Can A 5G Network Really Be Secure?

Uploaded on 2020-01-20 in TECHNOLOGY-Key Areas-5G Networks, INTELLIGENCE--International, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Developments

The Australian government’s decision to ban ‘high-risk vendors’ from its 5G network build has made waves through the Five Eyes community but also in major markets where those high-risk vendors already have key customers. 

One such customer is Germany which, like Britain is grappling with multiple tensions when it came to opening the door to a potential 5G vendor that others had considered to be a risk. The decisions and deliberations of the Five Eyes countries have slowly become public.

The fifth generation of cellular technology known as 5G is the next great leap in speed for wireless devices. This speed includes both the rate mobile users can download data to their devices and the latency, or lag, they experience between sending and receiving information. 5G aims to deliver data rates that are 10 to 100 times faster than current 4G networks. 

Australia’s position on high-risk vendors is not new, neither are risk-based decisions about network operators. In 2012, the Australian government banned Chinese telecommunications company Huawei from taking part in building the National Broadband Network (NBN).  However, 2012 is a long time ago and the public narrative on restrictions on such vendors was quite different - there was no public statement and no Austaralian intelligence official publicly talked about the decision. 

The lack of a public narrative could be explained away in the context of a trade relationship. Or it could be explained in the context of a different time, when the government narrative on such issues tended to be less direct. The arguments about trust were often interwoven with reports of the theft of intellectual property and indictments against Chinese nationals accused of spiriting out highly sensitive US secrets, commercial espionage, or both.

A report from the US House intelligence committee at the time expressed concerns about Chinese legislation compelling its citizens to cooperate with requests, ‘Under Chinese law, ZTE and Huawei would be obligated to cooperate with any request by the Chinese government to use their systems or access them for malicious purposes under the guise of state security.’
For Chinese citizens and companies alike, participation in ‘intelligence work’ is a legal responsibility and obligation, regardless of geographic boundaries.

This requirement is consistent across several laws on the protection of China’s state security. For instance, Article 7 of the new Chinese National Intelligence Law declares: ‘Any organisation and citizen shall, in accordance with the law, support, provide assistance, and cooperate in national intelligence work, and guard the secrecy of any national intelligence work that they are aware of. ....The state shall protect individuals and organisations that support, cooperate with, and collaborate in national intelligence work.’

That could mean the Chinese government may influence, interfere with and have access to key assets of national interest, in this case, a telecommunications network.

The head of the Australian Signals Directorate, Mike Burgess, explained to the Sydney Morning Herald why assessing the security risks of critical infrastructure like the 5G network is a vital part of ASD’s work: “The stakes could not be higher. This is about more than just protecting the confidentiality of our information, it is also about integrity and availability of the data and systems on which we depend … Historically, we have protected the sensitive information and functions at the core of our telecommunications networks by confining our high-risk vendors to the edge of our networks. But the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network”.

In Britian, the General Communications Headquarters (GCHQ) securty agency seems to have formed a different view which has been reflected in the UK government’s approach to 5G vendors. 

The UK agreed several years ago to having a Huawei ‘cell’ in the country that assesses Huawei code before it’s used. The 5G network build is a matter for the UK government alone, and it’s perfectly entitled to make a decision different from those of its Five Eyes partners. News reports indicate that the 5G decision was subject to heated debate in the British cabinet, in which there was no uniform view on the question of excluding high-risk vendors. However, the debate marked the start of the ‘core versus edge’ public narrative, which could be convenient nuance for justifying the UK government’s approach.

So, where did all of this leave Germany? In June 2019, it appeared to be landing somewhere between the Australian and UK approaches.

Germany didn’t seem to want to adopt the direct Australian approach. One organisation we visited said, ‘Germany would never directly exclude a company in a procurement process.’  Some German organisations labelled the Australian decision as ‘geopolitical’. Often, talk moved on to China being regarded as less of a threat because it was not geographically close to Germany, which is odd given that the conduit of cyber has no borders. Germany wanted to be in a position to ‘trust and verify’ and that it would prefer to be able to determine its vendors on that basis.  However, when pressed to explain how this approach could ensure network security, when Chinese companies can be subject to their domestic law, and when German companies may be none the wiser, our German colleagues struggled to respond. 

Some shifted uncomfortably when we asked why an outright ban on high-risk vendors could not occur. They also spoke of a broader European strategy and said that no one country could dictate the procurement process, even though these decisions are supposed to be made at the national rather than EU level.

Now, there is  pressure on the Bundestag to reach a decsion and while the 5G build situation remains fluid, the Christian Democratic Union (CDU) has reportedly decided to allow Huawei to take part in Germany’s 5G bidding suggesting that Chancellor Angela Merkel has put Germany’s short-term economic interests first at the possible long-term expense of international security.

Germany’s decision to let Huawei take part in its 5G procurement process feeds into a broader EU issue about the degree to which collective security considerations should influence decisions made by national governments.

There does seem to be tension between the German and EU interests. It’s unclear whether there can ever really be a unified approach to building a 5G network, particularly because each EU member state may have different incumbent providers that in turn have relationships with overseas vendors like Huawei.

As Germany moves through the 5G procurement process, it will be interesting to see how it will or won’t be influenced by the different approaches of other nations and whether it will be influenced by a broader EU approach to national security.

Will Germany decide that it’s neither the ‘core’ nor the ‘edge’ that matters and that security risks can be managed by limiting the level of participation of foreign network operators, as suggested in the CDU document? Irrespective of which path Germany takes, it’s bound to attract attention and be closely watched.

ASPI Strategist:             Live Science:           Sydney Morning Herald:       Lawfare:

You Might Also Read: 

 5G Mobile Technology Poses An Espionage Risk:

Canada Is Suspicions Of Huawei:

A Looming US vs China Tech War Over Huawei:

 

 

« Travelex Ransom Demand Is Doubled
New York’s Albany Airport Pays Ransom »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Redcentric

Redcentric

Redcentric is a leading UK IT managed services provider. We deliver managed IT, cloud computing, data backup, information security services and managed networks.

Towergate Insurance

Towergate Insurance

Towergate Insurance is a leading UK specialist insurance broker. Business products include Cyber Liability Insurance.

Cyber Execs

Cyber Execs

Cyber Execs is a Cyber Security Consultancy & Executive Recruitment firm.

Riscure

Riscure

Riscure is a global test lab and tools leader for device security. Core expertise in side channel analysis, fault injection and embedded device software.

KeepSolid

KeepSolid

KeepSolid is a Virtual Private Network services provider offering secure encrypted access to the internet.

Cyber Security Centre - Daffodil International University

Cyber Security Centre - Daffodil International University

Cyber Security Centre, DIU is a non-profitable organization which is focused on applied research in cyber security.

EYE Security

EYE Security

EYE provides enterprise-grade cyber security services and cyber insurance to SMEs in Europe, Cyber Incident Response and strategic advice in board rooms.

Anthony Timbers LLC

Anthony Timbers LLC

Anthony Timbers is a cybersecurity consulting and penetration testing firm providing services to the Federal and Commercial sectors nationwide.

AdaCore

AdaCore

AdaCore is focused on helping developers build safe, secure and reliable software.

CYMOTIVE Technologies

CYMOTIVE Technologies

Combining Israeli cyber innovation with a century of German automotive engineering. CYMOTIVE operates under the assumption that connectivity is a game changer for the automotive industry.

Surefire Cyber

Surefire Cyber

Surefire Cyber delivers swift, strong response to cyber incidents such as ransomware, email compromise, malware, data theft, and other threats with end-to-end response capabilities.

Acora

Acora

Acora provide a range of best-in-class managed services, Microsoft-centric business software, and cloud solutions designed to help mid-market organisations succeed in the digital economy.

HackersEra

HackersEra

HackersEra is a leading offensive cybersecurity service provider. We enable our clients to operate in a more secure environment efficiently and produce more value.

JanBask Training

JanBask Training

JanBask Training is a dynamic, highly professional, global online training provider committed to propelling the next generation of technology learners with a whole new way of training experience.

Securily

Securily

Securily offers the ultimate solution for small to medium-sized businesses, blending cutting-edge AI with expert human insight to deliver the world’s easiest and most effective pentesting experience.

DevOcean

DevOcean

DevOcean, the leader in Cybersecurity Exposure Remediation, helps organizations cut through the chaos by automatically consolidating, prioritizing, and streamlining fixes.