comment

There will be no global 6G unless we resolve

sovereignty concerns in 5G governance
Governments have underestimated the importance of technology governance in 5G development and will look to
reassert control over key technologies. If future technologies are to be based on global standards, and not become
geographically fragmented, the technology community need to urgently address this challenge.

Paul Timmers

T
he security of the fifth generation civil society need to urgently address this Digital layers Cybersecurity measures
(5G) of wireless communication challenge. People Awareness, skills,
is currently making headlines. Apps self-regulation
Governments, including those in the US and 5G security challenges Services Regulation for
across Europe, are worried about control The security of 5G has a wide range of resilience, privacy,
Data sustainability
of the 5G infrastructure and the impact it issues, including various technical ones, but
Devices/IoT Standards, hard certification,
could have on the longer-term sovereignty also those at an organizational, behavioural, architectures
of their countries; some have decided to ban and governance level. As security analysts Network/5G

Chinese suppliers of telecommunications always stress: the communications network

network equipment, including Huawei and is just one layer of the digital ‘stack’ (Fig. 1). Fig. 1 | The digital stack and cybersecurity
ZTE, stating that they cannot be trusted, And security needs to be addressed in each protection. For security in the lower layers, hard
while others are still reflecting on the issue. layer. As a general rule, hard technical and regulatory measures tend to be used, whereas
In turn, network equipment providers and regulatory measures — such as standards softer measures are used for the higher layers.
telecom operators publicly worry about the and certification — are applied to the lower
swings of the debate, and standardization layers, whereas soft, self-regulatory measures
groups like the 3rd Generation Partnership tend to be applied to the higher layers. parts of the network are used to provide
Project (3GPP) — which develops technical Security for 5G builds on extensive different services) is still being developed
specifications and standards for mobile experience from 2G, 3G and 4G, and today. Other vulnerabilities may be even
communication — worry about their future corrects several weaknesses, such as the harder to control. In particular, 5G will
now that geopolitics has entered their vulnerability to attacks over the radio access be more software based than previous
community1. network (RAN) using a false base station to generation networks (and also use more
5G has been in development for a catch the international mobile subscriber general-purpose software), and software
number of years now, so why did security identifier (a number that can be used to development is hard to control both from a
suddenly become an issue? It happened identify every user of a cellular network)4. security and quality point of view.
because governments underestimated the The technology is also designed to address One approach to safeguard security
importance of technology governance security issues through its architecture. would be to perform stringent checks, such
and, in particular, the governance Such a feature is compartmentalization: the as under Common Criteria certification
of 5G technology development and separation of the RAN and the core network. (standardized guidelines for security
standardization. While being interviewed Nevertheless, governments do not seem to assurance). However, there is a range of
on 5G security, French President Emmanuel be convinced by the security delivered by the non-technical risks for which firm security
Macron recently admitted that “sovereign 5G architecture and standards. assurance and risk assessment is much
decisions and choices were de facto A recent report on an EU-wide more difficult or nearly impossible. Defects
delegated to telecoms operators”2. The coordinated risk assessment of 5G security in software engineering are a typical
Internet of Things (IoT) could face similar highlighted technical and non-technical example (for which Huawei’s Cybersecurity
challenges3. Governments will now, risks5. Several of the potential technical risks Evaluation Centre in the UK has, for
I argue, look to reassert control over key listed could be addressed with a technical instance, been criticized6). According to
technologies, including 5G, 6G and IoT, but assessment, possibly combined with the report by the European Commission,
also quantum technologies and artificial certification against 3GPP norms. However, another non-technical risk might arise from
intelligence (AI). They will seek to control important steps, such as deployment and third-country equipment suppliers and the
security architectures and security features configuration, which are not covered by third country’s legislation, especially in cases
in their pursuit to safeguard sovereignty. 3GPP norms, could introduce security risks. where there are no legislative or democratic
Future technologies could thus become Furthermore, 5G may be configured to checks and balances in place.
geographically fragmented. If these partially run over less secure 3G or 4G. 5G The EU risk assessment will be the basis
technologies are to be based on global is also much more complex than previous of a toolbox of alleviating measures for
standards — and thus deliver their full networks. Finally, with edge computing cybersecurity risk for the EU countries and at
potential as an enabler of global business the split between the core and edge parts the EU level, expected for early 2020. In the
and common good — industry consortia, of the network becomes less clear and the meantime, several governments are already
the global technology community and security between network slicing (where taking measures on the conditions to be
10 Nature Electronics | VOL 3 | January 2020 | 10–12 | www.nature.com/natureelectronics
 comment

imposed on suppliers of 5G. Some countries, When states are challenged to strengthen
including Australia and the Netherlands, their strategic autonomy, they have three
mandated the potential exclusion of suppliers options (Fig. 2)8: risk management, strategic
from third countries7. In other cases, telecom partnerships and global common good. The Risk
operators proceeded carefully by limiting US and China could have another option — management
certain suppliers to the RAN part of the namely, absolute digital sovereignty — by
networks and by working with multiple pursuing full independence. This, however,
suppliers to avoid single-supplier control and is not a realistic choice for other countries. Strategic Promoting
lock-in. The implication is that suppliers need A risk-management approach recognizes partnerships common
to be able to interoperate, which may well that the larger part of critical infrastructures good

come with additional costs and needs is run by private sector service providers,
for security assurance. with their technology coming from
international suppliers. In many parts of Norms and values

Sovereignty at risk the world cybersecurity legislation exists

It is understandable that governments for such operators in order to ensure cyber
get worried about the security of resilience. There are two consequences to Fig. 2 | Three approaches to strategic autonomy
communications infrastructure that this. First, the risk management of critical to safeguard sovereignty. Risk management
underpins their country’s economy and infrastructures does not explicitly address is about ensuring cyber-resilience, that is,
institutions, including their judiciary today’s sovereignty concerns because, having capabilities and capacities — including
and electoral systems. If these electronic until a few years ago, cybersecurity risk awareness and skills, intelligence, analysis,
communications networks can be disrupted management was driven by traditional response, recovery, insurance, sharing and
at scale or can be infiltrated by a foreign business concerns. Second, the coupling of crisis exercises — to cope with security
power for espionage and theft of governments and industry is fairly loose, threats; it focuses on critical infrastructures
intellectual property, the very future of at national level as well as internationally. such as electricity, water, transport, hospitals,
the state is undermined and its sovereignty To manage risks internationally, industry, telecommunications and the cloud. Strategic
is at risk. governments, civil society and the partnerships involve collaboration with like-
However, only in the last two years technology community are engaged in minded partners only, through shared provision
have governments started to realize that developing international norms and values and control of capabilities and capacities in key
the security specifications of electronic for behaviour in cyberspace. This happens areas; they can be complemented by strategic
communications as a critical infrastructure through the UN, the Paris Call for Trust and interdependency arrangements with non-like-
were not sufficiently under their control, Security in Cyberspace, and other forums. minded parties, on issues for which both sides
as the statement from President Macron However, the various stakeholders have a would lose more than they would win. Global
illustrates. Some countries also worry that rather loose mutual commitment, resulting common good involves promoting globally shared
they have left the door open to the Chinese in non-binding arrangements. interests rather than state centricity through
government, which they suspect of close Strategic partnerships, in contrast, are globally shared assets, distributed control, open
involvement with companies in order to founded on mutual commitments between access arrangements and precautionary norms.
occupy key positions and decision-making parties — public or private — that, in Figure adapted from ref. 8 under a Creative
in international standardization bodies. principle, trust each other. Such partnerships Commons license CC BY 4.0.
Governments that have become aware of are likely legally bound by treaties, regulations
the situation now want to take back control and directives (in the EU, for example),
and better safeguard their sovereignty. mutual recognition agreements, third-country (a global common good), which involved
To achieve this, they will have to strengthen clauses in law and public–private contracts. scientists, policymakers and industry.
their abilities (capabilities and capacities) While a strategic partnership excludes not-
to take and act on decisions that affect like-minded parties, it can be complemented Industry–government relationships
the longer-term future of their economy, by strategic interdependency of opponents to will change
society and democracy: that is, strengthen keep geopolitical confrontation under control. Until recently, Europe and the US followed
their strategic autonomy. Examples of such Despite its advantages for sovereignty, there a combination of a risk-management and a
abilities include technological knowledge, are also downsides to strategic partnerships. global-common-good approach for 5G. In
an industrial ecosystem, and regulatory For example, if a business that is global by Europe, this included legislative measures
oversight and control. nature (such as the mobile communications for risk management, in terms of cyber-
This shift to strategic autonomy is already industry) is involved, a strategic-partnership resilience and information and technology
happening. The US not only excludes approach will have built-in tensions because certification9. The EU has also followed
Huawei and ZTE, and decides thereby national and global interests cannot be a very open approach with regards to the
to procure 5G exclusively from ‘friendly’ readily aligned. research and development of 5G, including
suppliers, but is also considering to invest in In the case of a global-common-good financial support through its Horizon 2020
home-grown or friendly 5G companies and approach, a widely shared common interest research and development programme.
more recently to promote an open-source must be found. A multi-stakeholder European, US, and Chinese companies
approach to 5G. The trend in Europe is also approach — involving civil society, could all work together in EU-supported
towards greater government control. But governments, industry, and the techno­logy research and development projects and
governments are late, perhaps too late: much community — and collaboration in technology forums to achieve global
of the architecture of 5G has already been ‘open’ consortia will likely be needed. specifications, essentially to contribute to 5G
decided upon and much of the required An example of a successful past specifications as a global asset.
technology development has already multi-stakeholder collaboration is the These two approaches for 5G are now
happened. Montreal Protocol to protect the ozone layer under serious pressure as they do not

Nature Electronics | VOL 3 | January 2020 | 10–12 | www.nature.com/natureelectronics 11

comment

seem to deliver sufficient guarantees for and energy. Second, money spent on a work of the Future Society initiative and the
sovereignty. Therefore, there is strong technology arms race could instead be OpenAI consortium.
pressure for a strategic-partnership spent on other priorities such as climate What is certainly needed is for the
approach to be pursued in the further change, education or other public services. industry to give governments a seat at the
development of 5G. This could lead to Third, strategic partnerships risk evolving discussion table to engage early with real
fragmentation in the development of 5G, into anti-historical and counter-productive or imagined sovereignty concerns, and
possibly leading to a split into two blocks friend-and-foe thinking. Fourth, strategic to correct the current misallocation of
centred around China and the EU/US, partnerships require governments to be much sovereignty. Industry-driven standardization
which has been feared by the 3GPP10. If more involved in setting specifications for in 5G, 6G and IoT (notably the IoT
this happens, we must anticipate the risk of research and development, standards, and standardization consortium oneM2M), as
5G work breaking up and perhaps even the procurement. To keep up with the rapid pace well as in major global industries that are
demise of 3GPP. of technological development, administrations going digital (such as the automotive and
The same debate will likely affect 6G, for must act and adapt quickly, which may not energy industries), should not wait until
which technical and business modelling work be feasible. Finally, the political focus on governments impose state-centric governance
has already begun in Finland11 and recently strategic partnerships risks proper reflection upon them and define the agenda from a
in China by a government-led initiative12. on the merits of the risk-management and the strategic partnership sovereignty perspective.
This time, governments will not delegate global-common-good approaches being lost. Industry should urgently reflect on renewing
sovereignty decisions to industry. And other the dialogue with governments across the
technologies — IoT in particular — might be Recommendations world, and do so in an inclusive way to
similarly affected. IoT devices will be used in Strategic partnerships between governments avoid planting the seeds for future trade
critical parts of economies and societies, from and industry have their merits and are barriers. They may be able to learn from past
manufacturing to health to public spaces. The becoming the go-to approach. However, in experiences (such as SWIFT in international
expectation is that there will be billions of the interest of global business, and to counter financial transactions13) but will likely need
such internet-connected devices, increasing the downsides of strategic partnerships, to come up with new governance models.
the cyber-attack risk. risk-management and global-common- Without such pro-active engagement, it is
The past risk-management and global- good approaches should also be pursued. likely that there will be no global 6G. ❐
common-good approaches were primarily For example, risk management should be
in the interests of industry because the feasible for the higher layers of the digital Paul Timmers   1,2
sovereignty threats of 5G (or IoT) were not stack through approaches such as sharing 1
Centre for Technology and Global Affairs,
yet clear. Governments are now acting faster of security threat information, joint cyber Department of Politics and International Relations,
than industry or civil society to formulate exercises, and mutual assistance in response University of Oxford, Oxford, UK.
a response to these threats: they are already and recovery. Similarly, there are several areas 2
Rijeka University, Rijeka, Croatia.
taking back control. It is likely that, at least where a global-common-good approach e-mail: paul.timmers@politics.ox.ac.uk
for now, governments will first consider a is preferable, such as for the protection of Published online: 24 January 2020
strategic-partnership approach because it the public core of the internet, a globally https://doi.org/10.1038/s41928-020-0366-3
appears to deliver ‘technological sovereignty’, standardized security architecture for IoT,
which has become a catchphrase for and open AI and distributed security control References
1. Alleven, M. Huawei maintains seat at standards table despite
politicians and policy-makers. Technological (blockchain based, for example) to protect geopolitical woes. Fierce Wireless https://go.nature.com/2QE9UZE
or digital sovereignty measures that are critical infrastructures. (28 February 2019).
already being drawn up refer to common Paradoxically, the global-common- 2. Emmanuel Macron in his own words (English). The Economist
https://go.nature.com/39Y3FYo (7 November 2019).
values and shared views on economy and good approach may actually strengthen 3. Yang, Y., Kynge, J., Wong, S.-L. & Liu, N. Huawei founder predicts
democracy: that is, working with likeminded sovereignty, because it would allow internet of things is next US battle. Financial Times https://
partners. A recent example is the German governments to concentrate scarce go.nature.com/2T9RQrZ (4 July 2019).
4. A guide to 5G network security https://go.nature.com/36GUd9T
(and French-supported) GAIA-X cloud resources on areas where sovereignty (Ericsson, 2018).
initiative. matters a great deal, but where a global 5. EU coordinated risk assessment of the cybersecurity of 5G networks
Strategic partnerships are certainly an common good does not exist, such as https://go.nature.com/39WCWLR (European Commission, 2019).
6. Oversight board of Huawei cyber security evaluation centre https://
important approach and respond to the in defence or at the core of government, go.nature.com/2RmXYdQ (UK Government Cabinet Office, 2019).
trend of geopolitics today. They will bring judiciary and parliament. 7. Besluit van 28 november 2019, houdende nadere regels
enhanced sovereignty, which is projected We should not be naive and believe betreffende de veiligheid en integriteit van openbare elektronische
communicatienetwerken en -diensten (Besluit veiligheid en
externally in order to be respected by other that there are many areas for a global- integriteit telecommunicatie). https://go.nature.com/2tIlcmJ
states (that is, external legitimacy of the common-good approach, given the (Government of the Netherlands, 2019).
state). They will also lead to an increased geopolitical behaviour of the large powers 8. Timmers, P. Mind. Mach. 29, 635–645 (2019).
sense of identity and national pride in the world. Nevertheless, the global 9. Directive (EU) 2016/1148 of the European Parliament and of the
Council of 6 July 2016 Concerning Measures for a High Common
and loyalty, which strengthens internal technology community, civil societies, Level of Security of Network and Information Systems across the
legitimacy, the other important dimension academia and industry play an important Union https://go.nature.com/2Tbwrik (European Union, 2016).
of sovereignty. Still, while strategic role in formulating and advocating global 10. Lucas, L., Standards body warns on US blacklisting of Huawei.
Financial Times https://go.nature.com/2R89IRH (9 June 2019).
partnerships may be possible for certain values and providing the meeting place 11. 6G Flagship https://go.nature.com/37SCGLT (Univ. of Oulu, 2018).
technologies (perhaps for 6G) and can give for exploring the possibilities for global 12. Meiping, G., China launches research and development of 6G
some degree of reassurance on sovereignty, common good in the digital world. technology. CGTN https://go.nature.com/3a7iTKO (6 Nov 2019).
13. Cowhey, P. F. & Aronson, J. D. Digital DNA (Oxford Univ. Press,
the approach has downsides. Examples of where such an approach has 2017).
First, it may become too costly to pursue been applied include the internet, such as
Acknowledgements
strategic partnerships in all key technologies the work of the Global Commission on Opinions expressed are the author’s and should not be
and sectors: 5G, 6G, IoT, quantum computing the Stability of Cyberspace and the World taken to represent the views of the University of Oxford or
and AI, as well as sectors such as defence Wide Web Foundation, and AI, such as the Rijeka University.

12 Nature Electronics | VOL 3 | January 2020 | 10–12 | www.nature.com/natureelectronics