As New Zealand’s government becomes the latest to place restrictions on the deployment of telco network equipment made by Chinese vendors, we re-publish this article, first printed within Issue 23 of TMN Quarterly.
Something strange has been happening in our industry. 5G has been driven by US, European, South Korean, Japanese and Chinese contributors. This stands in contrast to previous generations, where Chinese contributions were very low. As a result, 5G equipment contains significant IP from Chinese companies, and Huawei is at least as advanced as the likes of Nokia and Ericsson. And yet the Chinese vendors who made those contributions may yet be banned from selling their kit and software in several large markets. Why?
In early October, Bloomberg ran a long story claiming that server motherboards made for SuperMicro in China had been tampered with, as a matter of course, to make them hackable. The story alleged that a tiny element had been introduced at a manufacturing stage in the supply chain, unknown to SuperMicro or its end customers that used the boards to build servers. Bloomberg reported that when a server was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.
At time of writing this feature, the story seems very much up in the air. Apple and Amazon, two companies that were customers of Elemental – a server company that built products based on the MicroSemi boards – produced strong and unusually detailed denials of Bloomberg’s reporting. These were not just the standard pro-forma security breach reactions – “we take security very seriously and work with all our suppliers to ensure integrity of our customers’ data” etc – but detailed and even angry rebuttals of Bloomberg’s story. Bloomberg, meanwhile, had produced a story seemingly based on deep insider knowledge at governmental level, and even claimed three Apple insiders had confirmed its story.
But wherever the truth of this story lies, the most salient fact is that it immediately went viral, because it tapped into a very real fear in (especially) western countries – what if China is using its current position in ICT manufacturing to introduce vulnerabilities into network equipment that could be exploited as required, at some point in the future? Post-Snowden, the public is aware of the concept of the “backdoor”, so that security agencies can over-ride security to “spy” on them. And, the thinking goes, if our own agencies are doing this, then why wouldn’t China’s?
The Bloomberg story should best be viewed, then, in the context of confirming existing suspicions of Chinese tech vendors. Such suspicion is nothing new.
As far back as 2012 Huawei went on the offensive against politicians and critics, claiming that the company had subjected the company to “racist treatment and slander” because of its Chinese heritage. Both the United States and the United Kingdom had subjected Huawei to additional scrutiny over concerns that it could covertly assist state-sponsored hacking from China. Eventually, the US national hired to spearhead Huawei’s lobbying in the US, William Plummer, left in early 2018, having made little headway against a de facto ban.
That departure came as the US introduced punitive sanctions against ZTE for violating sanctions against Iran. The action included a ban on the export of any US technology to ZTE, and as ZTE’s kit was full of IP from US companies, it had to stop operating. But although the ban was initially about sanctions, one of the provisos of ZTE’s readmission to US markets was that it must conform to security demands, as well as to demands on its export behaviour.
The USA’s unofficial ban on Chinese vendors was formalised in 2018 when lawmakers introduced a bill called Defending U.S. Government Communications Act, which aims to ban US government agencies from using phones and equipment from the companies.
The bill would prohibit the US government from purchasing and using “telecommunications equipment and/or services,” from Huawei and ZTE. The bill said that technology coming from the country poses a threat to national security, and that use of this equipment “would be inviting Chinese surveillance into all aspects of our lives,” and cites US Intelligence and counterintelligence officials who say that Huawei has shared information with state leaders, and that the its business in the US is growing, representing a further security risk.
But Huawei doesn’t face issues just in the USA. In Australia, an existing ban on MNOs using Huawei equipment in networks has been extended to cover 5G.
In India, where the Government is currently involved in a cold war with China over China’s ambitions for a OneRoad OneBelt policy, operators too have been told they cannot use Huawei or ZTE gear, according to one report.
Even in the UK, where Huawei enjoys close relationships with government authorities and has long been a supplier to incumbent provider BT, as well as operators Vodafone and EE, the National Cyber Security Centre (NCSC) said that it could not allow ZTE equivalent access to the market. It said: “NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated.”
According to the Financial Times, a letter from the NCSC to companies states that the UK telecoms network already contains a “significant amount” of equipment supplied by Huawei, also a Chinese manufacturer. Adding in equipment and services from another Chinese supplier would “render our existing mitigations ineffective”. The issue was that the NCSC spends enough resources checking over Huawei kit, and it cannot extend that to another supplier.
The paranoid style hit a peak when a document prepared for US government discussion argued that the US needed a nationalised 5G network in order to prevent Chinese companies from exploiting 5G networks built on 3GPP standards. The thinking went that as Chinese companies were dominating 3GPP standards spec meetings, that meant they could somehow introduce unique vulnerabilities into 5G networks. To combat this, the US should develop its own 5G technology and network. The paper was just that, a paper, but it exposed a line of thinking that was deeply paranoid about Chinese intentions.
As the Bloomberg piece says, “The ramifications of the attack continue to play out. The Trump administration has made computer and networking hardware, including motherboards, a focus of its latest round of trade sanctions against China, and White House officials have made it clear they think companies will begin shifting their supply chains to other countries as a result. Such a shift might assuage officials who have been warning for years about the security of the supply chain—even though they’ve never disclosed a major reason for their concerns.”
What is not clear is if the end goal of Trump admin trade protectionists is to onshore manufacturing, and the security aspect is being used as cover. Or if concerns start with security, and therefore one mitigation is to onshore component manufacture.
Huawei has always fiercely denied it has close links to the Government. It has denied it would act as a threat vector against countries in which it is installed. And it has claimed that in fact it has been the subject of hacks by western intelligence agencies.
Meanwhile, the effective ban on Huawei and ZTE is having a major impact on the prices US consumers pay for 4G and, in time, 5G. Put simply, US operators do not have the same price power over Nokia, Ericsson and Samsung as operators do in markets where those same three have to compete against the Chinese vendors. That means that US operators pay more for network equipment than their counterparts in other parts of the world. And so does the consumer.
So we are seeing a split market develop – those where Huawei and ZTE may compete and those where they may not. The “global standard” is not being evenly distributed.