In some European metropolitan areas, you can already see a 5G symbol on your mobile phone display. Nevertheless, most networks are still in the planning phase and mobile network operators (MNOs for short) have not yet made a final decision on which equipment provider they will purchase the network technology from. This applies even more to private corporate networks, so-called campus networks, despite the decision being potentially significant for the security of the factory of the future.

In many European countries, there are currently discussions about the economic possibilities in connection with the new mobile communications standard 5G. This concerns possible leaps in productivity, but also the security gaps and dependencies associated with greater networking that would arise if these new mobile networks were built with Chinese technology, for example. As a result of these discussions, some states have excluded untrusted network equipment suppliers from building domestic 5G networks or set the regulatory hurdles so high that the result is tantamount to a ban.  The question which is slowly moving up the agenda is: is it necessary to also regulate private networks with respect to the technology they use? From the perspective of an economist this should only be the case if using untrusted technology has a detrimental effect on customers, suppliers or employees for which they are not compensated. Economist call that negative externalities.

Network equipment providers for 5G networks are expected to have a high level of trustworthiness in order to participate in an infrastructure that controls large parts of a factory of the future. It is particularly difficult for Chinese suppliers to establish this credibility. They are often seen as untrustworthy, operating from a country without sufficient rule of law, which exercises strict state control over their business conduct and management. Moreover, Western intelligence agencies, cybersecurity firms and the media regularly report that China is the country of origin for numerous attempts at industrial espionage.

If companies with such origins are nevertheless involved in the deployment of 5G networks in Europe, this will come at a significant cost. Only part of these costs are incurred by the company operating the network and choosing the network providers. A large part of the costs must be borne by other parts of society, which in absence of further regulation have no influence on the choice of network provider.

Even when the factory of the future decides which providers to procure 5G network technology from, they do not take all costs into account – either because they are hidden costs that will be incurred later (life-cycle costs) or because they are borne by others than the MNOs (external costs). Of course, many security-related costs will also occur if 5G networks are built exclusively with trusted technology. However, these costs will be lower because a trusted provider is a cooperating partner in securing the network from external influences.

If non-trusted providers are a part of a private 5G network, additional efforts will have to be made

• to test and verify the software updates provided.
• to share information with other private network operators, government agencies responsible for network security, and with suppliers and customers of the cyber factory of the future. New information sharing and analysis centers need to be established among industry participants.
• to build additional sensors into the network to monitor network traffic and detect unintended data flows to third parties.
• To develop and integrate new AI tools into network management as an early warning system for covert data exfiltration.
• to devote resources to enforce regulatory policies and compliance to compensate for the lack of trust in the network.
• to cover damages caused by cyber-attacks by spending (more) money on cyber insurance to deal with the financial consequences.

If a 5G network contains untrusted technology, more of the burden to protect data or machines controlled over the network falls on the operator, but potentially also on other parts of their value chain. The latter will have to spend more resources on classic cybersecurity tools or will have to leave the value chain that makes the cyber-factory of the future and thus will not be able to realize potential productivity gains.

European 5G technology providers will have a hard time competing with companies that do not need to make a profit in order to stay in the 5G business – for example because they are backed by a state for strategic reasons. To internalize the external costs and to guarantee a level playing field, it should be considered to not only regulate nationwide networks, but to include private 5G campus networks. The goal is to either exclude non-trusted technology or to require operators of campus networks to invest in the necessary additional protection when using non-trusted technology.

Authors: Johannes Rieckmann und Tim Stuchtey, BIGS

A more detailed description and estimate of the hidden costs of untrusted vendors in 5G networks can be found in the policy paper and the country studies for Germany, France, Italy and Portugal. The virtual presentation of the policy paper takes place on the 16^th of March at 2pm (CET).