Software issues, as well as vendor lock-in, are potential cybersecurity weak spots for telecommunications companies all over the world looking to integrate 5G, according to a new European report.
The European Commission and the European Agency for Cybersecurity issued a report earlier this week, which argues that, for 5G to work, telecommunications companies will increasingly rely on software, for things like network virtualisation and slicing.
If, due to a lack of skilled staff, the telcos turn to suppliers for software support, they could be putting their entire operation at risk.
"The increased role of software and services provided by third party suppliers in 5G networks leads to a greater exposure to a number of vulnerabilities that may derive from the risk profile of individual suppliers," the report states.
"Major security flaws, such as those deriving from poor software development processes within equipment suppliers, could make it easier for actors to maliciously insert intentional backdoors into products and make them also harder to detect. This may increase the possibility of their exploitation leading to a particularly severe and widespread negative impact."
According to the report, countries shouldn’t just look at the technical qualities of their potential suppliers and analyse the “non-technical vulnerabilities related to 5G networks”, which includes having connections and/or doing business with the government. It also includes potential problems like any lack of legislation, or “democratic checks and balances”, as well as the lack of security or data protection agreements between the supplier’s country and the EU.
"In particular, hostile third countries may exercise pressure on 5G suppliers in order to facilitate cyberattacks serving their national interests," the report states. "The degree of exposure to this risk is strongly influenced by the extent to which the supplier has access to the network, in particular its most sensitive assets, and by the risk profile of the individual supplier."
The media argue that the report has Huawei written all over it, even though the company’s name was never mentioned.