It is becoming increasingly clear that governments around the world will “outsource” significant cybersecurity responsibility to telecom operators.
It is well known that the Chinese government has the country on lockdown: people are monitored 24/7 with millions of CCTV cameras; the “Great Firewall of China” blocks access to unapproved content and tracks attempts to circumvent it; municipal party leaders keep tabs on citizens. All networks and equipment are operated by companies either owned by the government or are beholden to them.
All surveillance data is aggregated into a unified system of social credits intended to standardize the assessment of the social and financial reputations of individuals and firms. People who do not live up to the Chinese government standards are sent to “transformation-through-education” or reeducation camps and generally are denied due process to defend their activities, according to Amnesty International. In practice, no information moves outside of the government’s purview.
It is curious then why so many cyberattacks originate from China than any other nation. If the Chinese government was so concerned about law and order, they could end these attacks immediately, but they do not. In China, the government and President Xi control everything except the people hired and encouraged to hack the free world every day.
The White House, The U.K. government, and The European Union agree
Yesterday the White House, U.K. government, and European Union simultaneously published statements calling for China to stop cyberattacks of malicious behavior and electronic espionage. The US also charged four Chinese nationals (three of whom were working as part of the state’s Ministry of Security) for attacks on companies, universities, and government entities in the US and abroad between 2011 and 2018.
What advanced technology China has not been able to develop itself, it appropriates through other methods, whether forced technology transfer or theft. U.S. cybersecurity vendor Cybereason issued a report describing “an ongoing global attack against telecommunications providers that has been active since at least 2017.” The report concludes the perpetrator is the APT10, an “advanced persistent threat,” and a state-supported Chinese espionage group. In December 2018, the U.S. government indicted APT10 members with conspiracy to commit computer intrusion, conspiracy to commit wire fraud, and aggravated identity theft. The indictment noted the hackers worked in tandem to steal intellectual and technological information from dozens of commercial and defense technology companies throughout the continental United States. Additionally, APT 10 is also responsible for the theft of personnel information for 100,000 U.S. Navy personnel.
In Norway, the supplier of financial systems in the cloud Visma saw that Chinese hackers tried to steal client data – Visma is a company that delivers finance systems to hundreds of thousands of companies around the world.
Australian intelligence officials claimed China may have accessed thousands of files and 19 years’ worth of data – to include tax and banking records – on Australian National University students and staff. Many of ANU’s graduates serve in the country’s intelligence and security agencies.
Symantec unveiled, in June, how Chinese hackers have attacked satellite and telecommunications infrastructure in the west.
The Center for Strategic and International Studies (CSIS) identified China as responsible for the greatest number of cyberattacks by any nation over the past dozen years. It reached this conclusion by examining public data. The true depth of China’s efforts – and successes – in penetrating western networks is probably still unknown.
Every day cyberhackers are looking for vulnerabilities to exploit, but if you can build products and services with backdoors, the Chinese government has in many countries still an open road to telecom operators’ corporate customers, information, technology, and secrets.
In Germany, the government, NATO, and corporate and private entities do not have access to networks free from influence from Chinese government tech.
Every time the Germany-based U.S. Commanding General Christopher Cavoliare of United States Army Europe and Africa, his staff, or his family use a mobile phone, their traffic is sent through a Chinese mobile network. General Christopher Cavoliare and the rest of the people in Germany cannot get a network free from Chinese government tech.
Telecom networks are the foundation of the digital society. COVID19 proved that telecom networks are essential, as they have allowed people to work, learn, shop, and get healthcare from home during a period of lockdown and social distancing. Consequently, the importance of security and resilience of these networks is heightened. Policymakers are justifiably concerned about the vulnerabilities of these networks. They want to examine the network elements–their vendors, supply chains, and protocols and adopt measures to secure them.
Many countries have implemented restrictions on Huawei and ZTE. These restrictions have followed extensive investigations which have uncovered many red flags, including but not limited to, the inability to establish the technical baseline that the systems are not compromised by backdoors, inability to demonstrate that the Chinese government and military are not integrated with the enterprise, lack of operational and financial transparency and disclosure, illegal and unethical business practices, and violation of international law.
These investigations also follow the hardening of the Chinese regime under General Secretary Xi Jinping and the demonstrated aggression and repression against the people in Hong Kong, Xinjiang, and Tibet in addition to the widespread implementation of surveillance technologies and practices on the Chinese people. Thus, restricting the implicated firms and technologies is a prudent response from a nation that wants to protect the privacy, sovereignty, and security of its people and assets. This is hardly a new concept; NATO has never purchased Chinese fighter jets or Russian submarines or Huawei telecom equipment. It follows that in a world with a new threat landscape, policymakers need to review and update the standards for telecom network equipment.
Consumers are increasingly savvy and concerned about the privacy and security of their data; moreover, they expect their suppliers to demonstrate ethical behavior and good governance. Telecom operators and governments are well aware of this, but they have responded differently. There are three categories of response: some recognize the threat and remove vulnerable elements like Huawei and ZTE from their networks; others which recognize that Huawei and ZTE are problematic but believe that the risk can be managed; and finally, those which do not believe there is a problem and continue to use Huawei and ZTE. For the customers of the networks in the last two categories, they cannot exercise their right to limit their exposure to Huawei and ZTE unless (1) there is transparency of the elements and (2) there is a safe network alternative.
Indeed, private and corporate customers increasingly demand that telecom operators improve the security of networks. They want to limit if not eliminate the risk of theft, espionage, surveillance, sabotage, and other compromises of their information. As such, many operators choose not to renew their Huawei and ZTE contracts, or they launch a rip and replace effort to upgrade networks with secure equipment.
Consider Belgium, the headquarters of the European Union, NATO, and many firms in the defense, pharmaceutical, and other advanced technology industries. Until now, like Germany still, it was impossible to choose a telecom operator who had no exposure to Huawei or ZTE. Fortunately, in late 2020 Proximus and Orange moved to upgrade their networks with secure, non-Chinese equipment. This is not just an issue for Brussels or big cities; consider Puurs, Belgium, the European epicenter for the COVID19 vaccine. Pfizer and BioNTech will likely demand additional measures to secure their networks, as China’s state-sponsored hackers have targeted vaccine-related information.
What the future looks like for the telecommunications industry – just ask the banks.
To see the future of the telecom industry, look at what happened with banking. European banks have been required to implement Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT). About 10 percent of European banks employees are today working with compliance. Telecom authorities, defense officials, and other policymakers and will likely see cybersecurity as vital for Europe and that telecom infrastructure is critically important. So just as the banks have been put under a heavy regulatory regime to address corruption, the industry will be required to implement deterrence of cyberattacks.
In practical terms, the authorities in the E.U. and each nation-state will likely make some demands that challenge the network paradigm that telecommunications companies operate today. The rules will likely be so rigid that they will effectively eliminate Huawei and other Chinese companies from being vendors without making explicit bans. However, it will not be governments alone driving the charge. Corporate customers of telecom networks, companies that have experienced hacking, IP theft, or espionage, will also join the effort.
National telecom regulatory authorities in Europe publish information about the telecom industry including the number of customers, mobile coverage, percentage of landline infrastructure, speed, pricing, and other obligations such as anti-discrimination/net neutrality. This information is likely to expand to the resilience of networks. In the long term, the E.U. will find ways to assess the security of each operator’s network. Just as speed data is published today, safety and security data will be published in the future, e.g., number of data breaches, etc. In this way, security could become a competitive parameter like price, mobile coverage, speed, etc. Indeed, it could become a marketing point for operators to say that the network was free of malicious vendors.
Financial executives have been forced to manage their business and achieve profitability with a heavy layer of AML and CFT regulation. Telecom CEOs will likely experience this new reality when it comes to cybersecurity.
What telecommunications companies can do
The telecom industry has two choices: they can invent their process to certify network security, or they can wait for the government to impose rules. The industry should do something very quickly. There is a need to acknowledge cyber threats, and as an industry, be more visible to propose solutions and demonstrate mastery over the challenge.
Some CEOs do not want to take on the cost or effort to secure their networks from risky vendors; they claim their customers will not tolerate price increases. However, what does it say about the CEO who does not think his customers’ security is worth paying for?
The telecom industry should be forthright to customers and shareholders about cybersecurity costs. Customers expect secure communication and are willing to pay for it. If a company is not proactive about planning for cybersecurity costs, it is likely to end up paying more to respond to an attack, and in the lost time implementing a solution they should have taken from the start, they will experience lower profitability. This is what the banks experienced when it came to fighting money laundering and terrorist financing. The companies that waited to act, ended up paying more. Companies should start the dialogue today and be transparent about the cybersecurity challenge.
As the issue evolves, national security leaders and cybersecurity experts are likely to get greater visibility. They are some of the voices which bring credibility and urgency to the discussion and the need for mitigating measures.
Telecom operators need to lead in the cybersecurity challenge and be prepared with a strategy and solutions for 4G, 5G, and the IoT when it is not human users online but billions of devices.
The discussion is greater than any one country or company, and indeed Chinese tech threats are more than just Huawei. However, failing to secure networks from Huawei equipment would be like NATO buying Chinese fighter planes. NATO prohibits procurement from many countries; the question then is if fighter plane is critical infrastructure, why is the same standard not applied to telecommunications networks?
We have come a long way since Bell and Marconi. Telecommunication is the foundation of the connected world. If telecommunications infrastructure breaks down, it will have major, reverberating consequences.
In 2019, 5G became a mainstream topic and rebooted the discussion of the value that telecommunications brings to society including innovation, security, and inclusion. Consider the many transformations that the industry has delivered from the invention of the telephone. Today the digital world, including its businesses, the communications of individuals, and the operation of the public sector is predicated on the advanced infrastructure that the telecom industry provides.
Today, policymakers in the U.S. and E.U. have a lot of focus on communications network equipment from Chinese vendors. Going forward, while the media has largely focused on Huawei, the discussion should be broadened to the many companies that are owned or affiliated with the Chinese government including but not limited to TikTok, Lexmark, Lenovo, TCL, and so on.
John Strand has a background in Sales and Marketing in the IT and Publishing Sector and has been consulting on strategies, sales, and marketing since 1989. In 1995 John founded Strand Consulting solely on the telecom sector, analyzing markets and market trends, publishing reports, and holding executive workshops that have helped mobile operators, mobile services providers, etc. all over the world focus on their business strategies and maximizing the return on their investments. John is one of the best-known consultants in the business. Being honest – and giving his honest opinion on current issues in the telecom industry has become John’s trademark – even when it means being controversial or treading on a toe or two…
To contact John Strand, email: [email protected]