Nokia puts O-RAN Alliance relationship on hold. Other companies likely to follow. Strand Consult Research Note
Nokia is a leading technology contributor to the O-RAN Alliance, but has put its contribution on hold, citing US policy concerns. US agencies have cited O-RAN Alliance members Kindroid, Pythium, and Inspur because of their role in Chinese military modernization and weapons of mass destruction development. This follows US restrictions placed on Huawei and ZTE for illegal exports to North Korea and Iran, violations of the international Wassenaar Arrangement On Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The move was reported on Friday by Politico and has since been confirmed by Nokia.
In December 2020, Strand Consult published a research note detailing the 44 members of the O-RAN Alliance which are Chinese government-owned and/or military aligned. These include firms whose products have been determined to be security risks by the US Department of Commerce, the US Department of Defense, and the Federal Communications Commission (FCC). Kindroid and Pythium have been placed on the Department of Commerce’s Entity List; the Pentagon barred Inspur from federal procurement for its military ties; and the FCC denied an operating license to China Mobile and may revoke the licenses of China Telecom and China Unicom. While Huawei is not formally involved in the O-RAN Alliance, Strand Consult believes it has an informal relationship with the organization given its close ties to many O-RAN members.
The ostensible purpose of OpenRAN, at least in the US, is to limit the presence of vulnerable Chinese government technology in networks. In fact, O-RAN Alliance members exchange specifications on OpenRAN every 6 months; this means that the 44 Chinese member companies, including those on the US Entity List, get fresh OpenRAN code at least twice a year. Given that Chinese state-owned companies comprise more than one-fifth of the membership of the O-RAN Alliance, it is essentially impossible to limit Chinese government influence in the organization. As such, non-Chinese companies may reconsider their membership in the O-RAN Alliance to reduce risk and improve security.
Moreover, the O-RAN Alliance appears to fall short of the “open” standard it advocates. The O-RAN Alliance does not satisfy the transparency and openness criteria laid down in the World Trade Organization’s Principles for the Development of International Standards, Guides and Recommendations. In contrast to bona fide standards development organizations (SDOs) like the Third Generation Partnership Project (3GPP), the O-RAN Alliance does not develop standards, nor does it operate in an open, transparent manner. The O-RAN Alliance is a closed industrial collaboration to develop technical RAN specifications on top of 3GPP standards.
Nokia is not the first organization to review and pause its membership in an industrial organization. Indeed, it is only prudent that a firm should assess the impact of its memberships in relation to what’s best for its shareholders, employees, and customers and to ensure that it operates in accordance with the laws in the countries it serves. Much has been published by US federal authorities, international media, security analysts, academics, and policy advocates about the growing threats and risks of Chinese government technology. An estimated 3000 Chinese government owned companies operating in the US today are considered integral to China’s Military Civil Fusion project.
Given growing demands by US and European voters for accountability, it is possible that many of these 3000 Chinese firms will trigger policy tripwires because of their military alignment, security vulnerabilities, human rights violations, and other illegal activities. The FCC has just launched a significant rulemaking on how its equipment authorization process could allow a preemptive ban on vulnerable and insecure devices to “guard against malicious and foreign intrusions.”
If anything, more companies will likely follow in Nokia’s footsteps to pause, if not end, their membership in groups like the O-RAN Alliance. Many assert that a solution to address the influence of the Chinese government in the O-RAN Alliance is necessary.
A related challenge from the US perspective is that US authorities may have been “irrationally exuberant” or, as RWR Advisory suggests, overly enthusiastic, with the notion of OpenRAN as a panacea to the Huawei problem. It appears that some policymakers have not thought through the technical issues and consequences of Chinese government actors being involved in the development, design, and production of O-RAN equipment.
There appear to be three ways forward.
- Policymakers, whether Congress, the Executive Branch, and/or other European authorities, can say there is no problem with cooperating with Chinese government companies to develop OpenRAN technologies and that US and European companies can participate in the O-RAN Alliance and other organizations under the influence of the Chinese government. (Probably the least likely outcome.)
- The O-RAN Alliance voluntarily cleans up its act, or non-Chinese members leave.
- Policymakers may consider rules about the use of OpenRAN equipment and could deem O-RAN Alliance developed technology vulnerable and therefore unacceptable in networks.
Many have mistakenly assumed that because a technology is branded as “open”, it is safe and secure. The fact remains that no official security assessments of OpenRAN have been published to date, and there is no public access to the “open” specifications to conduct an objective security assessment.
What this means for mobile operators and other technology companies.
The realization of China’s role in the O-RAN Alliance is important not only for its equipment manufacturing members, but also for its mobile operator members like Vodafone and T-Mobile. These two operators have touted OpenRAN as an alternative to Huawei and ZTE. Given the heavy involvement of Chinese government owned firms in OpenRAN, the effort to rip out Huawei and ZTE equipment has in many cases amounted to replacement with other Chinese brands.
One example of OpenRAN’s technological vulnerability is the use of Kubernetes, also known as K8s, an open-source system for automating deployment, scaling, and management of containerized applications. While it began life in 2014 as a Google project, Kubernetes currently is under the jurisdiction of the Cloud Native Computing Foundation, an offshoot of the Linux Foundation (perhaps the world’s largest open-source organization). By late 2017, Huawei had gained a seat on the Kubernetes Steering Committee. Huawei claims to be the fifth-biggest contributor of software code to Kubernetes. There is a Memorandum of Understanding (MoU) between Deutsche Telekom, Telefonica, TIM, Vodafone and Orange that OpenRAN should be built on top of Kubernetes.
In pausing its contribution to the O-RAN Alliance, Nokia just highlighted an obvious issue. Strand Consult described this problem long ago, but authorities have been slow to recognize it. Many policymakers, including some responsible for national security, have been slow to recognize the issue. This delay threatens national security. Other companies are likely to follow Nokia’s lead and not wait for policymakers to act.
To learn more about this issue, see Strand Consult’s library on security and risk of Chinese government technology.