Your browser is not supported. Please update it.

29 November 2022

EU and UK intensify 5G security and self-sufficiency efforts

The European Union has a large number of projects focused on security and self-sufficiency in critical technology platforms, ranging from satellite (see separate item), to 5G Open RAN and sovereign cloud. Of course, reinforced security systems must be an integral part of all these infrastructure initiatives, in the light of current geopolitical tensions related to China, Russia and the Middle East, among others. The latest move by the European Commission is to invite companies, government agencies and others to submit proposals for “innovative cybersecurity solutions for 5G network infrastructure”.

While 4G and its predecessors could be seen as luxuries rather than part of critical national infrastructure, the increased capabilities of 5G, and its inclusion in most national digital and industrial strategies, has changed all that. That was at least the nominal reason given by the USA and some European governments for excluding Chinese vendors from their 5G networks, citing fears about spyware and vendors’ links to the Chinese state (Huawei, in particular, denies all such claims).

But whoever may be seen as the threat in the future, the EC (the EU’s governing body) aims to develop a wide range of secure services to protect 5G network infrastructure and the traffic and transactions it carries. The EC is offering €176.5m ($181.2m) in grants to organizations to improve the mechanisms and infrastructure that will enhance cybersecurity cooperation between the EU member states and the Commission.

“The calls aim to strengthen the cybersecurity of 5G network infrastructure by supporting secure services and by improving the testing and certification capabilities of tech solutions and services,” the EC said in its release. “The respective grants will also support the implementation of the new rules on cybersecurity of network and information systems (the NIS2 Directive) into national legislation, as well as the capacity of security operations centers (SOCs) across the EU to collect and share information on cyber-incidents.”

The aim is to improve the EU’s cybersecurity resilience and capacity to “protect, detect, defend and deter cyber-attacks”. Proposals must reach the EC by February 15 2023.

There are specific goals associated with China, and while there is no outright EU-wide ban or sanction on using Chinese 5G equipment, some countries have imposed their own restrictions, and some operators have moved away from Huawei in their 5G roll-outs, presumably concerned about potential future bans. They will be looking to the experience of operators in the UK (no longer in the EU), which have been instructed to remove Huawei equipment from 5G networks. Three of the UK’s four MNOs had planned to use Huawei kit in their 5G build-outs.

Recently, the EC has encourage member states to consider moving away from “high-risk vendors”, with those from China being in the spotlight. “We are urging member states who have not yet imposed restrictions on high-risk suppliers to do that without delay, as a matter of urgency,” said Margrethe Vestager, European Commissioner in charge of digital issues.

In 2020, the EC unveiled a toolbox of mitigating measures agreed by the EU member states to address 5G-related security risks. The aim was to encourage the states to adopt a common approach based on a region-wide assessment of identified risks and mitigating measures.

The assessment has been conducted and includes both technical and non-technical risks, the latter including the risk of interference from non-EU states or state-backed actors, through the 5G supply chain.

Having agreed the toolbox, member states will start to implement it. The main agreements are to:

  • strengthen security requirements
  • assess the risk profiles of suppliers
  • apply relevant restrictions for suppliers considered to be high-risk, including exclusion from supplying technologies, such as the 5G core network, that are considered to be critical and sensitive
  • devise strategies to ensure the diversification of vendors.

“The countries who have put the toolbox in use have done that differently, reflecting that there is a different legacy in different countries, which is exactly as we would expect,” said Vestager. “A number of countries have passed legislation, but they have not put it into effect. Obviously, passing legislation is a good thing – making it work is even better.”

The UK may not be part of the EU any longer, but it is addressing similar issues of 5G security and supply chain resilience, sometimes in a similar way to the EU. One important tool will be the UK’s Product Security and Telecommunications Infrastructure Bill, which aims to address device-side security issues as well as smoothing the path for 5G and fiber deployment.

This legislation is nearing the end of the process of consultation and debate and has been approved by Parliament, and is now expected to be passed before year end.

The security aspects of the bill focus on smart gadgets, with the UK government claiming that only 20% conform to basic security requirements. The new rules would “require manufacturers, importers and distributors to comply with new security requirements relating to consumer connectable products; and create an enforcement regime with civil and criminal sanctions aimed at preventing insecure products being made available on the UK market”.

In its infrastructure-focused provisions, the bill tries to address a key issue that can slow the progress of build-outs – the process of securing approvals from landlords and site owners to install equipment. The bill acknowledges “difficulties when negotiating requests for rights to install, use and upgrade telecoms infrastructure”, as well as a “lack of clarity and consistency” in the process of renewing site agreements.

The bill proposes changes to the existing Electronic Communications Code, which governs these matters, to “encourage collaborative negotiations for agreeing new – and renewing expired – agreements”. One measure would be to require operators to consider the use of Alternative Dispute Resolution rather than legal proceedings when there are problems with agreeing terms, since this should be faster and less expensive. The legislation would also enact “new provisions to enable operators to obtain Code rights over certain types of land quickly in circumstances where a landowner does not respond”.

“We are pleased the Bill has been approved by Parliament,” said digital infrastructure minister Julia Lopez. “It will improve the use of existing infrastructure and help landowners and telecoms companies agree deals quicker – meaning people get better mobile and broadband sooner, no matter if they live in a city centre flat or village farmhouse. The legislation will also strengthen cyber protection to make sure the UK has the strongest security regime for smart tech in the world.”

Despite its exit from the EU, the UK is still a key area of interest for companies supporting Open RAN, whose bid to disrupt the traditional supply chain is helped by the initiatives by many governments to foster more open, yet locally-centered, ecosystems. The UK has been particularly amenable to the USA’s demands to exclude Chinese vendors from 5G and fiber networks, and one of its operators, Vodafone, has been a significant champion of Open RAN, and of developing European capabilities in areas such as RAN chipsets.

Now Rakuten, whose Symphony vendor arm aims to commercialize its multivendor RAN platform with operators round the world, has set up a Customer Experience Center in the UK, which will support operators across Europe and the Middle East. The Center will open by the end of 2023 and complement existing European facilities. Rakuten’s biggest European base is in Germany where new mobile entrant 1&1 Drillisch plans to deploy the Symphony platform to support its 5G network, with the Rakuten unit providing integration as well as technology.

The UK center will “offer telecom operators and industry suppliers in the European and Middle East region direct experience and testing of the latest technological advances” from Symphony, and will help to “validate equipment interoperability, establish exhibition facilities to demonstrate the latest technologies and conduct workshops”.

There will be an exhibition facility to demonstrate how the latest Open RAN hardware and software can improve operational efficiency and enable new services.

No partners have yet been announced for the new center, which is to receive an unspecified level of funding from Japan’s Ministry of Internal Affairs and Communications (MIC). MIC already has a joint project with the UK government’s Department for Digital, Culture, Media and Sport (DCMS) to “increase supplier diversity in the telecom sector” and engage in “closer cooperation to solve global telecoms supply chain issues” in 5G and future 6G.

The UK government has been publicly supportive of Japanese vendor NEC’s bid to use Open RAN to expand its reach in this market globally, and NEC has opened a Global Open RAN Center of Excellence just outside London. Both NEC and Rakuten have built close ties with Vodafone and Virgin Media O2, the most active UK operators in Open RAN.

Rakuten Mobile already has two Mobile Open Innovation Labs in Japan, one at the Tokyo Institute of Technology and the other at the University of Tokyo.

It is not just the Open RAN challengers that are eyeing the UK. Ericsson has announced that it plans to invest $11.9m over the next 10 years in a UK-based 6G research program, which will bring together universities, operators and vendors to investigate 6G network resiliency, security, artificial intelligence, cognitive networks and energy efficiency. There will be 20 dedicated researchers as well as supporting PhD students working on a platform that is sure to become part of national hi-tech leadership goals as 6G starts to be defined.