The EU 5G Risk Assessment and the German proposal to amend the security catalogue both recognise that protecting end-users requires addressing two different types of risk, technical and non-technical, each on the basis of a reliable and robust examination.
The technical assessment is a relatively straightforward question of security: it involves technical considerations that can be vetted by various means. The non-technical assessment, by contrast, is primarily about the trustworthiness of the vendors, and their autonomy is increasingly emphasised: influence from foreign governments could coerce a vendor into pursuing objectives that conflict with European or German interests.
The question of trust can be assessed against objective criteria such as transparency concerning a vendor's ownership structure and decision-making processes, or the laws of the country in which the supplier is headquartered, judged by aspects like the rule of law, the separation of powers and the independence of the judiciary. Not least, recent discussions have also highlighted the legal obligations laid down in national intelligence laws.
While the EU-wide approach to mitigating the two categories of risk identified in the EU risk assessment has yet to be finalised (the so-called EU toolbox is not due until the end of December 2019), the German draft proposal has already taken that step.
The German draft proposal is comprehensive and consequential on the technical front: it identifies several important mitigation measures to protect the end-users of telecommunication networks, not just 5G. These include:
- Network traffic must be monitored continuously for any abnormality.
- Critical network and system components may only be deployed after an appropriate acceptance test and must be subjected to regular security checks.
- All regulatory requirements on national security, telecommunications secrecy and data protection must be met.
However, after much stakeholder criticism, the final draft omits requirements on source code inspection. Such requirements contribute little to network security while consuming scarce expert time on examining millions of lines of code: networks do not run the source code itself but the binaries produced by a compilation process, and malicious code can be injected during that process, i.e. after any such examination.
The BSI, the German cybersecurity agency, prides itself on having 150 employees in its certification department to carry out a meaningful technical assessment of the security of German networks. Every vendor must be certified as technically secure, which means that even a trusted vendor could fail the technical assessment and thus be treated as a threat. However, none of those 150 employees is involved in assessing the non-technical factors. Instead, trustworthiness rests on a self-declaration, without any assessment by an independent authority.
The German paradox of thoroughness on the technical aspects while treating trustworthiness only pro forma raises some questions. To begin with, one may question the merits of such a self-declaration: would any supplier, including one that does not meet the requirements, decline to sign such a declaration in the first place?
Secondly, it raises the question of whether Arne Schönbohm, the head of the BSI, is colour-blind when it comes to the merits of different political systems and their impact on security. For instance, an Apple iPhone is famously designed in California and manufactured in China. Since Schönbohm sees no qualitative difference between the political systems, he is in effect stating that the rule of law is immaterial to trustworthiness.
But this analogy falters: iPhones are not within the scope of network security at all. Consumers may choose a brand or device they trust, but they have no choice over which components their operators use, nor even the right to demand disclosure of that information. Interestingly, major German corporations may have some choice, as certain spectrum bands are reserved for specific industries, effectively allowing them to become their own operators and to use whatever equipment they like.
Thirdly, a more stringent assessment (i.e. not a self-declaration) is also required under federal public procurement rules (see points 2 and 13) when the federal government acquires communication services for its own use. In other words, given the absence of consumer choice and of any assessment by an independent authority, the conclusion is that the trustworthiness of 5G suppliers is only relevant when federal agencies and large corporations are the end-users, but not for consumers or the vast majority of corporations.
Some civilian products inevitably have implications for national security. In such cases, the fault line is whether rules imposed by a non-democratic government, without separation of powers or an independent judiciary, are materially different from those imposed by a democracy under the rule of law, where vendors may object to such obligations and end-users may seek judicial redress. But at least for the head of the BSI, there is simply no such difference.