by John Strand, Strand Consult (edited by Alan J Weissberger)
European Commissioner Thierry Breton presented the European Commission’s plan for banning High-Risk Suppliers like Huawei and ZTE from European telecommunications networks. Here is the first portion:
The security of 5G networks is essential. They are critical infrastructures in their own right and for other sectors that depend on them, such as energy, transport, health and finance.
This is why, in January 2020, the EU unanimously adopted a toolbox on the security of 5G networks. The “5G cybersecurity toolbox” defined the risks and the measures to be taken by Member States and telecoms operators to address them.
In particular, it recommended that the use of equipment in the core and access (RAN) parts of the networks should be restricted or prohibited for entities considered to be “high-risk suppliers”, notably because they are subject to highly intrusive third-country laws on national intelligence and data security.
3 years on, almost all Member States have transposed the toolkit’s recommendations into their national law. In other words, they can now decide to restrict or exclude suppliers on the basis of security risk analysis. But to date, only 10 of them have used these prerogatives to restrict or exclude high-risk vendors.
The Commission also released a status report on “Member States’ Progress in implementing the EU Toolbox on 5G Cybersecurity.”
Breton’s message is that the member states must move more quickly to implement the 5G toolbox.
Here are Breton’s key points with Strand Consult’s assessment (SC):
- All EU member states are committed to implementing the EU’s 5G Toolbox. To date, 24 Member States have adopted or are preparing legislative measures giving national authorities the powers to perform an assessment of suppliers and issue restrictions.
- SC: This means that all EU countries support the 5G Toolbox, the implementation of which will work to remove Huawei and ZTE from European networks.
- 10 Member States have imposed such restrictions, and an additional 3 Member States have relevant national legislation underway.
- SC: This is a significant improvement compared to a few months ago when Strand Consult released its report The Market for 5G RAN in Europe: Share of Chinese and Non-Chinese Vendors in 31 European Countries. Given the Commission’s communication we the remaining more operators in 14 countries to move more expeditiously to remove Huawei and ZTE equipment.
- The Commission considers that decisions adopted by Member States to restrict or exclude Huawei and ZTE from 5G networks are justified and compliant with the 5G Toolbox.
- SC: This statement is very important to support the member states where Huawei and China attempt to thwart the implementation of the toolbox. China has made unseemly threats in certain member states. Now these states have meaningful European Commission support. For example, in December 2019, Wu Ken, the Chinese ambassador to Germany, was quoted as threatening the German auto manufacturing industry that access to the Chinese market could be restricted should Chinese Huawei be excluded from participating in contracts to build Germany’s 5G networks. The statement dampened Germany’s enthusiasm for opening its EU toolbox and examining its requirements.
- The Commission will take measures to avoid conducting its official communications via mobile networks built with Huawei and ZTE equipment.
- SC: If an EU mobile operator uses Huawei or ZTE equipment in its 5G network, the European Commission will not do business with that operator. In practice EU operators which use Huawei and ZTE will be labeled as “non-trusted operators.” This will likely accelerate the exodus of corporate customers from European operators which don’t want to conduct their business on Chinese networks. Strand Consult described this in its 2019 research note The pressure to restrict Huawei from telecom networks is driven not by governments, but the many companies which have experienced hacking, IP theft, or espionage. This is a needed and important step from the Commission.
- The Commission also intends to reflect this decision in all relevant EU funding programs and instruments.
- SC: The EU will further restrict grants, subsidies, and financing to European entities which use Huawei and ZTE equipment. This will have consequences for rural EU operators which receive EU money and recipients of European Investment Bank (EIB) loans.
Strand Consult is not surprised by today’s announcements. They are consistent with the security analyses and recommendations Strand Consult has published for years.
Some EU countries and operators will find it difficult to implement the EU’s new security and procurement policy. However, Strand Consult believes that it is good business for an operator to communicate that it takes security seriously and to back that up with a clean network free of Huawei and ZTE equipment.
Strand Consult predicts that Huawei will make the road ahead difficult and will attempt to sabotage the European Commission’s efforts. Nations and operators should prepare for pushback by reading Strand Consult’s reports on Huawei’s tactics. Moreover, non-Chinese employees will likely find that working for Huawei has reputational risks.
How foreign network equipment is treated in China.
The foundation of any economy, be it the EU, the US or China, is national security. Some may find the EU approach tough, but it pales in comparison to the blockade that China has imposed on foreign technology providers for years.
China restricts these technologies for ideological and economic reasons. Most people take for granted that the websites and media they access every day are not available in China. These foreign technologies and their operators have been denied access to the world’s single largest online market, hundreds of millions of internet users, and a multi-trillion-dollar opportunity. Moreover, the Chinese people are denied the freedom to engage on an open internet.
Building upon censorship frameworks in traditional media which had been in place for decades in China, its State Council adopted rules and regulations to control internet traffic beginning in 1996.
The media focuses mainly on US and EU network security and associated vendor policies. However, few if any investigate the rules in China.
A detailed review is available from White & Case, February 2022. In general, China’s rules are significantly more rigid than those of the US and EU. These rules do not entail the same process and transparency which are standard and expected in the West.
The New Measures list the following main factors for assessing national security risk during cybersecurity review.
- The risk of any critical information infrastructure being illegally controlled, tampered with or sabotaged after any product or service is used.
- The risk of an interruption in the supply of any product or service endangering the continuity of any critical information infrastructure.
- The security, openness, transparency, diversity of sources and reliability of any supply channel of any product or service, and the risk of its supply being interrupted due to political, diplomatic, trade or other factors.
- The compliance of the provider of any product or service with the laws, administrative regulations, and departmental rules of China.
- The risk of any core data, important data or a large amount of personal information being stolen, leaked, destroyed, illegally used, or illegally transferred abroad.
- The risk of any critical information infrastructure, core data, important data, or a large amount of personal information being affected, controlled, or maliciously used by foreign governments, as well as any network information security risk.
- Any other factor that may endanger the security of any critical information infrastructure, network security or data security.
The effect of these rules is to limit foreign providers from the market from the start and to favor Chinese providers.
While the media sensationalizes cases like Huawei and TikTok, these pale in comparison to the systematic restriction undertaken by China against foreign technology for the last 20 years. Moreover, Chinese technology companies enjoy more freedom abroad than foreign technologies do in China.
Technological and informational control and restriction are widely practiced across China. This fulfills many political, social, cultural, economic, and religious objectives for the PRC, and is practiced by the government, corporations, and individuals themselves. It has increased under General Secretary Xi. This censorship is coupled with pervasive surveillance of people. Meanwhile, the PRC has attempted to export this “new world media order.”
Strand Consult addresses China’s restrictions in its 2020 report You Are Not Welcome: An Analysis of Thousands Foreign Technology Companies Blocked by China Since 1996. It describes how and why China has systematically restricted thousands of foreign internet technologies like online news and media outlets, social media platforms, virtual private networks, content delivery networks, mobile applications, telecommunications equipment, cloud services, and other technologies.
With its new 2023 report The Market for 5G RAN in Europe: Share of Chinese and Non-Chinese Vendors in 31 European Countries, Strand Consult brings valuable evidence of the location, amount, and share of Chinese and non-Chinese equipment in European telecom networks. This report, the second of its kind, describes the respective amounts of 5G equipment from Huawei, ZTE, and non-Chinese vendors in European mobile networks and the share of such equipment in the 5G Radio Access Network (RAN).