Leading Dutch telecom provider KPN has an agreement with Huawei regarding the construction of a 5G network in the Netherlands. The construction of the network will be divided between two different parties. Huawei is responsible for the basis of the network, but will not be involved in the construction of the core, the most vulnerable part, of the network. This part will be constructed by a yet to be determined western company.
In a radio broadcast of NPO1 Frank Groenewegen, Chief Security Expert at Fox-IT, explains the construction is devided. “You can compare the internet to a collection of streets and highways that are connected to each other. To send information you have to, similar to using a car, hit the road to get the information, or in this case yourself, from point A to point B. On the road you pass big junctions, just like junctions seen on a highway. These junctions are the core of the network,” says Frank Groenewegen. “At these big junctions where the internet traffic comes together, it is important to make sure that all the traffic goes to the right destination. KPN chooses a different supplier for the construction of these junctions.”
But using a Western supplier does not guarantee safety for espionage at all. Although the chances of being spied on is reduced, we must stay alert. The main discussion about the 5G network rollout only concerns the presence of backdoors, but state actors have lots of different resources and methods to spy. They don’t need these backdoors., .
It is important that companies, especially companies in the critical infrastructure, assume that they are hacked or can be hacked. Critical points need extra protection. To do this independent control and testing is needed. “Look at other industries, like the car industry. You cannot just put a new car on the market. A needs to be tested by an independent party. Hackers entering your network is not that exciting. What is really important, by immediately detecting them before they reach their target and kicking them out of your network. . You can claim a car is safe, but to prove that you will need to do a crash test. This test represents just one particular moment , so it must be repeated from time to time. A test like that shows if the mitigated measures still meet the actual threat level,” says Groenewegen.
You cannot just trust anyone when it comes to critical infrastructure. Independent checks combined with unannounced testing, clear rules and regulations are the only way to minimize the risks. It is very important for those parties to understand what they need to protect themselves from and that the risk information is up to date. A good risk analysis is crucial; who are your digital enemies and how do they attack? It is about the whole, not only the technique but also about the processes, humans and suppliers.
Listen to the broadcast here (in Dutch)