As the issue of security in 5G networks gains momentum, policymakers around the world are taking contrasting approaches. Concerns around the use of Chinese vendors is resulting in outright bans in some countries (US, Australia, New Zealand), whereas others are yet to take a definite stance, such as the UK whose government is finalising a review of the telecoms supply chain. Operators were initially quiet on the issue, but they are now taking explicit stances to keep the market for network equipment as competitive as possible, to avoid delays and increased costs in 5G roll-out. As our Cybersecurity Tracker shows, It is likely that vendors will have to face more thorough scrutiny, whereas operators could end up having to avoid using one single vendor in core parts of their networks, as proposed in Germany.

The German regulator’s draft plan requires telcos to check vendors’ trustworthiness

The Federal Network Agency, BNetzA, has worked with the country’s Cybersecurity agency BSI to update the security requirements for telecommunications networks. The draft introduces nine additional requirements, such as the need to obtain systems from ‘trustworthy suppliers’ (particularly when it comes to ‘critical core components’ and when outsourcing security-related tasks); to monitor traffic regularly for abnormalities; to avoid ‘monocultures’ (i.e. the use of one vendor only) in planning and setting up networks. The new requirements are now subject to public consultation; it is expected that BNetzA will finalise them by the end of 2019.

The rules come at a time when European regulators are in the process of positioning themselves on network security. As detailed in Assembly’s Cybersecurity Tracker, concerns around the security of network components marketed by Chinese vendors (Huawei above all) have led governments around the world to consider limitations, or outright bans, on the use of such equipment. Some countries, such as Australia, have taken a very radical approach by banning Huawei in both the core and access segments of operators’ networks; others have been more specific in proposing a ban in 5G networks only (New Zealand, Norway). The stance taken by German regulators draws a compromise by requiring telcos to assure the trustworthiness of their suppliers; it is likely that this approach will be influential on choices about to be made by the European Commission, which is reportedly considering a ban on Chinese vendors. A stance similar to that taken by the German regulator could be adopted in the UK, where the government moved from “limited assurance” that Huawei equipment is safe, to a provisional position of manageable risk; this could lead to a cap on the extent to which Huawei equipment is used, instead of a complete ban.

Operators are throwing their weight behind Huawei to avoid delays to 5G

When the issue of the security of Chinese equipment arose, telcos initially took a cautious approach and generally refrained from voicing their position. In recent weeks, as the scale of the problem grew, operators have started to voice their concerns more loudly. In Germany, Deutsche Telekom reportedly proposed a plan in January 2019 to avoid banning Huawei in the country, in an effort to make the debate ‘more fact-based’. In February, the GSMA called on European regulators to safeguard competition in their effort to strengthen network security. In March 2019, Vodafone UK warned explicitly that a ban on Huawei would force it to replace equipment in about a third of its 18,000 mobile base stations; this would cost ‘hundreds of millions of pounds’ and significantly slow down the deployment of 5G. The operator also noted it uses Huawei in the RAN, which is much lower-risk compared to the core parts of the network where it uses no Huawei equipment.

Operators are understandably keen to preserve competition in the market for network components. Competing vendors ensure lower costs in network deployment, which in turn strengthens the case for operators’ investment in networks. Huawei is understood to be one of the lowest-priced, but most technically advanced vendors in the market; with a share of circa 35% in the European market, the Chinese vendor is undoubtedly a key player in the industry, whose exclusion would likely result in significant disruption at a time when regulators and policy makers are eager to win the race to 5G.

Huawei is increasing its engagement with policymakers

As operators raised their voice, Huawei also took steps to engage more actively with regulators around the world, in an effort to build public trust and improve regulators’ perception of the company. On 5 March 2019, the company opened its Cyber Security Transparency Centre in Brussels, which will showcase Huawei's cybersecurity practices; provide a platform for product security testing and verification; and, crucially, ‘facilitate communication between Huawei and key stakeholders on cyber security strategies’. The Brussels centre follows the recent opening of the Security Innovation Lab in Bonn, Germany, where Huawei plans to have ‘close and regular cooperation’ with the BSI.

These two centres show Huawei’s intention to strengthen its relationships with policymakers. To some extent, they have similarities with the Huawei Cyber Security Evaluation Centre (HCSEC) set up in 2010 in the UK, although they do not have the same in-depth oversight. The HCSEC is a Huawei facility located in the UK, which opened in November 2010 under a set of arrangements between Huawei and the UK government to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure. The HCSEC provides security evaluation for a range of products used in the UK telecommunications market; through it, the UK Government obtains insight into Huawei’s UK’s strategies and product ranges. The UK’s National Cyber Security Centre (NCSC) leads for the government in dealing with the HCSEC and with Huawei more generally on technical security matters. Since 2014, the HCSEC has an Oversight Board, chaired by the CEO of the NCSC and by an executive member of GCHQ’s Board with responsibility for cyber security. The Oversight Board continues to include a senior executive from Huawei as Deputy Chair, as well as senior representatives from across Government and the UK telecommunications sector. Regulators in other countries could look to replicate the same model; however, this would present the challenge to require Huawei, or any other vendor affected, to share their source codes with a trusted third party.