The coronavirus (COVID-19) crisis has proven that telecom infrastructure is critical. Telecommunications networks delivered service during the lockdown, enabling many to continue to work, learn, shop, and access healthcare. Policymakers will likely revisit regulation for telecommunications networks, not only to optimize network investment, but to improve security. Indeed, policymakers will also realize that security which has focused to date on the transport layer of networks is leaving the access and applications layers vulnerable.
While the focus on Huawei is long overdue, the discussion of network security and Huawei’s role are oversimplified. It is insufficient to address only one aspect of conventional components of networks: access, core, and transport. The bigger issues are how end-user data will be protected while stored in cloud or being processed by artificial intelligence (AI) and how connected devices on Internet of Things (IoT) networks and other applications such as smart city solutions can be secured?
Historically network connectivity was likened to the dumb pipe, the medium which transmits data. The “smart parts” of the network were the edge and the core, where users access networks and where information processing occurs. These actions have become more complex with third party providers of AI and cloud computing. Naturally, these typologies don’t fit 5G in which the network is suffused with intelligence, but telecom regulation has been associated with these three traditional functions.
Now that networks have evolved, it’s time for telecom regulation to evolve. If the goal of security measures is to reduce the risk and vulnerability of exposure to Chinese state-owned and affiliated firms, then policymakers need holistic frameworks that address the multiple aspects of network security at its various layers: application, transport, and access.
Indeed, the singular focus on Huawei in connectivity misses the fact that Huawei sells products for the other layers, and that many other Chinese state-owned firms should be scrutinized. For example, Baidu, WeChat, Alibaba, and Huawei AI solutions in the applications layer; Huawei and ZTE in transport; and Huawei’ smartphones and laptops by Lenovo, the world’s leading maker of laptops as well as a leader in servers. Strand Consult has described this in the research note The debate about network security is more complex than Huawei. Look at Lenovo laptops and servers and the many other devices connected to the internet.
The EU’s 5G Toolbox is the first step towards greater security and accountability for a discrete part of 5G network transport, but it does not address all elements of 5G security nor other network layers. In performing its security assessment, the United Kingdom looked beyond 5G mobile Radio Access Networks (RAN) and Core to other network layers, types and technology, notably wireline networks. Policymakers need a broader focus than 5G when assessing the security of telecommunications networks in the future.
In China, Huawei is vertically integrated and delivers a suite of products and services for all the layers of a network: it transports the data; it provides access through end user devices, and it provides the applications in the form of AI and cloud solutions. While European policymakers debate issues of RAN and core, Huawei is busy selling other solutions for the rest of the network: smartphones, routers, AI, and cloud solutions. As restrictions tighten on Huawei’s network products, the company will naturally push other business lines to compensate for lost revenue. A large operator in Europe works with Huawei on a joint Chinese-German cloud platform, and the reference customer for this solution is the European Organization for Nuclear Research, CERN in Switzerland. It is not logical how Huawei which can be deemed high risk for telecommunications and military networks, but somehow neutral for nuclear research. The agreement for the project is four years old; the question is whether such a project will be acceptable for political and security standards going forward.
Vertical integration was the standard model for traditional state-owned telecommunications. The government built a telephone network (the wires and switches); it delivered a single service – telephony; and it sold the end user device, typically a classic phone. Privatizing networks was about opening up the value chain to different kinds of providers. This worked well in mobile networks; different firms specialized for different parts of the value chain. However, Huawei is driving the decentralized chain back to the state-centered concept, perhaps fitting for its practice in China where it partners with the government to deliver full-service surveillance solutions.
Policymakers, regulators, and competition authorities have long been skeptical of vertical integration in telecommunications, and it was frequently a way to control traditional telecom operators by demanding that the divest certain parts of their business or by prohibiting certain acquisitions.
COVID-19 has proven that telecommunications networks are vital infrastructure at all layers and levels. It’s not just military and public safety networks that need to be secure. Everyone needs to have secure networks if we are live in a digital society. If politicians and telecom operators don’t recognize this, network users do. Change is being driven by companies which themselves are increasingly victims of cyberattacks. Companies are putting increased pressure on telecom operators and governments to do more to make networks secure.
Six questions on the future of telecom regulation
Strand Consult believes that governments will take a broader view about network security. Here are six question for policymakers.
- What is critical infrastructure, and how will it be defined in the future? Historically, critical infrastructure had to do with physical and digital network assets which are required for physical and economic security, health, and safety. Indeed, there are many vital network assets deemed “critical” including those for chemicals, communications, manufacturing, dams, defense, emergency services, energy, financials, food/agriculture, government facilities, healthcare, information technology, nuclear reactors, transportations systems, and water/wastewater. Are these networks equally prioritized? What are the security concerns and protocols for each, both on the physical and cyber fronts? Do some have greater security than others? How does this change in the COVID-19 world?
- What are the government’s responsibilities to ensure the security of communications infrastructure? What are the minimum requirements to restrict a vendor? How is this balanced with requirements for fair and open processes for bids and tenders?
- What are the relevant communications networks to secure? Is it enough to focus on 5G mobile RAN and core or should security requirements apply to wireline networks, satellite, Wi-Fi, 3G/4G and so on?
- Is it sufficient only to address the transport element of network security? How will security be ensured for the storage and processing of data, for example on the computers, laptops, and servers provided by Chinese state-owned Lenovo where China’s rules for surveillance and espionage also apply? What about apps like TikTok and Huawei’s AI and cloud solutions?
- Who should perform the security assessment? Telecom operators, military departments, intelligence agencies, private security consultants, law enforcement, or some other actor?
- How will shareholders account for increased security risk in networks? Have shareholder asked relevant questions about operators’ security practices and the associated risk?
Strand Consult believes it is dangerous for telecom operators to make the decision about Huawei themselves without involving the authorities. There are a lot of arguments for why telecommunications companies should involve the competent and relevant authorities. Telecom operators must understand that If telecommunications companies assume responsibility as those who assess each supplier in relation to national security, they will be held responsible when things go wrong.
When you take on a responsibility, you also take on risk. Thus, shareholders are exposed to increasing risk when using high risk vendors. The historical facts show that telecommunications companies have been wrong in the past when assessing cooperation with partners which have proven to be corrupt. Some partnerships have cost shareholders billions of euros. In practice, operators are limited in their ability to judge whether partners and vendors are trustworthy.
Strand Consult’s research shows that is not only government, intelligence, and security officials who are concerned about compagnies like Huawei. Nor is it just telecom operators which build and run networks. It is the small, medium, and large enterprises that use networks that fear that their valuable data will be surveyed, sabotaged, or stolen by actors associated with the Chinese government and military. Consequently, it is the clients of telecom operators which push to restrict Chinese made equipment from networks. This is described in this research note, The pressure to restrict Huawei from telecom networks is driven not by governments, but the many companies which have experienced hacking, IP theft, or espionage.
What the future looks like – just ask the banks.
If you want to see the future of the telecom industry, look at what happened with banking. European banks have been required to implement Anti-Money Laundering (AML) and the Counter Terrorist Financing (CFT). About 10% of European banks employees are today working with compliance. Telecom authorities, defense officials, and other policymakers and will likely see cybersecurity is vital for Europe and that telecom infrastructure is critically important. So just as the banks have been put under a heavy regulatory regime to address corruption and financial crimes, the telecom industry will be required to implement deterrence of cyberattacks.
In practical terms, the authorities in the EU and in each nation state will likely make some demands that challenge the network paradigm that telecommunications companies operate today. The rules will likely be so rigid that they will effectively eliminate Huawei and other Chinese companies from being vendors without making explicit bans. However, it won’t be governments alone driving the charge. Corporate customers of telecom networks, companies that have experienced hacking, IP theft, or espionage, will also join the effort. This is described in this research note, The biggest taboo in European telecom industry is the cost of cybersecurity – just ask the banks.
The EU’s 5G Toolbox is the first step towards greater security and accountability in the transport layer of 5G, but there are many critical communications networks which also must be kept safe from Huawei. Policymakers need to look at Huawei’s movement into cloud and AI solutions in the application layer as well as the many state-owned Chinese firms in the access layer like Lenovo.
For 25 years, Strand Consult has held strategic workshops for boards of directors and other leaders in the telecom industry. We offer strategic knowledge on global regulatory trends and the experience of operators worldwide packaged it into a workshop for professionals with responsibility for policy, public affairs, regulation, communications, strategy and related roles.