Europe has warned that 5G networks will be “a major security challenge” and that the EU’s current policy and security framework needs reassessing in the face of a “new security paradigm”, as 5G networks look set to emerge as the backbone of many critical IT applications.
The comments came in a sweeping new report on 5G security, published today by Europe’s member states, the European Commission (EC) and the European Agency for Cybersecurity (ENISA).
Emphasising supply chain risk, without naming any specific providers (both Huawei and Cisco regularly suffer from serious security issues) the report suggests trying to build a home-grown 5G infrastructure industry: “Consideration should also be given to the development of the European industrial capacity in terms of software development, equipment manufacturing, laboratory testing, conformity evaluation, etc.”
Other key points: That 5G will increase the overall attack surface and –
“Enhanced functionality at the edge of the network and a less centralised architecture than in previous generations of mobile networks means that some functions of the core networks may be integrated in other parts of the networks making the corresponding equipment more sensitive (e.g. base stations or MANO functions);
“The increased part of software in 5G equipment leads to increased risks linked to software development and update processes, creates new risks of configuration errors, and gives a more important role in the security analysis to the choices made by each mobile network operator in the deployment phase of the network.”
In itself, the report carries little immediate weight, but does suggest key threat concerns, and strategic pointers for their amelioration.
The European Agency for Cybersecurity is finalising a specific threat landscape mapping of 5G networks, which “considers in more detail certain technical aspects covered in the report”, the EC said today.
Europe’sCooperation Group (a collection of member state, EC, and ENISA members dedicated to ensuring a “high common level of security of network and information systems in the European Union”) meanwhile has been tasked with agreeing on a “toolbox of mitigating measures to address the identified cybersecurity risks at national and Union level”.
This is due to be published by December 31, 2019. By 1 October 2020, meanwhile, EU member states should “assess the effects of the Recommendation in order to determine whether there is a need for further action”, the EC said.