canada is one of them — Wednesday’s report noted that in 5G network architectures some sensitive functions currently performed in the physically and logically separated core are likely to be moved closer to the edge of the network. That would require relevant security controls to be moved too, in order to encompass critical parts of the whole network, including the radio access part.
“If not managed properly, these new features are expected to increase the overall attack surface and the number of potential entry points for attackers, as well as increase chances of malicious impersonation of network parts and functions,” the report says.
And while the report points out that 5G technologies and standards could improve security compared to previous generations of mobile networks, due to several new security functions such as stricter authentication processes in the radio interface, their implementation will greatly depend upon how the operators deploy and manage their networks.
In response to the report, Huawei said it is “pleased to note that the EU delivered on its commitment to take an evidence-based approach, thoroughly analyzing risks rather than targeting specific countries or actors.”