c.2019 The New York Times Company
BRUSSELS — The advisory report, drafted with input from all 28 EU members, laid out the types of major security failures that 5G networks could be vulnerable to.
A 5G supplier from a “hostile” country could be forced by its home government to wreak havoc by causing cyberattacks, a European Union report warned Wednesday, but the bloc stopped short of naming Chinese giant Huawei, which was blacklisted by the United States after the White House labeled it a tool for espionage by Beijing.
It said that putting all functions of a 5G network — including hardware and software, operations and maintenance — in the hands of a single company could leave entire countries at risk.
In May, the U.S. Commerce Department put Huawei on a so-called entity list of firms that need special permission to buy U.S. components and technology because they have been deemed security threats.
President Donald Trump has called on the EU to follow his lead in banning the company from its market.
The EU’s report, intended to provide advice to member states, said that a “strong link” between a 5G technology supplier and a government “where there are no legislative or democratic checks and balances in place” could prove a major source of vulnerability.
The language appears to point to Huawei. The company has vehemently denied all allegations of being under the control of the Chinese government, stressing that it is owned by its employees and that only about 1% of the company is held by its founder.
The idea behind 5G, a major leap from 3G and 4G telecommunications technology used currently, is that it will become ubiquitous, connecting almost everything, from defense systems to domestic devices like refrigerators and coffee machines, to an ultrafast wireless network.
Huawei is thought to be ahead of other 5G equipment providers around the world, including EU companies such as Ericsson and Nokia, in being able to install networks. Also, it has traditionally been a cheaper provider of technology.
Trump and other critics contend that a 2017 Chinese law could be used to force Huawei to hack its customers through preinstalled “back doors” into the network’s software, on behalf of Beijing.
The European report sounded some related concerns. “In particular, as 5G networks will be largely based on software, major security flaws, such as those deriving from poor software development processes within equipment suppliers, could make it easier for actors to maliciously insert intentional back doors into products and make them also harder to detect,” it found.
Abraham Liu, Huawei’s vice president for Europe, has said that his company does not and will not use back doors to spy on customers.
“In the past, we have never planted any back door, and we are committed not to do anything like this, forced by any government, including U.S. government, Chinese government or any other government. We are committed to this,” he said in a recent interview.
The report presented Wednesday could pave the way for the European Commission, the executive arm of the EU, to recommend that its member states take additional security measures when procuring 5G networks.
But neither the European Commission nor the majority of national cybersecurity agencies in member states have shown much interest in complying with Trump’s demand that they ban Huawei. In part, this is down to practical concerns.
No single company, experts said, will be able to handle all the demand for 5G work once network operators begin making the transition. Therefore, unless Huawei is banned from the EU or by individual countries, it will most likely play some part in the continent’s 5G future.
And in Europe, Huawei already has a deep and long presence in countries like Britain and Germany, which other nations look to for expertise and guidance.
Huawei, Ericsson and Nokia did not immediately respond to requests for comment on the report.