European Court of Auditors Concern: EU’s Divergent Approach to Security of 5G Networks
EU nations are ‘progressing at different paces’ in terms of cyber security protocols introduced by the European Commission in order to ensure the safety of next-generation telecommunications networks, the European Court of Auditors has said.
The news comes at the beginning of a year-long probe into the EU’s security of 5G networks by auditors, while the European Commission has also confirmed to EURACTIV that nations across the bloc have missed deadlines set out in law, which had bound countries to assign 5G spectrum frequencies by the end of 2020.
Auditors say their research has already unearthed evidence of a divergent approach to 5G security across member states [1.], as well as differences in deployment timelines for the technology across the continent. As part of a series of measures unveiled by the Commission in their 2020 5G Toolbox, member states were tasked with assessing the risk profile of telecom providers, with a view to applying restrictions for those vendors considered to be high-risk.
Note 1. Of course, there is an inconsistent approach to 5G security as there are no standards for same from ITU and the 3GPP Release 16 specs for 5G Security are incomplete (delayed to Release 17). That was all described in this IEEE Techblog post.
The toolbox highlighted that “a particular threat stems from cyber offensive initiatives of non-EU countries,” in a veiled reference to Chinese telecommunications providers Huawei and ZTE.
“Several member states have identified that certain non-EU countries (China?) represent a particular cyber threat to their national interests based on previous modus operandi of attacks by certain entities or on the existence of an offensive cyber program of a given third state against them,” the toolbox adds.
A progress report on the plans in July pressed member states to make ‘urgent progress’ on mitigating the risks to 5G telecommunications networks posed by certain high-risk suppliers.
Speaking on Thursday (7 January 2021), the European Court of Auditors’ Paolo Pesce, part of the team conducting the 12-month review, said harmonization across the bloc on such security standards had not happened yet. “Member states have developed and started implementing necessary security measures to mitigate risks,” Pesce said. “But from the information gathered so far, member states seem to be progressing at a different pace as we implement this measure.”
Annemie Turtelboom, the ECA member leading the audit, added that the report will seek to probe the trade-off EU nations seem to be making with regards to security and speed of deployment.
“The coronavirus crisis has made electronic communications including mobile communications even more vital for the citizens and businesses while making it more difficult to timely prepare authorization procedures so that several member states have recently expressed their intention to delay their national spectrum auction procedures,” a spokesperson told EURACTIV.
“The Commission will follow the matter closely and take any difficulty into consideration considering the impact of the current public health crisis.”
However, it appears that the security concerns of contracting various suppliers have been just as relevant in the delays as has the coronavirus pandemic.
In one recent example, Sweden had to sideline auctions for its 3.4-3.6 GHz and 3.6-3.8 GHz bands, after telecoms regulators PTS prohibited the use of equipment from Chinese firms Huawei and ZTE. Earlier this week, Huawei announced that it had lodged an appeal to the supreme administrative court for being frozen out of the auctions.
By mid-December, member states, including the UK, had assigned on average only 36.1% of the 5G pioneer bands, the European Commission informed EURACTIV. Under the 2018 Electronic Communications Code, all spectrum in the 700MHz band should have been awarded by June 30, 2020, with allocations of 3.6GHz and 26GHz airwaves wrapped up by December 31, 2020.
Commission presses member states to take action on high-risk 5G vendors
5G Security Vulnerabilities detailed by Positive Technologies; ITU-T and 3GPP 5G Security specs