Nation-State Hackers Greatest Threat to 5G Networks: Report
New EU Report Sidesteps Concerns About Huawei's Role
Nation-state attackers from outside the European Union pose the greatest threat to the continent's upcoming rollout of 5G networks, according to a security assessment conducted by the European Commission and the European Agency for Cybersecurity.
The study notes that reliance on one telecom company to create 5G networks poses its own security concerns. But it does not single out concerns about Huawei, the China-based firm that’s one of the top three providers of 5G equipment. The United States has been pressuring its allies to avoid using Huawei gear because of security concerns.
"A major dependency on a single supplier increases the exposure to a potential supply interruption, resulting for instance from a commercial failure, and its consequences," the report notes.
5G and Software Concerns
The increasing use of software within these telecommunications networks and the proliferation of endpoints are expected to add to security concerns for the continent, the report finds. It points out that 5G could open the door to more supply-chain and nation-state-sponsored attacks, especially as members of the European Union rely more heavily on mobile operators and telecom equipment suppliers to provide software and services within these 5G networks.
"This will also lead to a higher number of attack paths that might be exploited by threat actors and increase the potential severity of the impact of such attacks," the report states. "Among the various potential actors, non-EU states or state-backed [attackers] are considered as the most serious ones and the most likely to target 5G networks."
New Security Paradigm
The rollout of 5G will include newer technologies, such as software-defined networks, or SDNs, which is a major shift from older communication networks that relied on a combination of hardware and software, the report notes. With 5G, almost the entire network will be built on top of software.
And while there are benefits to this approach, such as faster updates and lower latency, it also means more software patching will be required, which could lead to more vulnerabilities in the network - especially if third-party suppliers fail to keep up with the latest updates and fixes, the report finds.
"With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers, are gaining in importance," according to the report. "They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect."
These concerns come at a time when commercial deployments of 5G technologies have only started. That, however, is likely to change in 2020, when more large-scale deployments are expected to get underway, the report notes.
The report also points out that 5G is likely to increase the number of connected devices that consumers and businesses use. These IoT devices include smartphones, sensors in factories and even autonomous vehicles.
Nation-states, and even individual cybercriminals, could take advantage of connected devices with poorly designed security to start large-scale distributed denial-of-service attacks using botnets built by utilizing millions of these unsecured IoT devices, the report notes.
"A very large number of devices simultaneously attempting to gain access to the network can indeed cause an overload of the network," according to the report. "Considered together with the expected growing reliance of society on 5G networks, the security implications of allowing large numbers of poorly secured devices on the network can be significant."
The increased use of IoT devices also means that more of the functionality of 5G networks will move from the core of the network to the edge, which is known as edge computing, according to the report. Moving to the edge of the networks means lower latency and faster response times, which will make these connected devices much more efficient, the report finds. It also means additional security concerns at the various endpoints.
"If not managed properly, these new features are expected to increase the overall attack surface and the number of potential entry points for attackers, as well as increase chances of malicious impersonation of network parts and functions," the report adds.
While not mentioned in the report, the use of Huawei equipment to build these 5G networks remains a major concern for the European Union. Huawei, Nokia and Ericsson provide the bulk of the necessary 5G equipment, according to Reuters. And relying on just one vendor is a security concern in itself, the report points out.
Huawei has also had problems with its own equipment. A report from security firm Finite State released in June found that over 500 of the company's networking products had flaws in the firmware (see: Report: Huawei's Firmware Riddled With Problems).
In addition, the U.S. government has been pressuring its allies not to use Huawei gear in their 5G network rollouts, citing security concerns. Some governments, such as Australia, have agreed, but many members of the European Union have not committed to a total ban on use of the company's equipment (see: Huawei's Role in 5G Networks: A Matter of Trust).
The U.S. has suspected that Huawei uses its gear to conduct cyberespionage operations on behalf of the Chinese government. The company has long denied this accusation.
When the European Commission released its 5G report on Wednesday, Tom Ridge, former secretary of the U.S. Department of Homeland Security, said that the study validated U.S. concerns even though Huawei is not mentioned.
"The new EU-wide 5G risk assessment further validates warnings from the cybersecurity community, which has been waving a red flag regarding Huawei’s involvement with next-generation wireless networks for many months," said Ridge, who is now on the board of the Global Cyber Policy Watch think tank.
A Huawei spokesperson, however, told Reuters that the 5G security report was a fair assessment and proved that the company could be a trusted security partner.
"We are pleased to note that the EU delivered on its commitment to take an evidence-based approach, thoroughly analyzing risks rather than targeting specific countries or actors," the company spokesperson says.