Strand Consult identifies 8 risks for the 5G supply chain from suppliers under undue influence of adversarial countries such as China
By Strand Consult, Denmark
The world we live in is changing rapidly. China is not the country we knew from 10 years ago. Today China considers Russia, North Korea, Iran and the former regime in Syria as its friends. These are countries that want to undermine the democracies that we in the free world value.
China helps Russia wage war on Ukraine. Chinese mobile network suppliers have delivered 4G networks to Crimea after Russia’s invasion in 2014. Thousands of North Korean soldiers fight on Russia’s side in the war against Ukraine. This war is waged on European soil with what appears to be approval from the Chinese government.
A lot has been written and said about the topic of «untrusted vendors». However, the debate can be derailed by myths planted in the media by Chinese suppliers. The Chinese suppliers don’t want to lose the good countries they have outside China. However, non-Chinese suppliers never get a chance in China to begin with.
Australia was the first country to restrict Chinese equipment formally with a new law, notably for 4G in 2012. The USA had existing laws which it applied in 2011, and other countries have followed.
The European Commission, European Union Agency for Cybersecurity (ENISA) and the Body of European Regulators for Electronic Communication (BEREC) developed an EU-wide coordinated risk assessment. Based upon a set of identified risks, the EU 5G Toolbox was developed and agreed to include strategic (non-technical) and technical mitigating measures. In sum, the European Commission and the EU member states implement key measures in two areas: strategic (non-technical) and technical security measures. Both of these assessments and mitigation measures must be satisfied to deem 5G equipment suppliers secure and trusted.
The European Union (EU) 5G Toolbox was originally developed by EU member states. In the 2nd Progress report of the EU 5G toolbox (June 2023) all 27 EU Member States pledged to fully implement the EU's 5G Toolbox. As of June 2023, 24 Member States have adopted the toolbox or were in the process of doing so, for example by preparing legislative measures which vest the local authority to perform security assessments. By June 2023, only 11 Member States had taken measures to implement high risk vendor restrictions. As all EU countries support the 5G Toolbox, its implementation moves toward the de facto removal of Huawei and ZTE from European mobile networks.
In this note, Strand Consult identifies 8 risks for the 5G supply chain from suppliers under undue influence of adversarial countries such as China.
1. 5G Networks as Critical Infrastructure
5G networks extend beyond communication, connecting vital systems like energy grids, water utilities, transport, and industrial processes. The security and resilience of these networks are essential for public order, strategic autonomy, and national security.
While the EU’s 5G Toolbox is focused on mobile networks, the EU and many member states like Denmark are looking at such a risk assessment toolbox more broadly. In practice, this toolbox can be used to assess other parts of telecommunications networks and communication systems used by national train companies and other critical infrastructures.
A new Danish law directs assessment of telecommunications equipment and requires removal of equipment from non-trusted vendors. This Investment Screening Act forms the foundation for the Danish National Strategy for Cyber and Information Security. The assessment is performed by The Centre for Cyber Security (CFCS).
More countries are likely to follow Denmark and implement corresponding laws across all types of critical infrastructure.
2. Supply chain disruption and operational risks
Export controls can reduce supply and force some hardware manufacturers to use components that do not always meet international quality standards. These manufacturers may substitute different, sub-standard, or otherwise risky components on account of related suppliers under adversarial state influence. Hardware and software are subject to continuous risks of sanctions, export controls and other legal/political repercussions that can disrupt the continuous use of already installed equipment or affect its performance.
At any time, suppliers under adversarial influence can introduce vulnerabilities, malware, or other exploitative features into networks, and intrude and/or interfere in networks, including through the firmware or software updates that firms use to protect their systems. These tactics can overwrite the original source code reviewed and screened by authorities.
Telecom networks are under constant attack by Chinese state-affiliated attackers. The threat intelligence platform Recorded Future examines the supply chain risks of a Huawei network monoculture under extraordinary circumstances (such as direct conflict).
3. Strategic dependency risks
China’s state backing for Huawei and ZTE has allowed these two firms to seize global market share from innovative non-Chinese telecom equipment companies. They seize market share by severely limiting their competitors’ access to China and related markets and by supporting Huawei’s and ZTE’s rapid expansion overseas. These practices include but are not limited to illegal state subsidies of industry, artificial currency devaluation, intellectual property theft (espionage and/or forced technology transfer), dumping, «debt trap diplomacy», weak labor and environmental standards to lower prices, market access manipulation, counterfeiting, imitation, economic coercion, and other methods. A shake-out of non-Chinese suppliers poses a long-term risk to nations that seek resilient, diversified supply chains or want to avoid being solely dependent on Chinese suppliers for their communication needs.
Chinese state practices to promote national champions have been documented by the EU, the US, and the think tank Merics. China has used these practices to get a foothold in the market while driving out non-Chinese competitors over time with a range of illicit tactics, leaving nation states without options for non-Chinese suppliers. State subsidies make equipment cheaper to acquire in the short term, but in the long run they push the remaining non-Chinese suppliers out of the market, leaving nation states without non-Chinese supplier options.
Today, Chinese suppliers such as Huawei and ZTE hold over 98% of the market for 5G equipment in China. Very simply, China and Chinese suppliers have better conditions outside China than Western suppliers have in China.
4. Privacy and data exploitation risks
Hardware has both authorized and unauthorized access to personal, corporate and government user data, and suppliers can violate privacy laws whether accidentally or on purpose. Such situations include when suppliers visit physical locations, make logs of calls, and conduct billing and payment with customers. Such data may be held by telecom operators and may be accessible to hardware providers. If this data is relayed over Chinese network elements, it has the potential to be relayed to Chinese actors like intelligence and defense authorities. Such data is desired by adversarial nations to profile targets, dissidents, military personnel, and vulnerable persons for extortion. Chinese government actors used geolocation services and triangulation to identify citizens who had recently visited Wuhan during the early days of the pandemic. In addition to the oligopoly of Chinese mobile network vendors, Chinese surveillance companies had 45 percent of the global facial recognition market in 2023.
This risk applies not only to mobile networks, but also to Chinese cloud-based solutions that are marketed, sold, and implemented around the world. In many places, companies and consumers don’t know that their data ends up in a built-in cloud that is run by and belongs to suppliers with close ties to the Chinese regime.
5. Political risks
Dependency on hardware in critical infrastructures creates a dependency risk on the country from which hardware equipment is supplied. Aside from the risks covered above, such dependency can be exploited by the state of the beholden supplier for political reasons to achieve political outcomes, for example in the case of emergency or crisis. In such situations, the integrity and/or availability of the 5G network can be compromised. In more practical terms, the state of a beholden supplier could limit the supplier's ability to provide software updates (for example to interfere with patching vulnerabilities) or force it to change configurations in the system, thus altering performance parameters in ways that can degrade network performance. The extreme possibility of a kill-switch is discussed, but public domain evidence has not been shared. Hence it is hard to assess such a risk, but it does exist. Policymakers must therefore fall back on the question of acceptable risk tolerance under genuine uncertainty while considering the information value at stake in disrupting 5G-connected critical infrastructures.

