Some think that the debate on telecom infrastructure security is just Trump’s US v. China trade war. Sorry, this is not the case

Strand Consult has covered the debate on Chinese equipment in critical infrastructure for many years. We do this to dispel myths and to ensure that our customers, the world’s telecommunications companies, can make informed decisions.

Some believe that the debate on the use of Chinese infrastructure started with Donald Trump. This is not the case. Indeed, it is not difficult to document that the policy pre-dates Trump by years. This was already described in a Strand Consult research note in 2018. 

The first country in the world to take action on 4G was Australia in 2012. The Social Democrat Prime Minister Julia Gillard banned Chinese equipment. Other countries have since followed Australia.

The European Union Agency for Cybersecurity (ENISA) Telecom & Digital Infrastructure Security Forum 2024.

The European Union Agency for Cybersecurity (ENISA) just held its 2024 Telecom & Digital Infrastructure Security Forum, a key annual event for cybersecurity policymakers and professionals. A key presentation was held by Melanie Scheidt, policy officer from DG CONNECT in the European Commission, called “EU policy on the cybersecurity of 5G networks.”

The presentation emphasizes the importance of the report on the cybersecurity and resiliency of the EU communications infrastructures and networks The report examines risks of cyber-attacks on the EU’s communications networks and infrastructures by hostile third countries, i.e. nation state actors, but also organized crime groups and hacktivists acting in support of nation states. The report identifies 10 threats, including supply chain attacks, nation State interference on supplier, and network intrusion.

The EU Commission identifies 7 spill-over effects related to the vulnerabilities in telecom infrastructure and associated externalities including:

1. Disruption of access to emergency services and numbers, public warning systems
2. Disruption of emergency services if their communications and systems depend on the public mobile networks.
3. Disruption of digital payments
4. Disruption of secure communication with potential consequences on national security
5. Disruption of other critical sectors such as the health sector
6. Disruption to energy grid and energy supply as well as prolonged recovery time if attacked
7. Potential impact on the safety of individuals, the security of systems or networks used in other critical sectors, and/or on the confidentiality of intellectual property, trade secrets, etc.

Scheidt’s presentation described 10 risk scenarios:

1. Wiper attack to cause a large-scale network outage
2. Supply chain attack to gain access to the infrastructure of operators
3. Network intrusion as a preparation for future cyber-attacks
4. Third-country interference on a supplier, M(S)SP or submarine cable
5. DDoS attack to cause a large-scale network outage
6. Coordinated physical sabotage/attack on digital infrastructure
7. SS7 signaling attack to intercept communications and geolocation of target persons
8. Smishing attack to gain access to systems in other sectors
9. Power cut to cause a regional network outage
10. Interconnection attack to cause a large-scale network outage.

DG Connect categorizes the first 7 scenarios as high-risk and the last 3 as moderate to low scenarios. Based on these scenarios, they present five Strategic recommendations:

1. Resilience of international interconnection

• Assess resilience of international interconnection and clarify mandate
• Assess criticality, resilience and redundancy of core Internet infrastructure, such as submarine cables

2. Supply chain risks

• Create transparency on the landscape of suppliers and M(S)SPs used for fixed networks, fiber technology, submarine cables, satellite networks and other important ICT suppliers

3. Situational awareness and operational collaboration

• Involve the sector in cyber exercises and operational collaboration
• Foster information sharing and improve situational awareness about threats for the operators

4. Support operators with technical measures

• Provide funding support through relevant funding programs to operators for technical measures against cyber-attacks in their networks

5. Physical attacks on digital infrastructure

• Exchange good practices among national authorities about physical attacks on digital infrastructure
• Extend physical stress testing of critical infrastructure to include digital infrastructure

DG Connect offers 5 technical recommendations:

1. Mobile and fixed networks:

• Exchange good practices to support the detection and prevention of signaling attacks
• Exchange good practices to mitigate smishing attacks
• Exchange good practices and develop technical guidelines on the security of home routers

2. Network traffic routing security (Telecoms-as-a-shield)

• Exchange good practices and develop technical guidelines about blocking of cyber-attacks by operators
• Facilitate sharing of good practices on mitigating very large DDoS attack

3. Submarine cables

• Exchange good practices and develop technical guidelines on the resilience of submarine cables

4. Satellite communication networks

• Develop good practices in the area of securing satellite networks

5. Core Internet infrastructure

• Raise awareness of BGP security and promote good practices for the security of global Internet routing
• Develop guidelines to support Member States with cybersecurity supervision of IXPs and CDN.

There is significant research to inform the EU’s assessment. Moreover, it is clear that concerns about Huawei and ZTE go further than mere fear of espionage, however serious. The EU has long recognized that the telecommunications infrastructure provides vital functions for society. It is critical infrastructure which must be hardened and protected from abuse and degradation. In the same way that Europe was vulnerable to Russia shutting off the gas; Europe is vulnerable to China kill-switching the telecom network. 

Disregarding these concerns is like buying a car without seat belts or airbags. Hence buying equipment from countries with close relation to Russia, North Korea, Venezuela and Iran present risks.

The background for EU’s security assessment

The starting point for the DG Connect presentation was the 2019 EU-wide coordinated risk assessment including input from the European Commission, European Union Agency for Cybersecurity (ENISA), and the Body of European Regulators for Electronic Communication (BEREC). Based upon a set of identified risks, and to safeguard security and resilience, the EU developed a foundational and globally unique approach to security of 5G networks with the EU 5G Toolbox. The EU deems 5G networks critical for their horizontal role underpinning the delivery of health, energy, manufacturing, media, and mobility.

EU 5G Toolbox was developed and agreed to with strategic (non-technical) and technical mitigating measures. In sum, the European Commission and the EU member states implement key measures in two areas; strategic (non-technical) and technical security measures, both of these assessments and mitigation measures must be satisfied to deem 5G equipment suppliers as secure and trusted.

EU European Union 5G Toolbox was originally developed by EU member states. In the 2nd Progress report of the EU 5G toolbox (June 2023) all 27 EU Member States pledged to fully implement the EU´s 5G Toolbox. As of June 2023, 24 Member States have adopted the toolbox or were in the process to do so, for example by preparing legislative measures which vest the local authority to perform security assessments. By June 2023, only 11 Member States had taken measures to implement high-risk vendor restrictions. As all EU countries support the 5G Toolbox, its implementation moves toward the de facto removal of Huawei and ZTE from European mobile networks.

What does the future look like?

Scenario planning must be updated for new vulnerabilities, technological developments, and geopolitical developments. China today is not the same from the country which joined the World Trade Organization in 2001 or 2011. Indeed, there was a major shift in 2012 when General Secretary Xi Jinping came to power.

Xi considers Russia, North Korea, Iran and Venzuela his friends. His reign is marked by a notable decline in social democratic norms and freedoms, deliberate and systematic efforts to suppress human rights, and empirical declines in freedom of expression, religious freedom and freedom of the press.

The EU Commission is clear about network security. They say that the Member States measures to restrict or exclude Huawei and ZTE are justified and compliant with the 5G Toolbox and that Huawei and ZTE represent materially higher risks than other 5G suppliers.

In practice, this means that the Commission will take measures to avoid exposure of its corporate communications to those suppliers. This is done by avoiding buying telecommunications services from telecommunications companies that use these providers in their network. In addition, the EU Commission will ensure that this approach will reflect this assessment in all relevant EU funding programs and instruments.

The three risk costs associated with using Chinse equipment.

First: The costs associated with using suppliers from China. That is the risk EU described in the Report on the cybersecurity and resiliency of the EU communications infrastructures and networks It is the report that looks at risks of cyber-attacks on the EU’s communications networks and infrastructures, by a hostile third country, i.e. nation state actors, but also organized crime groups and hacktivists acting in support of nation states. The report identifies 10 threats including supply chain attacks, nation State interference, and network intrusion. 

Second: The commercial risk associated with using Huawei and ZTE equipment. Operators which do not use Chinese equipment have a competitive advantage and can offer their customers access to a network without Chinese equipment. Many institutions have sensitivity and heightened security needs for example banking/financial, public sector, military, and/or compagnies based on intellectual property.

Third: There may be additional costs associated with using such vendors and equipment. It may be that financial institutions and investors want to reduce security risk, rip and replace cost and so on.

 China’s official policy

In 2017, China implemented a National Intelligence Law which compels any Chinese subject to conduct espionage on behalf of the government (article 7). While ordinary citizens can be compelled to spy, operationalizing passive surveillance within networks through backdoors and other means is more effective. Given the increasing integration of software in network equipment, these backdoors are increasingly difficult to detect, as they can be shipped in subsequent software upgrades or activated after security clearances are concluded.

Today China suppresses not only basic human rights, but also people’s ability to practice their religion. Many official and respected reports demonstrate how China monitors and represses Uyghurs in Xinjiang, imprisions people for the purpose of suppressing their religion and re-educating them with the values that the Chinese dictatorship believes should apply in China.

People of other religions experience the same oppression in China, for example the Catholic Church and other Christian churches face discriminatory conditions in China. Last year China passed the “Patriotic Education Law,” consolidating the Chinese Communist Party’s control over education, including religious education. The new law, which was passed during a session of the National People’s Congress Standing Committee, would require churches and religious groups to adapt their educational activities to promote the party’s official ideology.

Understandably telecom operators want to be agnostic about vendors and their country of origin. That line of thinking worked when the universe of suppliers and nations generally shared the same values, principles, and practices. Unfortunately, vendors and equipment integrated with the Chinese state introduce uncertainty and unpredictability because the values diverge. These divergences become contractual baggage.    

Corporate decisionmakers understand this; that’s why they quickly cancelled contracts in Russia with the invasion of Ukraine. It’s just not good business to associate with countries and its companies which invade and oppress others. China’s oppressive practices are bad for business, and it’s better to steer clear of such practices. 

For more information about network security and telecom infrastructure, check out Strand Consult’s library of research notes and reports.