Legislations applicable to 5G network operators
Franck Laurent and Pascal Nourry, Orange, C&ESAR 2019, Rennes
2 Orange – unrestricted
Agenda
– 5G dreams
– Legislations applicable to network operators
– Why a new French law for 5G?
– The new French law on 5G security
– Conclusion
5G Dreams
– eMBB
– uRLLC (Ultra Reliable & Low Latency Communications): 40ms (4G) => 1ms (5G)
– mMTC (massive Machine Type Communications): low power consumption (10 years) and x100 more devices
– Figure labels: 3D, VR
4G Network
[Figure: 4G network architecture, with Control Plane and User Plane links. Labelled elements: UE (User Equipment), eNodeB (4G), Backhaul Network, SecGW (Security GateWay), MME (Mobility Management Entity), S-GW (Serving GateWay), P-GW (Packet Data Network GateWay), HSS (Home Subscriber Server), PCRF (Policy and Charging Rules Function), Packet Data Network (Internet).]
5G NSA => 2020 (3GPP TR 38.912)
[Figure: 5G NSA network architecture, with Control Plane and User Plane links. Labelled elements: UE (User Equipment), eNodeB (4G), gNodeB (5G), Backhaul Network, SecGW (Security GateWay), MME (Mobility Management Entity), S-GW (Serving GateWay), P-GW (Packet Data Network GateWay), HSS (Home Subscriber Server), PCRF (Policy and Charging Rules Function), Packet Data Network (Internet).]
5G SA => 2022 (?) (3GPP TS 23.501)
Slicing
[Figure: 5G SA network architecture, with Control Plane (Virtualisation) and User Plane links, and http/2 labelled in the core. Labelled elements: UE (User Equipment), gNodeB (5G), Backhaul Network, SecGW (Security GateWay), AMF (Core Access and Mobility Management Function), SMF (Session Management Function), UPF (User Plane Function), UDM (Unified Data Management), PCF (Policy and Charging Function), AUSF (Authentication Server Function), NSSF (Network Slice Selection Function), NEF (Network Exposure Function), NRF (Network function Repository Function), SEPP (Security Edge Protection Proxy), Packet Data Network (Internet).]
Network security
Code des Postes et des Communications Electroniques
– Articles 32-1, 33-1, D98-4 and D98-5 on network integrity/availability/security
– Article L33-10 allows the French Communication Ministry to audit any French operator
Code de la Défense
– Articles L1332-x and R.1332-x related to French vital infrastructures
– Rules dedicated to communications providers are specified in « Arrêté du 28 novembre 2016 fixant les règles de sécurité et les modalités de déclaration des systèmes d’information d’importance vitale et des incidents de sécurité relatives au sous-secteur d’activités d’importance vitale « Communications électroniques et Internet » et pris en application des articles R. 1332-41-1, R. 1332-41-2 et R. 1332-41-10 du code de la défense (NOR: PRMD1630591A) »
Legislations applicable to network operators
Communication Privacy
Posts and Electronic Communications code
– Articles 32-1, 33-1 and D98-5 on communication privacy
Criminal code
– Articles 226-3, 226-15, 432-9 and R. 226-1 & s. on communication privacy
General Data Protection Regulation (GDPR)
General Context in the updated « Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés »
Specificities in the Posts and Electronic Communications Code
– L32-1, L34-1 to L34-6 and R10-12 to R10-22: Electronic Communications operators shall protect personal data, with specific processing regarding traffic data.
European commission
Recommendation on a common EU approach to the security of 5G networks published in March 2019 – https://ec.europa.eu/digital-single-market/en/news/european-commission-recommends-common-eu-approach-security-5g-networks
– National risk assessment by 19 July 2019 – https://ec.europa.eu/digital-single-market/en/news/security-5g-networks-eu-member-states-complete-national-risk-assessments
– Coordinated risk assessment at EU level by 9 October 2019 – https://ec.europa.eu/digital-single-market/en/news/eu-wide-coordinated-risk-assessment-5g-networks-security
– Mitigating measures to address the cybersecurity risks identified at national and EU levels by 31 December 2019
– Member States are encouraged to cooperate with the Commission and ENISA to prioritize a certification scheme covering 5G networks and equipment in 2020.
– Member States – in cooperation with the Commission – should assess the effects of the Recommendation in order to determine whether there is a need for further action by 1 October 2020.
ANSSI leads French efforts
Why a new French law for 5G?
Limitations of previous French laws
Lack of rules on RAN equipment
  – In the context of communication privacy (R. 226-x authorization)
Most previous rules focused on communication privacy, not on how vital the main mobile network operators are to the French state and to French vital companies
  – Emergency calls are mostly made from mobile terminals
  – French emergency services / police / military will use the 5G network alongside specific state communication networks
    – such as PMR (Private Mobile Radio), which can already be provided on the 4G network
  – Factories 2.0 will rely on the 5G network
  – Connected cars will rely on the 5G network
Lack of rules on the administration of network equipment, including by subcontractors / third parties
(R)evolution of mobile network architecture in 5G with virtualized core network and slicing approach (in phase 2)
Legislation
LOI n°2019-810 du 1er août 2019 visant à préserver les intérêts de la défense et de la sécurité nationale de la France dans le cadre de l’exploitation des réseaux radioélectriques mobiles (NOR: ECOX1907688L)
– English version available https://ec.europa.eu/growth/tools-databases/tris/en/search/?trisaction=search.detail&year=2019&num=376
– In order to safeguard national defense and security interests, the law introduces a new authorization to run 5G network equipment
– The list of devices concerned is set out in an order of the Prime Minister (see next slides)
– The approval process is set out in a decree in the Council of State (see next slides)
– The Prime Minister shall deny the approval if the Prime Minister believes it would pose a serious risk to national defence and security interests due to a lack of guaranteed compliance with the rules related to the continuity, integrity, security and availability of the network or to the confidentiality of the messages sent and information related to the communications.
– In assessing this risk, the Prime Minister shall take into account the level of security of the equipment, their deployment and operation planned by the operator and whether the operator or its service providers, including subcontractors, are under the control of or subject to interference from a country that is not a member of the European Union.
The new French law on 5G security
– The following offences shall be punishable by 5 years in prison and a EUR 300 000 fine
  – operation of equipment without prior approval or without meeting the conditions attached to the approval
– The law retroactively applies to operation of the equipment installed on or after 1 February 2019
– For operators only, R.226-7 authorization no longer applies to equipment covered by this law
  – This avoids a “double” authorization for network operators
List of devices
Order laying down the list of devices stipulated in Article L34-11 of the Postal and Electronic Communications Code
– Draft in English https://ec.europa.eu/growth/tools-databases/tris/en/search/?trisaction=search.detail&year=2019&num=378
– Draft in French https://www.entreprises.gouv.fr/numerique/preserver-interets-de-la-defense-et-de-la-securite-nationale-de-la-france-dans-cadre-de
– Not published as of 12 November 2019
– Based on 3GPP standard
Procedures
Decree on the preliminary authorization procedures for the operation of mobile radio networks stipulated in Article L34-11 of the Postal and Electronic Communications Code
– Draft in English https://ec.europa.eu/growth/tools-databases/tris/en/search/?trisaction=search.detail&year=2019&num=377
– Draft in French https://www.entreprises.gouv.fr/numerique/preserver-interets-de-la-defense-et-de-la-securite-nationale-de-la-france-dans-cadre-de
– Not published as of 12 November 2019
– The application is mostly similar to the R.226-7 application, with a focus on
  – details on device deployment, engineering choices and any optional functions activated or not activated
  – details on device operation, indicating the operations for configuration, monitoring and maintenance that may be performed on the device while in operation or on the IT hosting, and the subcontractors involved in configuration and monitoring operations on the device
– Initial approval or approval renewal may include conditions with a time period for the operator to comply
– Denial of an approval renewal may include a time period to comply in order to limit network availability impacts
Conclusion
French legislation is advanced regarding network security
– Prior existence of R.226-x authorization + CPCE + Defence Code
ANSSI is working with network operators to improve network security
– Dedicated recommendations
– Audits
Network operators are now working on the implementation of the new 5G law with ANSSI
Thanks