EU Warns of 5G Risks Amid Scrutiny of Huawei
European Union analysis cites new security risks related to telecom infrastructure and suppliers
By Anna Isaac and Parmy Olson, wsj.com, 11 October 2019
A Huawei display at a technology exhibition in Dubai this month. Photo: Ali Haider/Shutterstock
Earlier in the week, the EU released a public report warning that hostile states or state-backed actors posed a security threat to new 5G mobile networks being rolled out around the world. 5G promises faster connection speeds and the ability to link lots of devices—from cars to pacemakers—to the internet.
Separately, in a nonpublic risk analysis that EU member states have recently circulated, governments raise specific security threats posed by telecom-equipment suppliers, particularly from countries with “no democratic and legal restrictions in place.” A draft of the analysis, which hasn’t been previously reported, was reviewed by The Wall Street Journal.
The new assessment has raised alarm among officials in European capitals over Huawei, in particular, according to officials familiar with the report. Huawei has been a big supplier of network gear in large European economies like the U.K. and Germany. European leaders will lay out specific guidelines for member states on how best to approach issues of security within 5G networks later this year.
“These vulnerabilities are not ones which can be remedied by making small technical changes, but are strategic and lasting in nature,” said a person familiar with the debate inside the European Council, the bloc’s top political policy-making body.
The draft analysis doesn’t name Huawei specifically as a suspect vendor. But the Chinese company’s large market position as a seller of equipment in Europe makes it the only significant target of scrutiny as a non-European supplier. Huawei is the world’s largest telecom-equipment maker, ahead of Nokia Corp. of Finland and Ericsson AB of Sweden.
A spokesperson for Huawei said it welcomed Europe’s “commitment to take an evidence-based approach, thoroughly analyzing risks rather than targeting specific countries or actors.”
The analysis said several member states have identified specific techniques that could be used in attacks, including the possibility that a vendor could insert concealed hardware, malicious software and software flaws into the 5G network.
The analysis also said member states had reported the risk of “uncontrolled software updates, manipulation of functionalities, inclusion of functions to bypass audit mechanisms, backdoors, undocumented testing features left in the production version, among others.”
An EU spokeswoman said member states have identified risks to telecom security that “may be related to the characteristics of individual suppliers, coupled with their particular role and involvement in 5G networks.”
The draft analysis reviewed by the Journal is a compilation of individual country reports on risks, threats and incidents involving telecom networks. The report is aimed at guiding European policy makers in creating guidelines for EU member countries, which can choose to adopt or ignore them.
The U.S. and Australia have long warned European allies that Huawei, in particular, poses national security risks. The U.S. says Huawei could be forced to spy on or disrupt networks on Beijing’s behalf, something Huawei has said it would never do.
The Chinese government has said it asks Chinese companies to follow local laws in international markets where they operate.
In some ways, Washington has shown a willingness to ease pressure on Huawei in recent months amid trade talks with Beijing.
Diplomats and U.S. security officials, however, have continued to lobby foreign allies to ban the company from networks and contracts. The report published by the EU earlier this week and the attention being paid to the separate risk assessment have both been viewed as a significant victory among U.S. diplomats, according to people familiar with the matter.
The U.K. recently moved to restrict Huawei, but only by banning its gear from “core” 5G network systems.
The draft report doesn’t specifically call out China, but officials familiar with the report say language used in the risk assessment refers to Beijing, among others. The report says vendors or operators that were linked to a nation-state “with a high geopolitical risk profile would increase the risk of espionage, especially where there were no democratic and legal restrictions in place.”
A spokesman for the Chinese Embassy in the U.K. said the country “firmly upholds cyber security and opposes and cracks down on all forms of cyber attack and cyber theft.” He said “irresponsible reports and accusations only serve to heighten tensions and confrontation in cyberspace and poison the atmosphere for cooperation.”
—Stu Woo and Catherine Stupp contributed to this article.