Germany is taking a step in the right direction for network security. Here’s what we know and the things people forget to talk about
Dear Colleague,
Yesterday German media reported that the German interior ministry wants to tighten the rules for the use of equipment from untrusted vendors like Huawei and ZTE. It’s a step in the right direction for the German government to honor its commitment to the European Union 5G Toolbox. Strand Consult described the background on the toolbox and EU network security policy.
All 27 EU member states pledged to implement the EU´s 5G Toolbox. To date, 24 Member States have adopted the toolbox or in process to comply, for example by preparing legislative measures which vest the local authority to perform security assessments. Only 11 Member States had taken measures to implement restrictions. As all EU countries support the 5G Toolbox, its implementation moves toward the de facto removal of Huawei and ZTE from European mobile networks.
There a lot of is contradictory information in the public domain regarding the German “decision”, so it is difficult to make a final conclusion on the policy. Here’s what we know:
- The German state acknowledges the risk in using equipment from untrusted vendors like Huawei and ZTE. It describes concern about National Security and the use of Chinese network equipment could result in a second Russian gas debacle, “like Nord Stream,” It called 5G networks as the “central nervous system” of German society.
- The German state use non-technical criteria/ factors that separate between if you prefer between trusted and untrusted vendors It is also recognized that the distinction between core network and radio access network (RAN) which was used previously to justify keeping equipment from untrusted vendors in networks, can no longer hold. The news declared that the risks of using untrusted vendors like Huawei and ZTE applies to both core and RAN infrastructure. The security risk cannot be isolated by keeping Chinese only in the RAN network for example. Because of the integrated nature of 5G networks, equipment from untrusted vendors poses a risk regardless of where it is in the network, whatever core or RAN.
- It asserted that use of Huawei and ZTE in the core network should be prohibited beginning January 1, 2026. A “phase-out” procedure is planned for the fixed access and transport network networks. Deutsche Telekom should do this by the end of 2025; Vodafone and Telefónica have until October 2026.
- It planned to define which regions of Germany which will be regarded as a security risks. In practice, certain regions of Germany will be subject to a ban of equipment from untrusted vendors like Huawei and ZTE.
- The plan will focus initially on removing untrusted elements from networks in Berlin/Brandenburg (3.7 million inhabitants) and Cologne/Bonn (1.4 million inhabitants) and replace it with equipment from trusted suppliers over the next three years. Separately, Strand Consult finds this distinction arbitrary. It is not logical that only citizens and enterprises in major cities (5.1 million inhabitants) are prioritized for secure networks while the 79 million citizens in the rest of Germany are considered to live in safe or lower risk zones.
- The news described that no more than 25 percent of network components should come from Chinese manufacturers in the coming three years. Separately, this provision seemed ambiguous, as it could only apply to network management software. If this is the case, there are likely to be complications in the policy. Strand Consult understands that there are different interpretations to this provision.
In all, however, the announcement was welcome as it signals a shift toward the common security direction of the EU. With its foot-dragging on removal of non-trusted vendors, Germany has been seen as the laggard in the EU, if not the problem child. For some years, it seems that Germany downplayed, if not rejected, the findings of official EU security assessments, and Germany appeared to have difficulty analyzing and implementing rules that ensure secure infrastructure.
The news also described costs to rip and replace untrusted equipment. Strand Consult has studied these switching costs. Given the precautionary principle and the fallout of the Nord Stream investment with the Russian invasion of Ukraine, it would seem that Germany would recognize that the Chinese shutting off 5G networks would be as perilous as Putin shutting off the gas.
Media reports have largely focused on the restrictions on untrusted vendors in Germany, but few, if any, report on the systemic restrictions that German and European firms face across many industrial domains. Here is more discussion on the double standard.
Rip and replace economics
Strand Consult’s report The real cost to rip and replace Chinese equipment from telecom networks, details what different European mobile operators have experienced when changing network vendors. Now many undertake 5G rollout. Operators have control over many of these costs depending on the timing and phasing of the rollout. To examine the financial impact of rip and replace effort, the issue can be examined by looking at the financial statements of mobile operators which have ended their contracts with untrusted vendors and switched suppliers.
If it were true that swapping Huawei would increase costs, there should be a marked CAPEX increase. However, we can see from T-Mobile in Nederland, Proximus in Belgium, Denmark’s TDC and Norway’s Telenor and Telia that costs did not go up for the same equipment investment when these operators switched from Huawei with Ericsson. The same can be said for KPN in Netherlands which switched from Ericsson to Huawei.
When it comes time to upgrade, most of Europe’s 2G, 3G and 4G networks were already 8-10 years old. Hence the equipment must be replaced anyway, so there is a foregone upgrade cost regardless of the choice of vendor. Moreover, in most networks, there are ongoing upgrades for software and other elements, so operators may choose to evolve their network investments over time, depending on the standard release. In many cases, operators may offer a blend of different standards in the same network as they upgrade.
Mobile operators are in the process of switching from 2G, 3G and 4G to 5G
In the German case, the operators complain that they made their upgrade and then were told to replace the untrusted vendors. Their view is that there was not a security risk and hence they should be able to keep their equipment.
However, this view must be held against the extensive public knowledge beginning in 2005 and increasing over time that Huawei posed security risks that could not be mitigated.
In practical terms, between 2019 and 2020, German operators made a commercial decision to purchase equipment from Huawei. Germanys operators chose to reject the overwhelming advice from experts and authorities around the world not buy Chinese equipment.
German operators knew well the financial risk in buying Chinese equipment. They also knew that the EU 5G Toolbox were underway. The US and other countries had long adopted its requirements. Instead of heeding this advice, Germany plunged headlong into Huawei purchases, even stockpiling equipment they knew would be restricted. For the full story read Strand Consult’s research note.
The rip and replace cost in Germany
Barclays Global Investors performed an extensive financial analysis June 14 2023 on the cost in Germany. Following is their assessment:
Huawei – EU to ask Germany to do more to reduce Huawei exposure
According to Reuters sources, the European Union is likely to ask Germany to do more to reduce its use of Huawei gear in its 5G network when Brussels publishes a progress report on the use of Huawei in Europe in the coming days. All three operators do not use anymore Huawei for their core network which has been banned since 2021 by the German government but Huawei equipment remains very present in the Radio Access Network: we estimate that for the three MNOs it is present in c. 50% of the cell sites. In March 2023, the German government had announced a review of the telecom suppliers use by the operators. A number of German officials have expressed concern about the importance of Huawei in German telecom operators’ network. Berlin and Beijing plan to hold talks to discuss this and other topics on 20 June 2023. Based on the number of estimated cell sites for each player (38k/27k/27k for DTE/VOD/TEF DE) and assuming a 50% presence for Huawei and a cost of replacement of EUR50k per antenna, the immediate replacement of all Huawei equipment would represent a bill of respectively EUR1.1bn/0.7bn/0.7bn which is respectively 1%/3% and 10%. For TEF DE’s parent company TEF it would represent c.1% of the market cap. However, if the ban is gradual and is allowed to take place over the natural upgrade lifecycle of the equipment the impact could be limited minimal as it would be part of the annual capex: for instance, DTE spends an estimated EUR300m on RAN every year in Germany. Notably, press reports (Financial Times 7 June 2023) indicated earlier that the EC may consider a mandatory ban on suppliers such as Huawei, with frustration that some national governments are dragging their feet on the issue. According to the article, only a third of EU countries have banned Huawei from critical parts of their 5G networks, despite the EC recommendations in its 5G toolkit to exclude “high risk vendors” from technology investments. Source: Reuters (13 June 2023)
A secondary analysis comes from Iain Morris at Light reading. While Barclays suggests a low to moderate switching cost, Morris believes it to be higher. Whether the cost is low, medium, or high needs to be weighed against the risks. What is the cost to the customer if their data or networks are compromised by Chinese state surveillance which Huawei is required to perform? What is the reputational cost to a European mobile operator which selects a vendor that develops tools and systems which are used for systematic human rights violations, or for a provider that partners with the Russian military? In these respects, switching to trusted vendors which offer the same or better network components at a competitive price is a no brainer.
In the German case, it must be asked, what is the cost of the wrong decision? If 5G networks are remotely switched off, what then? This Strand Consult research note explains the national security implications.
To learn more about cybersecurity, see Strand Consult’s library or contact Strand Consult.