Cybersecurity in the rollout and operation of fifth generation mobile networks (5G) is a global concern. It has sparked political debate and led governments to impose security measures, such as the US ban on Huawei and UK restrictions on 'high-risk' providers that bar Huawei from providing sensitive parts of the 5G network and limit supply to 35 per cent of non-critical network infrastructure.

In response to this cybersecurity concern, the European Commission on 29 January 2020 endorsed the joint toolbox of mitigating measures agreed by EU member states to address security risks related to 5G.

The toolbox was adopted following a March 2019 Commission recommendation on cybersecurity of 5G networks and a call from the European Council urging member states to complete national risk assessments and work together on a set of common mitigating measures. The EU initiative falls short of a pan-European ban on foreign-owned suppliers and was therefore welcomed by Huawei for enabling it to continue supplying 5G infrastructure in the EU.

This post explores the reasons why 5G presents a heightened cybersecurity risk compared to previous telecommunication technologies. It also discusses the measures covered by the toolbox and their impact on actors involved in the 5G rollout, such as mobile network operators (MNOs) and suppliers of 5G infrastructure.

Reasons for the heightened cybersecurity risk related to 5G

The heightened cybersecurity risk related to 5G has two essential causes.

  1. 5G technology is more prone to cybersecurity risks because it is more decentralised and reliant on software than previous telecommunication technologies. This makes 5G network infrastructure more sensitive, provides attackers with more potential points of entry and increases the risk related to dependency on a single (foreign-owned) supplier.
  2. The consequences of a cyber-attack will be more far-reaching. 5G will become the backbone for a number of critical functions in society relating to energy, transport, banking and health. It will moreover enable new uses related to the internet of things such as connected mobility. Network disruptions are therefore more likely to have a pervasive impact.

Overview of the toolbox and implications for MNOs and suppliers

In order to mitigate 5G cybersecurity risks, the toolbox recommends a number of strategic and technical measures that will impact MNOs and suppliers of 5G equipment.

The toolbox covers strategic measures, which entail the strengthening of national authorities by giving them ex-ante powers to intervene in the supply, deployment and operation of the 5G network equipment, for example by:

  • imposing more stringent security requirements on MNOs and applying restrictions on suppliers considered to be high risk, including necessary exclusions to effectively mitigate risks for key assets (leaving open the possibility to exclude certain suppliers such as Huawei from critical parts of the network);
  • limiting the types of activity and conditions under which MNOs are able to outsource particular functions to managed service providers; 
  • limiting any major dependency on a single supplier (this could include caps on vendors such as the 35 per cent limit imposed in the UK);
  • screening foreign direct investment (FDI) that may impact the 5G value chain under the EU FDI regulation; and
  • lodging a complaint under EU anti-dumping and/or anti-subsidy rules.

The toolbox urges national authorities to ensure that MNOs and suppliers implement technical measures to safeguard network security and software integrity, such as access controls, segregation of duties, and the reinforcement of the physical protection of critical components.

The toolbox calls on the Commission to establish an EU-wide certification for 5G network components, customer equipment and/or suppliers’ processes, and compels all stakeholders to co-operate in developing guidelines and best practices on network security, shaping 5G standardisation and performing security audits.

In its communication on the secure 5G deployment in the EU, the Commission endorses the toolbox and compels member states to take concrete and measurable steps to implement key measures by 30 April 2020. A report on the status of implementation will be issued by 30 June 2020.

The Commission furthermore indicates that it will, where appropriate, use its competences to help safeguard the cybersecurity of 5G networks through: 

  • telecoms and cybersecurity rules; 
  • co-ordination on standardisation as well as EU-wide certification; 
  • the FDI screening framework; 
  • trade defence instruments; 
  • competition rules; 
  • public procurement, ensuring that due consideration is given to security aspects; and 
  • EU funding programmes, ensuring that beneficiaries comply with relevant security requirements.