There’s good news and bad news for Chinese 5G network equipment makers in Tuesday’s wireless security policy announcement from the European Union.
At the moment, despite pressure from the United States, the EU won’t impose a Union-wide ban on gear from China, or any other country. Instead, EU members have to come up with a Union-wide equipment risk mitigation strategy for all 27 countries (28 if the United Kingdom stays in the EU).
But — and it’s a big but — “EU Member States have the right to exclude companies from their markets for national security reasons, if they do not comply with the country’s standards and legal framework,” the statement adds.
EU countries have until June 30 to complete a national risk assessment of their 5G network infrastructures. Countries will share those findings. Then the European Agency for Cybersecurity (ENISA) will complete a co-ordinated risk assessment by October 1. After that, countries have to agree by Dec. 31 on a set of mitigating measures that can be used in individual countries (or, in EU-speak, at the national level). “These can include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure.”
EU countries “should develop specific security requirements that could apply in the context of public procurement related to 5G networks, including mandatory requirements to implement cybersecurity certification schemes,” the statement adds.
Reuters quoted Huawei’s chief representative to the EU describing the decision as an “objective and proportionate” approach to the security of future 5G networks.
The ruling will likely be watched closely in Canada, where the government is deciding whether to follow the lead of fellow partners in the Five Eyes intelligence co-operative, Australia and New Zealand, in forbidding their wireless carriers from buying 5G network equipment from China. The U.S. hasn’t officially banned its carriers from buying Chinese network gear, but officials have warned that European allies that use Huawei for critical infrastructure might find themselves excluded from U.S. intelligence sharing.
Intelligence officials from Canada and the U.K. have suggested there may be mitigations put into government networks that could limit any threat from foreign-made equipment. According to the Globe and Mail, Canada and Huawei quietly oversee a lab where Huawei gear is scrutinized. The U.K. has a similar but more public lab. Bell and Telus have Huawei 4G equipment in their access networks, although not in their network cores.
Canada has yet to rule on allowing 5G gear from Huawei, a decision complicated by the detention in China of two Canadians following this country’s decision to honour an extradition request for Huawei’s chief financial officer, Meng Wanzhou, on allegations she committed fraud by violating trade sanctions against Iran.
All this comes because of worries that China may squeeze its network equipment makers to install technology allowing its intelligence agencies to siphon off sensitive traffic going through the next-generation 5G networks.
To meet that suspicion Huawei and Chinese officials recently have made statements saying that won’t happen. This week, the Globe and Mail reported, one of Huawei’s co-chairs told Canadian reporters it would ignore a direct order even if the demand came from the General Secretary of the Communist Party.
‘Cybersecurity of 5G networks is key’
In its statement, the EU said “the cybersecurity of 5G networks is key for ensuring the strategic autonomy of the Union.” Once rolled out, it noted, 5G networks “will form the backbone for a wide range of services essential for the functioning of the internal market and the maintenance and operation of vital societal and economic functions – such as energy, transport, banking, and health, as well as industrial control systems. The organization of democratic processes, such as elections, will also rely more and more on digital infrastructure and 5G networks.
“Any vulnerability in 5G networks could be exploited in order to compromise such systems and digital infrastructure – potentially causing very serious damage or in order to conduct large-scale data theft or espionage … This justifies the need for a robust risk-based approach, rather than one relying primarily on ex-post mitigation measures.”
On March 12 the EU Parliament adopted a resolution expressing “deep concern about the recent allegations that 5G equipment developed by Chinese companies may have embedded backdoors that would allow manufacturers and authorities to have unauthorized access to private and personal data and telecommunications from the EU.”
The EU recently approved a Cybersecurity Act, which will shortly come into force. It will allow the creation of an EU-wide security certification framework for products, processes and services. Ultimately it will force hardware and software makers to incorporate security features in the early stages of their technical design and development. Buyers will be able to see the level of security assurance, and know that certain security features are independently verified.
As a result of this week’s EU announcement, member countries are encouraged to prioritize a certification scheme covering 5G networks and equipment.
This year 5G-related spectrum auctions are scheduled in Austria, Belgium, Czech Republic, France, Germany, Greece, Hungary, Ireland, Netherlands, Lithuania, and Portugal. Six more auctions are scheduled for 2020 in Spain, Malta, Lithuania, Slovakia, Poland, and the U.K.