Research Notes

The debate about network security is more complex than Huawei. Look at Lenovo laptops and servers and the many other devices connected to the internet

Policymakers in the US and EU have focus on communications network equipment from Huawei and ZTE, noting that certain products should be restricted, if not banned outright. Strand Consult has covered the role of China in the world’s communications networks and in 5G for some time. See our most recent note The story behind the Huawei story.

The media likes to sensationalize Huawei, but there is more to the story. In addition, it’s important to put facts on the table, particularly as policymakers have tough decisions to make about how to manage security risks in communications networks. Many credible security analysts around the world have described and detected espionage, malware, and theft by manufacturers affiliated with the Chinese government and military.

The Huawei equipment identified for restriction is just one part of a large value chain with many points that can be compromised. It raises the question if network infrastructure equipment made by Huawei and ZTE is a threat, then what about the other (and quite considerable) components of the internet made by other firms affiliated with the Chinese government? What about the Chinese owned Lenovo, the world’s largest maker of personal computers (pcs) and servers? What about the many made in China Internet of Things devices, which we connect in our homes, offices, and businesses? These are frequently connected to the internet via Chinese made apps on Chinese made mobile phones They collect data which is processed and stored in Chinese data centers. How much insight do we have to these products and services, and have we considered the risks?

China drives much of the technological innovation that is the foundation of the digital society.
The US was the front runner in Internet innovation, and the EU; the historical leader in mobile communications innovation. The leaders of these regions believed that they would lead the pack when it comes the next generation of connectivity. That is not necessarily the case for the US, and certainly not for the EU. While the US is making strides in 5G, China is ahead. The EU is at least two years behind the US.

Look at the bulk of engineering papers on 5G technologies; they are published by Chinese scholars at Chinese universities, not Americans or Europeans. Look at the EU. After two decades of telecom regulation proffered by EU policymakers to drive internet innovation (including dubious “open internet” rules), the EU has essentially no leading internet companies today. Many patents are filed in communications technologies in the EU, but they are not necessarily filed by Europeans. Huawei files the most patents in the category.

In 2008, 2693 patents were filed in Europe within the telecommunications and connectivity categories. Of these, just 116 were filed by Chinese firms. In 2017 China accounts for 1478 of the 3717 patents granted, a 12-fold increase.

Outside of a few demonstration sites outside China, Chinese firms do the bulk of their research & development in China, not the US or Europe. China’s share of communications patents filed in the EU has grown from 4.3 percent to a 39 percent share in just 10 years. At this pace, in just a few years, Western companies will not be able to produce telecommunications technology without using Chinese patents.

With EU elections in just a few months, Europeans should ask the leaders why Europe has gone from being a net exporter of communications technology to a net importer. Indeed, Europeans should ask why the EU continues to promote policies that fulfill the opposite of their state objective. The promised jobs and growth have not materialized. Indeed the European telecom industry used to fertilize a booming R&D sector, but that has largely dried up from predatory regulation.

Find my smartphone, find my car, show me the way – smart services that can be abused.
The combination of smartphones and GPS applications are some of the most popular services. But they can also be abused. These services collect, process and store data in ways we don’t know, much less control. Consider the dozens of apps on your smartphone. Which data do they access? Who made them? Who accesses them?

The European Commission just recalled a Chinese-made children’s smartwatch. The Safe-KID-One smartwatch is purported to be “Manufactured in China according to the high German Quality Standards according to ENOX Hamburg/Germany.” This “high-tech SIM/GPS safety and surveillance smart watch for kids” is fitted with a range of features, including a GPS tracker, a speaker, microphone, and call/SMS functionality. It offers the parent the option to download the Safe-KID-One app to call, follow, and locate the kid with the smartwatch.

In the recall announcement the European Commission declared of the smartwatch, “The mobile application including the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data is located in the location history, phone numbers, serial number can easily be retrieved and changed. A malicious user can send commands to any watch making the call another number of his choice, can communicate with the child on the device or locate the child through GPS.”

The Safe-KID-One product is not the only product on the market to trigger concerns and recalls.  Indeed the Federal Trade Commission recently settled with Lenovo for installing man-in-the-middle malware on hundreds of thousands of laptops which hacked the digital lives of users.

The data generated on these devices are stored in many places—on the phones and computers themselves but also on servers across the internet and around the world. Ostensibly when using services by Google, Facebook, Microsoft and Amazon, one’s data is stored on a corporate server, but what about the $9.99 FitBit knockoff bought on Amazon? The watch is made in China; its app and software; made in China; and the data collected is probably forwarded to a server in China.

The bad news is that the worst is yet to come.
If the story makes you depressed or concerned, sadly there is little comfort. The so-called light at the end of the tunnel is that of an oncoming train made by China’s CRRC, the world’s largest supplier of rail transit equipment.

European telecom policy has succeeded to turn the EU from the leading region for investment and innovation to the follower behind China, Japan, South Korea and the US. The EU once accounted for one-third of the world’s investment in telecom infrastructure, had six makers of mobile phones, and significant R&D budgets and thousands of patents to show for it.  But no more. If one compares the EU to the United States, then the Americans have invested twice as much in infrastructure per 12-year period. Read Strand Consult’s story Asia, Africa and Latin America should learn from Europe’s mistakes. Ideology-based telecom regulation turned the EU from a world leader in telecommunications to a world loser.

China may be a security threat, but its leaders understand the economics that Europe rejects. The Chinese understood that combining high volume (large and efficient telecommunications companies) with large investments in innovation delivers global leadership. The EU, rather than allow telecom companies to get scale to build pan-European networks, has micromanaged networks. There is no pan European operator today, and unsurprisingly, no path to 5G. In Denmark (a country with a telecom market cap the size of greater Hamburg), the 2nd and 3rd operator could not get permission to merge. Prices in Denmark when up after the merger failed, the opposite of what pundits predicted.

EU leaders love to talk about the Digital Single Market and while they have imposed plenty of regulations to ensure a single standard, they have restricted European firms from getting scale. Europe is starved of investment for innovation. The nations that lead on 5G have consolidated mobile markets China, USA. See Strand Consult’s note from 2015: The FT-ETNO Summit gave answers to questions from the telecom industry and investors – Vestager determines the speed and direction of EU telecoms while Ansip and Oettinger are just side shows to promote the illusion of the Digital Single Market.

European regulation has so depressed investment in the EU that mobile operators have been driven into the arms of the Chinese. Huawei can price there products lower than Nokia and Ericsson on network equipment, and European leaders blessed the purchase of Huawei network equipment, a decision they now regret. European leaders will also come to regret their grandstanding on the new General Data Protection Regulation (GDPR). The promise of the GDPR means little when European communications networks have to ripped out and replaced with safe equipment. Indeed the GDPR actually empowers users to port their data to Chinese platforms.

Alas, Europe still hasn’t learned its lesson. Brussels plays small ball and misses the big picture. Earlier this month EU Competition head Margethe Vestager rejected the Siemens Alstom merger. The firms had hoped to leverage the merger to make needed investments investment in European rail technology, and even when combined, the two companies would still be smaller than CRRC.

If a mobile network which transports data is critical infrastructure, then hardware used to process and store data should also be critical infrastructure. Cyberattacks can be waged both deep in the network and at its edges with end users. However, it is not just the catastrophic attack which is a concern, but cyber trench warfare, small scale attacks, espionage, and surveillance which occurs just below the critical threat threshold. This kind of warfare, largely focused on soft-targets, is designed to fatigue the enemy, drain its resources, and collect its secrets.

While there is a risk that China could paralyze Western society by blocking critical telecommunications infrastructure produced in China—whether servers, routers, laptops, or phones – the even greater likelihood is that the West has become so dependent on Chinese technology, that it doesn’t produce its own innovation anymore.

When China entered the World Trade Organization in 2001, Western leaders assured that China would just do the low end manufacturing while the high end innovation would remain in the US and EU. That is no longer the case. Not only does China have hiqh quality manufacturing, it does the R&D too. Moving toward 2025, China’s goals are clear: dominate strategic industrial sectors and be independent of Western technology while getting the West addicted to its products and services.

The bottom line for the West is that it is a bad situation growing worse.

Please contact us, if you would like more information about Strand Consult’s Next gen telecom policy and regulation – Workshop for leaders in the telecommunications industry. 

Contact us to get a copy of the report

Request the report