5G and geopolitics: Chinese technology disqualified
Among the pending tasks of the current Spanish Government is the fulfillment of the obligation imposed by Royal Decree-Law 7/2022 of March 29 on requirements to ensure the security of 5G mobile communications networks and services to take a decision on the equipment identified by operators as being manufactured with technology outside the scope of the OECD, i.e., Chinese, which may pose a threat to the security and integrity of communications. Since the beginning of the year, there have been calls in the media that, as other Western countries have done, the Government should demand the withdrawal and replacement of such equipment, thus avoiding dangerous business.
All mobile network operators in Spain have Chinese-made equipment installed and in operation, either in radio access or in switching, and have also invested in applications associated with the management and supervision of such equipment, with different degrees of vertical integration (i.e., with a greater or lesser degree of integration with equipment from OECD manufacturers) and with different presence in the respective networks. Before continuing, it should be noted that the presence of Chinese manufacturers in fixed telecommunications networks in Spain, whether transport or access, is equally relevant, although for various reasons it has not attracted the particular interest of Western governments, which are focused on anticipating and mitigating the potential risks associated with so-called open radio, i.e. mobile access technology that uses shared protocols and is based on public codes, subject to modification and evolution according to user requirements, overcoming the limitations and dependencies associated with “proprietary” technology, which in turn restricts in practice, for operational and financial reasons, the options for substitution (not unlike the dilemma of a cell phone user when considering a change of terminal that involves a change of operating system, i.e. between Android and iOS).
As particularly highlighted by the statement of the President of the European Commission at the last G-7 meeting in Hiroshima regarding the need to de-risk the EU’s relations with China (“de-risking” in the English expression), the EU has an agenda and web of identifying, rating and managing external technology risks, specifically in the area of 5G, which started with the Commission’s recommendation of March 2019, followed by the EU cybersecurity agency’s (ENISA) 5G risk map of November 2019 and embodied in the so-called “toolbox” for secure 5G networks of January 2020, on the eve of the pandemic, regarding whose implementation was reported by Member States in July 2020.
By then in Spain, a public consultation had been held in December 2019 regarding the push for 5G adoption, following the award to Vodafone, Movistar and Orange of the “star frequency” spectrum around 3.5GHz in July 2018. In fact, the Spanish 5G strategy was published in November 2020 and its Measure 15 anticipated, with what was later described as legislative urgency, the enactment of a 5G cybersecurity law that would turn out to be Royal Decree-Law 7/2022.
By then, operators had begun to market services with the “5G” label (basic or “non-standalone”), although without the technical features associated with the new technology, as they relied on 4G access (under the “dynamic spectrum sharing” modality), due to delays in the availability of equipment due in turn to the technical specifications pending definition by the international standardization body (3GPP). At the same time, Chinese manufacturers (Huawei, ZTE) had already positioned themselves ideally for the assault on the European market – where they were already widely present – due to the government’s clear focus on the development of cutting-edge technologies for mass use, the intensity of their innovative efforts, the earlier adoption of 5G in China and the scale advantages of Chinese mobile operators, with unbeatable prices. We come to the recent present and Directive 2022/2555 “NIS 2” (Network and Information Systems), whose transposition into Member State law must occur by October 2024, comes to reinforce the requirements for convergence in national critical risk mitigation policies across the EU, to support the continued exchange of knowledge and capabilities between countries and, notably, to promote the resilience of supply chains and other strategic EU security objectives, which would include those enunciated by the Commission President and presumably the intention to overcome the persistent feeling of around two out of three European citizens of a lack of effective protection from cyber-attacks according to successive Eurobarometers. The Russian invasion of Ukraine has unleashed a renewed rush to address the vulnerabilities of European critical infrastructures, limiting if not eliminating dependence on Chinese manufacturers, once the unconditional alliance between the aggressor and the Asian giant has been staged.
It is expected that the report of the National Security Council for the declaration by the Government, by agreement of the Council of Ministers, of high-risk and medium-risk 5G suppliers in accordance with the national security scheme for 5G networks and services referred to in Article 20 of Royal Decree-Law 7/2022 -which could have taken place as of the end of June last year, to date no such declaration has been made and there is no record that 5G network operators have submitted their supply chain diversification strategies to the Ministry of Economic Affairs and Digital Transition – will be based on statements similar to those reflected in the deliberação 1/2023 of the Security Assessment Commission of the Portuguese Government’s Higher Council for Cyberspace Security of May 25, 2007, according to which any 5G supplier whose headquarters or head office is not domiciled in an EU, OECD or NATO member state could be declared high-risk, confirming the expectation of total substitution and exclusion of Chinese manufacturers’ equipment and systems from the 5G supply chain.
Such a decision, deferred in Spain for various reasons (the replacement of equipment has its complexity and deadlines and the tacit imposition of supplier poses challenges in trade negotiations between operators and manufacturers) will mark the beginning of the decline of Chinese network manufacturers in Europe, which, in addition to being reciprocated by reciprocal treatment of European manufacturers by the Chinese authorities, will find operators with a still incipient and scarcely profitable commercialization of 5G services, despite the strong public push for the adoption of the technology through aid for 5G pilots and especially the subsidization of the extension of 5G access networks to unpopulated areas through the UNICO program (for the “universalization of digital infrastructures for cohesion”).
Gone are the times, at the beginning of the century, when Chinese network manufacturers made their first forays into basic technologies (such as SMS mailboxes) always limited to certain parts of the networks, where operators had a smaller share of accesses, which were clearly increasing, in a combination of “super-competitive” prices and a progressive and unstoppable technical advantage that made their particular “charm offensive” irresistible.
There was doubt almost twenty years ago, and then concern as to whether critical network elements were being placed in the hands of opaque, truly unknown entities – in a scenario different from the serene coexistence of the first decades of the 21st century, when Telefónica had an office in Beijing and a certain stake in the then China Unicom – because the state ownership of ZTE was known and the rumors that Huawei was an appendage of the Chinese People’s Army were accepted with a certain resignation, for a greater reason, that of the substantial savings that were being obtained with the purchase of its equipment and systems. With the consolidation of Chinese manufacturers in the operators’ supplier catalogs, they were able to negotiate more firmly, aware of the costs associated with their replacement and the advantages of continuity, in some cases achieving unassailable positions in the absence of effective alternatives. Circumstances have changed: there are now concerns about the potential impacts on network functionalities associated with radio sharing (a deployment savings mechanism resorted to by operators through a site sharing agreement), the potential critical dependencies on components and cloud resources where network management applications increasingly reside, the need for a single EU-wide 5G cybersecurity certification and, in the end, the viability of European manufacturers who would have to take over more or less accelerated from Chinese manufacturers.
On June 2, Internal Market Commissioner Thierry Breton reminded EU telecommunications ministers that only Denmark, Sweden, Estonia, Latvia and Lithuania had decided to exclude equipment from non-OECD countries from their respective operators’ networks. In a speech delivered by the same commissioner on June 15, ten Member States had already decided to exclude equipment from manufacturers Huawei and ZTE from their 5G networks and strongly urged governments and operators to take into account the EU’s 5G cybersecurity “toolkit” in order to proceed with such exclusion. Huawei’s reaction was swift and reminded that such exclusion will have to be paid for by European users, although it will undoubtedly have an impact on operators’ investment capacity from the outset. In the growing distrust between the G-7 member countries plus the EU and China, it is imperative – although, as Huawei has argued in its defense, to date no administrative or judicial authority in any of the countries in which its equipment is deployed has ruled against it for security reasons – to show reserved technological areas, both to protect the integrity and invulnerability of communications and to avoid dependence on suppliers suspected of being subject to an eventual hostile power.
The overall experience of using 5G equipment from Chinese reference manufacturers deployed in Spain (NSA and SA, i.e. hybrid with 4G for the signaling plane and with its own signaling plane with 100MHz contiguous bandwidth), for radio, switching and proximity data processing (MEC) is satisfactory. As far as user devices (terminals, routers, etc.) are concerned, the scarcity of latest-generation chipsets (which allow, among other things, the virtual division of the network between users according to service levels) and the licensing restrictions of the Android operating system have nevertheless put Chinese manufacturers at a clear disadvantage, without any administrative interdiction being necessary to prevent their use. Ultimately, technical and commercial criteria, effective performance and transparency should prevail in the choice of supplier for a technology that is just beginning to emerge, if it is not to fail without having yielded the expected results. The integration of equipment into the network, fully autonomous management of network control and operation, the ability to resolve all recorded incidents and limited recourse to so-called third-level technical support (associated with basic design and configuration issues), with schemes in which the nationality of the patent holder or the place of manufacture are identical for all suppliers – irrespective of the fact that in certain jurisdictions outside the EU approval by a public equipment verification entity is required – should inspire the confidence required by the EU and generally granted by operators. Except for official and military communications, the exclusion of manufacturers not based on strictly technical grounds may lead to a reduction in present and future alternatives, with the consequent dependence on and increase in the cost of the technology needed to offer more robust and efficient services. Ultimately, the allocation of resources in open and supervised capital markets and the conclusion of agreements under secure legal frameworks and under the tutelage of competent courts is the best guarantee that civil mobile telecommunications are competitive, innovative and accessible.