Research Notes

Eight risks for the 5G supply chain from suppliers under the influence of adversarial countries like China

The world we live in is changing rapidly. China is not the country we knew 10 years ago. Today China considers Russia, North Korea, Iran and the former regime in Syria as its friends. These are countries that want to undermine the democracies that we in the free world value.

China helps Russia wage war on Ukraine. Chinese mobile network suppliers have delivered 4G networks to Crimea after Russia’s invasion in 2014. Thousands of North Korean soldiers fight on Russia’s side in the war against Ukraine. This war is waged on European soil with what appears to be approval from the Chinese government.

A lot has been written and said about the topic of “untrusted vendors”. However, the debate can be derailed by myths planted in the media by Chinese suppliers. The Chinese suppliers don’t want to lose the good countries they have outside China. However, non-Chinese suppliers never get a chance in China to begin with.

Australia was the first country to restrict Chinese equipment formally with a new law, notably for 4G in 2012. See the article describing Social Democratic Prime Minister Julia Gillard’s ban on Chinese mobile network equipment. The USA had existing laws which it applied in 2011, and other countries have followed.

The European Commission, European Union Agency for Cybersecurity (ENISA) and the Body of European Regulators for Electronic Communication (BEREC) developed an EU-wide coordinated risk assessment. Based upon a set of identified risks, the EU 5G Toolbox was developed and agreed to include strategic (non-technical) and technical mitigating measures. In sum, the European Commission and the EU member states implement key measures in two areas: strategic (non-technical) and technical security measures. Both of these assessments and mitigation measures must be satisfied to deem 5G equipment suppliers as secure and trusted.

The European Union (EU) 5G Toolbox was originally developed by EU member states. In the 2nd Progress report of the EU 5G Toolbox (June 2023), all 27 EU Member States pledged to fully implement the EU's 5G Toolbox. As of June 2023, 24 Member States have adopted the toolbox or were in the process of doing so, for example by preparing legislative measures which vest the local authority to perform security assessments. By June 2023, only 11 Member States had taken measures to implement high risk vendor restrictions. As all EU countries support the 5G Toolbox, its implementation moves toward the de facto removal of Huawei and ZTE from European mobile networks.

In this note, Strand Consult identifies 8 risks for the 5G supply chain from suppliers under undue influence of adversarial countries like China.

1. 5G Networks as Critical Infrastructure

5G networks extend beyond communication, connecting vital systems like energy grids, water utilities, transport, and industrial processes. The security and resilience of these networks are essential for public order, strategic autonomy, and national security.

While the EU’s 5G Toolbox is focused on mobile networks, the EU and many member states like Denmark are looking at such a risk assessment toolbox more broadly. In practice, this toolbox can be used to assess other parts of telecommunications networks and communication systems used by national train companies and other critical infrastructures.

A new Danish law directs assessment of telecommunications equipment and requires removal of equipment from non-trusted vendors. This Investment Screening Act forms the foundation for the Danish National Strategy for Cyber and Information Security. The assessment is performed by The Centre for Cyber Security (CFCS).

More countries are likely to follow Denmark and implement corresponding laws across all types of critical infrastructure.

2. Supply chain disruption and operational risks

Export controls can reduce supply and force some hardware manufacturers to use components that do not always meet international quality standards. These manufacturers may substitute different, sub-standard, or otherwise risky components on account of related suppliers under adversarial state influence. Hardware and software are subject to continuous risks of sanctions, export controls and other legal/political repercussions that can disrupt the continuous use of already installed equipment or affect its performance.

At any time, suppliers under adversarial influence can introduce vulnerabilities, malware, or other exploitative features into networks, intrude, and/or interfere in networks, including through the firmware or software updates that firms use to protect their systems. These tactics can overwrite the original source code reviewed and screened by authorities.

Telecom networks are under constant attack by Chinese state-affiliated attackers. The threat intelligence platform Recorded Future examines the supply chain risks of a Huawei network monoculture under extraordinary circumstances (such as direct conflict).

3. Strategic dependency risks

China’s state backing for Huawei and ZTE has allowed these two firms to seize global market share from innovative non-Chinese telecom equipment companies. They seize market share by severely limiting their competitors’ access to China and related markets and by supporting Huawei’s and ZTE’s rapid expansion overseas. These practices include but are not limited to illegal state subsidies of industry, artificial currency devaluation, intellectual property theft (espionage and/or forced technology transfer), dumping, “debt trap diplomacy”, weak labor and environmental standards to lower prices, market access manipulation, counterfeiting, imitation, economic coercion, and other methods. A shake-out of non-Chinese suppliers poses a long-term risk to nations that seek resilient, diversified supply chains or want to avoid being solely dependent on Chinese suppliers for their communication needs.

Chinese state practices to promote national champions have been documented by the EU, the US, and the think tank Merics. China has used these practices to get a foothold in the market while driving out non-Chinese competitors over time with a range of illicit tactics, leaving nation states without options for non-Chinese suppliers. State subsidies provide the opportunity to acquire cheaper equipment in the short term, but in the long run they push the remaining non-Chinese suppliers out of the market, leaving nation states without non-Chinese supplier options.

Today, Chinese suppliers such as Huawei and ZTE hold over 98% of the market for 5G equipment in China. Very simply, China and Chinese suppliers have better conditions outside China than Western suppliers have in China.

4. Privacy and data exploitation risks

Hardware has both authorized and unauthorized access to personal, corporate and government user data, and suppliers can violate privacy laws whether accidentally or on purpose. Such situations include when suppliers visit physical locations, make logs of calls, and conduct billing and payment with customers. Such data may be held by telecom operators and may be accessible to hardware providers. This data, if it is relayed on Chinese network elements, has the potential to be relayed to Chinese actors like intelligence and defense authorities. Such data is desired by adversarial nations to profile targets, dissidents, military personnel, and vulnerable persons for extortion. Chinese government actors used geolocation services and triangulation to identify citizens who had recently visited Wuhan during the early days of the pandemic. In addition to the oligopoly of Chinese mobile network vendors, Chinese surveillance companies had 45 percent of the global facial recognition market in 2023.

This risk applies not only to mobile networks, but also to Chinese cloud-based solutions that are marketed, sold, and implemented around the world. In many places, companies and consumers don’t know that their data ends up in a built-in cloud that is run by and belongs to suppliers with close ties to the Chinese regime.

5. Political risks

Dependency on hardware in critical infrastructures creates a dependency risk on the country from which hardware equipment is supplied. Aside from the risks covered above, such dependency can be exploited by the state of the beholden supplier for political reasons to achieve political outcomes, for example in the case of emergency or crisis. In such situations, the integrity and/or availability of the 5G network can be compromised. In more practical terms, the state of a beholden supplier could limit the supplier’s ability to provide software updates (for example to interfere with patching vulnerabilities) or force it to change configurations in the system, thus altering performance parameters in ways that can degrade network performance. The extreme possibility of a kill-switch is discussed, but public domain evidence has not been shared. Hence it is hard to assess such a risk, but it does exist. Hence, policymakers must fall back on the question of acceptable risk tolerance under genuine uncertainty while considering the information value at stake of disrupting 5G connected critical infrastructures.

6. Undue state influence – supplier autonomy

Factors limiting a supplier’s autonomy are non-technical in nature. A foreign supplier’s autonomy can be constrained by its home country’s legal and political system. For instance, the supplier may be subject to intelligence laws, direct or indirect government ownership, or other means of influence or control. In some cases, the lack of transparency makes it impossible to ascertain whether a foreign supplier can act independently of its home government. The absence of supplier autonomy also means that obligations put by the state on beholden suppliers may be contrary to the commercial interest of the supplier in question. In such a case, its rights to conduct business and safeguard its economic rights may be violated. Hence, the motivations of this category of influence and ultimately the risk of attacks are primarily political.

Undue influence or state control over suppliers is a distinctly different issue, i.e. a unique threat vector, and hence distinct from technical security considerations, such as the supplier’s technical capability or capacity to secure its products. However, in addition to the non-technical factors, a supplier’s products may also be technically defective, leaving them vulnerable to attacks from threat actors, including those acting on behalf of foreign governments. It is therefore essential to emphasize that a supplier also needs to ensure an adequate technical security posture to defend networks against cyberattacks. A supplier that is deemed to be free from undue state influence but lacks an adequate security posture in its products also introduces risks to critical infrastructures.

7. Counterintelligence risks

Espionage by technical means – Chinese hardware under state influence may use equipment in both RAN (Radio Access Network) and core networks for covert surveillance, data extraction, monitoring or precise location of targets like public officials, commercial entities, or dissidents through unpublished features and backdoors, or breach of features available for law enforcement agencies. Published reports involve ZTE in Uganda assisting the government’s political opponents with digital surveillance, Huawei in the African Union, or the recent state-affiliated (APT) Salt Typhoon incident, see here or here.

Mass surveillance and collection of data – e.g. during summits – may take place for decryption, awaiting the availability of advanced computing resources.

Espionage can also be conducted through human resources. China’s National Intelligence Law requires individuals to support Chinese intelligence activities, and both managerial and technical staff of hardware have been deployed by China’s Ministry of State Security. The most notable example is the arrest of Huawei staff while breaching the air-gapped information network exclusively used by the Polish Prime Minister and the Cabinet Members. In addition, there are cases of corporate espionage linked to hardware, see here, here, and here.

Data interception and manipulation are enabled by compromised hardware or software that enable interception, rerouting, or modification. Such backdoors or vulnerabilities are deliberately hidden or ignored to be later exploited by Chinese state-sponsored APT groups, see here, here and here.

8. China’s use of lawfare to silence its critics in the free world

There is a deeply disturbing trend of Libel Lawfare, in which the Chinese government and its affiliates use lawsuits to silence and intimidate those who dare to call attention to their illicit practices. Under China’s Libel Lawfare, legitimate commentary is litigated as libel, and critics are called liars. China’s strategy is used to target journalists, independent researchers, scholars, small businesses and other organizations which lack sufficient resources to defend themselves in litigation against giant multi-billion-dollar Chinese government actors and state-owned corporations. Besides trampling on the free speech laws of people in the democratic world, availing themselves of democratic processes little known in China, and forum shopping for friendly courtrooms, these Chinese actors and their lawsuits attempt to punish and deter foreign critique of Chinese corporate practices and policies.

Prof. Jamil Jaffer, Founder and Executive Director of the National Security Institute at the Antonin Scalia Law School at George Mason University, testified on these practices to the US House of Representatives Select Committee on the Chinese Communist Party.

Last week John Strand spoke at the Parliamentary Intelligence-Security Forum, held at the US Senate. He participates in this recurring event which rotates locations around the world. Last week’s event featured over 300 Members of Parliaments from over 60 democratic countries. Watch John’s presentation on How China Uses Lawfare to Silence Critics in EU and US.

Conclusion

This research note described 8 risks for the 5G supply chain from suppliers under the influence of adversarial countries like China. While these risks are described in relation to 5G mobile networks, they can also be examined for other communications networks and critical infrastructures. These risks emerge because of undue influence exercised by foreign governments through the supply chain of 5G equipment and ultimately the suppliers of 5G and by extension other critical and sensitive products used in critical infrastructures. Such undue influence introduces a unique threat vector in the supply chain associated with multiple risks. Foreign suppliers that cannot act autonomously can fail to fulfil their obligations to the procuring operator or to comply with privacy and security laws of the country where their equipment is used. Undue influence is a nontechnical condition, and objective criteria have been established in some jurisdictions to guide an assessment of supplier autonomy.

This note does not aim to cover the complete arsenal of tools that a state actor can use to achieve its strategic intelligence or influence objectives, including the use of advanced persistent threats (APT). Rather, it is limited to providing a high-level overview of the situation and the associated risks of state influence through the supply chain of critical infrastructure operators, in situations where undue state influence over beholden suppliers present in the supply chain is or can be leveraged. This note does not aim to cover the specific technical steps, methods, and procedures that a beholden supplier can apply or through passivity accommodate when requests to support a state’s strategic objectives are passed down to the beholden supplier.

Critical infrastructure operators, such as 5G mobile operators, source critical and sensitive products from suppliers to configure, integrate, deploy, and operate networks and systems that deliver or enable critical or essential services for consumers, industries and the public sector, and that connect other critical sectors (energy, water etc.). Suppliers source components and design and develop their own components, which are packaged into final products and solutions that are offered to operators of critical infrastructures. This relationship also includes suppliers being responsible for their products over the entire product life cycle (typically 5-10 years), including installing products, managing spare parts, providing software updates and upgrades of products, and providing emergency patches to rectify vulnerabilities.

Factors limiting a supplier’s autonomy are non-technical in nature. A foreign supplier’s autonomy can be constrained by its home country’s legal and political system. For instance, the supplier may be subject to intelligence laws, direct or indirect government ownership, or other means of influence or control. In some cases, the lack of transparency makes it impossible to ascertain whether a foreign supplier can act independently of its home government. The absence of supplier autonomy also means that obligations put by the state on beholden suppliers may be contrary to the commercial interest of the supplier in question. In such a case its rights to conduct business and safeguard its economic rights are being violated. Hence, the motivations of this category of influence and ultimately the risk of attacks are primarily political.

Due to the non-technical nature of hardware risks described in this note and the criticality of 5G networks to a nation, effective mitigation of non-technical factors and risks has been deemed to require non-technical mitigations, e.g. exclusions by: “assessing the risk profile of suppliers and applying restrictions for suppliers considered to be high risks-including necessary exclusions to effectively mitigate risks for key network assets”. Such restrictions in national laws have been implemented in, among others: Australia, Belgium, Canada, Costa Rica, Denmark, France, Estonia, India, Japan, Latvia, Lithuania, New Zealand, North Macedonia, Portugal, South Korea, Romania, Sweden, UK and US. Note that the EU 5G Toolbox framework is specific to EU member states. Non-EU jurisdictions have developed their own country-specific frameworks, with or without explicit measures related to hardware codified in their national law, and in many cases without explicit public designation of hardware, in order to also consider diplomatic relations.

5G networks relay more than just private and corporate communications. They underpin critical societal functions by connecting energy grids, water systems and vital industrial production, mines, and logistical solutions such as trains, roads, airports and harbors. Consequently, the security posture of these networks, including their suppliers, needs to be considered in a broader context beyond privacy and confidentiality risks, such as risks to public order, strategic autonomy, resilience, and ultimately national security.

Policymakers across the world increasingly focus on communications network equipment from Chinese vendors. Strand Consult has published many research notes and reports to help telecom companies navigate a complex world and has detailed the challenge of Chinese network equipment.

Although some customers disagree with its views, Strand Consult’s job is to publish what is actually happening and how policy decisions may affect the customer’s business in the future. Here are some more relevant Strand Consult research notes.

Feedback and questions about this note can be directed to Strand Consult CEO John Strand
