5G Cybersecurity: How Does the EU Policy Framework Ensure the Cybersecurity and National Security of Member States?
The impact of 5G
5G, the fifth generation of mobile networks, is now a commercial reality and is considered a key technology for society in terms of economic and social prosperity and new business procedures. Besides the obvious benefits and merits of 5G, cybersecurity-related concerns are emerging as well.
The EU, under the visionary leadership of policymakers, strives to forge ahead in the global 5G race against its major competitors. 5G is expected to generate economic growth, create new jobs, and boost innovation. According to ETSI, “5G related investments by EU member states are estimated to be in the order of €56.6 billion in 2020 and €58 billion in 2025 which will be likely to create 2.3 million jobs in Europe” (https://5g-ppp.eu/newsletter-22-october-2020/). Therefore, technological advancement through 5G is also considered a strategic factor and a geopolitical asset.
Fast data transfer and low latency are inherent characteristics of 5G networks and can reduce the time between actions and responses, making devices, machines, and sensors more reactive, allowing for bi-directional communication and real-time remote control. Eventually, 5G can enable the proliferation of private networks whose capabilities and coverage characteristics keep machines, tools, parts, and people in a production line perfectly synced, raising performance and facilitating mass customization.
The most exciting implementation of 5G seems to be the upgrade of IoT devices, delivering expanded networking capabilities. 5G can connect more devices at higher speeds with ultra-low latency. Integrating 5G into IoT devices can massively improve user experience, while at the same time making virtual and augmented reality applications possible irrespective of the device or service being used. Furthermore, it is expected to accelerate the digitization of transportation, agriculture, manufacturing and other physical industries. The European Union’s 5G networks will shape the basis of the future society and economy and will drastically influence the lives of EU citizens. Billions of products and systems will be connected in all sectors of the economy: energy, transportation, industrial systems, banking and health. Even processes like elections are increasingly based on digital infrastructure and 5G networks.
Main technological elements
5G is designed to augment existing 4G LTE cellular networks or even replace them completely. Each generation is defined by several factors, like the technology used, the latency (i.e., the amount of time between sending and receiving a signal), and the overall speed of data transmission via the network to end-devices. Two of the most interesting evolutions driven by the adoption of 5G are the push for industry standards in the design of equipment used in assembling the radio-access segment of cellular networks (RAN), through the adoption of “Open-RAN” (O-RAN), and the implementation of “network slicing” features.
Radio Access Network (RAN)/O-RAN
A radio access network (RAN) is the part of a mobile network that connects end-user devices, like smartphones, to the core network. Information is sent via radio waves from end-user devices to the RAN’s transceivers, and from these transceivers it is forwarded to the core network and towards its final destination. For telecom network operators, RANs are considered crucial connection elements and account for a significant part of network expenses, performing intensive/complex processing, and now facing increasing demand as more 5G use cases emerge for telco customers. The virtualization techniques used in traditional computer networks can also be exploited in RANs to improve performance and efficiency.
Open-RAN, aiming for an interoperable network architecture for RAN elements, introduces a software-based “white box” RAN. This operating software separates the RAN control plane from the user plane, thus building a modular software-based base station. This would eventually mean that baseband units, radio units, radio heads and other elements, whichever vendor builds them, could be managed by Open-RAN software to form a non-proprietary, interoperable and open RAN.
- O-RAN is a promising technology and is going to resolve a lot of economic and technical issues in the whole telecom market. It will encourage newcomers to enter the industry, promote innovation, and “break” the oligopoly of a handful of vendors. Some of them have already been characterized by several countries as “high risk” ones. Nevertheless, O-RAN is still not fully standardized, and the industry is still coping with it until it becomes the mainstream solution.
Network slicing
The latest mobile generation enhances cellular networks with capabilities that resemble the features of terrestrial networks. Network slicing, a core feature of 5G, refers to the slicing of a single mobile radio network into multiple virtual networks. This allows for multiple virtual networks to exist on top of a common shared physical infrastructure. Customization of these virtual networks facilitates the specific needs of applications, services, devices, customers or operators. Network slicing will maximize the flexibility of 5G networks, optimizing both utilization of the infrastructure and the allocation of resources.
- Network slicing undoubtedly offers flexibility both to providers and customers to exploit and fine-tune their resources and services. Nevertheless, it exponentially increases the complexity of the whole network operation, since it might require the cooperation of numerous network providers both at home and abroad. While being subject to national regulation, there will be the potential of “private slices” held by “private third parties”, raising serious National Security concerns.
Cybersecurity/National security concerns
While looking at the other side of the coin and despite the obvious advancements and opportunities of 5G, we must figure out what might be the “Achilles’ heel” of 5G in terms of Cybersecurity and/or National Security.
The primary 5G equipment providers and IoT device manufacturers are mainly based outside Europe (i.e., China, South Korea, United States) and theoretically must comply with the EU legal framework (GDPR, NIS Directive, RED, etc.) and the 5G Cybersecurity Toolbox (an EC recommendation for MS and their telecom operators – currently not fully implemented across the EU – related to security requirements affecting vendors and suppliers). Consequently, several concerns arise regarding these vendors, such as:
- Are they subject to proportional legal and security provisions imposed by their own countries?
- Does each MS have the potential to individually identify legal and/or technical breaches of EU legal acts?
- If a MS phases out a product, or even a supplier, from the domestic telecom networks, what might be the consequences in terms of the related extra costs and the telecom provider competitiveness? How are these costs balanced with the expected cybersecurity benefits?
- What are the implications regarding National Security (e.g., State sensitive data leakage)? Should MSs rely upon corporate groups to defend their services when National Security concerns arise?
- When should MSs act retroactively and when proactively?
- When is an MS’s individual action sufficient and when is a collective approach required?
CONCORDIA’s contribution
CONCORDIA, through its deliverables, highlights the relevant pieces of EU Cybersecurity regulations. It has presented the current legislation, amendments and EU initiatives. Besides, CONCORDIA has made specific proposals for legal/policy framework improvement, exploiting the acquired experience of its consortium related to the current technological advancements. Using the 5 main thematic areas of “network-centric”, “system-centric”, “data-centric”, “application-centric” and “end-user centric” security, the Cybersecurity legal/policy landscape has been holistically approached.
Within this scope, CONCORDIA analyzed legal/policy documents such as the NIS Directive (and the upcoming NIS2), the GDPR, the Product Liability Directive, and the Radio Equipment Directive. As the EU is confronted with the legal/technical loopholes of 5G, it comes equipped with additional arrows in its quiver, namely the EEC Code, the 5G Cybersecurity Toolbox, various study groups considering the O-RAN implementation (e.g., O-RAN Alliance), 5G standardization committees (e.g., ETSI, 3GPP) – just to name a few. These EU legal/policy actions are part of a bigger effort that comprises the EU Cybersecurity and Digital Sovereignty and each Member State’s National Security.
All these efforts form the main policy-making pillars that may enhance Cybersecurity across the European countries and make emerging technologies like 5G thrive, in favor of the EU’s further economic and social prosperity.
You can read more on the technological and policy cybersecurity issues of 5G (and other emerging technologies) in CONCORDIA’s deliverables:
- Deliverable D4.1: 1st Year Report on Cybersecurity Threats
- Deliverable D4.2: 2nd Year Report on Cybersecurity Threats
- Deliverable D4.4: Cybersecurity Roadmap for Europe by CONCORDIA
(By: Spyridon Chatziloizos and the National Cyber Security Authority of Greece)