EU countries “should not be naive” about the need to protect their critical digital infrastructures from cyber attacks, the head of the EU cyber security agency said.
Speaking at an online event organised by the Institute of International and European Affairs in Dublin, Juhan Lepassaar said high-level measures taken to boost 5G cyber security in recent years could be replicated in other areas, such as cloud computing.
Mr Lepassaar, executive director of the EU Agency for Cybersecurity (ENISA), described as “very positive” the general direction taken by member states to strengthen the security of infrastructure for the next generation of mobile networks.
ENISA has been at the forefront of developing the technical and strategic measures to boost 5G security based on threat assessments made by member states, as well as an EU-wide assessment.
These assessments were carried out on the back of mounting concerns, led by the US authorities, on the purported threat posed by Huawei, the leading Chinese supplier of 5G technology.
While the EU has not specified any country or company posing a threat to the new system, Britain banned its telecoms networks from buying Huawei 5G kit from December 31 and instructed that all existing equipment must be stripped out of mobile networks by 2027.
The EU threat assessment, published last October, did state that there were “threat actors” to 5G, in particular “non-EU state or state-backed actors”. It followed this up with its toolbox on mitigating the risks.
Last month, ENISA compiled a report on the implementation of measures by member states.
Mr Lepassaar said “Europe should not be naive” on the cyber security threats facing the union.
But he said member states and the EU institutions did respond to the 5G threat “in a way that reflects and protects European interests and values” by identifying risks and mitigating them.
He said with the threat assessments, “the general direction was very positive” and measures are being taken at a national and EU level to “increase the resilience” of infrastructure.
Chairing the event, Richard Browne, principal officer at the internet policy division of the Department of Communications, said there had been a “very significant amount of discussion” in the last five years in Europe regarding European digital strategic autonomy and the implications this had for 5G, cloud computing and the “physical infrastructure we are relying on to run our other critical infrastructure”.
Mr Browne, who has responsibility for Ireland’s national cyber security policy and the National Cyber Security Centre, highlighted the extent to which the EU operated politically and collectively on the challenge posed by 5G security.
He said they had the same goal: to ensure “greater European autonomy and security”.
Mr Lepassaar said the EU was allowing everyone to work in Europe if they complied with the rules.
He said that every year, there were “more cyber attacks” and they were “more complex”.
He said there was an increase in cyber incidents during the Covid-19 lockdown, between 25 March and 16 May, including 16 cyber attacks, 20 cybercrime incidents and three espionage cases.