EU states told to restrict Huawei and ZTE from 5G networks ‘without delay’

The European Commission told member states on Thursday to restrict “without delay” high-risk equipment suppliers from their 5G networks, with the Chinese vendors Huawei and ZTE being specifically highlighted as representing “materially higher” risk.

The warning follows a progress report on 5G cybersecurity revealing that of the European Union’s 27 member states, all but three have either passed or are in the process of passing laws allowing them to make these restrictions.

A spokesperson for the Commission confirmed that the three member states were purposefully not identified. The call to restrict these suppliers is a recommendation and is subordinate to the assessments made by member states’ national authorities.

In a speech accompanying the report, Thierry Breton, the European commissioner for the internal market, complained that of the 24 member states who have at least begun to develop the capacity to exclude high-risk vendors, to date only 10 have actually done so.

“This is too slow, and it poses a major security risk and exposes the Union's collective security, since it creates a major dependency for the EU and serious vulnerabilities,” said Breton.

According to the progress report, the current situation creates “a clear risk of persisting dependency on high-risk suppliers in the internal market” which has “potentially serious negative impacts on security… across the EU and the EU's critical infrastructure.”

Beijing has accused the West of falsely claiming that Chinese equipment poses a security risk, alleging that the restrictions are actually a protectionist economic measure.

Huawei, whose equipment has been scrutinized by a special unit at the British cyber and signals intelligence agency GCHQ since 2010, has stressed that this scrutiny has never uncovered a “backdoor” — although it has identified “serious and systematic defects in Huawei's software engineering and cyber security competence.”

One such defect, discovered in 2020, was considered “nationally significant” and of such severity that it was withheld from the company itself, although the agency said it “does not believe that the defects identified are as a result of Chinese state interference", and stressed there was no evidence the vulnerabilities were exploited.

Huawei and ZTE are also both subject to U.S. sanctions, which means the companies cannot access U.S. technology and software in the design and production of their products, something which GCHQ said made its oversight of those products “significantly more challenging, and potentially impossible.”

Bart Groothuis, the cyber rapporteur for the European Parliament, said that the issue with Huawei and ZTE “is not a secret backdoor in their hardware or software.”

“One is always just one software update away from inserting a new backdoor. The actual problem is the ties these companies have with the Chinese state.”

Western concerns regarding the risk posed by Chinese equipment vendors are often expressed in the context of Beijing’s offensive cyber espionage activities and China’s National Intelligence Law of 2017, which allows the state to “compel anyone in China to do anything,” as the National Cyber Security Centre summarized it.

Groothuis described 5G as the future nervous system for the political, strategic and military aspects of the state. “It is unthinkable that we allow our adversaries in such critical networks,” he told The Record.

“Past open source reporting has shown an overlap between Huawei personnel and Chinese spies. In the case of hackers group APT3, Boyusec and CNITSEC, Huawei vulnerabilities have been exploited against European targets,” he added.

Citing the response to the invasion of Ukraine, Thierry Breton praised the Union’s ability to “reduce or eliminate our dependencies in other sectors such as energy in record time, when many thought it was impossible.”

“The situation with 5G should be no different: we cannot afford to maintain critical dependencies that could become a ‘weapon’ against our interests. That would be too critical a vulnerability and too serious a risk to our common security,” he warned. “I therefore call on all EU Member States and telecom operators to take the necessary measures without further delay.”