On Wednesday 9 October, Member States published a “consensus report” on the security of 5G networks. As EUROPE announced last week, this document refuses to name Huawei directly as a threat (see EUROPE 12340/9). However, it notes that the most significant threat comes from state actors or those supported by a third State.
“Some comments said it was a weakness not to point at anyone. But I, on the other hand, find it a strength: we are determined not to put the cart before the horse and we have decided to embark on an evidence-based analysis”, said European Security Commissioner Julian King at a press conference.
This conclusion was immediately welcomed by Huawei, who stressed in its press release that, in addition to being a private company, it is very committed to security (with the underlying message, whatever the Americans say).
A joint, “very vague” assessment
This document, drafted by the Member States in cooperation with the European Commission and the Agency for Cybersecurity (ENISA), is based on the risk assessment carried out by each Member State on its territory (see EUROPE 12300/5). It highlights the fact that fifth generation networks have more entry points for an attack, notably via software updates and decentralisation of functionalities at the ends of the network, and the risk of operators becoming dependent on network providers.
It notes that several Member States have identified that “certain non-EU countries represent a particular cyber threat to their national interests, based on previous modus operandi of attacks by certain entities or on the existence of an offensive cyber programme of a given third State against them”.
This is indeed one of the main conclusions of the report, which indicates that third party actors represent the most important threat, after the presence of an ‘insider’ among telecom operators (or a subcontractor) who could compromise the confidentiality and availability of the network or the action of an organised crime group that would compromise the confidentiality of the networks. Why? Because they are the ones most likely to have “the motivation, intent and, above all, the ability to conduct persistent and sophisticated attacks on 5G networks [...]. These actors can cause large-scale failures and significant disruptions by exploiting undocumented functions or by attacking interdependent critical infrastructures.”
Huawei in the crosshairs
This coordinated assessment should of course be read in the context of the conflict (political and trade) between the United States and China today. The Trump administration has been campaigning for several months against Huawei, accusing it of carrying out espionage activities on behalf of Chinese authorities. It has blacklisted the equipment manufacturer and its subsidiaries, preventing American companies from trading with the group, and has chosen to prevent American federal agencies from acquiring Huawei equipment (see EUROPE 12331/7).
In the European report, Huawei is only mentioned once, when Member States list the main network providers. “Some of these suppliers are headquartered in the EU (Ericsson and Nokia) while the others are headquartered outside the EU. Their corporate governance presents notable differences, for example in terms of level of transparency and type of corporate ownership structure.” Among the foreign suppliers, only the Chinese Huawei and ZTE are mentioned, while the American Cisco, also mentioned, only offers a virtualised radio access network.
The United States in ambush
In response to a question from a Spanish journalist asking about the risk of spying on American companies, Commissioner King said he would not focus more on American companies than on Chinese ones. He still gave away, “We have arrangements with the United States, where European citizens have access to remedies.” For its part, the Finnish Presidency, at the head of the working group responsible for this evaluation (the NIS coordination group), indicated that the document had been drawn up without the intervention of a non-Member State. “The United States has asked to be able to inform Member States and this possibility, which also exists for other States, has been granted to them.
It should be noted that the NIS coordination group is chaired by Finland, alongside the Netherlands, Romania, France, the Czech Republic, Estonia and Italy, which have expressed an interest in the issue.
More concrete measures in December
However, this evaluation report, provided for in the Commission's March 2019 recommendation, represents only one step in the European reflection process (see EUROPE 12222/23). It is to be supplemented in the coming weeks by an analysis by the European Agency for Cybersecurity. According to a source close to the file, this study will focus more on the technical aspects of network security. At the press conference, Commissioner Mariya Gabriel, responsible for the Digital Economy and Society, also announced that the Body of European Regulators for Electronic Communications would also publish its opinion.
Finally, the process should lead to the development of a toolbox of measures to manage possible risks in an “appropriate, effective and proportionate” manner, with a view to mitigating the risks identified by Member States. These will be measures aimed at both Member States and telecommunications operators.
“It will be up to [Member States] to take their responsibilities: if in line, clear arguments, logic. They can go further. If they want to set out, they will have to explain publicly”, commented Commissioner King.
In what looks like a Sino-American conflict, no Member State has yet officially taken a position. But Poland clearly seemed to be leaning towards one side by signing a bilateral agreement with the United States in early September, which underlines the need to allow only “reliable and trustworthy” actors. Link to the report: http://bit.ly/2M3MB9D (Original version in French by Sophie Petitjean)