5G: Reliable Suppliers and External Risks
Reading Time: 5 minutesE-health, urban traffic management, self-driving cars, security services, energy networks, industrial facilities and the media – all industries and services in which 5G telecommunications networks will make up the basic critical infrastructure in the short term. Security of the network and supplier selection have become divisive geopolitical issues. Concurrently, from a national security point of view, critical areas remain – yet they are not receiving sufficient coordination.
5G will speed up innovation and enhance productivity. At the same time, this technological transformation will create new network security challenges. For one, there will be broader attack surfaces, more devices, and greater traffic. It is imperative that we ensure 5G networks are secure from the start. According to a Juniper Research study, the United States is expected to account for 50 percent of data breached or compromised worldwide by 2023. This shows clearly, why states must ensure secure and resilient 5G networks. Unlike previous network transitions that were more like upgrades, 5G is a totally new and different network architecture. It will allow tailored security solutions such as “network slicing” for different network functions, and private networks, which can significantly enhance network security. They mandate more resilient, secure and trustworthy networks.
According to a study by PwC for the European Commission, losses as a result of cyber attacks could exceed EUR 60 billion, and millions of jobs could be lost by 2025 – so the issue of secure networks is without a doubt of national economic importance. The study also points out that Europe is not only spending less on cybersecurity, but its response time is also significantly slower. Today, attacks are targeting internal networks operating at various companies and government agencies, but with the spread of 5G, telecommunications networks will become increasingly targeted. This paves the way for cybercriminals to obtain business and national security secrets, or even indulge in extensive sabotage. It is not just the US that is pushing for protection, but the European Union is now recognizing the need to take certain preventive steps to reduce the risks.
This is imperative according to the European Commission “toolbox,” supported by a risk assessment study, which makes concrete, albeit non-binding, proposals to member states toward minimizing risk. Within this updating of the regulatory environment, diversifying the choice of network equipment companies and strengthening the protection lines of individual mobile operators are equally forceful measures as identifying and excluding high-risk suppliers from the systems. Although they are not named in the toolbox, the geopolitical awareness is as clear as day that the major Chinese telecommunications infrastructure providers were targeted by the committee’s proposal. After US moves, the Huawei case has spilled over into the EU, prompting several pan-European telecoms operators to change course on their previous decisions regarding the technical workings of their next-generation networks.
The EU toolbox, which is fundamentally a sound argument, presents a completely different picture from an economic policy perspective. U.S. protectionism, for example, could drive business to European network equipment suppliers, but China is also protecting its own markets even when faced with the fact that a European supplier has already won a Chinese mobile operator tender. The Chinese market is critical for European and American suppliers in the telecommunications industry, so it is no coincidence that there are enormous forces struggling against each other behind the scenes as EU 5G regulation develops.
In regard to the deployment of next-generation networks and the procurement of individual service providers, the most topical and important question now more than ever is whether it will be possible in the future to differentiate between secure and less secure mobile operators, or secure and risky systems, based on which network transmission equipment the subnetwork consists of.
“5G security can be seen as an uninterrupted process that begins with the selection of suppliers and goes through the production of network elements and the lifetime of network operations. Non-technical factors should also be taken into account when designing the supplier’s risk profile, and components critical to national security should only be sourced from trusted parties. Minimizing the role of ‘high-risk suppliers’ can be achieved completely if necessary, and a multi-supplier strategy is inevitable,” the committee wrote in a recommendation at the end of 2019.
A supplier with a non-democratic system in their home country could present a high risk, experts say. Eastern vendors, on the other hand, argue that this approach provides an opportunity to discriminate against Chinese companies. For example, Huawei itself claims to have been a market leader in cybersecurity issues for years, making its source code available to European security laboratories for software running on its equipment.
“We cannot allow information to flow through networks unless we are sure it is not in the hands of the Chinese Communist Party,” said South Carolina senator Lindsey Graham quite categorically, adding that the Huawei issue is one of the few issues on which there is agreement between Democrats and Republicans.
In light of this, it is perhaps no coincidence that the British government has come under intense pressure from the US for relying on Chinese equipment for building its 5G network. Originally, 35 percent of the UK’s 5G infrastructure was earmarked for Huawei, but these days the Johnson government is preparing for the complete elimination of Chinese products, according to press reports.
A secure network is a private one
Security is such a critical issue that it is a consideration for a mobile operator building a private network, the elements of which can be defined by the customer, for a larger partner even at the designing and standardization of 5G. Today, not only is it possible to choose the devices that employees have, but 5G systems have enabled an organization to build a network from the assets of a particular supplier and operate it separately from the rest of the network. To the best of our knowledge, this will be the prerogative of only the biggest companies. Security can be further enhanced if the mobile operator is left out of the entire internal infrastructure as it is and a company operates a private network on a frequency it has acquired itself, as allowed by the German regulatory authority under the relevant EU directive.
Critical networks
However, there is an area where even more stringent safety requirements apply, the network is even more isolated, but where EU regulation allows member states complete freedom by not having created a single EU regulatory environment. Emergency networks for ambulances, police, border guards, disaster management and other specialized encrypted networks for the safety of citizens and the communication of state security services will only appear in the near future in the realm of 5G technology, as standardization of this special segment is still ongoing.
These networks represent huge business opportunities for suppliers in all EU countries, as the average costs of the equipment and building a network are significantly higher than the average for public networks. True, these systems, which are not only more expensive to transport but also to operate — that is, to provide the service — than in the case of public networks, entail even higher expectations in connection to R&D and security.
There’s no need to point out that the security of dedicated police and disaster management and counter-terrorism telecommunications networks is a critical national security issue, perhaps explaining why the EU has left member states a free hand in this realm. Experts warn, however, that if any one member state does not carefully select a reliable supplier for emergency networking, it will pose a significant security risk not only to itself but to the EU as a whole – i.e. a vulnerable national contingency network will create a loophole in the EU-wide security system.