The European Parliament’s Committee of inquiry to investigate the use of Pegasus and equivalent surveillance spyware (pictured), known as PEGA for short, has been warned that its scope was too narrow by a representative of Enea, the Swedish telecom software and cybersecurity business. Speaking at an open meeting, Rowland Corr, Vice President of Government Relations at Enea, told the 38 Members of the European Parliament (MEPs) on the committee about the need to protect Europeans from a wider range of threats.
Vulnerabilities in mobile networks, and governance gaps are exploited by threat actors to execute unauthorized intrusions with impunity.
Corr emphasized the extent to which mobile networks can be abused by spies.
A key area of vulnerability is mobile telecoms signaling and the abuse of access to signaling infrastructure. To put this vulnerability into context as an area of surveillance risk — the use of mobile spyware weaponizes the personal device of the victim, and the use of mobile signaling weaponizes the network serving them. Put simply, in the hands of attackers, the mobile service itself becomes the cyber weapon.
He also highlighted how Europeans need mobile networks for far more than just making phone calls.
This area of risk is not sufficiently understood, reported or integrated at national levels. Critical infrastructure protection, cybersecurity, and national security all intersect when it comes to mobile network security. And the key to improving resilience may lie in emphasizing capability over compliance on the part of stakeholders — be they operators, regulators, or cyber agencies.
The purpose of the PEGA committee is to review the extent of surveillance by state actors that violates the EU’s Charter of Fundamental Rights. Its name explicitly references the Pegasus spyware created and sold by Israel’s NSO Group, and which has been tied to many privacy abuses around the world, all committed by state actors who purportedly purchased it on condition that it only be used for law enforcement.
A press release from Enea commented on the urgent need to overhaul privacy protections because of the additional complexity introduced by 5G.
As 5G is adopted worldwide, there is a pressing need for secure interworking between protocols, network elements (across generations) and a need for secure interconnections nationally and internationally. This represents an increasingly complex and critical area within electronic communications.
Sadly, I doubt Europe’s politicians are halfway capable of addressing the looming crisis being created by our over-dependence on insecure networks. It took the invasion of Ukraine by Russia to get them to appreciate the extent to which Europe had taken the supply of Russian oil for granted, a concept that is far simpler to comprehend than the explanation for how a lax telco on the far side of the planet could enable the tracking of an individual’s movements by permitting the subversion of network signaling. Europe has had a quarter of a century of data protection legislation that has proven remarkably ineffectual but you would never know that from listening to the Eurocrats. They can only tell you what their rules are meant to achieve because they have literally no idea about how to deliver the protections they keep promising.
Readers who are most optimistic about the work of the European Parliament can review the progress made by the PEGA committee here.
5G security expert Silke Holtmanns will be the special guest for today’s episode of The Communications Risk Show. Silke is responsible for the 5G Security Assurance service provided by PwC, volunteers her time as an advisor to the European Union Agency for Cybersecurity (ENISA), and was formerly the Head of 5G Security Research at Enea, so we can expect her to have plenty to say about this story and all the work that needs to be done to make 5G networks safe! Tune in live at 10am Chicago, 4pm London, 5pm Brussels, 8.30pm New Delhi to put your questions to Silke through our messaging system at tv.commsrisk.com. If you miss the live show then catch up with the video recording or audio podcast soon after the broadcast has ended.