With the support of the European Commission and the European Cyber Security Authority, EU member states have issued an assessment report on the 5G cybersecurity risks in the European Union. This major initiative is part of the implementation of the security recommendations adopted by the European Commission in March 2019, which aims to ensure a high level of cybersecurity throughout the EU 5G network.
The report is based on the results of national cybersecurity risk assessments for all EU member states. The report identifies key threats and threat actors, the most sensitive assets, major vulnerabilities (including technical vulnerabilities and other types of vulnerabilities), and many strategic risks. This assessment provides the basis for identifying mitigation measures that can be implemented at the national and EU level.
Key insights from the European Union on 5G cybersecurity risk assessment:
The report identifies a number of important security challenges, which are likely to appear or become more prominent in 5G networks, compared with the situation in existing networks:
These security challenges are mainly linked to:
- key innovations in the 5G technology (which will also bring a number of specific security improvements), in particular the important part of software and the wide range of services and applications enabled by 5G;
- the role of suppliers in building and operating 5G networks and the degree of dependency on individual suppliers.
Specifically, the roll-out of 5G networks is expected to have the following effects:
- An increased exposure to attacks and more potential entry points for attackers: With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers are gaining in importance. They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect.
- Due to new characteristics of the 5G network architecture and new functionalities, certain pieces of network equipment or functions are becoming more sensitive, such as base stations or key technical management functions of the networks.
- An increased exposure to risks related to the reliance of mobile network operators on suppliers. This will also lead to a higher number of attacks paths that might be exploited by threat actors and increase the potential severity of the impact of such attacks. Among the various potential actors, non-EU States or State-backed are considered as the most serious ones and the most likely to target 5G networks.
- In this context of increased exposure to attacks facilitated by suppliers, the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country.
- Increased risks from major dependencies on suppliers: a major dependency on a single supplier increases the exposure to a potential supply interruption, resulting for instance from a commercial failure, and its consequences. It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.
- Threats to availability and integrity of networks will become major security concerns: in addition to confidentiality and privacy threats, with 5G networks expected to become the backbone of many critical IT applications, the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective.