On October 9, 2019, with the support of the EC and the European Agency for Cybersecurity (Enisa), EU member states published a report warning of the risk of increased cyberattacks on 5G networks. This follows on from the EC's recommendation adopted in March 2019 to ensure a high level of cybersecurity of 5G networks across the EU. It called on member states to complete national risk assessments and review national measures in order to create a coordinated risk assessment and common toolbox of mitigating measures.
5G networks will connect countless objects, including those in critical sectors. The greater reliance of economic and societal functions on these networks could significantly worsen the potential negative consequences of disruptions. Therefore, it is essential that any vulnerabilities in the networks are addressed sooner rather than later. The EU's recent cybersecurity report is based on the results of the national cybersecurity risk assessments conducted by member states, and identifies the main threats and threat actors affecting 5G networks, as well as the most sensitive assets. The cybersecurity risks identified in the report will be used to create a toolbox of mitigating measures at national and EU level by December 31, 2019, and then by October 1, 2020, member states will have assessed whether there is a need for further action to complement the mitigating measures.
The cybersecurity report highlights the main vulnerabilities related to the compromise of confidentiality, availability, and integrity, and also a number of strategic risks. The assessment provides the basis on which the EC will identify mitigation measures that can be applied at both a national and EU level. Understandably, the report cannotoutline an exhaustive list of cybersecurity risks; however, it seems that regulators have attempted to outline the most important threats, such as5G network disruption, spying of traffic/data, modification or rerouting of traffic/data, and destruction or alteration of other digital infrastructures. The severity of specific threat scenarios to 5G networks varies according to a number of factors, including the number and type of users impacted; the length of time of the event before detection or remediation; the type of services impacted; the extent of damage; and the type of information breached.
According to the national risk assessments, threats posed by states or state-backed actors (especially non-EU countries) are perceived to be of highest relevance by member states. They represent the most serious as well as the most likely threat actors, because they have the motivation, intent, and the capability to conduct persistent and sophisticated attacks. Although the EU has so far resisted US pressure to boycott Chinese companies such as Huawei and ZTE, it seems likely that the results of these risk assessments will encourage the EC to look at addressing possible risks from non-EU state or state-backed actors.
The report has also identified a number of important security challenges that are likely to become more prominent in 5G networks; for example, the role of suppliers in building and operating 5G networks that results in greater access of third-party suppliers to networks and to interlinkages between 5G networks and third-party systems, as well as the degree of dependency on individual suppliers that increases the exposure to a potential supply interruption. The risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country. Key innovations in the 5G technology, particularly the important part of software and the wide range of services and applications enabled by 5G, also pose challenges because these increase the number of potential entry points for attackers.
All these challenges create a new security paradigm, making it vital that regulators reassess the current policy and security framework. At the EU level, existing security requirements relevant to the 5G networks are set out in EU telecoms legislation and in the Network and Information Security (NIS) Directive, as well as data protection and privacy frameworks. In addition, various security measures may already be applied by MNOs, such as technical measures (e.g., encryption, authentication, automation, and anomaly detection) or process-related measures (e.g. vulnerability management, and incident and response planning). However, the fundamental differences in how 5G operates means that current security measures employed on 4G networks are not comprehensive enough to mitigate security risks.