
Monday, May 18, 2020

5G and security: security of networks and equipment and security of mind

The Fifth Generation (5G) technology is expected to potentially affect almost every aspect of citizens' lives. Compounding this, the less centralised architecture of 5G networks, due to its features, requires smart computing power, more antennas and increased dependency on software to protect 5G networks from vulnerability to cyber-attacks. Therefore, ensuring the security of the European Union’s 5G networks is of utmost importance for all countries and the Union. In this process, operators are largely responsible for the secure rollout of 5G, with Member States responsible for national security, while network security is of strategic importance for the entire EU. The purpose of the EU toolbox on 5G Cybersecurity is to identify a coordinated European approach based on a common set of measures, aimed at mitigating the main cybersecurity risks of 5G networks. The short- and long-term objective will be to help Europe remain one of the leading regions in 5G deployment.
In order to ensure this, the toolbox would rely on the coordinated risk assessment report based on the results of the national cybersecurity risk assessments carried out by all EU Member States. The report outlines the main threats and threat actors, the most sensitive assets, the main vulnerabilities (including technical ones and other types of vulnerabilities) and a number of strategic risks. The document also lists a number of important security challenges that are likely to appear or become more prominent after 5G transformations. These hazards are predominantly linked to: key innovations in the 5G technology, in particular the important part of software and the wide range of services and applications enabled by 5G; the role of suppliers in building and operating 5G networks; and the degree of dependency on individual suppliers. For each of the nine risk areas identified in the EU coordinated risk assessment report, the toolbox should provide risk mitigation plans. The latter consist of possible combinations of strategic and technical measures.
Being an instrument for action, the toolbox recommends a set of key activities for the Member States and/or the Commission. In particular, Member States agreed to ensure that they put in place measures to respond appropriately and proportionately to the risks already identified as well as possible future risks, to strengthen security requirements for mobile network operators; assess the risk profile of suppliers; ensure that each operator has an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier (or suppliers with a similar risk profile); and ensure an adequate balance of suppliers at national level and avoid dependency on suppliers considered to be of high risk.
The development of the coordinated EU approach on 5G cybersecurity counts on the strong commitment by both Member States and the Commission to use and fully implement recommended measures. At the same time, the roll-out and operation of 5G networks is a matter of national security. In this respect, Member States can go further than what is proposed in the toolbox should they find a need to do so.
The EU toolbox directs that vendors assessed as high-risk based on factors including country-specific threat assessments be subject to “necessary exclusions [from] key assets defined as critical or sensitive.” In practice, this approach does not exclude any company outright but offers solutions to manage risk imposed by the politics of a vendor’s home jurisdiction. The UK, for instance, applies political, not just technical, criteria to determine the extent to which a company should be allowed involvement in 5G networks. The UK framework, in particular, defines Huawei as a “high-risk vendor,” taking into account China’s legal system and past cyberattacks by the Chinese state. High-risk vendors are restricted to the network’s “edge,” and even that presence is capped at 35 percent.
According to the Polish Digital Minister Marek Zagórski, Poland, a close ally of the United States, will also introduce tougher controls that would "limit the use of [telecom equipment] vendors who are suspicious or who are not necessarily trustworthy, or who do not stick to the security standards". To this end, Poland has signed an agreement with the U.S. government pledging to only allow "trusted" suppliers into 5G networks. The objective is to keep Chinese suppliers away from the national market. To strengthen its executive power, the agreement is being "translated into legal provisions."
Estonia and Romania signed similar deals with the U.S. government when Washington sought to have Huawei banned from the European 5G market in the past year. In their joint declaration, the US and Estonia stressed that a careful and complete evaluation of component and software providers was essential to guarantee “a robust and comprehensive approach to network security”.
Getting back to the Polish approach to 5G infrastructure, it is evident that the state takes all challenges related to these networks very seriously. Fifth-generation cellular network technology has only recently arrived in Poland, but given the fast-spreading superstitions that preceded its introduction, the Polish Digital Affairs Ministry has decided to publish a white paper on “Electromagnetic Fields and the Human Being” to debunk false claims and harmful misconceptions. The document, edited by the National Institute of Telecommunication and Medical School students of Jagiellonian University, “will help everyone understand what an electromagnetic field is and how can it be utilised for the good of Poland.” The white paper consists of four sections, three of which answer the most frequent questions regarding electromagnetic waves. The last part explains the relationship between electromagnetic fields and telecommunication, formulating, in particular, what 5G is. Communication aspects are treated in a multidisciplinary manner, combining physics, biology, and medicine, and Polish and international legal perspectives. The publication debunks the myth that the radiation of cellular telecommunication is as harmful as radioactivity. In addition, the white paper emphasizes the revolutionary impact 5G may have on the economy and society as a whole.
Compiled by Media 21 from


Monday, April 6, 2020

Conference on media security, held in Sofia, Bulgaria



Dr. Bissera Zankova, “Media 21” Foundation

Nowadays, the topic of debate is no longer whether or not society should digitize – we are already immersed in the digital reality. Companies know they must digitize in order to compete, organizations realize that the Internet is the foundation of modern culture and education, and the public sector adjusts its policy to respond to the changing needs.
The Internet was built on the idea of openness and transparency, and we have witnessed devices and people going online at an unprecedented scale throughout the last years. As the number of attack targets increases and the stakes grow, the exposure to and involvement in such threats increase and their complexity level grows rapidly.

A 2017 Cisco report stresses that “for most companies, one of the first things standing in the way of their digitization journey is the question of security”. The figures provided further prove this trend – 71 % of the executives are concerned that cyber-security will hinder innovation in their organizations, nearly 40 % have halted mission-critical initiatives due to cyber-security issues and 69 % are reluctant to innovate in areas such as digital products and services because of the perceived cyber-security risks. Companies that differentiate their business through secure technology gain competitive advantage and build a foundation for continued innovation.

It is no surprise that “the security issue” is a central topic of discussion in many local and international events, during which the diverse impact of the new technologies on companies, organizations and the media is examined. The Third National Conference on Media Security, held in Sofia (Bulgaria) in May 2019, conformed to this already established framework. The aim of the event was to raise both broader and more specific problems, while considering the role of media as the so-called “fourth power” in our modern society. The Conference further examined the historical reasons behind the present disintegration in the mentality of young Bulgarians and the new business challenges arising from fast-expanding technologies, including the risks of cyber-attacks.

The conference participants debated a variety of interrelated topics and reached the unanimous conclusion that the security factor should be taken into account when it comes to discussing online issues of any nature. The solutions proposed – ranging from abstract to more specific – were dominated by a critical and pessimistic stance. According to Raycheva, digitization could be perceived as the new media demon of Frankenstein. In the same vein was the opinion that the blending of IT and Ad technologies has resulted in a loss of individuality and lack of creativity in the journalistic profession, instead turning it into “robojournalism”. Commercialization prevails and we live in a digital chaos, Todorov concluded.

On the other hand, there is the problem of the lack of legislation on the matter of cyber security – looking at the Bulgarian laws, it can be stated that they are not capable of efficiently protecting children on the internet, and the Bulgarian legislation is rather weak compared to the laws in the US and Turkey (Iliev). Analyzing internet usage among adolescents, it can be concluded that they are mostly active on internet games, Facebook and Snapchat. Since the beginning of 2019, eighteen pedophiles have been convicted, but the number of effective sentences is low – instead, the majority of the judgments are suspended. Legal difficulties exist with respect to imposing penalties on the owners of the websites that spread fake news, as there are no incriminating legal norms in force on the matter. The General Directorate for Combating Organized Crime knows the identity of the violators of the law, but the recently transposed GDPR and its related legal impediments pose difficulties in terms of the implementation of legal measures.

When examining “Internet” as the new business environment and analyzing the possible business models to be pursued, Angova and Valchanov came to the conclusion that there is a strong link between the development of communication technologies and the innovative business initiatives of media organizations. This new environment, marked by information and communication technologies, strengthens the understanding of “paid online content” and replaces the traditional understanding of free circulation of products online. 

One of the biggest challenges posed to modern journalism is achieving a balance between the commercial interest in increasing asset returns and the mission to pursue quality journalism in the name of the public interest. Apparently, this blending does not settle, but instead deepens the conflict between the commercial and the socio-cultural goals of the media.

Focusing particularly on the types of cyberattacks, their initiators, goals and threats to inflict specific harms on people and company operations, Tzenkova referred to an analysis of the World Economic Forum, dated November 2018, which reviewed more than 120 000 entities in 140 countries and defined cyber-attacks as the biggest risk for European business development. The “New York Times” reports that the personal data of over 500 million guests of the “Marriott” hotel chain had been stolen by 2018 year-end. The data breach was classified as “part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans.” The potential business losses are enormous, thus provoking the need for companies to adopt special cyber security strategies, which shall involve technical and organizational measures, as well as the evolution of a cyber security culture. Tzenkova underlines that entrepreneurs should acknowledge the fact that they might become potential targets of a cyber-attack at any moment and they should adjust their management and train their staff in order to ensure cyber security.

Getting back to the notorious “Analytica” data scandal, Vangelov shared thoughts on the Facebook risks and its omnipresence in our lives. As of March 2019, the network had 2.38 billion active users per month – users who allow it (i.e. Facebook) access to important personal information at its disposal. Vangelov cites Giovanni Buttarelli, a European Data Protection Supervisor, who supervises an independent European Union authority that provides consultancy on privacy-related laws and policies. In his work, Buttarelli warns that “every single action, every single relationship is carefully monitored,” and “people are being treated like laboratory animals” on Facebook. Vangelov proposes two lines of action against data breach – one through system regulators and another through the users’ self-regulation. Users can sue Facebook or take precautionary measures including deactivation or deletion of their accounts, while system regulators can supervise the activities of Facebook by adopting agreements (at a governmental level) or through the work of the judiciary. The GDPR can also be used as a tool against online data theft and abuse.

The forum was an occasion for Bissera Zankova and Anelia Dimova to present the main characteristics, goals and findings of the COMPACT project, registered under the title “Social media and convergence, social media and regulation” on behalf of “Media 21” Foundation. Their presentation focused on the unique holistic approach applied within the project, enabling it to explore social media and convergence from different perspectives and to raise awareness about the multifarious effects of this complex process. The conferences organized by COMPACT and the symposium, to be held in Sofia in November 2019, merit particular attention. Topics like the everyday online threats and the security of adolescents against internet violence are at the core of the upcoming meeting in Sofia.
The media security conference raised more questions than answers. Discussions on such hot topics, however, should expand.
http://reports.weforum.org/global-risks-2018/global-risks-2018-fractures-fears-and-failures/?doing_wp_cron=1559043154.4802060127258300781250