As mobile network operators continue to roll out 5G infrastructure and services, it is to be expected that we will see a gradual uptake in new, innovative use cases. In the European Union a comprehensive effort to ensure an adequate level of security of this next generation connectivity is well under way: the EU Toolbox for 5G security.
The need for security in 5G networks and applications has been broadly publicized, including on this site. As a key technical enabler for wireless networking in a broad range of scenarios, from mobile broadband to massive IoT, there is no question that 5G networks are part of the critical infrastructure of modern society. However, until recently national regulators had published only limited guidance on the specific security risks to which 5G systems are subject.
Recognizing the need for guidance beyond existing industry standards and best practices from groups such as 3GPP or GSMA, and the need to ensure a common security baseline at scale, the EU gathered a range of different instruments in its “Toolbox”.
A Two-pronged Approach to Addressing 5G Security Challenges
These tools aim to improve the overall security posture across EU member states in various ways. Since effective security comprises more than just technology controls, a fundamental design consideration from the start has been to rely on both strategic and technical measures.
Telecommunications is an industry that has initiated and adopted significant security efforts in the past, such as the GSMA Security Accreditation Scheme (SAS) for SIM cards or the Network Equipment Security Assurance Scheme (NESAS), so the EU is not starting on a green field either. Choosing which elements to build on, and how to advance from there, is key to ensuring that the resulting measures are practical and see broad adoption.
Moreover, in recognizing the independence of each member state and the authority that comes with it, for example on aspects like national security, the Toolbox needs to strike a balance between being too prescriptive and being too broad to be effective. The consolidated measures resulting from the collaboration of EU member states in the NIS Cooperation Group, which weighed up these considerations and many more, are outlined in the figure below.
Division of Responsibilities between the EU and its Member States
At EU level, there already exist a number of instruments to enable and facilitate the implementation of the Toolbox measures – namely, the European Electronic Communications Code (EECC), the NIS Directive, and the Cybersecurity Act (CSA).
Firstly, the EECC replaced the previous EU telecommunications framework in late 2020; that framework already mandated network operators to implement certain high-level security measures. The EECC extends this with concrete provisions on compliance with international standards, security auditing and testing, monitoring, incident handling, and business continuity management, to name a few.
Secondly, the NIS Directive applies to all operators of essential services, including telecommunication providers, requiring them to implement appropriate security controls and, importantly, notify relevant national authorities in the event of a serious security incident.
Thirdly, the CSA establishes the European cybersecurity certification framework, enabling the creation of certification schemes targeting various sectors, including telecommunications and 5G. It further strengthens the role of the European Union Agency for Cybersecurity (ENISA), as explained later in this article.
In addition to these main pillars, there are of course other instruments which may also be utilized to support the Toolbox objectives, such as the Foreign Direct Investment (FDI) Screening Regulation and the General Data Protection Regulation (GDPR). Aside from regulation, the EU will play a role in coordinating joint efforts among member states and steering strategic investments towards relevant research and other projects.
On the other hand, the member states and their respective regulatory agencies will have to take on the specification and enforcement of Toolbox requirements on mobile network operators and services. As outlined above, these comprise technical aspects regarding generic security best practices and 5G specifically, but also longer-term considerations, such as an appropriate multi-vendor strategy.
As far as 5G suppliers are concerned, the member states will need to establish a transparent framework for assessing each stakeholder’s risk profile and take action accordingly. This may result in risk mitigations by way of restrictions (including potential exclusion), or jointly managing any residual risks with mobile network operators.
Empowering the European Union Agency for Cybersecurity
In addition to technical and strategic measures, the Toolbox defines several supporting actions to aid the effectiveness of those measures and cross-border collaboration within the EU. Such collaboration is expected to extend to, for example, incident response, crisis management, and the sharing of security-relevant information, supported by ENISA.
The agency should further facilitate the implementation of existing 5G security standards (e.g., those specified by 3GPP) by publishing best practices and guideline documents. Going forward, ENISA may even play a role in actively shaping industry standards. By coordinating a more active dialogue between national regulators and industry players at EU level, the goal is to influence standards development processes more effectively.
Lastly, ENISA also assumes the responsibility for the development of candidate certification schemes under the European cybersecurity certification framework.
Current State and Outlook
The latest comprehensive snapshot of the member states’ progress in implementing the Toolbox shows that, as of June 2020, there is still work to be done, with most measures scoring a ‘Medium’ maturity level. Moreover, the report only captures the implementation of steps to be taken at national level and does not reflect efforts to be taken at EU level. Nevertheless, the document concludes that the EU is moving in the right direction, as all member states reported concrete steps being taken.
Most recently, in early 2021, the European Commission requested ENISA to start working on a candidate cybersecurity certification scheme for 5G. Once fully specified and adopted, it will be yet another tool available to the EU member states to help ensure the security of 5G equipment, processes, and services.