The European Union member states published a report today assessing the security risks of 5G networks. Predictably, given the focus on Chinese telecom vendors this year, the report looks at supply chains, and warns against using suppliers that can be controlled by governments. The report also cautions carriers to not rely on a single vendor. In addition, it also raises awareness of some risks that haven’t been discussed widely – namely, the role of increased software in networks.
Led by concerns raised by the United States government, EU countries are also evaluating the use of Huawei’s telecom equipment in their networks. The concern is that Huawei would have to comply with the Chinese government if it was asked to use its telecom equipment for espionage.
The EU report said, “Threats posed by states or state-backed actors are perceived to be of highest relevance. They represent indeed the most serious as well as the most likely threat actors, as they can have the motivation, intent and most importantly the capability to conduct persistent and sophisticated attacks on the security of 5G networks.”
The report also said that a carrier’s big reliance on a single supplier puts it in a bad spot if that sole supplier has problems whether due to commercial failure, being subject to a merger or acquisition, or being placed under sanctions. Also, reliance on a single vendor could increase the impact of any systemic failures or hostile exploitation.
Roger Entner, founder and lead analyst of Recon Analytics, said in an email, “Europe is finally understanding how single vendor systems pose grave threats to 5G security. Single vendor deployments are exposing operators to incalculable risks as operators tie their success to the viability of their vendors. Furthermore, it becomes necessary to trust in the vendors to an even greater degree, as some are vulnerable to state actors and sponsors, including those who don't share our democratic principles. The next step is to translate the concerns the European Commission has into binding rules that prevent 5G networks from becoming controlled by criminal and state actors alike.”
Everyone has been focusing on the potential security threats posed by the Chinese vendors Huawei and ZTE. But the EU report points out that 5G networks are fundamentally different than prior generations in that they will rely much more on software. And this introduces new security risks.
More software in 5G networks leads to increased risks connected with software development and update and patch processes. Moreover, new types of technical vulnerabilities related to software are likely to occur as technologies such as SDN and NFV are deployed commercially.