Interview with cybersecurity experts from ENISA
The changing threat landscape affects the security and trust of current and future networks in Europe and worldwide. Eurescom message editor-in-chief Milon Gupta asked three cybersecurity experts from ENISA, the EU Agency for Cybersecurity, about the status, trends and strategies to deal with security threats: Goran Milenkovic is a cybersecurity expert in the Policy Development and Implementation unit of ENISA, primarily responsible for the telecom sector and for 5G security; Marnix Dekker leads the work of the Agency in the area of telecom security, cybersecurity breach reporting, and the security of cloud and digital infrastructure under the NIS Directive; and Apostolos Malatras is Team Leader of ENISA’s Knowledge and Information Team, in charge of the cybersecurity of emerging technologies, threat landscapes and foresight.
What are the major threats for current mobile networks including 5G?
Goran Milenkovic: Most of the major incidents coming out of the EU-wide incident reporting process are software bugs and hardware failures. Additionally, because a mobile network is a large, partly underground, partly above-ground ICT infrastructure, there is exposure to natural phenomena, cable cuts, power cuts and battery theft. 5G networks will have even more complex software, featuring machine learning, edge computing, network function virtualisation, and will rely on cloud services for the core network and outsourcing. Therefore, it will be a challenge for telecom providers to manage the new 5G technology and keep it secure. ENISA has worked over the last couple of years on 5G threat assessment and mapping the relevant landscape.
How will the growth of Cloud and IoT usage change the threat landscape in the next years?
Marnix Dekker: With IoT and 5G we are witnessing a diffusion of computing, shifting from traditional centralised cloud architecture to the edge and closer to the end users. 5G also changes how critical network functions are being implemented and deployed. Besides numerous technical security aspects that have to be considered, this shift means providers will have to rely on suppliers, but also additional players, like cloud service providers and system integrators. Overall the network setup will be more complex and there will be more dependencies, more outsourcing and a more complex supply chain landscape. At the same time there will also be changes on the side of the subscribers and the devices they connect to the networks with the arrival of IoT. These new IoT devices connected to the mobile networks will bring new risks for the availability and resilience of the networks.
How will the changing threat landscape impact security and trust of 5G and beyond networks?
Apostolos Malatras: The threat landscape is always changing. As we have seen recently, attacks by nation-state actors are a growing concern, especially for telecom providers. And novel technologies such as 5G also involve new risks and threats, but it is important to underline that 5G also brings important benefits, including several security improvements, like better encryption and better authentication. At the moment, the technical specifications are still being developed and a lot will depend on how they will be built into products and used by the operators. And that is not always as straightforward as it may seem. And let’s not forget complexity. Complexity is the enemy of security and in the case of 5G networks this is perhaps more evident than ever. One of the key risks identified in the EU coordinated risk assessment for 5G is the lack of cybersecurity skills and expert personnel on the side of the providers, to deploy 5G networks securely.
What will be the impact of technological dependence and efforts toward technological sovereignty on security and trust in the European 5G and beyond domain?
Goran Milenkovic: Indeed, 5G not only brings more technological complexity, it also changes the overall ecosystem and the telecom supply chains. There will be many new players, integrators, managed service providers, software vendors, etc. Because mobile networks are so critical for society, it is important to consider the different technology dependencies in order to avoid the risks of relying on one single supplier for our network equipment. The 5G cybersecurity toolbox includes specific measures and concrete recommendations to mitigate such risks, both at national level as well as at EU level by stepping up efforts for maintaining a diverse and sustainable 5G supply chain, and further strengthening EU capacities to develop 5G and post-5G technologies.
Which elements of the EU cybersecurity strategy should be implemented with priority?
Marnix Dekker: The EU cybersecurity strategy announced in December 2020 is a broad package containing new Commission initiatives, legislative proposals and also funding to secure Europe’s digital market in the near future. It contains for example a proposal for a revised NIS Directive, called NIS2, which will also cover the telecom sector. The strategy also explains the next steps on cybersecurity of 5G. It is not easy to pick some of these elements over others, but one of these worth mentioning is the issue of supply chain security, which is the subject of a growing concern, as we saw with the recent SolarWinds case.
New EU Cybersecurity Strategy
The new EU cybersecurity strategy was presented in December 2020. It contains concrete proposals for regulatory, investment and policy initiatives, in three areas of EU action: 1. Resilience, technological sovereignty and leadership; 2. Building operational capacity to prevent, deter and respond; and 3. Advancing a global and open cyberspace through increased cooperation.
Under the new EU cybersecurity strategy, Member States, with the support of the Commission and ENISA, are encouraged to complete the implementation of the EU 5G Toolbox, a comprehensive risk-based approach for the security of 5G and future generations of networks.
Further information – https://ec.europa.eu/commission/presscorner/detail/en/IP_20_2391
In spring 2020, SolarWinds, a major US information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months. Hackers had secretly broken into SolarWinds’ systems and added malicious code into the company’s network management system, a software called “Orion” that monitors the various components in the networks of its 33,000 customers. In December 2020, The Washington Post reported that the IT systems of several government agencies were breached via the Orion software. Russian hacker group Cozy Bear, which is said to be working for the Russian Foreign Intelligence Service, was reported to be behind the attack. In January 2021, CRN reported that the attack could cost cyber insurance firms at least $90 million.
The SolarWinds case showed an advanced level of sophistication and the kind of impact cyberattacks on supply chains can have. According to ENISA, supply chain attacks are constantly increasing their presence in the threat landscape and will require a step-up in defenses, also in Europe. The EU 5G Toolbox has a specific focus on supply chain security, and it is also an important focus area in the new EU cybersecurity strategy.