Whom to trust in a 5G world? Policy recommendations for Europe's 5G challenge

Policy Brief


The fifth generation of mobile networks is already changing the telecoms market, and in the near future every industry will rely, at least to some extent, on mobile networks – not just for communication but first and foremost for value creation. Even though telecommunication networks were built to enable human-to-human communication, they increasingly transport machine-to-machine communication, such as in smart factories or autonomous vehicles. Being connected to the mobile network will be almost as critical as being connected to electricity: disrupting mobile networks thus has severe impacts on ever more industries. This is why the security and resilience of those future networks are of utmost importance.

Recent debates around 5G have almost exclusively focused on the question of whether or not it is safe for European countries to include Chinese vendors in the 5G rollout. A strong focus was on Huawei and the search for the “smoking gun” – a “kill switch” or “backdoor” in the source code of Huawei’s products, placed on behalf of the Chinese Communist Party (CCP) to compromise foreign networks. This debate stole attention away from more systemic challenges: securing our mobile networks is a much bigger task than deciding on the trustworthiness of a particular company.

The European Commission’s (EC) consolidated 5G risk assessment is the right step to identify those systemic challenges. The task ahead is now to identify policy initiatives to address them. This paper argues that the EC’s upcoming “5G toolbox” will have to utilize different policy domains to properly address the three dimensions – IT security of mobile networks, trustworthiness of foreign suppliers and industrial policy for Europe. It analyzes each of these dimensions and offers policy recommendations:

  1. The IT security of mobile networks has to be addressed on four different levels – standards, implementation, configuration, operations. Network equipment certification and source code analysis, two heavily discussed strategies, should only be small pieces of a broader strategy: 5G is first and foremost about software-defined, highly modular and complex networks that blur the line between vendor and operator. This in itself creates severe challenges for policy makers in defining requirements and responsibilities.
  2. The origin of technology matters – especially with software-defined products. Policy makers will have to define criteria to reliably assess the trustworthiness of suppliers, not just for 5G. The EC has the chance to inform future debates about national security threats emerging from certain technology suppliers by establishing a framework that considers the technical and non-technical criteria that affect the trustworthiness of a supplier.
  3. Lastly, Europe has to be pragmatic about a necessary industrial policy: supplier diversity is a precondition for resilient networks, and there are strong indicators that Chinese suppliers have systemic competitive advantages, not just through state subsidies. The EC will need to utilize industrial policy to strengthen a diverse supplier market and avoid vendor lock-in.

December 05, 2019

Jan-Peter Kleinhans, Project Lead, IT Security in the Internet of Things