Committee on Industry, Research and Energy
Secure G: From telemedicine operations to fully networked production facilities, high-performance 5G networks are driving digitalisation in all areas of life, making it a very good opportunity for hackers to obtain highly sensitive data and metadata. Considering the possible advantages and risks of 5G networks, what can be done to ensure the highest possible level of security?
By Tris Westerman (NL)
The Case Study
Meet Charles. Charles is a father of 4 children and a real tech lover. His house is littered with smart devices such as a smart fridge, smart heater and an iPad for each of his kids. To stay up to date and have the quickest internet connection, Charles decided to switch to 5G. But then, everything went wrong. All of a sudden his smart devices were getting hacked and his children could no longer use their iPads. After contacting a professional it turned out hackers managed to infiltrate his home system using his smart fridge, something Charles never would have expected. Now Charles is confronted with a difficult dilemma: how to keep using the latest technologies, while at the same time staying safe and protected?
Abstract
What happened to Charles is a mere example, but a very realistic one. 5G makes our internet connections faster, stronger, and more reliable, but it also has a danger to it. Nowadays a lot of people are using smart devices such as smart fridges, cookers, and ovens to ease their lives. However, having all these smart devices interconnected in your house is also dangerous. This interconnection, also called the Internet of Things (IoT), makes it possible for hackers to easily connect from one smart device to another. Where previously a hacker was only able to get into your phone by accessing your phone itself, now they are able to do so through your smart water cooker. With 5G more and more devices are able to connect with each other, significantly increasing this risk. Furthermore, not only does 5G cause a security danger to ourselves, it can also interfere with satellites or aircrafts, posing serious security threats and even possible plane crashes.
Key Concepts
- 5G, abbreviation for 5th Generation, is the 5th version of internet connection between devices. This newest version allows for a very short response time between devices (latency) and allows high-speed data transmissions, which can be 100 times faster than the 4th generation.
- The Internet of Things (IoT) is a concept used to define the system of all smart devices using any sort of wireless connection with each other. IoT is used in our daily lives and we are in constant connection with it. As it is based on digital networks, hackers might try to misuse it in order, for instance, to obtain metadata which can be sold to companies or to collect banking information to hack into bank accounts.
- Metadata is data collected by comparing and analysing enormous amounts of information about a subject. This can be used to get a good understanding of people. Hackers might sell metadata to big tech companies who will then use this information for targeted advertisement or other purposes.
- Smart devices are devices that can work (semi) independently, interact with their users, as well as connect and share data with other smart devices or networks via wireless protocols.
- Security certification schemes are comprehensive sets of rules, technical requirements, standards and evaluation procedures applying to products, services and processes.
Key Actors and Stakeholders
The European Commission
This is the main EU executive body, responsible for proposing legislation, implementing decisions and making sure they are being followed. This is the institution that could propose and put into action any new legislation or restrictions on 5G. It has developed some initiatives to strengthen 5G security, such as the EU toolbox for 5G security.
Among the Commission’s Directorates-General, the one focusing on Communications Networks, Content and Technology (DG CONNECT) is particularly relevant. It focuses on developing and implementing digital policies. They fund research, innovation and deployment of digital technologies.
European Union Agency for Cybersecurity (ENISA)
The European Union Agency for Cybersecurity, ENISA, is the EU’s agency dedicated to achieving a high common level of cybersecurity across Europe, mainly by drafting cybersecurity certification schemes and increasing EU-level operational cooperation. It also carries out research on potential future cyber challenges. For example, it publishes a yearly threat landscape that analyses possible cyber problems that might arise in the future.
European Cybersecurity Competence Centre and Network (ECCC)
The European Cybersecurity Competence Center and Network is an organisation created in 2021 and is still being established. It is an executive agency of the EU and directly helps the European Commission manage EU programmes. Its mandate is to strengthen European cybersecurity capacity, that is development and deployment of cybersecurity technology. It aims at building an inter-connected, EU-wide cybersecurity industrial and research ecosystem by working with industry and the academic community. It will manage the EU funds for cybersecurity research and industry.
5G Infrastructure Public Private Partnership (5G PPP)
The 5G Infrastructure Public Private Partnership (5G PPP) is a joint initiative between the European Commission and European 5G industries. Their goal is to offer solutions to 5G infrastructure and help with the development of a European-wide reliable 5G network.
High-risk suppliers
5G is supplied by tech companies, not all of which are reliable. The European Commission has identified Huawei and ZTE as “high-risk suppliers” who could pose a potential danger to a secure 5G network. This is due to the high dependence of the EU on these suppliers, even though they have strong ties with third countries that do not uphold the same security standards as the EU.
What Has Happened so Far?
Action undertaken to increase security
Due to the importance 5G already has in day-to-day operations, and how much more society will rely on it in the future, it is very important to have a reliable 5G infrastructure. If hackers were to penetrate a 5G network, they could compromise its core functions to disrupt services or seize control of critical infrastructure, which in the EU often has a cross-border dimension. That’s why the EU has been focusing more and more on increasing its cybersecurity.
In 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy jointly presented “The EU’s Cybersecurity Strategy for the Digital Decade”, developed by ENISA. This policy document outlines strategies to increase cybersecurity by revising legislation, developing a European cyber shield, raising standards for IoT devices, and securing 5G networks and supply chains. Furthermore, in 2021, the Commission has tasked ENISA to prepare the EU’s cybersecurity certification scheme for 5G networks that will help tackle 5G risks. At the moment, there are various security certification schemes for IT products, including 5G networks, in Europe. A single common scheme for certification would make it easier for businesses to trade across borders and for customers to understand the security features of a given product or service.
The field of IoT
Certain smart devices are less secure, making it easier to hack them. Sometimes, companies might maintain a wireless connection to their sold items, in order to carry out services such as delivering updates when needed. When a hacker manages to hack one smart device and is able to trace it back to the selling company, they can connect to all the other sold smart devices through there. Upon connecting with all those sold devices, they will also be connected to people’s personal IoT systems, giving them access to several devices and potentially passwords and bank accounts. It is therefore extremely important for IoT devices to be safe and secure. However, it is not uncommon for IoT providers to have a lack of security, posing risks to passwords, locations, and other information of their users. Studies estimate that the economic impact of cybercrime may be as much as EUR 5,000 billion a year worldwide.
In order to address this issue, the European Commission has allocated EUR 40 million to eight research and development projects for IoT security. The most important one of these are SecurIoT, a project which provides services for risk assessment, IoT Crawler, a now finished project which researched smart communities to find secure ways of integrating IoT into society, and SOFIE, a project which aims to connect IoT platforms in order to find solutions together.
High-risk suppliers
In 2020, the European Commission has laid out an EU toolbox for 5G security. This toolbox underlines the importance of using 5G, but also acknowledges its potential dangers. Furthermore, it gives Member States guidelines on how to safely roll out a 5G network. However, in doing so the Member States have experienced certain difficulties, namely their reliance on big tech companies such as Huawei and ZTE. Indeed, the European Commission has identified them as ‘high-risk suppliers’ due to their likelihood of being influenced by specific third countries whose laws on security and corporate governance are seen as a potential threat to the security of the Union.
Due to these high risks, and based on an assessment of the criteria set out in the Toolbox for identifying ‘high-risk suppliers’, the Commission considers that decisions adopted by Member States to restrict or exclude Huawei and ZTE are justified and compliant with the 5G Toolbox. In other words, Member States can now decide to restrict or exclude suppliers on the basis of security risk analysis. But to date, only 10 of them have used these prerogatives. According to Internal Market Commissioner Thierry Beton, this is too slow, and it poses a major security risk and exposes the Union’s collective security since it creates a major dependency of the EU on unreliable partners and serious vulnerabilities.
However, the European Court of Auditors has raised some concerns. One of these concerns is European reliance on High-Risk suppliers, as there are not many 5G suppliers big enough to support the whole of Europe with 5G networking. Even though the EU has given the green light for Member States to block High-Risk suppliers, Member States often have no other choice than to accept them.
In 2023, to counter this, the European Commission founded the ECCC. The agency has been established to tackle and react to this dependency on foreign and unreliable actors, to foster the EU’s own cybersecurity industry and research so that it does not have to rely on High-Risk suppliers. The agency builds on the expertise that already exists in more than 660 cybersecurity expertise centres from all Member States and is supported by four pilot projects, which are running to lay the groundwork for the Competence Centre and Network.
Picture 1: EU Toolbox for 5G Security
- Food for thought
So what should be done now? 5G plays a key role in our everyday life, but it might also expose us to a significant and constant threat. How can the EU strengthen its safety whilst also making use of 5G to its fullest potential? How can we keep using our smart devices and not worry about potential hackers?
Below are a couple of examples of good videos and sites you should visit. I can highly advise you search the internet yourself as well, and gather as much information as you can. It is important to have a good understanding of the topic before the session. This subject might be a very technical and complicated one, and it might seem threatening at first, but I assure you that it is quite understandable after reading a bit about it. By watching the videos alone you should already have a good idea of the topic, and I am always here to help and support each and every one of you during the entire process with any doubts or questions you might have.
Valuable Links to Browse
If you are still wondering how 5G works, this article gives a comprehensive explanation of 5G: how it works, how the security works, and what the dangers are. But what really is the threat of 5G? Well, this short article by ENISA gives a quick explanation of their role in the threat assessment of 5G, and how they contribute to 5G security.
How does 5G security really work? What are all the steps behind encrypting and securing using a 5G network and why is it useful? This video gives a quick 8-minute explanation of 5G and its security aspects.
What are the dangers of 5G security? Why is it dangerous and what can we do about it? This video by VPN provider NordVPN gives a quick and good explanation of the downsides of 5G. It is only 3 minutes long but quite interesting to listen to.
Finally, a more in-depth video about the risks of 5G and what should be done about it, and how it can indirectly lead to more damage.