Agence Europe
Europe Daily Bulletin No. 12340
SECTORAL POLICIES / Digital

The European assessment of 5G networks highlights the risks of intrusion by state actors

The European Commission is preparing to publish its coordinated assessment of risks to 5G infrastructure on 9 October. The draft text consulted by EUROPE, to which Member States were invited to react one last time, identifies “state or state-supported actors” as the most dangerous (level 5, the highest). 

The document does not explicitly refer to Huawei, which is only mentioned in the list of equipment manufacturers, as one of the two categories of actors considered most likely to undermine cybersecurity. However, it is this Chinese company that is the main focus of this analysis. 

Nine risk scenarios

The document follows the risk analysis carried out by each Member State on its territory, in accordance with the Commission Recommendation (2019/534) published in March (see EUROPE 12326/14). It identifies 7 categories of actors according to their capacities (resources) and motivations, including state or state-supported actors “whose motivations are primarily political”. “Threats posed by states or state-supported actors are perceived as being most relevant. They represent the potential actors of the most serious and likely threats, as they may have the motivation, intention and above all the ability to carry out persistent and sophisticated attacks on the security of 5G networks”, the document notes, adding that several Member States have identified some non-EU countries as posing a particular cyber threat to their national interests.

The draft text also proposes 9 risk scenarios related to the inadequacy of security measures implemented by mobile network operators, the 5G supply chain, the way threat actors operate, the interdependence between 5G networks and other critical systems and the risks associated with end-user devices. Again, the shadow of Chinese OEMs hangs over the document: according to scenario 5, “a hostile state actor puts pressure on a supplier under its jurisdiction to provide access to sensitive network assets through integrated vulnerabilities (intentionally or unintentionally)”.

In conclusion, the Commission seems to recommend identifying potential gaps in existing frameworks and enforcement mechanisms, ranging from the implementation of cybersecurity legislation to the supervisory role of public authorities, including the lack of obligations and responsibilities of operators and suppliers.

A toolbox in December

The European Commission is due to formally present its document on 9 October, after which it will continue its assessment before proposing a toolbox containing mitigation measures. “It is far too early to come to conclusions and say that the December measures will be this or that”, Security Commissioner Julian King said at a Lisbon Council event on 24 September. “There are a whole range of initiatives being taken by Member States, such as pre-authorisation, evaluation, transparency or sustainability obligations. These are the types of questions that could be on the table.”

However, Mr King refused to comment on Huawei's gesture to share its 5G technology, at least some patents, with American companies (see EUROPE 12331/7). (Original version in French by Sophie Petitjean)
