Weak links in 5G wireless security could threaten the whole EU, auditors warn

The European Commission did “too little too late” to make sure member states protected their nascent 5G wireless networks from security risks, and notably reliance on Chinese telecoms companies, a new report from the European Court of Auditors has warned.

A weak link in one part of the EU could compromise other parts of the bloc, the report says.

Superfast, low latency 5G connections promise to open up a wealth of economic possibilities – remote surgery, for example, and could add “up to €1 trillion” to the EU economy by 2025.

But reliance on such networks makes Europe especially vulnerable if security is compromised. Hackers could seize control of critical infrastructure like power grids.

The report, released on 24 January, gives several recent examples of the damage wreaked by network outages. In June 2021, France’s biggest network, Orange, went down, stopping emergency calls for several hours, although this was not thought to be a cyberattack.

Last May, Ireland’s health service was forced to shut down its IT systems after a ransomware attack. Even three months later, Ireland was still unable to publish full information on coronavirus deaths and hospitalisations.

Security services have long fretted over the risks of compromised 5G networks, turning the issue into a geopolitical hot potato that focused in particular on the Chinese telecoms company Huawei.

Australia, the UK, US and Japan are among the countries that have outlawed Huawei kit in their networks, and some EU states like Sweden have followed suit.

But the auditors highlight that vulnerability in one member state could spill over into others, and that while some countries have banned Huawei, others have taken no action at all.

“Both the 5G infrastructure, and its security threats, are cross-border in nature. This means that any cybersecurity incident involving 5G networks in one member state would also affect other member states and ultimately the EU as a whole,” Annemie Turtelboom, who led the audit, told a briefing on its findings.

Sweden, whose relationship with Beijing has deteriorated since the abduction and subsequent imprisonment of a Swedish-Chinese bookseller in 2015, banned new Huawei kit from its systems, and ordered the removal of existing components by 2025.

But Hungary, which is close to China to the extent of welcoming a Chinese branch university campus to Budapest, has not restricted any 5G vendors and declined to join a US-led initiative to freeze out Chinese components, the report points out.

EU member states are “not on the same page when it comes to security,” said Turtelboom. “In some states they are banning Huawei,” but in others the company is deemed “perfectly safe.”

In 2020, the Commission issued a “toolbox” to guide member states into a coordinated European approach, based on a common set of measures.

But this was “too little, too late”, said Turtelboom. By the time it was released, a number of national mobile network operators had already chosen their vendors, the report found.

Pressed on how security flaws in one country could spill over to another, Paolo Pesce, one of the auditors, said that “communication networks are not isolated” and that data “will not remain on a single network”.

Spill over security risks

Different standards could also impact citizens’ privacy when travelling between EU countries.

But this problem of spill-over security risks is not well understood, according to the Court of Auditors, which is calling for the Commission to report this year on whether allowing some member states to use vendors deemed “high risk” by others could imperil the single market. It also wants the Commission to discuss with member states whether there is a need to specify what level of security should be required and where appropriate, agree legislation to enforce it.

While the Commission has accepted these recommendations, it stressed that it is for member states to decide on the exact scope of any restrictions or exclusions.

This points to the balancing act the Commission faces in trying to bolster 5G security, and the trade-off between rapidly drawing up guidelines before member states closed deals with 5G vendors, or taking the time to make binding rules. 

The toolbox is merely “soft law” providing non-binding guidelines, said Turtelboom. But the alternative route of getting binding hard law through the EU, would have taken “many years,” she said.

“The EU Toolbox represents a nimble risk-based instrument to address security challenges, which [made it possible to] handle 5G cybersecurity aspects in a timely and efficient manner,” the Commission said in its response to the report.

Meanwhile, the auditors also found that only 11 member states are likely to hit a 2016 Commission objective to provide 5G coverage in all urban areas and main transport routes by 2025.

Belgium, Bulgaria, Greece, Croatia and Cyprus are particularly unlikely to hit this target. “Despite the Commission’s support, there are considerable delays in the member states’ deployment of 5G networks,” the report says.

By mid-decade, Europe will lag significantly behind North America, China, and Australia, Japan, Singapore and South Korea in terms of the number of mobile connections via 5G, according to a report published last year by the Global System for Mobile Communications Association.

The auditors criticised the Commission for not stipulating minimum speeds and maximum latency standards for 5G. In response, the Commission said it would “work together with member states towards developing a common definition of the expected quality of service of 5G networks.”