21 Jun 2019

5G and National Security

A complex puzzle


5G technologies are portrayed as the new Holy Grail of wireless services: a new breed of digital applications that will exploit their higher speed (200 times faster than 4G) and faster data transfer from wireless broadband networks (i.e. transfers taking 10 times less time than 4G). These features will enable services for driverless cars, advanced factory automation, smart cities, e-health and many more. But 5G is not just a promising technology development; it is also a perfect stage for the newest geopolitical drama: a tech war between China and the US, which reminds us of the dangers when a rising power challenges a ruling power – Sparta vs Athens in ancient Greece, Germany vs Britain a century ago, or US vs Russia during the Cold War. And this struggle is only just starting: besides 5G, artificial intelligence and smart cities will all offer new arenas for rivalry.

Today, the battle is all about security. 5G networks pose unique challenges in this respect. First, the primary functions of 5G networks, as well as the promise behind their economic viability, are performed through software rather than hardware. This is both a significant advantage over legacy wireless networks and a source of vulnerability, since software is more easily subject to potentially malicious attacks exploiting weaknesses. Moreover, today’s IT systems are extremely complex: the Systems on a Chip of current smartphones have more than 8 billion transistors and current operating systems have more than 50 million lines of code. Many of these systems are built from parts supplied by many hardware and software vendors: in principle, this creates multiple possible “entry points” for both malicious attacks and data leaks, through ‘backdoors’, hidden remote accesses that can be exploited to gain full control of a device. If one cannot detect and monitor backdoors, the level of safety and security of a 5G network is inevitably compromised.

There are ways around these problems, of course. But security assessments, code reviews and penetration tests, while certainly helping to improve overall software quality, cannot prove the absence of malicious code or backdoors. This is true for any manufacturer, not just the Chinese ones.

But there’s more. 5G network architecture will blur the distinction between the radio access networks (base stations and antennas) and the ‘core’ network, including switching and transport. This also mirrors a shift of the network’s intelligence from the core to the edges, which in turn can have significant implications for network security. The more intelligence is distributed at the edges, and the more the number of connected devices and objects skyrockets, the bigger the attack surface becomes. The tremendous increase in traffic flow will make the detection of malicious traffic that much more difficult.

Against this background, the concerns of governments regarding the nature and the quality of the suppliers of 5G equipment are understandable. Indeed, since complete trust in the devices is impossible, trust has to be placed in manufacturers. But this depends on the jurisdiction, the legal systems and the rule of law in which the manufacturer operates. A summary report of a recent major 5G Security Conference mentions that “risk assessments of 5G products should take into account all relevant factors, including the applicable legal environment and other aspects of the supplier’s ecosystem”. Therefore, the question for the government becomes how to ensure deployment of highly resilient and trustworthy 5G infrastructures on which the country’s future economy and society can be built and rely.

Differences in the approach to 5G security have emerged between the US and Europe. The US administration decided to blacklist Huawei technologies on national security grounds, and more recently banned American firms from selling components and software to Huawei without prior government approval. The US is also pressuring other countries to ban Huawei on security concerns. What the US administration is mostly concerned about is a 2017 Chinese Intelligence Law that allows the government to compel companies such as Huawei to switch off the phones of customers, or use their infrastructure to provide the government with an intelligence advantage. Huawei’s top management repeatedly stated that they would rather shut down than become a spy for the Chinese government. More recently, they have proposed “no spy agreements” with the US, Germany and the UK. Since there is no way to prove the absence of malicious code, network resilience in a case of sabotage may not be attainable: that would only be possible with completely separated networks, excluding commercial applications and content.

Furthermore, some US analysts and companies have observed that limiting US tech exports to Chinese companies like Huawei could eventually backfire. The reasoning is as follows: should the ban on Huawei be justified on security grounds, then withholding exports could make things worse. For example, stopping Google from dealing with Huawei will push the Chinese company to create its own version of Android, which may have more bugs than the original Google version. This would in turn increase the risk of Huawei phones being hacked, not least by China. Moreover, while the export ban will weaken Huawei, it will not shut the company down, and may eventually provide China with even stronger incentives to become technologically independent from the US. Finally, limiting the export of US technologies will reduce US output and jobs.[1]

In a nutshell, playing hardball with China may not be the best idea for the US on this front. Contrary to the case of 4G, China is clearly in the lead in 5G, and Europe and Korea are also better positioned than the US. A recent report from the Defence Innovation Board of the US Department of Defence clearly stated that “As 5G is deployed across the globe in similar bands of spectrum [sub-6 mid-band], China’s handset and internet applications and services are likely to become dominant, even if they are excluded from the US. China is on a track to repeat in 5G what happened with the United States in 4G”. Based on these warnings, the US would be better off playing its cards in a more conventional setting, such as the WTO and foreign courts.

Compared to the US, Europe is following a different, more cautious path. At the 22 March European Council, national leaders expressed the need for a concerted approach to the security of 5G networks and the European Commission recommended a set of operational steps and measures to ensure a high level of cybersecurity for 5G networks across Europe. The focus is on using existing tools such as certification schemes or even creating new ones. Each member state will be required to carry out a risk assessment to be used at the European level to complete an overall 5G threat landscape and an EU-wide risk assessment. This, by the end of 2019, will lead to the identification and adoption of mitigating measures that will likely include certification requirements, test controls as well as the identification of products and suppliers that are considered potentially non-secure. The UK National Cyber Security Centre is leading the way in the mitigation approach, with a mix of measures that go from vendor selection (with the definition of ‘risky vendors’ – not just based on country – and a framework to manage them) to rules such as requiring that every portion of the network have multiple vendors; keeping riskier vendors out of sensitive functions (like the core of the network); designing networks that are tolerant of exploitation of any device (regardless of vendor); and establishing continuous monitoring requirements. Therefore, European member states should see the implementation of the 5G networks as an opportunity to create ICT supply chain review processes to assess risks to national security, as the UK has started to do.

Europe should work to keep competition open among equipment suppliers and capitalise on the historical technical knowledge and capacity of the European suppliers Nokia and Ericsson (founders of the GSMA association and present in ETSI from the beginning), which are facing increasing demand for their equipment in the next generation core network as customers prefer to have dual sourcing for the most sensitive part of the network or just replace existing suppliers. Furthermore, the EU should contribute to making European industrial policy on digitalisation more robust – for example by screening foreign direct investment – and also by taking a stronger stand on China’s non-market practices such as protectionist industrial policy and forced technology transfer. A stronger role for Europe is the best way of mitigating the effects of US-China technology rivalry.




[1] According to an ITIF analysis, US firms could lose $14 to $56 billion in export sales over five years, threatening 18,000 to 74,000 jobs.