5G: Who is reading over your shoulder?

Should you worry about the new 5G network’s privacy and security? Delta discussed this issue with Professor of Cyber Security Michel van Eeten.

5G will make its entrance in 2020 and will be used for many other processes than the current 3G or 4G network. Just think about such things as smart devices, the internet of things (IOT), self-driving cars, remote medical operations, smart agriculture, stock management … What won’t it be used for?

‘Telecom companies are a gold mine for intelligence services’

According to Michel van Eeten, Professor of Cyber Security at TU Delft, there are also privacy risks in the 3G and 4G networks. Van Eeten mentions the Snowden revelations, when GCHQ, the British secret service, deeply hacked the Belgian telecom provider Belgacom. Van Eeten says that “telecom companies are a gold mine for intelligence services as conversations and messages can be easily tapped. You should always assume that other states have an interest in this information.”

He continues, “so the risks in the 5G network are not really any greater. With one proviso – countless societal processes are moving onto the mobile internet. The risks that we now have around the 3G and 4G network will be magnified because of the greater volume of activities on the 5G network.”

Chinese back doors
New equipment is needed to lay the 5G network. The frequency auctions will be opened this year and telecom providers can buy parts. The largest and cheapest supplier of parts is the Chinese company Huawei. The Americans, in the trade war with China, are trying to prevent other countries from investing in Huawei for their 5G network, arguing that Huawei builds in back doors for spying purposes. Even the AIVD has recommended the Cabinet to exclude Huawei from the heart of the 5G network. But Van Eeten says that “this is not what it literally says. It says that ‘the equipment may not come from a country with an offensive cyber programme’. If you would call Huawei by name, you’d be hauled into court. Under competition laws, you may not exclude an individual company. So they devised a general regulation to cover the situation. Coincidentally Huawei falls under that regulation. If there had been an American supplier in the running, this rule would probably not have been made. The Americans too have an offensive cyber programme.”

‘It does not really matter if it comes with a Chinese label’

Van Eeten himself does not believe that Huawei’s equipment poses a particular threat for spying. “First of all, that would be very stupid, even from the Chinese Government’s perspective, to explicitly incorporate a back door. The minute it would be discovered, it would be the end of Huawei. Secondly, and more importantly, Huawei does not have to incorporate anything. The 5G network equipment runs on a huge amount of software that has inherent vulnerabilities. It does not really matter if it comes with a Chinese, Swedish or an American label, the equipment is vulnerable. If the Chinese Government lets a bunch of competent hackers loose on a computer, they will find something. That’s simply how it works.”

The more expensive Ericsson
What often goes unmentioned in the discussion is that the 3G and 4G networks in the Netherlands are almost all Huawei. Van Eeten says that “if you want to exclude Huawei, you would have to rebuild the KPN network from scratch and be prepared to fork out a couple of billion euros. That’s not going to happen.”

Van Eeten continues. “KPN has invested little in 5G. It still has to start. For the peripheral equipment such as antennas, they could buy Huawei. For the computers at the heart of the network, they will buy more expensive Ericssons or Nokias.”

Geopolitical move
Van Eeten sees the new regulations that exclude Huawei from the core of the 5G network more as a geopolitical move. “I see it as a sort of payback for the three or four years that China carried out unlimited offensive cyber operations in the West. Whatever you think about the risks of Huawei, it could be desirable to give China a slap on the wrist. It may help encourage the country to operate a little more cautiously.”

‘The essential systems must be entirely secured’

Our network needs strong security to not be hacked. Van Eeten believes that much responsibility rests with the telecom providers. They should operate on the assumption that they could be attacked at any given point in time. “The essential systems must be entirely secured so that they do not communicate with the rest of the internet. A limited number of people could have access to the systems and they should continuously monitor what the equipment is doing. You must treat it as if it is in the intensive care unit.”

Telephone conversations
But what does the man on the street experience in terms of data espionage? Who would be interested in your conversations? Van Eeten answers that “if your telephone traffic would be intercepted by a foreign state, that would of course be the first thing that they throw out. But ultimately, what affects companies and governments, affects citizens in the long term. If it means that we suffer major economic losses, there will be fewer jobs.”

In any case, American investigation seems to show that there is little usable data among the enormous amount of information that the Chinese secret services have tapped, says Van Eeten. “Ninety-nine percent of the information is not interesting.” How you find that 1% that is useful is already hard enough. And even if you would find that information, what would you do with it as it will miss a lot of the contextual information. Van Eeten continues, “I believe that the societal impact of intellectual property theft – corporate espionage – is hugely overestimated.”

Sija van den Beukel / Freelance journalist