Germany says it won’t ban Huawei or any 5G supplier up front

Germany is resisting US pressure to shut out Chinese tech giant Huawei from its 5G networks — saying it will not ban any supplier for the next-gen mobile networks on an up front basis, per Reuters.

“Essentially our approach is as follows: We are not taking a pre-emptive decision to ban any actor, or any company,” government spokesman, Steffen Seibert, told a news conference in Berlin yesterday.

The country’s Federal Network Agency is slated to publish detailed security guidance on the technical and governance criteria for 5G networks in the next few days.

The next-gen mobile technology delivers faster speeds and lower latency than current-gen cellular technologies, as well as supporting many more connections per cell site. So it’s being viewed as the enabling foundation for a raft of futuristic technologies — from connected and autonomous vehicles to real-time telesurgery.

But increased network capabilities that support many more critical functions mean rising security risk. The complexity of 5G networks — marketed by operators as “intelligent connectivity” — also increases the surface area for attacks. So future network security is now a major geopolitical concern.

German business newspaper Handelsblatt, which says it has reviewed a draft of the incoming 5G security requirements, reports that chancellor Angela Merkel intervened to exclude a clause which would have blocked Huawei’s market access — fearing a rift with China if the tech giant is shut out.

Earlier this year it says the federal government pledged the highest possible security standards for regulating next-gen mobile networks, saying also that systems should only be sourced from “trusted suppliers”. But those commitments have now been watered down by economic considerations at the top of the German government.

The decision not to block Huawei’s access has attracted criticism within Germany, and flies in the face of continued US pressure on allies to ban the Chinese tech giant over security and espionage risks.

The US imposed its own export controls on Huawei in May.

A key concern attached to Huawei is that back in 2017 China’s Communist Party passed a national intelligence law which gives the state swingeing powers to compel assistance from companies and individuals to gather foreign and domestic intelligence.

For network operators outside China the problem is Huawei has the lead as a global 5G supplier — meaning any ban on it as a supplier would translate into delays to network rollouts. Years of delay and billions of dollars of cost to 5G launches, according to warnings by German operators.

Another issue is that Huawei’s 5G technology has also been criticized on security grounds.

A report this spring by a UK oversight body set up to assess the company’s approach to security was damning — finding “serious and systematic defects” in its software engineering and cyber security competence.

Though a leak shortly afterwards from the UK government suggested it would allow Huawei partial access — to supply non-core elements of networks.

An official UK government decision on Huawei has been delayed, causing ongoing uncertainty for local carriers. In the meantime a government review of the telecoms supply chain this summer called for tougher security standards and updated regulations — with major fines for failure. So it’s possible that stringent UK regulations might sum to a de facto ban if Huawei’s approach to security isn’t seen to take major steps forward soon.

According to Handelsblatt’s report, Germany’s incoming guidance for 5G network operators will require carriers to identify critical areas of network architecture and apply an increased level of security. (Although it’s worth pointing out there’s ongoing debate about how to define critical/core network areas in 5G networks.)

The Federal Office for Information Security (BSI) will be responsible for carrying out security inspections of networks.

Last week a pan-EU security threat assessment of 5G technology highlighted risks from “non-EU state or state-backed actors” — in a coded jab at Huawei.

The report also flagged increased security challenges attached to 5G vs current gen networks on account of the expanded role of software in the networks and apps running on 5G. And warned of too much dependence on individual 5G suppliers, and of operators relying overly on a single supplier.

Shortly afterwards the WSJ obtained a private risk assessment by EU governments — which appears to dial up regional concerns over Huawei, focusing on threats linked to 5G providers in countries with “no democratic and legal restrictions in place”.

Among the discussed risks in this non-public report are the insertion of concealed hardware, software or flaws into 5G networks; and the risk of uncontrolled software updates, backdoors or undocumented testing features left in the production version of networking products.

“These vulnerabilities are not ones which can be remedied by making small technical changes, but are strategic and lasting in nature,” a source familiar with the discussions told the WSJ — which implies that short term economic considerations risk translating into major strategic vulnerabilities down the line.

5G alternatives are in short supply, though.

US Senator Mark Warner recently floated the idea of creating a consortium of ‘Five Eyes’ allies — aka the U.S., Australia, Canada, New Zealand and the UK — to finance and build “a Western open-democracy type equivalent” to Huawei.

But any such move would clearly take time, even as Huawei continues selling services around the world and embedding its 5G kit into next-gen networks.

European risk report flags 5G security challenges

European Union Member States have published a joint risk assessment report into 5G technology which highlights increased security risks that will require a new approach to securing telecoms infrastructure.

The EU has so far resisted pressure from the U.S. to boycott Chinese tech giant Huawei as a 5G supplier on national security grounds, with individual Member States such as the UK also taking their time to chew over the issue.

But the report flags risks to 5G from what it couches as “non-EU state or state-backed actors” — which can be read as diplomatic code for Huawei. Though, as some industry watchers have been quick to point out, the label could be applied rather closer to home in the near future, should Brexit come to pass…

Back in March, as European telecom industry concern swirled about how to respond to US pressure to block Huawei, the Commission stepped in to issue a series of recommendations — urging Member States to step up individual and collective attention to mitigate potential security risks as they roll out 5G networks.

Today’s risk assessment report follows on from that.

It identifies a number of “security challenges” that the report suggests are “likely to appear or become more prominent in 5G networks” vs current mobile networks — linked to the expanded use of software to run 5G networks; and software and apps that will be enabled by and run on the next-gen networks.

The role of suppliers in building and operating 5G networks is also noted as a security challenge, with the report warning of a “degree of dependency on individual suppliers”, and also of too many eggs being placed in the basket of a single 5G supplier.

Summing up the effects expected to follow 5G rollouts, per the report, it predicts:

  • An increased exposure to attacks and more potential entry points for attackers: With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers are gaining in importance. They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect.
  • Due to new characteristics of the 5G network architecture and new functionalities, certain pieces of network equipment or functions are becoming more sensitive, such as base stations or key technical management functions of the networks.
  • An increased exposure to risks related to the reliance of mobile network operators on suppliers. This will also lead to a higher number of attack paths that might be exploited by threat actors and increase the potential severity of the impact of such attacks. Among the various potential actors, non-EU States or State-backed are considered as the most serious ones and the most likely to target 5G networks.
  • In this context of increased exposure to attacks facilitated by suppliers, the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country.
  • Increased risks from major dependencies on suppliers: a major dependency on a single supplier increases the exposure to a potential supply interruption, resulting for instance from a commercial failure, and its consequences. It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.
  • Threats to availability and integrity of networks will become major security concerns: in addition to confidentiality and privacy threats, with 5G networks expected to become the backbone of many critical IT applications, the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective.

The high level report is a compilation of Member States’ national risk assessments, working with the Commission and the European Agency for Cybersecurity. It’s couched as just a first step in developing a European response to securing 5G networks.

“It highlights the elements that are of particular strategic relevance for the EU,” the report says in self-summary. “As such, it does not aim at presenting an exhaustive analysis of all relevant aspects or types of individual cybersecurity risks related to 5G networks.”

The next step will be the development, by December 31, of a toolbox of mitigating measures, agreed by the Network and Information Systems Cooperation Group, which will be aimed at addressing identified risks at national and Union level.

“By 1 October 2020, Member States – in cooperation with the Commission – should assess the effects of the Recommendation in order to determine whether there is a need for further action. This assessment should take into account the outcome of the coordinated European risk assessment and of the effectiveness of the measures,” the Commission adds.

For the toolbox a variety of measures are likely to be considered, per the report — consisting of existing security requirements for previous generations of mobile networks with “contingency approaches” that have been defined through standardisation by the mobile telephony standards body, 3GPP, especially for core and access levels of 5G networks.

But it also warns that “fundamental differences in how 5G operates also means that the current security measures as deployed on 4G networks might not be wholly effective or sufficiently comprehensive to mitigate the identified security risks”, adding that: “Furthermore, the nature and characteristics of some of these risks makes it necessary to determine if they may be addressed through technical measures alone.

“The assessment of these measures will be undertaken in the subsequent phase of the implementation of the Commission Recommendation. This will lead to the identification of a toolbox of appropriate, effective and proportionate possible risk management measures to mitigate cybersecurity risks identified by Member States within this process.”

The report concludes with a final line saying that “consideration should also be given to the development of the European industrial capacity in terms of software development, equipment manufacturing, laboratory testing, conformity evaluation, etc” — packing an awful lot into a single sentence.

The implication is that the business of 5G security will need to get commensurately large to scale to meet the multi-dimensional security challenge that goes hand in glove with the next-gen tech. Just banning a single supplier isn’t going to cut it.

Huawei: “The US security accusation of our 5G has no evidence. Nothing.”

Huawei’s rotating chairman Guo Ping kicked off a keynote speech this morning at the world’s biggest mobile industry tradeshow with a wry joke. “There has never been more interest in Huawei,” he told delegates at Mobile World Congress. “We must be doing something right!”

The Chinese company is seeking to dispel suspicion around the security of its 5G network equipment which has been accelerated by U.S. president Trump who has been urging U.S. allies not to buy kit or services from Huawei.

Last week Trump also tweet-shamed U.S. companies — saying they needed to step up their efforts to roll out 5G networks or “get left behind”.

In an MWC keynote speech yesterday the European Commission’s digital commissioner Mariya Gabriel also signalled the executive is prepared to step in and regulate to ensure a “common approach” on the issue of network security — to avoid the risk of EU member states taking individual actions that could delay 5G rollouts across Europe.

Huawei appeared to welcome the prospect today.

“Government and the mobile operators should work together to agree what this assurance testing and certification rating for Europe will be,” said Guo, suggesting that’s Huawei’s hope for any Commission action on 5G security.

“Let experts decide whether networks are safe or not,” he added, implying Trump is the opposite of an expert. “Huawei has a strong track record in security for three decades. Serving three billion people around the world. The U.S. security accusation of our 5G has no evidence. Nothing.”

Geopolitical tensions about network security have translated into the biggest headache for Huawei which has positioned itself as a key vendor for 5G kit right as carriers are preparing to upgrade their existing cellular networks to the next-gen flavor.

Guo claimed today that Huawei is “the first company who can deploy 5G networks at scale”, giving a pitch for what he described as “powerful, simple and intelligent” next-gen network kit while clearly enjoying the opportunity of being able to agree with U.S. president Trump in public — that “the U.S. needs powerful, faster and smarter 5G”.

But any competitive lead in next-gen network tech also puts the company in prime position for political blowback linked to espionage concerns related to the Chinese state’s access to data held or accessed by commercial companies.

Huawei’s strategy to counter this threat has been to come out fighting for its commercial business — and it had plenty more of that spirit on show this morning. As well as a bunch of in-jokes. Most notably a reference to NSA whistleblower Edward Snowden which drew a knowing ripple of laughter from the audience.

“We understand innovation is nothing without security,” said Guo, segueing from making a sales pitch for Huawei’s 5G network solutions straight into the giant geopolitical security question looming over the conference.

“Prism, prism on the wall who is the most trustworthy of them all?” he said. “It’s a very important question. And if you don’t ask them that you can go ask Edward Snowden.”

You can’t use “a crystal ball to manage cybersecurity”, Guo went on, dubbing it “a challenge we all share” and arguing that every player in the mobile industry has responsibility to defuse the network security issue — from kit vendors to carriers and standards bodies, as well as regulators.

“With 5G we have made a lot of progress over 4G and we can proudly say that 5G is safer than 4G. As a vendor we don’t operate carriers network, and we don’t all carry data. Our responsibility — what we promise — is that we don’t do anything bad,” he said. “We don’t do bad things.”

“Let me say this as clear as possible,” he went on, putting up another slide that literally underlined the point. “Huawei has not and will never plant backdoors. And we will never allow anyone to do so in our equipment.

“We take this responsibility very seriously.”

Guo’s pitch on network trust and security was to argue that where 5G networks are concerned security is a collective industry responsibility — which in turn means every player in the chain plays a monitoring role that allows for networks to be collectively trusted.

“Carriers are responsible for secure operations of their own networks. 5G networks are private networks. The boundary between different networks are clear. Carriers can prevent outside attacks with firewalls and security gateways. For internal threats carriers can manage, monitor and audit all vendors and partners to make sure their network elements are secure,” he said, going on to urge the industry to work together on standards which he described as “our shared responsibility”.

“To build safer networks we need to standardize cybersecurity requirements and these standards must be verifiable for all vendors and all carriers,” he said, adding that Huawei “fully supports” the work of industry standards and certification bodies the GSMA and 3GPP who he also claimed have “strong capabilities to verify 5G’s security”.

Huawei’s strategy to defuse geopolitical risk by appealing to the industry as a whole to get behind tackling the network trust issue is a smart one given the uncertainty generated by Trump’s attacks is hardly being welcomed by players in the mobile business.

Huawei’s headache might lead to the mobile industry as a whole catching a cold — and no one at MWC wants that.

Later in the keynote Guo also pointed to the awkward “irony” of the U.S. Cloud Act — given the legislation allows US entities to “access data across borders”.

U.S. overreach on accessing the personal data of foreign citizens continues to cause major legal headaches in Europe as a result of the clash between its national security interest and EU citizens’ fundamental privacy rights. So his point there won’t have been lost on an MWC audience packed with European delegates attending the annual tradeshow in Barcelona.

“So for best technology and greater security choose Huawei. Please choose Huawei,” Guo finished, ending his keynote with a line that could very well make it as a new marketing slogan writ large on one of the myriad tech-packed booths here at Fira Gran Via.