The European Court of Auditors (ECA) has launched an audit to assess whether the EU and its member states are implementing secure 5G networks in a timely and concerted manner.
The fifth generation of mobile and wireless telecommunication systems (‘5G’) offers ultra-highspeed connection supporting not only individual users but also a high number of connected devices, known as the ‘internet of things’. In this way, it marks a revolutionary advance on the former standards, 3G and 4G.
The audit follows on from ECA’s recent review of the EU’s response to China’s state-driven investment strategy, which flagged 5G security as an issue of concern. In that review, ECA looked at the multiple risks – mainly of an economic and political nature – China’s state-driven investment strategy poses to the EU, as well as the opportunities it presents.
Just before the end of 2020, EU and China concluded in principle the negotiations for a Comprehensive Agreement on Investment (CAI).
According to the Commission, the agreement will create a better balance in the EU-China trade relationship. The text of the agreement will need to be legally reviewed and translated before it can be submitted for approval by the EU Council and the European Parliament.
In the new audit, ECA will examine the EU’s 5G set-up, the European Commission’s support for the member states, and the latter’s 5G roll-out and consideration of security concerns.
The audit will focus on network security, encompassing cybersecurity and hardware. The auditors will cover action taken since 2016 and examine data gathered in a sample of four member states: Finland, Germany, Poland and Spain. The final report is expected in a year’s time.
“The way 5G is deployed across the EU will affect many aspects of citizens’ life, through developments such as e-health, smart cars and smart electricity networks. 5G will also impact Europe’s digitalisation efforts and, due to its cross-border nature, the functioning of the single market,” said Annemie Turtelboom, the Belgian ECA Member leading the audit.
According to ECA, a reason why 5G demands a concerted EU approach is that its infrastructure and potential threats to its security are of a cross-border nature. Any significant vulnerabilities and cybersecurity incidents concerning networks in one member state would affect the EU as a whole.
In recent years, the EU has allocated considerable funding to 5G projects in member states, including loans by the European Investment Bank. The EU’s action plan envisages the launch of 5G services in all member states by the end of 2020. By October last year, 5G had been deployed in 17 EU countries plus the United Kingdom.
A European Commission study estimates that benefits of €113 billion a year will arise from the introduction of 5G capabilities across four key strategic industries – automotive, health, transport and energy. It also indicates that 5G investments are likely to create 2.3 million jobs in the member states.
The division of responsibilities relating to 5G networks and their security is complex. The Commission supports and coordinates member states’ action on technical and security aspects; national authorities are responsible for developing and implementing their 5G plans as well as ensuring security.
Furthermore, telecom operators are responsible for the roll-out of secure 5G networks using vendor equipment. A recent study shows that several vendors have applied for patents in the 5G industry: the main ones are China’s Huawei (16%) and ZTE (10%), South Korea’s Samsung (14%) and LG (12%), and Europe’s Nokia (11%) and Ericsson (7%).
5G brings potentially enormous economic opportunities but raises also serious security questions. To inform about its 5G audit, ECA organised a webinar (7 January). Among others Michael Chertoff, a former US Secretary of Homeland Security, talked about the geopolitical aspects of 5G and the US approach.
Considering the US strained relations with China, what role does Chertoff play in the audit?
“Auditing is also listening, so we also listen to experts from academia, think tanks, international organisations and the private sector,” ECA member Turtelboom replied. “For our special reports on technical topics, we often consult experts to hear their views and expertise on a particular topic so as to enhance and deepen our own analysis, and to be able to focus on particularly relevant areas.
“Michael Chertoff is a renowned expert on national security and cybersecurity issues, advising governments and businesses. He has written extensively on the topic of 5G security, so we invited him to share his views and the transatlantic perspective on 5G security. In the course of our audit, we will be hearing other expert voices, not least during an expert panel on this topic.
Has ECA any opinion on the security concerns raised in some member states concerning Huawei?
“5G technology is an area where a concerted EU approach could have advantages, especially regarding cybersecurity concerns, which might have an impact on the functioning of the internal market,” she replied. “But we found in our previous audit that the EU member states have had diverging responses regarding cooperation with China on 5G.”
“Some of them took a cautious approach, but continued to work with the Chinese technology company Huawei to roll out 5G networks, for example in Germany and Belgium. While others decided to halt cooperation with Chinese providers of 5G technology, as was the case with the Czech Republic after having received a security warning.”
In Sweden, an intelligence agency also issued a security warning against the protests of Swedish telecommunication company Ericsson, which is operating in China and fears retaliation if Chinese companies are banned from participating in tenders for 5G in the EU.
ECA’s audit will touch upon the role of telecommunication companies such as Huawei, which according to a 2019 study is the main vendor holding patents in the 5G industry, Turtelboom added.
“While the purpose of our audit will not be to judge whether it is good or bad that a particular member state restricted the access to a particular vendor, we will seek to establish whether the member states’ different approaches towards high-risk vendors constitute a problem for the EU, and we will report on it in one year’s time.
Will ECA assess the Commission’s toolbox on 5G?
“We cannot put the cart before horse and jump to any conclusions. In fact, we are still very early in the audit process. But what is clear is that member states are implementing the necessary security measures of the 5G Toolbox at a different pace and in a different way. We will look at this issue in more detail during our audit and provide our final conclusions and recommendations in one year’s time.”
The Brussels Times