Comment
Security assessment of suppliers of telecommunications infrastructure for the provision of services in 5G technology

https://doi.org/10.1016/j.clsr.2021.105556

Abstract

The process of commencing services based on 5G technology has begun. One condition for starting up 5G technology is the distribution of the frequencies required for the provision of those services. For the first time in the process of making frequencies available, requirements have arisen pertaining to the security of the infrastructure necessary for the provision of those services. In the EU, recommendations have been drawn up, based in particular on an NISCG report entitled Cybersecurity of 5G networks EU Toolbox of risk mitigating measures. In this article, an analysis is made of the implementation of those recommendations concerning suppliers of infrastructure, based on examples from selected EU countries, in order to ensure that such assessments are objective and transparent. In some cases, the provisions implementing the recommendations do not fully protect the fundamental rights of the entities assessed as foreseen in EU and domestic law, particularly the right to a fair trial before an independent court. I propose certain changes in the regulations pertaining to suppliers of telecommunications equipment.

Introduction

Around the world, the process of commencing services based on 5G technology has begun. One condition for starting up 5G technology is the distribution of the frequencies required for the provision of those services. Frequencies are distributed through a selection procedure, that is, a choice is made of what entities are to obtain those frequencies. In some European Union (EU) Member States, those auction proceedings have concluded; in others, they are ongoing.

In order to provide services using 5G technology, appropriate infrastructure is also necessary. In the selection procedures organised in the past aimed at choosing the operator to which the frequencies needed to provide services are granted, the issue of choosing suppliers of the infrastructure necessary for the provision of those telecommunications services has not been raised or regulated. For the first time, with 5G technology the issue has arisen of how to guarantee security in connection with the country of origin of the producer of the equipment used to build the infrastructure through which services using that technology are to be provided.

In the EU, there are general regulations in force concerning the protection of electronic communication networks.1 In particular, these include Directive of the European Parliament and of the Council (EU) 2018/1972 of 11 December 2018 establishing the European Electronic Communications Code (Recast) (the “EECC”),2 Directive of the European Parliament and of the Council (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”),3 Regulation of the European Parliament and of the Council (EU) 2019/881 of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity), and ICT Cybersecurity Certification and replacing Regulation (EU) 526/2013 (“Regulation 2019/881”).4 The provisions of the EECC, which replace Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (the “Framework Directive”),5 were to be introduced into the domestic legal orders of EU Member States by 21 December 2020.

Recently, regulations have also been approved in the EU concerning the security of infrastructure and services provided in 5G technology. On 26 March 2019, the European Commission approved Recommendation (EU) 2019/534 on the Cybersecurity of 5G networks, C/2019/2335 (the “Recommendation”).6 In the Recommendation, reference is made to threats to the cybersecurity of 5G networks, and Member States are called upon to make their own risk assessments and to review domestic measures.7 All EU Member States have already completed their domestic risk assessments concerning 5G network infrastructure and have sent the results to the Commission and to ENISA. On the basis of those domestic risk assessments, on 9 October 2019 a report was published entitled EU coordinated risk assessment of the cybersecurity of 5G networks.8 The report was prepared by the Network and Information System Cooperation Group (the “NISCG”) formed on the basis of the NIS Directive. The report contains analyses, but does not formulate guidelines for specific actions to be taken by EU countries. Recommendations within this scope were drawn up only at the end of 2019. In November of that year, a report entitled ENISA Threat Landscape for 5G Networks ENISA9 set out a catalogue of possible threats to 5G networks.

On 29 January 2020, the NISCG published a report entitled Cybersecurity of 5G networks EU Toolbox of risk mitigating measures (the “5G Toolbox”10). On the same date, the Commission adopted Commission Communication COM (2020)50 Secure 5G deployment in the EU – Implementing the EU Toolbox,11 in which it endorsed the 5G Toolbox conclusions and underlined the importance of their effective and quick implementation, and called on Member States to take concrete steps to implement them. The 5G Toolbox sets out potential risk areas and remedial measures. One of the risk categories in the 5G Toolbox is risks connected with suppliers of 5G infrastructure (p. 5). Remedial measures are divided into strategic measures and technical measures (p. 12). Among the eight remedial measures are “assessing the risk profile of suppliers and applying restrictions for suppliers considered to be high risk – including necessary exclusions to effectively mitigate risks – for key assets”, and “ensuring the diversity of suppliers for individual MNOs through appropriate multivendor strategies”.

In its conclusions in the 5G Toolbox, the European Commission called on Member States to take steps to implement the set of recommendations made by 30 April 2020, and to prepare a joint report on the implementation of the recommendations by 30 June 2020. Particular Member States prepared reports on the implementation of the 5G Toolbox recommendations within that time. In July 2020, the NIS Cooperation Group, supported by the European Commission and ENISA, drew up a Report on Member States’ Progress in Implementing the EU Toolbox on 5G Cybersecurity.12

On 10 December 2020, ENISA published guidelines for ensuring a common approach to the security of electronic communications networks and services (Guideline on Security Measures under the EECC) (the “Guideline”).13 That publication is an update of ENISA’s technical guidelines of 2014 concerning security measures issued on the basis of Art. 13a of the Framework Directive (Technical Guideline on Security Measures).14 It contains technical guidelines for telecommunications security authorities concerning security supervision as required pursuant to Art. 40 and Art. 41 EECC.15 Among the 29 high-level security objectives listed under the eight security domains, we find the security objective: Security of third party assets. The purpose of these actions is to establish and maintain a policy containing security requirements for contracts with third parties in order to ensure that dependencies on third parties do not negatively affect the security of networks and/or services.16

A supplement to the Guideline is 5G Supplement – to the Guideline on Security Measures under the EECC (the “5G Supplement”).17 The 5G Supplement focuses on the cybersecurity of 5G networks at the policy level related to the EU 5G Toolbox. Within domain D1 (Governance and Risk Management), we find security objective SO 4: Security of third party assets. Depending on the national approach in respect of assessing high-risk suppliers (as per the 5G Toolbox measure SM03), this may also include requirements for MNOs to conduct an assessment of the risk profile of their key suppliers.18 The 5G Supplement refers to the description of risk provided in the 5G Toolbox.

The purpose of this article is to analyse how the recommendations of the 5G Toolbox and the 5G Supplement for evaluating suppliers of infrastructure have been implemented, and whether the countries analysed have protected the fundamental rights foreseen in EU and domestic law; the analysis uses examples from selected EU Member States, namely Germany, Sweden and Poland, in order to guarantee objectivity and transparency. Based on that analysis, remarks and specific proposals are provided as to the implementation of the recommendations of the 5G Toolbox and the 5G Supplement in respect of assessing suppliers of telecommunications equipment.

Section snippets

The implementation of security regulations from the 5G Toolbox and the 5G Supplement in domestic legal orders

Introducing the provisions of the 5G Toolbox and the 5G Supplement pertaining to assessing suppliers of telecommunications infrastructure requires defining and resolving a series of issues, which can be divided into three groups. The first is the issue of where the provisions implementing the provisions of the 5G Toolbox and the 5G Supplement should be located, that is, to what legal regulations additions should be made or what separate regulations should be created. The second group of issues

Conclusions

An analysis was made of the manner of implementing the recommendations of the 5G Toolbox and the 5G Supplement within the scope of assessing suppliers of infrastructure, using the examples of selected EU countries, from the perspective of guaranteeing objectivity and transparency in assessments and ensuring the protection of the fundamental rights foreseen in EU and domestic law enjoyed by the entities such assessments concern. That analysis leads to the conclusion that certain solutions and

Declaration of Competing Interest

The authors declare no conflict of interest.

References (60)

  • Previously, Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory...
  • OJEU L No. 321, p. 36....
  • OJEU L No. 194, p. 1....
  • OJEU L No. 151, p. 15....
  • OJEU L No. 108, p. 33 as amended....
  • OJEU L No. 88, 29.3.2019, p....
  • https://resilience.enisa.europa.eu/article-13, accessed on 20.06....
  • https://ec.europa.eu/commission/presscorner/detail/en/IP_19_6049, accessed on 25.07....
  • https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks, accessed on 30.08....
  • https://ec.europa.eu/digital-single-market/en/news/cybersecurity-5g-networks-eu-toolbox-risk-mitigating-measures,...
  • https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=64481, accessed on 25.08....
  • ...
  • https://www.enisa.europa.eu/publications/guideline-on-security-measures-under-the-eecc/, accessed on 20.12....
  • ...
  • https://www.enisa.europa.eu/publications/guideline-on-security-measures-under-the-eecc/, p. 16, accessed on 20.12....
  • https://www.enisa.europa.eu/publications/guideline-on-security-measures-under-the-eecc/, p. 20, accessed on 20.12....
  • https://www.enisa.europa.eu/publications/5g-supplement-security-measures-under-eecc/, accessed on 20.12....
  • https://www.enisa.europa.eu/publications/5g-supplement-security-measures-under-eecc/, p. 14, accessed on 20.12....
  • J Laws (2018)
  • J Laws (2004)
  • Lag om elektronisk kommunikation, SFS-nummer, 2003:389, http://rkrattsbaser.gov.se/sfst?bet=2003:389, accessed on...
  • Journal of Laws of 2020, item...
  • ...
  • J Laws (2020)
  • J Laws (2019)
  • See the draft of 29 July 2020 of the Act on the Electronic Communications Law,...
  • ...
  • Telekommunikationsgesetz vom 22 Juni 2004, BGBl. I S. 1190 as amended,...
  • https://www.gsma.com/security/network-equipment-security-assurance-scheme/, accessed on 29.07....
  • European cybersecurity certification frameworks should constitute a basic tool supporting the promotion of cohesive...