The EU has warned of increased cyber-attacks by state-backed entities and groups from outside the EU, and said that the risks posed by telecoms equipment suppliers that have a significant market share should be assessed.
The comments came in a report prepared by EU member states on cyber-security risks to next-generation 5G mobile networks, whose timely launch is crucial to the bloc’s competitiveness in an increasingly networked world.
While the report does not name any country or company, observers have frequently cited China and the world’s biggest telecoms equipment vendor, Huawei Technologies, as potential threats.
“Among the various potential actors, non-EU states or state-backed are considered as the most serious ones and the most likely to target 5G networks,” the European Commission and Finland, which currently holds the rotating EU presidency, said.
In this context of increased exposure to attacks facilitated by suppliers, the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country.
The US government wants Europe to ban Huawei’s equipment, because it says it can be used by Beijing for spying, something the company has repeatedly denied.
Britain has yet to take a final decision on Huawei’s role in future 5G networks. Its National Security Council decided in principle in April to block the Chinese vendor from critical parts of networks. Germany is creating a level playing field for 5G, in which all foreign vendors should prove that they are trustworthy.
Fifth-generation networks will hook up billions of devices, sensors, and cameras used in futuristic ‘smart’ cities, homes, and offices. With that ubiquity, security becomes an even more pressing need than it is in existing networks.
The report also warned against over-dependence on one telecoms equipment supplier. “A major dependency on a single supplier increases the exposure to a potential supply interruption, resulting, for instance, from a commercial failure, and its consequences,” they said.
“It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.”
Many European network operators have multi-vendor strategies, to reduce the security risks of relying too heavily on a single provider.
Deutsche Telekom, which sources network gear from Huawei, Ericsson, Nokia, and Cisco, said last year that it was reviewing its procurement policies, but it has so far not announced any change.
The EU will now seek to come up with a so-called toolbox of measures by the end of the year to address cyber-security risks at national and EU level.