The EU Assesses Cyber Security and 5G Networks

Rebecca Lucas
Commentary, 25 October 2019
Cyber, Cyber Security, European Union, Technology, Europe
The EU’s consolidated risk assessment of the cyber security of 5G networks is not just about Huawei. It highlights wider cyber security risks to 5G networks. Given the lack of market incentives to address these risks, regulation to safeguard 5G networks is becoming more likely.

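Earlier this month, the EU’s Network and Information Security (NIS) Cooperation Group released its Coordinated Risk Assessment of the Cybersecurity of 5G Networks. The final report consolidates individual input from member states, which was not publicly released, into a comprehensive risk assessment of the international 5G threat environment. It describes threats, threat actors, assets, vulnerabilities, risk scenarios and existing mitigation measures. The European Network and Information Security Agency (ENISA) is also compiling a private, more detailed mapping and analysis of the overall findings. Both efforts are part of the EU’s focus on the security of 5G networks. The next stage is a mitigation tool kit scheduled for release in December.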

Public Discussion 

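Initial public discourse about the EU assessment has, as expected, focused on the risks from non-EU suppliers and possible implications if the Chinese company Huawei supplies 5G network infrastructure components. The report identifies states and state-backed actors with offensive cyber capabilities as the most dangerous threat to 5G networks, based on ‘a combination of motivation, intent and high-level capability’. It also describes the threat from insiders or subcontractors who build or maintain 5G network components, ‘particularly if leveraged by states’.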

However, the cyber threat to 5G networks is not just from those who build and maintain them. While malicious state-led cyber activity from 5G infrastructure suppliers is an important consideration, the report highlights many additional risks that the public discussion, including initial media reports, has not sufficiently addressed.

5G Threat Actor Landscape

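Both state and non-state actors pose cyber threats to 5G networks. For the former, the report identifies state actors and insider threats as separate, though overlapping, categories, underscoring that even if excluded from the 5G infrastructure supply chain, states and state-backed actors retain the ability to threaten the ‘confidentiality, availability, and integrity’ of 5G networks. As the NCSC has pointed out, Russia has hacked into UK systems numerous times without ever supplying telecommunications components. A narrow focus on Huawei, therefore, risks obscuring broader questions about the measures necessary to adequately secure 5G networks from a diverse set of adversaries.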

The threat from non-state actors could come from organised crime, hacktivists, or individuals who seek personal financial gain. Once again, there is an insider threat from individuals within vendors providing 5G network components or maintenance. 

Network Vulnerabilities

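As the cyber threat environment is dynamic and unpredictable, the report devotes significant space to identifying 5G network vulnerabilities arising from poor engineering or deliberate manipulation of components. It is important to note that these vulnerabilities could be exploited by all threat actors, not just those who build and maintain 5G networks. There are two main areas of vulnerability: network design and security; and the supply chain.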

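Decisions about architecture and network access are an important way of safeguarding 5G networks. Segmentation and redundancy, for example, can help a network remain resilient should one or several components fail. The report gives examples of poor network design, including failure to: properly implement international standards; mitigate existing vulnerabilities in legacy networks; account for change management and software updates (including remote access policies); and consider physical security risks to network components. In sum, 5G networks are vulnerable not only to malicious state or non-state actors, but also to human error, natural disasters, or simple bad luck.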

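Supply chain risks relate to the location of production facilities and the quality of design processes. So-called ‘reliable’ vendors are not immune to human error, and the apparent nationality of any given product provides no reliable guide to where its components were actually designed or manufactured. Many equipment suppliers headquartered in other countries, including Nokia (Sweden) and Ericsson (Finland), have factories and subcontractors in China that are vulnerable to government pressure. People at any level of the supply chain could also insert backdoors without the knowledge of subcontractors, let alone the final vendor, either independently or at the behest of a malicious state or non-state actor. While poor software development practices increase this risk, the scale of the supply chain makes it impossible for operators to guarantee that network components are free from all vulnerabilities.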

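Finally, the report points out two overarching risks stemming from the small number of 5G vendors. First, operators or countries could become dependent on a single vendor, which could give that vendor considerable leverage; if the vendor is a state or state-backed actor, this has political consequences. Second, relying on a single vendor’s equipment leaves the network open to a potential single point of failure or exploitation. While short-term measures, such as purchasing equipment from multiple vendors or ‘vendor diversity’ throughout the network can mitigate this impact, only a few vendors can provide this equipment. The problem is therefore likely to require long-term solutions.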

Next Steps

As a follow up to this risk assessment, the EU will release its tool kit of proposed mitigation measures for member states in December. So far, though, consumers have been unlikely to pay a premium for a ‘more secure’ 5G service, while securing supply chains or designing resilient network architecture involves a considerable up-front investment. This lack of existing market incentives means government regulation will likely be necessary to secure 5G networks. As the report notes, the security of these networks is an important component of national security, especially as 5G coverage and usage expand across society. Governments must therefore either incentivise or compel companies and their shareholders to pay those initial up-front costs to ensure the security of telecommunications infrastructure.

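Further intervention from governments should seek to articulate the broader risks associated with 5G networks, not just those from one country or one company. Such risks are often highly technical and not easily accessible to a broad audience. This may be part of why there is an increasing emphasis on China’s human rights record and unfair trade practices to justify Huawei bans. They may also stem from less well-known actors. The EU 5G risk assessment and planned tool kit are positive steps in this direction, as are country-specific efforts like the UK’s Huawei Cyber Security Evaluation Centre. While approaches to 5G cyber risk management may well be based on political and economic considerations, policy decisions must also account for evidence-based cyber security concerns.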

The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.

Author

Rebecca Lucas
Research Analyst, Cyber Threats and Cyber Security

Rebecca Lucas is a Research Analyst in Cyber Threats and Cyber Security. Her current work focuses on managing risks stemming from the...
