Research Notes

Yesterday the White House, UK government and European Union simultaneous published statements calling for China to stop cyberattacks. What is the impact for the telecom industry?

For Strand Consult, it is increasingly clear that governments around the world will “outsource” significant cybersecurity responsibility to telecom operators.

It is well known that the Chinese government has the country on lockdown: people are monitored 24/7 with millions of CCTV cameras; the “Great Firewall of China” blocks access to unapproved content and tracks attempts to circumvent it; municipal party leaders keep tabs on citizens. All networks and equipment are operated by companies either owned by the government or are beholden to them. All surveillance data is aggregated into a unified system of social credits intended to standardize the assessment of the social and financial reputations of individuals and firms. People who don’t live up to the Chinese government standards are sent to “transformation-through-education” or reeducation camps and generally are denied due process to defend their activities, according to Amnesty International. In practice, no information moves outside of the government’s purview.

It’s curious then why so many cyberattacks originate from China than any other nation. If the Chinese government was so concerned about law and order, they could end these attacks immediately, but they don’t. In China, the government and President Xi controls everything except the people hired and encouraged to hack the free world every day.

The White House, UK government and European Union agree.

Yesterday the White HouseUK government and European Union simultaneous published statements calling for China to stop cyberattacks of malicious behavior and electronic espionage. The US also charged four Chinese nationals (3 of whom were working as part of the state’s Ministry of Security) for attacks on companies, universities and government entities in the US and abroad between 2011 and 2018.

What advanced technology China has not been able to develop itself, it appropriates through other methods, whether forced technology transfer or theft. U.S. cybersecurity vendor Cybereason issued a report describing “an ongoing global attack against telecommunications providers that has been active since at least 2017.”  The report concludes the perpetrator is the APT10, an “advanced persistent threat,” and a state-supported Chinese espionage group. In December 2018, the U.S. government has indicted APT10 members with conspiracy to commit computer intrusion, conspiracy to commit wire fraud, and aggravated identity theft.  The indictment noted the hackers worked in tandem to steal intellectual and technological information from dozens of commercial and defense technology companies throughout the continental United States.  Additionally, APT 10 is also responsible for the theft of personnel information for 100,000 U.S. Navy personnel.

In Norway, the supplier of finance systems in the cloud Visma saw that Chinese hackers tried to steal client data – Visma is a company that delivers finance systems to hundreds of thousands of companies around the world.

Australian intelligence officials claimed China may have accessed thousands of files and 19 years’ worth of data – to include tax and banking records – on Australian National University students and staff.  Many of ANU’s graduates serve in the country’s intelligence and security agencies.

Symantec unveiled in June how Chinese hackers have attacked satellite and telecommunications infrastructure in the west.

The Center for Strategic and International Studies (CSIS) identified China as responsible for the greatest number of cyberattacks by any nation over the past dozen years.  It reached this conclusion from examining public data.  The true depth of China’s efforts – and successes – in penetrating western networks is probably still unknown. 

Cyberhackers are every day looking for vulnerabilities to exploit, but if you can build products and services with backdoors, the Chinese government has in many countries still an open road to telecom operators’ corporate customers, information, technology, and secrets.

In Germany government, NATO, and corporate and private entities do not have to access to network free from influence from Chinese government tech.

All people should have access to at least one mobile network free from Chinese tech like Huawei and ZTE, but that is not the case in Germany.

Every time the Germany-based US Commanding General Christopher Cavoliare of United States Army Europe and Africa his staff, or his family use a mobile phone, their traffic is sent through a Chinese mobile network. General Christopher Cavoliare and the rest of the people in Germany can’t get a network free from Chinese government tech.

Telecom networks are the foundation of the digital society. COVID19 proved that telecom networks are essential, as they have allowed people to work, learn, shop, and get healthcare from home during a period of lockdown and social distancing. Consequently, the importance of security and resilience of these networks is heightened. Policymakers are justifiably concerned about the vulnerabilities of these networks. The want to examine the network elements–their vendors, supply chains, and protocols and adopt measures to secure them.

Many countries have implemented restrictions on Huawei and ZTE. These restrictions have followed extensive investigations which have uncovered many red flags including but not limited to the inability to establish the technical baseline that the systems are not compromised by backdoors, inability to demonstrate that the Chinese government and military are not integrated with the enterprise, lack of operational and financial transparency and disclosure, illegal and unethical business practices, and violation of international law. These investigations also follow the hardening of the Chinese regime under General Secretary Xi Jingping and the demonstrated aggression and repression against the people in Hong Kong, Xinjiang, and Tibet in addition to the widespread implementation of surveillance technologies and practices on the Chinese people. Thus restricting the implicated firms and technologies is a prudent response from a nation which wants to protect the privacy, sovereignty, and security of its people and assets. This is hardly a new concept; NATO has never purchased Chinese fighter jets or Russian submarines or Huawei telecom equipment. It follows that in a world with a new threat landscape, policymakers need to review and update the standards for telecom network equipment.

Consumer choice

Consumers are increasingly savvy and concerned about the privacy and security of their data; moreover they expect their suppliers to demonstrate ethical behavior and good governance. Telecom operators and governments are well-aware of this, but they have responded differently. There are three categories of response: some recognize the threat and remove vulnerable elements like Huawei and ZTE from their networks; others which recognize that Huawei and ZTE are problematic but believe that the risk can be managed; and finally, those which do not believe there is a problem and continue to use Huawei and ZTE.  For the customers of the networks in the last two categories, they cannot exercise their right to limit their exposure to Huawei and ZTE unless (1) there is transparency of the elements and (2) there is a safe network alternative.

Indeed private and corporate customers increasingly demand that telecom operators improve security of networks. They want to limit if not eliminate the risk of theft, espionage, surveillance, sabotage, and other compromise of their information. As such, many operators choose not to renew their Huawei and ZTE contracts, or they launch a rip and replace effort to upgrade networks with secure equipment. See Strand Consult’s research note The pressure to restrict Huawei from telecom networks is driven not by governments, but the many companies which have experienced hacking, IP theft, or espionage 

Consider Belgium, the headquarters of the European Union, NATO, and many firms in the defense, pharmaceutical, and other advanced technology industries. Until now, like Germany still, it was impossible to choose a telecom operator which had not exposure to Huawei or ZTE. Fortunately, in late 2020 Proximus and Orange moved to upgrade their networks with secure, non-Chinese equipment. This is not just an issue for Brussels or big cities; consider Puurs, Belgium, the European epicenter for the COVID19 vaccine. Pfizer and BioNTech will likely demand additional measures to secure their networks, as China’s state-sponsored hackers have targeted vaccine-related information.

What the future looks like for the telecommunications industry – just ask the banks.

To see the future of the telecom industry, look at what happened with banking. European banks have been required to implement Anti-Money Laundering (AML) and the Counter Terrorist Financing (CFT). About 10% of European banks employees are today working with compliance. Telecom authorities, defense officials, and other policymakers and will likely see cybersecurity is vital for Europe and that telecom infrastructure is critically important. So just as the banks have been put under a heavy regulatory regime to address corruption, industry will be required to implement deterrence of cyberattacks.

In practical terms, the authorities in the EU and in each nation state will likely make some demands that challenge the network paradigm that telecommunications companies operate today. The rules will likely be so rigid that they will effectively eliminate Huawei and other Chinese companies from being vendors without making explicit bans. However, it won’t be governments alone driving the charge. Corporate customers of telecom networks, companies that have experienced hacking, IP theft, or espionage, will also join the effort.

National telecom regulatory authorities in Europe publish information about the telecom industry including the number of customers, mobile coverage, percentage of landline infrastructure, speed, pricing, and other obligations such as antidiscrimination/net neutrality. This information is likely to expand to the resilience of networks. In the long term the EU will find ways to assess the security of each operator’s network. Just as speed data is published today, safety and security data will be published in future, e.g. number of data breaches etc. In this way, security could become a competitive parameter like price, mobile coverage, speed etc. Indeed, it could become a marketing point for operators to say that the network was free of malicious vendor.

Financial executives have been forced to manage their business and achieve profitability with a heavy layer of AML and CFT regulation. Telecom CEOs will likely experience this new reality when it comes to cybersecurity.

What telecommunications companies can do

The telecom industry has two choices: they can invent their process to certify network security, or they can wait for the government to impose rules.  Having worked with the telecom industry for 25 years, Strand Consult observes that industry leaders often have a naive belief in miracles and that they too often postpone the inevitable, and at that time, it is often too late to influence the process. The industry should do something very quickly. There is a need to acknowledge cyberthreats, and as an industry, be more visible to propose solutions and demonstrate mastery over the challenge.

Some CEOs don’t want to take on the cost or effort to secure their networks from risky vendors; they claim their customers won’t tolerate price increases. However, what does it say about the CEO who doesn’t think his customers’ security is worth paying for?

The telecom industry should be forthright to customers and shareholders about cybersecurity costs. Customers expect secure communication and are willing to pay for it.  If a company is not proactive about planning for cybersecurity costs, it is likely to end up paying more to respond to an attack, and in the lost time implementing a solution they should have taken from the start, they will experience lower profitability.  This is what the banks experienced when it came to fighting money laundering and terrorist financing. The companies that waited to act, ended up paying more. Companies should start the dialogue today and be transparent about the cybersecurity challenge.

As the issue evolves, national security leaders and cybersecurity experts are likely to get greater visibility. They are some of the voices which bring credibility and urgency to the discussion and the need for mitigating measures.

Telecom operators need to lead in the cybersecurity challenge and be prepared with a strategy and solutions for 4G, 5G, and Internet of Things when it’s not human users online but billions of devices.

The discussion is greater than any one country or company, and indeed Chinese tech threats are more than just Huawei. However, failing to secure networks from Huawei equipment would be like NATO buying a Chinese fighter planes. NATO prohibits procurement from many countries; the question then is if fighter plane is critical infrastructure, why is the same standard not applied to telecommunications networks?

We’ve come a long way since Graham Bell and Marconi. Telecommunication is the foundation of the connected world. If telecommunications infrastructure breaks down, it will have major, reverberating consequences.

In 2019, 5G became a mainstream topic and rebooted the discussion of the value that telecommunications brings to society including innovation, security, and inclusion. Consider the many transformations that the industry has delivered from the invention of the telephone. Today the digital world, including its businesses, the communications of individuals, and the operation of the public sector is predicated on the advanced infrastructure that the telecom industry provides.

Policymakers in the US and EU have today a lot of focus on communications network equipment from Chinese vendors. Since 2019 Strand Consult has published many research notes and reports to help telecom companies navigate a complex world. It focused heavily on the problem of Chinese equipment in telecommunications networks. While the media has largely focused on Huawei, the discussion should be broadened to the many companies that are owned or affiliated with the Chinese government including but not limited to TikTok, Lexmark, Lenovo, TCL, and so on.

Although some of our customers disagree with our views, Strand Consult’s job is to publish what is actually happening and how policy decisions may affect their business in the future.

Contact Strand Consult to get your free copy of our reports about China and cybersecurity