European 5G cybersecurity study: it's not just about Huawei, people
- Telcos warned of greater reliance on equipment makers in 5G world
- Software, virtualisation, network slicing bring their own vulnerabilities
- Single-vendor approach highlighted as a security threat
Given that the European Commission's new 5G security report references state-backed security threats and interference from non-EU countries, it is understandable that industry watchers have largely concluded that it is a thinly-veiled warning about Huawei. And to a certain extent, it probably is. But there's a lot more to the report than that, and there's a lot more to 5G network security than keeping out the Chinese.
5G will make telecoms operators more dependent on equipment makers in general and that brings with it a raft of potential security issues, the EU coordinated risk assessment of the cybersecurity of 5G networks warns. The report, published on Wednesday, is designed to help EU member states prepare what they describe as "a toolbox of possible risk mitigation measures" by the end of this year.
In addition, the new technical features of 5G – including the move to software and virtualisation, network slicing, and mobile edge computing – will also raise new challenges, both in terms of changing vulnerabilities and involvement from new players.
"In particular, they will give additional prominence to the complexity of the telecoms supply chain in the security analysis, with various existing or new players, such as integrators, service providers or software vendors, becoming even more involved in the configuration and management of key parts of the network. This is likely to intensify further the reliance of mobile network operators on these third-party suppliers," the report states.
With greater reliance comes greater potential for attack. "Among the various potential actors, non-EU states or state-backed are considered as the most serious ones and the most likely to target 5G networks," it explains. "In this context of increased exposure to attacks facilitated by suppliers, the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country."
With Ericsson, Huawei and Nokia hoovering up many of the world's mobile network contracts between them, it's all too easy to point the finger at the Chinese company here. But there are many other equipment makers to take into consideration. The report, which doesn't specifically name Huawei, other than as a vendor with a sizeable market share, lists Cisco, Samsung and ZTE as other large suppliers, none of whom are EU-headquartered.
Further, the report also highlights the risk of dependency on a single supplier on the part of telcos, the implication being that relying one vendor for everything – whichever vendor – increases the risk of problems both from the point of view of interruption in service resulting from a commercial failure and from the malicious attack angle.
While many telcos are talking up their intent to adopt a multi-vendor approach for 5G, some of Europe's smaller players are reportedly looking at single-vendor contracts, which tend to be cheaper and easier to manage. While Huawei is often the vendor of choice for small, budget-conscious operators looking for a single vendor partner, you would have to do a lot of reading between the lines to come to the conclusion that the Commission is cautioning against the Chinese firm specifically; the message really does appear to be that telcos should avoid putting all their 5G eggs in one vendor's basket.
Stay up to date with the latest industry developments: sign up to receive TelecomTV's top news and videos plus exclusive subscriber-only content direct to your inbox – including our daily news briefing and weekly wrap.