With the support of the Commission and the EU Cyber Security Agency, member states on Wednesday adopted a Report on the EU-wide coordinated risk assessment related to cybersecurity in 5th generation (5G) networks. published.

5G networks are the future backbone of increasingly digitized economies and societies. They will connect billions of objects and systems, including in critical sectors such as energy, transport, banking and healthcare, but also in industrial control systems that process sensitive information and support security systems. Ensuring the security and resilience of 5G networks is therefore of utmost importance.

The report is based on the results of the national risk assessments conducted by all EU member states regarding their cybersecurity. It identifies the main threats and their originators, the most vulnerable assets and facilities, the main vulnerabilities (technical and otherwise), and a number of strategic risks.

This assessment forms the basis for identifying risk reduction measures that can be taken at national and European level.

Most important findings

The report identifies several major security issues that are likely to occur in 5G networks or - compared to existing networks - are more significant there.

These security issues are mainly related to

• great innovations of 5G technology (which at the same time bring a number of specific security improvements), especially in the important software area and in the broad spectrum of services and applications enabled by 5G technology;
• the role of the Suppliers in the deployment and operation of 5G networks and the degree of dependence on individual suppliers.

Specifically, the deployment of 5G networks is expected to have the following impacts:

• A Increased risk of attack and more potential entry points for attackersAs 5G networks become increasingly software-based, the risks associated with major security vulnerabilities increase, e.g. due to poor software development processes at suppliers. This could also make it easier for attackers to build backdoors into products and make them more difficult to detect.
• Due to the new features of the 5G network architecture and new 5G functions certain network equipment or network functions become more easily vulnerable, e.g., base stations or important technical management functions of the networks.
• Increased risks due to the Dependence of mobile network operators on their suppliers. This will also change the Number of attack points that could be exploited by attackers' and increase the potential severity of the consequences of such attacks. Among the various potential actors, the greatest threats come from non-EU states or state-sponsored organizations, which are also most likely to target 5G networks.
• Against this background of an increased risk of attack favored by suppliers, the Risk profile of the individual suppliershave a special meaning, because it says how likely it is that the supplier will succumb to the influence of a non-EU country.
• Increased risks due to greater dependencies on suppliers: A large dependency on a single supplier increases the risk of possible supply disruptions, which can lead, for example, to business failures with all their consequences. Thus, it also exacerbates the possible consequences of vulnerabilities and susceptibilities and their possible exploitation by attackers, especially in the case of dependence on a high-risk supplier.
• Threats to network availability and integrity will raise major security concerns: As 5G networks are expected to form the backbone of many indispensable IT applications, in addition to confidentiality and privacy, the integrity and availability of these networks will become an important issue of national security interests and a major security challenge for the EU.

Taken together, all of these challenges are creating a new security paradigm that requires a review of the policy and security framework currently governing this sector and its ecosystem so that member states can adopt the necessary risk mitigation measures.

The threat situation from the perspective of the EU Cyber Security Agency: In addition to the report of the Member States, the EU Cyber Security Agency just finished its overview of the specific threat situation related to 5G networks, in which it goes into more detail on certain technical aspects of the report.

Next steps

By December 31, 2019, the Cooperation Group Agree on a set of risk mitigation measures to respond to identified cybersecurity risks at the national and Union levels.

By 1 October 2020, Member States - in cooperation with the Commission - should assess the impact of the Recommendation to determine whether further measures are needed. This evaluation should take into account the results of the coordinated European risk assessment and the effectiveness of the measures

Source: European Commission, Representation in Germany