European cybersecurity authorities warned Wednesday that state hacking groups are a major threat to the security of 5G networks, increasing pressure on telecom operators to take action against new risks linked to telecom suppliers like Chinese equipment maker Huawei.
In an EU risk assessment report prepared by the European Commission and national cybersecurity experts, officials said that 5G networks would rely more heavily on software and suppliers, and that the biggest threat came from state-backed hackers from non-EU countries with cyber offense programs.
The report said that 5G “will bring numerous new security challenges” and will “increase the number of attack paths that could be exploited by threat actors, in particular non-EU states or state-backed actors.” It also warned telecoms operators that procuring gear and services from vendors from such countries would increase the risk of getting hacked or spied on.
The assessment, drafted by the NIS Cooperation Group — which consists of national cybersecurity officials, the Commission and the EU’s cyber agency ENISA — argues telecom networks will be increasingly vulnerable to hackers, in part because they rely on more suppliers and more software.
But it also raises huge political questions: Suppliers may be more risk-prone if there is a higher “likelihood of the supplier [of 5G network gear] being subject to interference from a non-EU country” through intelligence legislation, government control of a company’s management or a lack of “democratic checks and balances in place” to counter such espionage attempts, the document said — implicitly pointing to China as a threat. POLITICO previously reported that EU authorities would be taking indirect aim at Beijing in the report.
The report will guide the creation of a “toolbox” by the end of the year, which countries can use to beef up their security requirements for vendors and operators. Both Wednesday’s risk assessment and the upcoming toolbox are voluntary tools.
The European Commission worked with national representatives on the report in past months during a tense process in which the EU feared overstepping countries’ competences on national security.
Capitals, in turn, feared the economic impact it could have on their telecom market and even on diplomatic relations with China.
“This is the first time 28 authorities have come together to analyze these risks,” said Julian King, the EU’s security commissioner. “That’s quite a big deal.”
Easing up on Huawei addiction
Operators across Europe have procured equipment from Chinese vendors Huawei and — less so — its competitor ZTE, in the past decade, as well as from European vendors Ericsson and Nokia.
4G networks in Belgium, Germany, the U.K., Spain and many other countries include large shares of Chinese gear. With 5G, operators were looking to close similar long-term deals with Huawei, but the political debate around 5G security has ruptured the market and forced these operators to reassess their plans.
“The report itself is already a signal to the market,” King said. The risk assessment makes it “very clear that it [5G procurement] isn’t like buying a car. It’s like joining a club,” he said.
He added: “5G networks will increase reliance on suppliers. That means we have to look even more carefully than we’ve done before at the suppliers, both from a technical point of view and for non-technical vulnerabilities.”
The EU also stressed that operators have to account for risks in the long term, including those caused by changing geopolitical relations with non-EU states and trade tensions between different economic blocs.
“Unintentional and intentional backdoors will be easier to introduce and harder to detect,” said King. As 5G powers more and more digital services, manufacturing and personal data, such backdoors and vulnerabilities will also “have a more severe and widespread impact,” he said.
US pressure on EU capitals continues
The EU’s move to crack down on risks linked to the rollout of 5G comes after a yearlong diplomatic campaign by Washington to ban Huawei.
U.S. security services have accused Huawei of corporate espionage and intellectual property theft as well as violating trade restrictions. The U.S. has also raised concerns over the long-term strategic risk of relying on Chinese companies to keep telecom networks from going down.
“If a country inserts untrusted vendors into its 5G networks, we will reassess how we are going to share information with them in the future,” Rob Strayer, the U.S. State Department’s chief cybersecurity diplomat, told reporters in Brussels late last month.
Washington has expressed concerns about EU countries like Germany, the Netherlands and the United Kingdom — a fellow so-called Five Eyes country with which the U.S. has a regular exchange of intelligence — and recently flagged concerns about Belgium, the seat of EU institutions and NATO’s headquarters.
King said the European Commission had maintained an open line to the U.S. all through the process of consulting EU countries in the run-up to the 5G risk report. He also said Brussels is talking to “like-minded countries” like Australia, Canada and Japan — all of which are reviewing their security requirements and two of which have implemented stricter limits on Huawei’s market access.
But, King added, “I think it is important to say we take a different approach to this than other countries like the U.S., because we didn’t start by drawing the conclusion.”
Huawei has denied U.S. allegations of wrongdoing. It said in a statement Wednesday that it is “pleased to note that the EU delivered on its commitment to take an evidence-based approach.” A Huawei spokesperson also stressed to POLITICO that it is independent from the Chinese government.
Toolbox in the making
By year-end, member countries would finish their “toolbox” that lists all the different ways to deal with risks to 5G security. The document, which is non-binding, is meant to help capitals impose stricter measures on telecom companies.
For suppliers like China’s Huawei, the hope is that Europe drafts schemes of technical requirements, like standards and certification schemes.
According to King: “Certification in my view is relevant to mitigate the risks. It is not going to be a golden bullet. But it can help.”
For the non-technical risks, like having a headquarters in China, EU authorities are looking toward other measures entirely.
King mentioned the foreign direct investment screening mechanism, an EU instrument that looks at investments in strategic sectors like telecommunications, and public procurement tools that capitals can use to invest in European suppliers, for instance.
“There is nothing in this process that stops member states from going further,” King said.
For one, Poland and Romania both signed memorandums of understanding with the United States in past weeks that imply these countries would largely restrict Chinese equipment vendors from selling to national operators.
EU capitals have also started to work on a political, binding text for next December’s Council conclusions, which would help the next EU Commission draft stricter rules on supply chain security too.
This article is part of POLITICO Pro’s premium coverage of Cybersecurity and Data Protection.