5G vs. National Security
The transition to the fifth generation of mobile networks (5G) is often portrayed as a race – between economic systems and between companies. Who defines the standards? Which company holds critical standard-essential patents? Which nation has the most pilots to test equipment and applications? Who is the fastest to roll out the infrastructure? What are new business models? The race for 5G is truly multi-dimensional, highly complex and fast-moving. Yet, recently the debate has been dominated by one single question: does the deployment of Chinese 5G network equipment pose a threat to the national security of western countries?
Since there is no way to prove the absence of malicious code or vulnerabilities in any piece of hardware or software, ultimately one has to trust the manufacturer to keep devices secure and not exploit vulnerabilities. This trust heavily depends on the legal and regulatory system in which the manufacturer operates. So it is not just about trusting Huawei or ZTE but trusting China. There are many good reasons to distrust China. Yet, governments should be cautious not to conflate issues with China's geopolitical strategy, industrial policies or espionage with the trustworthiness and resilience of our future mobile networks.
The trustworthiness and resilience of mobile networks depend not just on the robustness of 5G standards but how those standards are implemented by the manufacturer and how securely these systems are configured and managed by the operator. On these four levels – standards, implementation, configuration and operation – proper threat modelling and risk minimization can go a long way toward addressing threats such as espionage or network disruption. Independent of the question whether to ban Chinese manufacturers, European member states should follow a risk minimization approach via regulation on all four levels.
It is important to understand that the debate about 5G and Chinese network equipment was simply the first but is not unique. China plays a key role in a variety of ICT supply chains and Europe should strategically assess potential risks that stem from these dependencies. A supply chain review process in different sectors and key technologies would enable us to identify and assess future dependencies that potentially threaten our national security. Based on these, proper risk minimization strategies should be developed.