For many years, European telecom operators have been using Chinese 3G and 4G technology from vendors such as Huawei and ZTE. The problem was a no-brainer. China was not seen as a national security threat – in fact, the EU had signed a comprehensive strategic partnership with China in 2003 – and Chinese technology was cheaper and, for many tech experts, even better than European suppliers like Ericsson and Nokia. As a result, many European telecom companies have formed strategic partnerships with their Chinese providers, deploying their technology both in Europe and in their overseas operations in the Global South.
But then Trump came with his aggressive policy towards Huawei and ZTE, and everything changed. In the US, Chinese 5G technology was banned and many close allies followed suit, notably Japan and the other Five Eyes countries, first Australia and New Zealand and more recently Britain and Canada. In Europe, there was initially resistance to US pressure to rule out Chinese 5G technology. One could even argue that the intense diplomacy of US embassies in many European capitals in 2018 was counterproductive as it sparked a backlash. Many pointed out that the Wikileaks wires showed it was the US spying on Europe, not China.
There was no concrete evidence that China was using backdoors in the 4G technology deployed in Europe, so why would it be doing it in 5G? The cyber intelligence community also sent mixed messages. Some said the risks of espionage and sabotage were manageable, while other qualified sources pointed to potential disruptions and threats to national security.
By 2019, however, the debate was tilting towards the increasing “threat” side. An EU-wide coordinated risk assessment report on cybersecurity of 5G networks by Member States was published in October this year. There was the following to read:
“Threats emanating from states or state-sponsored actors are considered highly relevant. Indeed, they represent both the most serious and likely threat actors as they may have the motivation, intent and most importantly the ability to launch sustained and sophisticated attacks on 5G network security.’
There is no doubt that when they said “states and state-backed actors” the drafters had primarily in mind Russia and China, but especially the latter given its advances in 5G technology. Not long after, in January 2020, the European Council endorsed the EU Cybersecurity Toolbox with mitigating measures in 5G technology. Here, too, the wording is significant:
“Threats to network availability and integrity are becoming major security concerns: In addition to confidentiality and privacy threats, the integrity and availability of these networks are becoming major national security concerns as 5G networks are expected to become the backbone of many critical IT applications from an EU perspective a major security challenge.”
Member states have been given some time to incorporate the new 5G toolbox into their national legislation, and many have done so by introducing new cybersecurity laws. But two years later, in October 2022, the European Commission sent a recommendation to the Council calling on certain member states to implement the toolbox effectively. Again, the special paragraph says:
“Member States should urgently achieve the implementation of the measures recommended in the EU toolbox on 5G cybersecurity. Member States that have not yet imposed restrictions on high-risk providers should do so without delay, as lost time can increase the vulnerability of networks in the Union.”
With this in mind, the question remains: How much Chinese 4G/5G technology is still used in the EU? The answer is not easy. Many telecom companies are not fully transparent in this regard, although John Strand and his team at Strand Consult have presented some very interesting research in this area. They are a large consultancy for telecom operators and therefore have access to the relevant data. Their first major discovery is that there is now a strong consensus in Europe to move away from Chinese 5G technology at the “core” of networks. Almost all operators have replaced Huawei or are obliged to do so.
However, like many other experts, Strand does not think it is wise to separate the “core” from the “periphery” in 5G as software is increasingly used in all parts of the network and the tendency is to take over “core”. With operations closer to end-users to reduce latency, the security risks evident in the “core” (the brain of the network) extend to the so-called periphery. As such, John Strand and his team are turning their attention to how heavily Chinese technology is being used as a proxy for potential risks in the Radio Access Network (RAN), traditionally referred to as the “periphery.”
You have looked at the RAN technology in 4G from 102 telecom operators in Europe and the results are quite interesting (see Figure 1).
Figure 1: Telecom customers on Chinese vs. non-Chinese 4G RAN
At the end of 2019, there were three countries in Europe powered by 100% Chinese 4G RAN technology. Shockingly, this includes Belgium, the host country of most EU institutions. On the other hand, countries like Slovakia, Ireland and Finland have had very little exposure to Chinese technology. Of the large countries, Germany was the one using more Chinese 4G technology at 57%, followed by Italy at 52%. The Netherlands is at 47% and Spain at 36%. In contrast, France is the most decoupled from the major countries with only 25% Chinese 4G RAN deployment.
John Strand and his team even broke down the numbers for each individual telco (see Figure 2).
Figure 2: Share of China 4G RAN – group level
|operator group||Share of Chinese 4G RAN|
Here it has to be highlighted that the big operators using more Chinese devices are BT, Vodafone and Deutsche Telekom, while Orange and Telefónica show lower numbers. At the extremes are companies like Proximus in Belgium with 100% Chinese RAN technology, while Telekom Austria uses 0%.
The reader might now disagree and say, “Yes, but this is 4G RAN technology and in 2019. What about 5G RAN technology and in 2022?”. Luckily, Strand Consult will be releasing these numbers in the coming weeks, and I had the opportunity to speak to John Strand himself about the results of this new research. According to Strand, the numbers should be pretty similar, especially for the larger countries, with Germany having almost 60% exposure, making it quite vulnerable. But there are two exceptions: Norway and Belgium, which have drastically reduced their reliance on Chinese RAN technology in 5G.
Therefore, it seems that the EU as a whole is taking the issue seriously. The exclusion of Chinese technology from the “core” is a big step, but the substitution of Chinese RAN technology is a slower process, especially in the larger countries. What are the risks involved? John Strand is very bold in denouncing the risks. The Chinese state can use its technology to suck data back into China, benefiting Chinese companies and the CCP, and it can also shut down its technology if it chooses, leaving countries like Germany in the dark.
I’m not sure if that’s that clear. If Huawei and ZTE send European customers’ private data back to China, I imagine the European cyber intelligence community would take notice and enforce sweeping bans. The reputation of the Chinese suppliers would be destroyed. This has not happened yet. Also, I don’t know if Chinese companies or the CCP have a “big switch” to abruptly stop using 5G technology. In this case, a vendor diversification strategy would be required and yes, one should call for the ban on high-risk vendors.
Finally, one more question remains. Even if we only use 5G or 6G technology from trusted providers, how secure are we really? Can Chinese operators penetrate our own networks and still engage in espionage and sabotage that we so fear? If so, what further action needs to be taken? And shouldn’t we think about being able to penetrate Chinese networks as well? If China can collect our data, maybe we should think about how we can also collect data produced in China (maybe we already do). Still, these are all open questions for a non-expert on the subject.
Image: Telecommunications tower in the background with the flag of Europe. Photo: SteveAllenPhoto999 / Various Photographs