Governance & Risk Management , IT Risk Management
Join Huawei and ZTE Ban, EU Official Urges European Nations
5G Infrastructure: Only 10 EU Countries Have Restricted or Banned High-Risk VendorsEurope hasn't done enough to block Huawei and ZTE equipment from entering 5G networks, a top European Union official said while urging countries "lagging behind" to be more aggressive against the Chinese manufacturers.
See Also: 2024 In Review: A Tactical Guide For Top External Cyber Risks and Vulnerability Management
Fewer than half of trading bloc members so far have excluded "high risk" suppliers from high speed cellular networks, finds a report issued Thursday by the EU's Network and Information Systems Cooperation Group.
The report's publication comes as EU Internal Market Commissioner Thierry Breton has sought to pressure more European countries into moving against the two companies, which have become a byword for cybersecurity risk in countries suspicious of the Chinese government.
"I can only emphasize the importance of speeding up decisions to replace high-risk suppliers from their 5G networks. I have also reminded the telecoms operators concerned that it is time to get to grips with this issue," Breton said in a speech Thursday. "We will continue to work with determination with the member states that are lagging behind."
European officials' concern stems from Chinese law requiring vendors to make changes to their products and services that the government might require. As a result, they warn, Beijing could require vendors to facilitate espionage or curtail product availability during trade wars or hostilities.
Multiple countries - including the United States, the United Kingdom, Canada, Australia, New Zealand and Japan - have banned or restricted the use of equipment built by high-risk Chinese vendors from their 5G networks.
The Chinese government, as well as Huawei and ZTE, have continued to decry any bans of the networking technology, claiming it poses no security or espionage risk.
All 27 EU member states in 2020 unanimously agreed that their legislatures need the power to restrict or ban the use of equipment manufactured by Shenzen-based Huawei and ZTE from their 5G networks. As of Thursday, the European Commission reported that only 10 EU member states have such bans or restrictions in place. Reached for comment, an EU spokesman declined to name those countries.
Another 14 EU member states are still preparing the required legislation that would allow their governments to restrict the use of vendors based on a number of criteria, including cybersecurity, supply chains and espionage concerns, while three countries have yet to even do that, according to the NIS Group report.
"This is too slow, and it poses a major security risk and exposes the union's collective security, since it creates a major dependency for the EU and serious vulnerabilities," Breton said.
European officials say failing to excise high-risk technology poses a risk to users and organizations across Europe, not least due to spillover from cyberattacks that target telecommunications infrastructure and supply chains, which could affect health, finance, energy and other sectors.
EU's 5G Cybersecurity Toolbox
In January 2020, the EU unanimously agreed on a so-called toolbox for 5G security and vendor assessment, which is designed to ensure that member states coordinate their approach to securing 5G networks. On Thursday, the EC released an updated version of the 5G cybersecurity toolbox.
Developed by the EU's NIS Group, the toolbox details strategic, technical and nontechnical risk factors that member states should assess, which include looking at each supplier's risk profile - which for non-EU vendors includes potential for "state interference" - as well as their cybersecurity acumen and supply chain practices.
"Given the importance of the connectivity infrastructure for the digital economy and dependence of many critical services on 5G networks, member states should achieve the implementation of the toolbox without delay," the commission said in a Thursday communication.
The communication also makes clear that any EU member state that opts to ban or restrict Huawei or ZTE from their telecommunications networks is acting in accordance with the toolbox.
The EU's 5G Observatory, which tracks the bloc's 5G efforts, reported that as of April, 5G services are available in every EU member state and that about four-fifths of the EU's population is now covered by at least one operator offering 5G services.
Officials say they're working with member states that have yet to implement the toolbox to try and speed their efforts. While the EU hasn't made complying with the toolbox mandatory, if noncompliance continues, officials may yet explore "possibly legislative avenues" for forcing compliance, the NIS Group's report said. The European Commission said it's also now implementing the toolbox for its own procurement processes, which includes factoring it into research and development grants.
Breton said leaders in EU member states have proved that they can move quickly when dealing with pressing issues of national security, and they should do so now where 5G is concerned.
"We have been able to reduce or eliminate our dependencies in other sectors such as energy in record time, when many thought it was impossible," Breton said, referring to changes wrought by the Russia-Ukraine war. "The situation with 5G should be no different: We cannot afford to maintain critical dependencies that could become a 'weapon' against our interests."