Last week, the European Commission released a coordinated risk assessment [pdf, 1.7 MB] on cybersecurity in 5G networks.
As stated in the accompanying press release:
The report is based on the results of the national cybersecurity risk assessments by all EU Member States. It identifies the main threats and threat actors, the most sensitive assets, the main vulnerabilities (including technical ones and other types of vulnerabilities) and a number of strategic risks.
According to the report, the roll-out of 5G networks is expected to have the following effects:
- An increased exposure to attacks and more potential entry points for attackers: With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers are gaining in importance. They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect.
- Due to new characteristics of the 5G network architecture and new functionalities, certain pieces of network equipment or functions are becoming more sensitive, such as base stations or key technical management functions of the networks.
- An increased exposure to risks related to the reliance of mobile network operators on suppliers. This will also lead to a higher number of attack paths that might be exploited by threat actors and increase the potential severity of the impact of such attacks. Among the various potential actors, non-EU States or State-backed actors are considered the most serious ones and the most likely to target 5G networks.
- In this context of increased exposure to attacks facilitated by suppliers, the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country.
- Increased risks from major dependencies on suppliers: a major dependency on a single supplier increases the exposure to a potential supply interruption, resulting for instance from a commercial failure, and its consequences. It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.
- Threats to availability and integrity of networks will become major security concerns: in addition to confidentiality and privacy threats, with 5G networks expected to become the backbone of many critical IT applications, the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective.
[emphasis in original document]
The European Commission says, “these challenges create a new security paradigm, making it necessary to reassess the current policy and security framework applicable to the sector and its ecosystem and essential for Member states to take the necessary mitigating measures.”
The EU has set a target of December 31, 2019 to develop a “toolbox” of these “mitigating measures”.
If strategies are to be developed to mitigate the security risks associated with the next generation of networks, we first need to develop an understanding of the types and sources of potential threats. To date, much attention has been directed at a single hardware supplier, but the EU observed that “The deployment of 5G networks is taking place in a complex global cybersecurity threat landscape.” It isn’t simply a matter of banning or approving suppliers of network gear based on the location of their corporate headquarters.
The EU seems to have a more sophisticated analytic approach, understanding that there are numerous challenges with global supply chains and a number of strategies available to mitigate those risks.
As the EU has found, the challenges of 5G architectures create a new security paradigm. We should be working to understand the security framework required for the entire 5G ecosystem in order to prepare appropriate mitigating measures.