The European Union has just published a raft of measures - a toolbox in EU jargon - to enable its members to mitigate cyber risks. "According to the EU coordinated risk assessment report, the measures concern the security of stakeholders in the 5G ecosystem, which are mainly mobile network operators and their suppliers, in particular telecoms equipment manufacturers," the report reads.

The measures set out by the EU fall into two categories: strategic and technical, complemented by targeted support actions. Each of these measures is associated with a level of risk backed by positive or negative implementation factors and the time required for implementation.

It has thus identified 8 strategic 5G cyber risk mitigation measures and 11 mitigation measures at the strategic level.

In addition, a roadmap has been specified: Member States are invited to take "concrete and quantifiable steps to implement the set of key measures according to the recommendations contained in the conclusions associated with the EU toolkit" by 30th April 2020. Then to draw up by 30th June 2020 "a report by the SRI Cooperation Group on the state of play of the implementation of these key measures in each Member State, based on the reports and regular monitoring carried out in particular within the SRI Cooperation Group, with the assistance of the Commission and ENISA".

This announcement comes at a time when the 28 members of the Union have agreed to give priority to local players, Nokia and Ericsson, for 5G core network technologies, de facto excluding players such as Huawei. This does not mean, however, that the Chinese manufacturer's equipment will disappear altogether, as it will, for example, be able to offer it for non-sensitive parts of the network in the UK, while being capped at 35% of the 5G market. This prospect seems far from being a topical one in Germany, where the government is said to have evidence of Huawei's connivance with the Chinese intelligence services...

 Read the article

Source : Le Monde Informatique

On 22th November last, the Arcep adopted the procedures for allocating frequencies in the 3.5 Ghz band. Two days later, the government announced the reserve price below which it did not intend to transfer the first portion of spectrum dedicated to the 5G mobile network. And the operators make a face: the floor price seems far too high to them.

4 sets of 50 MHz allocated to each of the four operators at a fixed price of 350 million euros. Then 11 blocks of 10 Mhz that they will then compete at auction, bidding 70 million euros. 2.17 billion, while Orange, SFR, Bouygues Telecom and Free did not expect this reserve price to exceed The Arcep even campaigned for a prize of 1.5 billion "grand maximum".

In an interview at Les Echos, however, Agnès Pannier-Runacher presents this amount as "reasonable". In particular with regard to the sums paid by German or Italian operators. The representative of Bercy also argued that this figure corresponds to that determined by the Commission des Participations et Transferts, which "analyses the price below which the French people's assets do not seem to him to have to be sold".

A discourse that clashed with the operational and financial reality of 5G, reacted the operators. "This decision is not consistent with what has been put forward by the government in recent months," said Arthur Dreyfuss, President of the TFF. It constantly warns the State against a price boom that would deprive operators of the means to invest in deployment afterwards. Especially since the obligations assigned to them in return for the allocation of frequencies seem too ambitious.

5G frequencies too expensive: another dispute on the road to the future mobile network. Their disagreements relate not only to the reserve price, but also to the size of fixed-price blocks, the pace of deployment, 5G hedging obligations and the duration of licences. A non-exhaustive list of demands on which the regulator is far from having satisfied the Telecom Quartet.

Against the advice of Arcep, which favoured 60 MHz blocks, the state finally opted for 50 MHz. "With 50 MHz blocks, for a total of 310 MHz, the risk is that one operator will get twice as many frequencies as another," explained Sébastien Soriano, President of the Arcep, in Le Figaro. Bouygues Telecom and Free fear that they will lose out in the deal as they are less well equipped financially to bid higher.

Iliad also called for the removal of the third milestone in the deployment of 5G sites - 12,000 at the end of 2025 - for operators who would not obtain the famous 60 MHz. Arcep did not grant this right, but this obligation has been reduced to 10,500 sites. An adjustment reflecting the many criticisms encountered by the initial schedule. This assumed an acceleration of 1,000 sites per year from 2020 to 2022 and then to 2,500/year in 2023-2024 and 4,000/year in 2025 alone.

Bouygues Telecom, Orange and Free replied that they were unplayable, citing technical, financial and administrative constraints. Operators simply do not have the means to make the "leap" of 4,000 sites initially expected in 2025, argues Bouygues Telecom. For whom, moreover, "there is also no capacitive need of this magnitude on this horizon".

8,000 sites in 2024 and 10,500 in 2025 finally but not only in urban areas. The Arcep intends to ensure that the deployment of 5G will also benefit low-density areas, in line with government expectations. The regulator initially proposed to extend this obligation to the 22,000 municipalities of priority deployment areas (PDAs) as defined by the 2015 decision on the allocation of 700 MHz frequencies.

Again, there was no unanimity on this idea. Bouygues Telecom is not going about it in four ways: "Hedging obligations are very heavy and inconsistent with the object sold". For the operator, the 3.4-3.8 GHz band is intended for uses primarily for capacity, so that its use "is not relevant in sparsely populated areas".

Also mentioned by other actors, an approach consisting in prioritizing 5G deployments on "territories that we are sure will not benefit from FttH before a date to be determined". One of the approaches mentioned by Cerema or by the Assembly of French Departments is to use fixed 5G to compensate for future deficiencies in very high wireline broadband.

Finally, the opportunity to add the ZDP perimeter to the very recent list of "Industrial Territories" is suggested by several actors: Cerema again, but also Banque des Territoires or Orange. An addition finally retained by the Arcep in its specifications.

The last point of contention on the part of operators is the granting of 5G licences for an initial period of only fifteen years, which can be extended by five years after the Arcep's assessment. The Authority considers that this period is "appropriate to the level of investment required to fulfil the obligations under the procedure". Not Orange, Bouygues Telecom and SFR: the trio believes that this will not be enough to make their investments profitable.

 Read the article

Source : DegroupNews

In a report published with the European Agency for Cybersecurity on securing 5G networks, the European Commission warned EU Member States of the dangerousness of new wireless telecommunications technology. For the Commission, the deployment of 5G risks "creating a new security paradigm that requires a reassessment of the current policy and security framework applicable to the sector and its ecosystem and is essential for Member States to take the necessary mitigation measures".

In more detail, this report calls for a review of the current design of 3G and 4G networks and warns against the use of a single supplier, particularly those not based in the European Union, without however mentioning the name Huawei. "The increased role of software and services provided by third party providers in 5G networks leads to greater exposure to a number of vulnerabilities that may result from the risk profile of individual providers".

The European Commission also explains: "While 5G network technology and standards will also bring some security improvements over previous generations, several important challenges arise from new features of the network architecture and the wide range of services and applications that may in the future depend heavily on 5G networks. [...] Major security breaches, such as those resulting from poor software development processes among equipment suppliers, could facilitate the malicious insertion of intentional backdoors into products by actors and make them more difficult to detect. This can increase the likelihood that their exploitation will have a particularly serious and widespread negative impact".

The report adds that EU Member States should not judge 5G network providers solely on their technical qualities and assess them on the basis of "non-technical vulnerabilities related to 5G networks", such that the provider's country has "no legislative or democratic control and balance in place, or in the absence of security or data protection agreements between the EU and the given third country" or that the structure of the provider's owner and the ability for its own country to "exert any pressure, in particular with respect to the manufacture of equipment". If Huawei's name is not mentioned, it is impossible not to think about it...

As a result, Huawei once again defended itself against any interference from the Chinese authorities: "We are a 100% private company, 100% employee-owned, and cybersecurity is a top priority: our end-to-end cybersecurity assurance system covers all process areas, and our solid experience proves that it works".

No one is saying that the Commission will respond to this extended hand, since it has apparently also decided to sweep away another option proposed by Huawei. Indeed, the Chinese manufacturer had indicated that it could be satisfied with intervening only on parts considered less sensitive in the future 5G networks of EU Member States.

The European Union's next steps will result in the publication of a range of mitigation measures to address the identified cybersecurity risks at the national and EU levels by 31 December 2019. Finally, Member States should assess the effects of the Recommendation in order to determine whether further measures should be taken by 1 October 2020. This assessment should take into account the results of the coordinated European risk assessment and the effectiveness of the measures.

 Read the article

Source : ZDnet