30/01/2020

Europeans Struggle to Mitigate 5G Risks

Europe Tech & Innovation

Author

Mathieu Duchâtel

Resident Senior Fellow and Director of International Studies

Author

François Godement

Special Advisor and Resident Senior Fellow - U.S. and Asia

After a year of open debate on 5G risks, a lot of it centered on the case of China’s Huawei, explicit policies are coming out. France had been first with a new law - a certification system of "prior authorizations" that broadly empowers the administration and therefore leaves it much leeway on final choices. The UK, faced with strong demands by the US, has come out with its "new plans to safeguard the country’s telecoms network and pave way for fast, reliable and secure connectivity". It stops short of banning Huawei, and this is contested among security agencies and in Parliament. Germany is in the midst of polemics that leave Mrs. Merkel exposed to criticism from all parties except the Christian Social Union in Bavaria (CSU) for also refusing to name high-risk vendors. And the European Commission has finally published, with a delay of 45 days, its "toolbox of risk mitigation measures" with recommendations to Member States. Some of these have moved specifically on the issue of Huawei: Poland and Italy are pulling back from their earlier embrace of the Chinese supplier. The Danish carrier TDC, whose 4G was powered by Huawei, has announced the choice of Ericsson for its 5G infrastructure, on commercial terms.

Convergent threat analyses

On key points that cover technical and political issues, there are convergences in the published risk management announcements. 5G and its reach into many more activities through the Internet of Things (IoT) create new vulnerabilities. Sabotage or denial of supply (including from crucial subcontractors, for any reason) are even more ominous risks than spying. These threats are of a political and strategic nature. They are related to China’s leverage over Europe, and to the capacity of the Chinese state to conduct hostile actions in times of political tensions. The country of origin of the supplier may have laws that compel its cooperation with weak or inexistent democratic checks and balances: this is an obvious reference to China’s National Intelligence Law in the European risk assessment paper. In that case, how to protect targets in Europe from hostile intelligence action, since the capacity to seek legal redress is almost or entirely non-existent? To this list, the British framework for security threat analysis adds "network prepositioning", the ability to gain a presence for future exploitation.

5G and its reach into many more activities through the Internet of Things (IoT) create new vulnerabilities.

Finally, were US sanctions on Chinese suppliers to intensify, these suppliers might simply be unable to provide some of their services to customers. So far, the US has listed Huawei on the entity list only to immediately create a regime of exemptions through temporary general licenses. But a new wave of attacks against the Chinese equipment provider is in preparation in Washington.

Equally convergent is a refusal to name names - e.g. to exclude explicitly Huawei, although the UK decision bans ZTE, Huawei’s main competitor, from building British 5G infrastructure, accusing the company of posing risks that "cannot be mitigated". For the UK, this may be a political decision taken in London, perhaps helped by strong-arm tactics from China, and it is a loss of face for the US. In the case of the EU, it is a wish to avoid explicit discrimination, and a realization that risks go far beyond any single supplier. What is implied however at almost each page of these reports is that Huawei is to be treated as a potential security threat.

Facing "high-risk vendors"

Indeed, both texts from the EU and the UK determine or recommend multiple risk mitigation measures, often targeted at "high-risk vendors". The texts define "high-risk vendors" in terms that are not purely technical. The EU toolbox makes clear that "technical measures alone would not allow to address non-technical vulnerabilities". It includes access points - and especially base stations, a strong selling point of Huawei - as "high risk" if not "critical". The EU toolbox also lists in its "strategic measures" the importance of "assessing the risk profile of suppliers and applying restrictions for suppliers considered to be high risk, including necessary exclusions to effectively mitigate risks, for key assets". Exclusion is suggested as a response, but for "key assets" - this is the Commission’s recommendation to the Member States, and the minimal common denominator endorsed by the Member States.

As a new security blueprint by the National Cyber Security Centre (NCSC) of the British Government Communication Headquarters (GCHQ), the EU report questions the risk distinction between the core and the periphery of 5G systems, which is also is likely to evolve quickly. Many technical experts insist that this distinction will vanish during the transition from non-standalone 5G (essentially a 4G+ currently being built on top of existing 4G infrastructure) to standalone 5G.

A transition that will shift much data to the periphery, and open the way for far greater virtualization of network operations. Virtualization means more reliance on the software architecture of the network, and thus greater risks that an equipment provider suddenly introduces vulnerabilities through software updates. As stated by the EU Commissioner Thierry Breton, "These ultra-complex softwares require kilometres of code, with the bugs inherent to their complexity... It is an illusion, under these conditions, to even think of detecting possible "backdoors"! Not to mention the risks stemming from all the maintenance and upgrade such softwares will generate."

"These ultra-complex softwares require kilometres of code, with the bugs inherent to their complexity... It is an illusion, under these conditions, to even think of detecting possible "backdoors"!"

Taking a middle-of-the-road approach has its downsides

The EU report accordingly asks for the strong protection of "hospitals" as a case in point, while the UK decision has focused on government and critical technology centers. The UK, and possibly France, are adopting a geographical risk containment approach. A key reason is cost: Huawei equipment is already in place. Sensitive sites that host military or industrial capacities are to be off-limits for high-risk vendors. But this split approach has its limits. Will areas deemed as non-sensitive be excluded for future military, critical or any high-tech or strategic business facilities? Literally every recommendation by the EU lists "resource costs" as a factor: what is the real hidden price of including high-risk vendors if this leads to huge security costs that will never be sustainable for some of the 27 Member States?

Another risk containment measure, to respond to the risks linked to excessive leverage, is the idea of a cap. The UK has announced a 35% limit on the network for high-risk vendors. The EU calls on Member States to ensure the diversity of suppliers and to adopt "appropriate multi-vendor strategies". This is already the case in many Member States for 4G networks.In France, Huawei has built 47,5% of Bouygues Telecom’s infrastructure, 52% of SFR’s and 0,7% of Free’s. Only Orange is Huawei-free. And the multi-vendor approach follows a geographical logic, with Huawei equipment in the north and the west of the country for Bouygues’s networks, in the south for SFR’s. What the EU recommends is, in other words, a prolongation of the status quo, at least in some countries.

An unfinished business

Indeed, the toolbox reads like a framework for security analysis, and a list of possible measures to mitigate risks. The Commission reaches the limits of its function as a promoter of intra-European convergence on best practices. On the strong side, this process has tangible impact in terms of promoting a security approach to telecommunications in countries where there is little capacity today. Perhaps the strongest piece of advice is for Member States to "cooperate in capacity building and (...) retain a level of discretion in supervision method and obligations". In other words, start thinking across borders. On the weak side, the Commission lacks executive powers over the telecommunications sector.

Perhaps the strongest piece of advice is for Member States to "cooperate in capacity building and (...) retain a level of discretion in supervision method and obligations".

The two documents are clearly not meant as manifestos in favor of a European industrial policy supporting European solutions to critical infrastructure. Even so, the EU toolbox lists as a strategic measure "maintaining and building diversity and EU capacities in future network technologies". Both the EU and the UK reports promote the search for innovative and "disruptive" solutions by new providers - this is likely to be an allusion to the potential of Open Radio Access Networks (ORAN) being developed in the United States and Japan (with some European firms) and currently proposed to India. These two suggestions imply encouraging new market solutions.

This leaves Europe with two problems, partly of its own making. First, the risk mitigation approach, as opposed to the exclusion of high-risk vendors, implies a constant and costly adaptation to a shifting offense-defense balance: this is a bet on future European cybersecurity capacities. Second, from a strategic perspective, despite a convergence across Europe on the need to be much more defensive- and security-minded on 5G than for previous generations of networks, the continent does not resolve its fragmentation. And by 2025, if a fourth or a third of European telecoms infrastructure is powered by Chinese technology and a major crisis erupts in US-China relations, what will be the consequences from that crisis for European allies?

Copyright: WANG ZHAO / AFP