Position Statement
Data, Service and Network security in the area of 5G
Federation of German Industries
version: 14th February 2019
BDI welcomes the current discussions on security of digital networks, applications and data. In the age of digitalisation, the German industry requires a high-performance and secure network infrastructure. When it comes to the digital transformation, Germany is reliant on technical solutions from both national and international companies. A systematic ban of international suppliers from the establishment of digital infrastructure or the provision of digital devices would not be expedient from a technological, an economic or a temporal perspective.
To warrant the long-term security of digital data, services and networks, the German industry advocates the implementation of the following recommendations:
▪ Apply the same criteria to all suppliers
Ideally on a European level, the same rules, procedures and test criteria should apply for products and services. In case of a suspicion of espionage, manipulation or similar, the accusations have to be examined in detail. One rule must always apply: legal procedures require “hard facts”. This includes technological, economic and judicial knowledge.
▪ Impede unjustified political influence by third countries
In case of a suspicion of an exertion of influence on producers by third countries, this would require an in-depth analysis by the German federal government or the competent EU institutions/agencies. This analysis should include both the legal framework and the common practices to which a supplier or its subsidiary in a third country is exposed and which are relevant to their EU activities (e.g. required disclosure of data to public authorities). Under all circumstances, the admission or exclusion of a company and its offer must be based on transparent, justifiable criteria (e.g. a combination of technical, economic, political and judicial considerations).
▪ Allow for inspection of source code and development processes
With regard to digital infrastructure, the inspection of source codes and development processes could be a meaningful tool to strengthen trust in suppliers, apart from testing hardware components. Such inspections should be conducted by civil servants in companies. Afterwards, accredited certification bodies and/or the German Federal Office for IT-Security (BSI) could certify technologies which are employed in sensitive critical infrastructure (such as 5G networks). Also in this case, the principle “same duties for peers” needs to apply. Moreover, it has to be ensured that (1) the BSI has sufficient resources to test the source codes and development process of software and hardware, (2) it is clear which consequences will result from an inspection/testing without detecting security vulnerabilities, and (3) unauthorised third actors do not get access to source codes or information regarding development processes. When asking for the inspection of source codes, challenges such as emergency updates and the length of source code should be considered.
▪ Quickly develop Europe-wide security standards
In order to strengthen the European Digital Single Market and to effectively hinder unjustified access to data, uniform security standards applicable Europe-wide are required. In the framework of the EU Cybersecurity Act, a certification framework for 5G technologies should be quickly developed. Schemes that concern concrete products shall address the interplay between hardware and software as well as procedures such as update management and transparent software development. Regional security certifications need to be grounded in international norms. Moreover, they have to be compatible with international rules for mutual recognition. To achieve results in a timely manner, the expertise of German industry should be integrated in the development of cybersecurity certification schemes.
▪ Ensure effective oversight, sufficient resources and implement sanction mechanisms
Certification procedures shall always be conducted in close coordination between national oversight authorities (in Germany the BSI), network suppliers and operators, user industries, and accredited independent test centres. The German BSI requires both the financial resources and the personnel to test and certify those technologies defined as critical, not only once they are rolled out but continuously throughout their product life cycle. If a supplier does not meet formalised standards, strict sanctions are required.
▪ Establish a close dialogue with operators of critical ICT-infrastructure
In addition, the German federal government should enter a dialogue with operators of critical ICT-infrastructure. Their experience and technical expertise should be utilised as a basis for decision-making processes. The German industry is available for a trustworthy and issue-oriented exchange.
▪ Implement an innovation-friendly research and industry policy today for tomorrow
To ensure that Europe possesses a maximum degree of technological sovereignty in future technological developments, EU funding programmes, such as Horizon Europe, should be utilised in a target-oriented manner. An intelligent, targeted and innovation-friendly research and industry policy must be implemented now, to be digitally sovereign in future.
▪ Sensitise users
The German federal government should sensitise citizens as well as companies more strongly to the fact that unwarranted access to data cannot be completely prevented. Hence, the users are also asked to do their bit to ensure the security, integrity and availability of data. Secure networks and data transmission help little if users handle data on their devices carelessly. For example, encryption (e.g. end-to-end) should be employed systematically for sensitive data – this applies to 5G just as to 4G, 3G and 2G. Furthermore, by applying appropriate measures, all providers of technologies and services should ensure the security and integrity of data, services and networks for their users.
▪ Conduct the auctions for 5G frequencies
Now, it is important to draw attention to the forthcoming auctions for 5G frequencies. The network operators require legal certainty to roll out high-performance 5G networks.
About BDI
The Federation of German Industries (BDI) communicates German industries’ interests to the political authorities concerned. It offers strong support for companies in global competition. The BDI has access to a widespread network both within Germany and Europe, to all the important markets and to international organizations. The BDI provides political support for the capturing of international markets. It also offers information and politico-economic guidance on all issues relevant to industries. The BDI is the leading organization of German industries and related service providers. It represents 39 inter-trade organizations and more than 100,000 companies with their approximately 8 million employees. Membership is optional. 15 federal representations advocate industries’ interests on a regional level.
Imprint
Federation of German Industries (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0
Contact
Steven Heckler
T: +493020281523
s.heckler@bdi.eu
Carolin Proft
T: +493020281529
c.proft@bdi.eu
BDI document number: D 1018