Europe publishes 5G risk assessment; America scrawls ‘Huawei’ on the side of a nuke and goes for a ride
There’s nothing like reasoned policy debate. This is nothing like reasoned policy debate
The European Union has published a risk assessment of next-generation 5G mobile networks and concluded that everyone needs to think differently about security, given fundamental changes in how the new networks will operate.
In response, America has scrawled the name “Huawei” on the side of a nuke, pulled a Stetson on and clambered on top bellowing Yee-haw!
Yes folks, it is the latest installment in the 5G wars where every telco wants to make a fortune by dominating the market, every country wants to use the new infrastructure to spy on others, and America has decided that going full-blown Huawei-hating is the best solution.
The report itself, published Wednesday, is a 33-page rundown of what new considerations need to be made with 5G networks. It is, somewhat surprisingly, a clearly written document without too much jargon and just the right level of detail to grasp the policy issues without getting bogged down in technical details.
Most importantly, the report notes that there are fundamental differences in the current 3G and 4G networks that we use for our mobile phones (and broader mobile data delivery) and the upcoming 5G networks which promise far faster and more expansive opportunities.
Most importantly, 5G networks are reliant to a far greater degree on software and less on specialized hardware and software. This is a big plus - it means new features can be added easily and the underlying infrastructure won’t have to be overhauled or replaced to take advantage of them. But, at the same time of course, it means that 5G networks will be more open to attack.
Software, hard times
“A move to software and virtualisation through ‘Software Defined Networks (SDN) and Network Functions Virtualisation (NFV) technologies’... will represent a major shift from traditional network architecture as functions will no longer be built on specialised hardware and software. Instead, functionality and differentiation will take place in the software,” the report notes.
It goes on: “Such increased reliance on software, and the frequent updates they require, will significantly increase the exposure to the role of third-party suppliers and the importance of robust patch management procedures.”
Then there is “network slicing” which allows different service layers on the same physical network to be separated - which is great news in that it means new kinds of differentiated services can be offered. It means the network will be less centralized, which should speed things up and put more functionality at the edge of the network. This is precisely the change that 5G enthusiasts say will bring in a whole new world of third-party applications.
But it also means that the current 4G core network will need to be replaced - and that means huge replacement costs and new equipment across the whole network.
These are the changes that make people so excited about the possibilities of 5G but at the same time, the report notes, “these new features will bring numerous new security challenges. In particular, they will give additional prominence to the complexity of the telecoms supply chain in the security analysis, with various existing or new players, such as integrators, service providers or software vendors, becoming even more involved in the configuration and management of key parts of the network.”
It’s a fundamental shift in control, in a similar way to the advent of the internet allowing for an explosion in applications and information sharing while running over the previous limited functionality of telephone lines. But it will require a security rethink and come with greater risk.
Leaning over the edge
The report notes: “Some sensitive functions currently performed in the physically and logically separated core are likely to be moved closer to the edge of the network, requiring relevant security controls to be moved too, in order to encompass critical parts of the whole network, including the radio access part.
If not managed properly, these new features are expected to increase the overall attack surface and the number of potential entry points for attackers, as well as increase chances of malicious impersonation of network parts and functions.”
Now, the people designing 5G have recognized that one of the big problems with the internet was that it didn’t fully account for security and as a result we have been playing catch-up ever since, plastering bits of security over the cracks.
So there are lots of security components baked into 5G. However, the report notes: “These new security features will however not all be activated by default in the network equipment, and therefore their implementation will greatly depend upon how the operators deploy and manage their networks.”
But what about Huawei, the Commie telco looking to steal everyone’s information and cheeseburgers and hand it over to Beijing in return for a pat on the head from Xi Jinping? We’re getting to that.
It’s worth noting that the name “Huawei” only appears twice in the entire report: first to note that it is a “main supplier” of telecoms equipment, alongside Ericsson and Nokia (with ZTE, Samsung and Cisco noted as “other suppliers”); and second, when it flags, in a footnote, the work of the UK Huawei Cybersecurity Evaluation Centre (HSCEC) in reviewing “the practices of one of the major network equipment suppliers.”
But crucially, there is a section dedicated to “the risk profiles of individual suppliers” and the “likelihood of the supplier being subject to interference from a non-EU country.”
The report lists several factors that point to a greater likelihood of interference, including:
- A strong link between the supplier and a government of a given third country
- The third country’s legislation, especially where there are no legislative or democratic checks and balances in place, and
- The ability for the third country to exercise any form of pressure, including in relation to the place of manufacturing of the equipment.
Which is clearly talking about China and Huawei, right? Well that certainly what the Americans think.
The former Secretary of Homeland Security and governor of Pennsylvania, Tom Ridge, had this to say: “The new EU-wide 5G risk assessment further validates warnings from the cybersecurity community, which has been waving a red flag regarding Huawei’s involvement with next-generation wireless networks for many months.”
He notes that the reference to “non-EU countries” in the report “clearly includes China,” and argues that a reference to “notable differences, for example in terms of level of transparency and type of corporate ownership structure” in suppliers “headquartered outside the EU” is a clear reference to Huawei.
He then strays off the report to US press reports and provides some personal insights into Huawei in particular: “There’s no question in my mind that the company would comply with China’s 2017 law requiring assistance with intelligence gathering. Huawei has already taken money from the People’s Liberation Army, China’s National Security Commission and a third branch of the Chinese state intelligence network, as reported by The Times.”
He adds: “A company that’s been accused of both ‘intentional or unintentional backdoors’ noted in the assessment can’t be trusted to construct critical infrastructure like 5G. If countries needed more reason to implement stricter security measures to protect 5G networks, this comprehensive risk assessment is it.”
Take a seat
That assessment is shared by “senior counterterrorism official with the US Department of Homeland Security” Nate Snyder.
Snyder is so certain that the report was about Huawei, despite not mentioning its name, that he forewent the niceties of mentioning that fact and goes straight into it: “The European Commission’s report makes clear that the vulnerabilities facing a Huawei 5G global network are systemic. Huawei networks are a house of cards supported by shoddy coding and a supply chain full of holes, with countless entry points for state and non-state actors, organized crime, and terrorist groups—cyber-based and otherwise—to exploit.”
He has more: “Further, due to the single supplier nature of the architecture, it leaves the Huawei-based 5G network open to attack - essentially a sitting duck - meaning critical infrastructure such as electrical grids could be shut down or held hostage. These threats and vulnerabilities just scratch the surface; the EU report confirms that a Huawei 5G network across the EU (and US) is a counter-intelligence nightmare.”
US lobby group calls for open standards to fight Huawei 'threat'READ MORE
He has more, but you get the idea.
As for the actual report, it notes that “while a threat actor’s direct access to or influence on the telecom supply chain may significantly facilitate its exploitation for malicious actions and make the impact of such actions significantly more severe, it should also be noted that actors with a high level of intent and capabilities, such as State actor, would seek to exploit vulnerabilities at any stage of the product lifecycle provided by any supplier.”
Later on, it notes: “In this context, several Member States attribute a higher risk profile to suppliers that are under the jurisdiction of third countries conducting an offensive cyber policy.”
Which is just more code for China, right? After all, it’s not as if there are any other countries that are renowned for their interception and bulk surveillance of telecommunications networks. Or any that have - or frequently boast about - their offensive cyber policy. It can only mean China. China and Huawei. No one else. ®
- Black Hat
- Central Intelligence Agency
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Federal government of the United States
- Foreign Intelligence Surveillance Act
- Identity Theft
- Kenna Security
- New Mexico
- Palo Alto Networks
- Trusted Platform Module
- United States Armed Forces
- United States Department of Commerce
- Zero trust