Research Notes

The biggest taboo in European telecom industry is the cost of cybersecurity – just ask the banks

The security risks posed Chinese telecommunications equipment in networks is a hot topic. This research note breaks down the issue for operators, its political challenges, and the financial consequences. Though cybersecurity is managed on a nation state level in Europe, going forward, the European Commission will likely take a greater role.

The Chinese government and its army of 100,000 hackers is perhaps the leading source of cyberattacks around the world. A new report from the Center for Cyber ​​Security in Denmark declares cybersecurity threats in telecom networks have reached unprecedented levels.  While the US, Australia and Japan have pursued explicit restrictions on known malicious vendors, many European nations prefer a different path that requires minimum security standards.

For example Germany’s telecom regulator, Bundesnetzagentur (BNetzA), recently published a proposal on network security with request for comment by November 13, 2019. The document offers a short, non-specific catalog of security requirements for networks and data processing systems. No specific company or country is mentioned. The German car industry, which has big business in China, has pressured the German government to avoid restrictions on Huawei. Therefore, it is unlikely that the German government will lead on security measures that could be interpreted as discriminatory to China. Notably Germany’s Chancellor Merkel recently met with France’s President Macron and two dozen of Europe’s top industry leaders for a dinner, and network security was high on the agenda.

Meanwhile the European Commission and the European Cybersecurity Agency released an important report on coordinated risk assessment and cybersecurity for 5G. The report was created with limited stakeholder dialogue with telecommunications companies, infrastructure providers, and national authorities responsible for cybersecurity. The engagement did not include corporate users and institutions, the users that make a large part of network traffic.

The report reflects the current commissions view, which is likely to change when the new commission takes office on January 1. In its coverage of the report, the FT asked EU Security Commissioner Sir Julian King whether the report is a” fig leaf “for countries to use Huawei products, that is a means of political cover for countries to use dangerous equipment from China (The term “fig leaf” is metaphorical reference to Adam how Adam covered his nudity in the garden of Eden.).  Sir Julian King responded, “It doesn’t look like a fig leaf to me.” While some may prefer voluntary standards, it is likely that many governments will require telecom companies rip and replace parts of the equipment from China – Core network and in some cases Core and radio access network (RAN) equipment.

Moreover EU’s Network Information System (NIS) Cooperation Group will publish, by the end of December, a toolbox of mitigating measures to address cybersecurity risks at national and EU level. The design and content of the toolbox is likely a roadmap for EU in future. In practice, this means that the toolbox will have a greater significance than national decisions such as those Germany and other countries.

The toolbox is likely to be comprehensive but non-binding guidelines. It will then be up to the individual nation states to interpret and implement the guideline. It is a model familiar to other telecom policies, in which there is an EU level regulation and a representative group, such as BEREC, provides guidance on implementation. The EU is not harmonized on cybersecurity, and it’s an issue the new commission will likely take up.

What the future looks like for the telecommunications industry in Europe – just ask the banks.
To see the future of the telecom industry, look at what happened with banking. European banks have been required to implement Anti-Money Laundering (AML) and the Counter Terrorist Financing (CFT). About 10% of European banks employees are today working with compliance. Telecom authorities, defense officials, and other policymakers and will likely see cybersecurity is vital for Europe and that telecom infrastructure is critically important. So just as the banks have been put under a heavy regulatory regime to address corruption, industry will be required to implement deterrence of cyberattacks.

In practical terms, the authorities in the EU and in each nation state will likely make some demands that challenge the network paradigm that telecommunications companies operate today. The rules will likely be so rigid that they will effectively eliminate Huawei and other Chinese companies from being vendors without making explicit bans. However, it won’t be governments alone driving the charge. Corporate customers of telecom networks, companies that have experienced hacking, IP theft, or espionage, will also join the effort.

National telecom regulatory authorities in Europe publish information about the telecom industry including the number of customers, mobile coverage, percentage of landline infrastructure, speed, pricing, and other obligations such as antidiscrimination/net neutrality. This information is likely to expand to the resilience of networks. In the long term the EU will find ways to assess the security of each operator’s network. Just as speed data is published today, safety and security data will be published in future, e.g. number of data breaches etc. In this way, security could become a competitive parameter like price, mobile coverage, speed etc. Indeed, it could become a marketing point for operators to say that the network was free of malicious vendor.

Financial executives have been forced to manage their business and achieve profitability with a heavy layer of AML and CFT regulation. Telecom CEOs will likely experience this new reality when it comes to cybersecurity.

What telecommunications companies can do
The European telecom industry in Europe has two choices: they can invent their process to certify network security, or they can wait for the government to impose rules.  Having worked with the telecom industry for 24 years, Strand Consult observes that industry leaders often have a naive belief in miracles and that they too often postpone the inevitable, and at that time, it is often too late to influence the process. The industry should do something very quickly. There is a need to acknowledge cyberthreats, and as an industry, be more visible to propose solutions and demonstrate mastery over the challenge.

Some CEOs don’t want to take on the cost or effort to secure their networks from risky vendors; they claim their customers won’t tolerate price increases. However, what does it say about the CEO who doesn’t think his customers’ security is worth paying for?
The telecom industry should be forthright to customers and shareholders about cybersecurity costs. Customers expect secure communication and are willing to pay for it.  If a company is not proactive about planning for cybersecurity costs, it is likely to end up paying more to respond to an attack, and in the lost time implementing a solution they should have taken from the start, they will experience lower profitability.  This is what the banks experienced when it came to fighting money laundering and terrorist financing. The companies that waited to act, ended up paying more. Companies should start the dialogue today and be transparent about the cybersecurity challenge.

As the issue evolves, national security leaders and cybersecurity experts are likely to get greater visibility. They are some of the voices which bring credibility and urgency to the discussion and the need for mitigating measures. Here is one example of a Danish national security leader describing the threat as published Danish Center for Cyber ​​Security.

Telecom operators need to lead in the cybersecurity challenge and be prepared with a strategy and solutions for 4G, 5G, and Internet of Things when it’s not human users online but billions of devices.

The discussion is greater than any one country or company, and indeed Chinese tech threats are more than just Huawei. However, failing to secure networks from Huawei equipment would be like NATO buying a Chinese fighter planes. NATO prohibits procurement from a number of countries; the question then is if fighter plane is critical infrastructure, why is the same standard not applied to telecommunications networks?

We’ve come a long way since Graham Bell and Marconi. Telecommunications is the foundations of our current and future connected world. If telecommunications infrastructure breaks down, it will have major, reverberating consequences.

Strand Consult´s new report The real cost to rip and replace Chinese equipment from telecom networks critiques claims in the media and explains how a proper economic analysis must be prepared to examine the impact of restricting Huawei and ZTE. In practical terms, hardware and software within the network are constantly being upgraded and improved as the standards evolve from 2G to 3G to 4G to 5G, and in many cases, operators may offer a blend of different standards in the same network as they upgrade. In general, European operators are facing an upgrade of 4G networks built between 2012 to 2016.

Contact Strand Consult to get your free copy of the report The real cost to rip and replace of Chinese equipment in telecom networks.

Request the free report.

Best regards
John Strand

Contact us to get a copy of the report

Request the report