Interview with cybersecurity experts from ENISA

The changing threat landscape has impacts on security and trust of current and future networks in Europe and worldwide. Eurescom message editor-in-chief Milon Gupta asked three cybersecurity experts from ENISA, the EU Agency for Cybersecurity, about the status, trends and strategies to deal with security threats: Goran Milenkovic is cybersecurity expert in the Policy Development and Implementation unit of ENISA, and he is primarily responsible for the telecom sector and for 5G security; Marnix Dekker leads the work of the Agency in the area of telecom security, cybersecurity breach reporting, and the security of cloud and digital infrastructure under the NIS Directive; and Apostolos Malatras, is Team Leader of ENISA’s Knowledge and Information Team, in charge of the cybersecurity of emerging technologies, threat landscapes and foresight.

What are the major threats for current mobile networks including 5G?

Goran Milenkovic: Most of the major incidents coming out of the EU-wide incident reporting process are software bugs and hardware failures. Additionally, because a mobile network is a large, partly underground partly above-ground ICT infrastructure, there is exposure to natural phenomena, cable cuts, power cuts and battery theft. 5G networks will have even more complex software, featuring machine learning, edge computing, network function virtualisation, and rely on cloud services for the core network and outsourcing. Therefore, it will be a challenge for telecom providers to manage the new 5G technology and keep it secure. ENISA has worked over the last couple of years on 5G threat assessment and mapping the relevant landscape.

How will the growth of Cloud and IoT ­usage change the threat landscape in the next years?

Marnix Dekker: With IoT and 5G we are witnessing a diffusion of computing, shifting from traditional centralised cloud architecture to the edge and closer to the end users. 5G also changes how critical network functions are being implemented and deployed. Besides numerous technical security aspects that have to be considered, this shift means providers will have to rely on suppliers, but also additional players, like cloud service providers and system integrators. Overall the network setup will be more complex and there will be more dependencies, more outsourcing and a more complex supply chain landscape. At the same time there will also be changes on the side of the subscribers and the devices they connect to the networks with the arrival of IoT. These new IoT devices connected to the mobile networks will bring new risks for the availability and resilience of the networks.

How will the changing threat landscape impact security and trust of 5G and ­beyond networks?

Apostolos Malatras: The threat landscape is always changing. As we have seen recently, attacks by nation-state actors are a growing concern, especially for telecom providers. And novel technologies such as 5G also involve new risks and threats, but it is important to underline that 5G also brings important benefits, including several security improvements, like better encryption and better authentication. At the moment, the technical specifications are still being developed and a lot will depend on how they will be built into products and used by the operators. And that is not always as straightforward as it may seem. And let’s not forget complexity. Complexity is the enemy of security and in the case of 5G networks this is perhaps more evident than ever. One of the key risks identified in the EU coordinated risk assessment for 5G is the lack of cybersecurity skills and expert personnel on the side of the providers, to deploy 5G networks securely.

What will be the impact of technological dependence and efforts toward technological sovereignty on security and trust in the European 5G and beyond domain?

Goran Milenkovic: Indeed, 5G not only brings more technological complexity, it also changes the overall ecosystem and the telecom supply chains. There will be many new players, integrators, managed service providers, software vendors, etc. Because mobile networks are so critical for society, it is important to consider the different technology dependencies in order to avoid the risks of relying on one single supplier for our network equipment. The 5G cybersecurity toolbox includes specific measures and concrete recommendations to mitigate such risks, both at national level as well as at EU level by stepping up efforts for maintaining a diverse and sustainable 5G supply chain, and further strengthening EU capacities to develop 5G and post-5G technologies.

Which elements of the EU cybersecurity strategy should be implemented with ­priority?

Marnix Dekker: The EU cybersecurity strategy announced in December 2020 is a broad package containing new Commission initiatives, legislative proposals and also funding to secure Europe’s digital market in the near future. It contains for example a proposal for a revised NIS Directive, called NIS2, which will cover also the telecom sector. The strategy also explains the next steps on cybersecurity of 5G. It is not easy to pick some of these elements over others, but one of these worth mentioning is the issue of supply chain security, which is the subject of a growing concern, as we saw with the recent SolarWinds case.

 
Goran Milenkovic

Marnix Dekker

Apostolos Malatras