Huawei feels heat as EU plans exclusions of high-risk 5G vendors

The expected ‘toolbox’ won’t box out Huawei but would significantly limit its future role in Europe.

European cybersecurity officials will call on national governments to impose stricter limits on telecom operators and partial bans on ‘high risk’ suppliers, according to a new document on 5G security seen by POLITICO.

The officials plan to present their recommendations as part of a new security “toolbox” next week which includes a range of measures that aim to stop 5G networks from being hacked, disrupted or spied upon by foreign governments.

The measures do not mention Chinese 5G equipment maker Huawei by name. But the list of recommended actions would allow EU capitals to limit Huawei’s role in 5G networks across the Continent in coming years.

The plans are the latest — and arguably strongest — move by European lawmakers to reshape the EU-China relationship ahead of two critical summits this year that will feature discussions on trade tensions, technology and competition practices.

They mark the culmination of work on stricter 5G security rules that began in early 2019, following strong calls by U.S. officials about the risks associated with Huawei. The company denies posing any security risk.

Countries including France, the Netherlands and Italy have already beefed up their rules on telecom security, while Germany and the United Kingdom are in the midst of reviewing their rules amid intense public debate about Huawei’s role.

The “toolbox” follows an earlier warning in October by the same cybersecurity expert group that state-backed hacking groups are a major threat to the security of 5G networks — implicitly pointing to China and Chinese vendors as bearing a higher risk for European telecom operators.

In a “5G Risk Assessment” report, first reported by POLITICO, the Commission’s group of experts then said suppliers may be more risk-prone if there is a higher “likelihood of the supplier [of 5G network gear] being subject to interference from a non-EU country” through intelligence legislation, government control of a company’s management or a lack of “democratic checks and balances in place” to counter such espionage attempts.

In its new “toolbox” document, the cybersecurity experts in the NIS Cooperation Group — a forum for cybersecurity cooperation between European officials — urged EU capitals to take urgent steps to beef up network security and to minimize “the exposure to risks stemming from the risk profile of individual suppliers.”

The group includes representatives of national cybersecurity authorities, as well as members of the EU’s Cybersecurity Agency ENISA and the European Commission.

While the group’s recommendations are nonbinding, they are likely to push European governments to review and beef up their national security measures in the short term.

The toolbox is expected to be presented next week Wednesday in Brussels, together with a Commission “communication” document that sets out the EU’s view on how to move forward with the measures.

Exclusions

The “toolbox” document calls for capitals to apply new “restrictions — including necessary exclusions” on “critical or sensitive” parts of 5G networks. Those parts include core networks, network management functions and parts of the core networks that manage data traffic to base stations and antennas, the experts said.

While this would mean Huawei could face new significant market restrictions, it would not exclude the Chinese vendor from selling base stations and antennas in Europe right now. Such sales of so-called Radio Access Network equipment make up the lion’s share of 5G profits for suppliers.

New measures would also impose stricter rules on whether foreign companies can provide services to Europe’s network operators in the future, as telecom networks become more reliant on software.

Those restrictions and potential exclusions are targeted at “high-risk” vendors, which the EU previously defined as suppliers likely to be “subject to interference from a non-EU country,” the document said, and that are expected to include Huawei and its smaller Chinese rival ZTE.

The European cybersecurity experts are calling on national authorities to impose such limits.

But they stopped short of naming the high-risk vendors or clearly stipulating how national security agencies would name them.

Audits

The group also called on capitals to take a much stronger role in overseeing the security of telecom networks.

That would include setting up mechanisms to scrutinize private contracts between operators and their suppliers and setting up “audits” of telecom companies to check their security policies and “multi-vendor strategies.”

The document calls for “technical” measures including imposing baseline security policies, managing access of employees or contractors, updating and patching software, imposing stricter requirements on suppliers that procure gear and services and creating a certification scheme for 5G network components.

Click Here: Cardiff Blues Store

The group also called for pan-European measures, including setting up a review mechanism to track how capitals are imposing stricter rules. It said that EU countries should set up periodical reviews of the work on 5G security and allow the Commission and the EU’s cybersecurity agency ENISA to monitor the implementation of the measures.

“No single type of measure will be sufficient and instead a range of measures used in an appropriate combination, will be necessary,” the document said.

5G future of Europe

The document comes after a year-long debate on the role of Chinese telecom vendor Huawei in Europe.

U.S. and other Western security authorities have called for caution in procuring the Chinese vendor for critical services.

Huawei is the global market leader on 5G network equipment. It has dismissed fears that it would assist the Chinese government with espionage.

Proponents of Huawei’s network gear — including some of Europe’s largest telecom operators — have argued that cutting the vendor’s market access would cause Europe to fall behind in the global race to roll out 5G.

But Huawei’s critics and its European competitors Ericsson and Nokia have warned that the Chinese company undercuts the European market, makes Europe subject to Chinese pressure in the future, and poses serious cybersecurity risks.

Internal Market Commissioner Thierry Breton this week flagged 5G as a key industrial issue, arguing ”Europe holds half of all the patents in the world when it comes to 5G” while “China holds around 30 percent and the U.S. 14 percent.”

“5G is a highly decentralised network, which exponentially increases the surface of risk … We need to take these risks seriously, responsibly, without any naivety,” Breton wrote.

“Europe can count on its own suppliers of 5G technologies,” he added.

Throughout the toolbox document, experts impose a sense of urgency on national capitals to take action — many of which are in the middle of rolling out 5G networks. The majority of measures suggested by the experts would be taken “in the short term,” the document said.

A new telecom legislation was agreed in 2018 and will replace the existing telecom law in December 2020, the deadline for capitals implement it.