Telecom insiders detail hardships posed by Chinese technology ban

Banning Chinese Telecom vendors Huawei and ZTE creates fear, uncertainty and doubt as well as new supply chain security ideas among small telcos.

CSO slideshow - Insider Security Breaches - Flag of China, binary code
BirgitKorber / Getty Images

Democratic Federal Communications Commission (FCC) Commissioner Geoffrey Starks hosted a workshop on June 27 entitled “Find IT, Fix It, Fund It” to hear from “interested parties on how to address the national security threats posed by insecure equipment within our communications networks.” Although not explicitly stated in the Commission’s public notice or its press release, the issue addressed in the workshop is whether and how to remove from the nation’s communications networks technology from Chinese suppliers given the recent executive order banning American companies from using any telecommunications equipment deemed to be a security risk.

That order was squarely aimed at China’s top telecom tech providers Huawei and ZTE as well as any other Chinese tech vendor whose products appear in the nation’s communications networks. The half-day workshop featured a range of speakers including academics, small telecom providers, rival telecom tech providers and small telecom trade association representatives. Almost all spoke about the uncertainty and fear the ban has created and the stark financial and opportunity costs it will impose.

Making the case for the Huawei and ZTE bans

Jim Lewis, senior vice president and director, Technology Policy Program, at the conservative think tank Center for Strategic & International Studies (CSIS), kicked off the workshop by making the Administration’s case on why removing Huawei technology from telecom networks is a good thing. “So, we have a well-funded nimble opponent and Huawei is one of the tools they use. It poses real security risks for the U.S. and its allies,” he said.

The fears driving the executive order and other bans imposed by the Administration center on possible spyware or other malware built into Chinese suppliers’ technology at the behest of their government in Beijing. Lewis, however, appeared to make the argument that Huawei is not only spying on behalf of its government, but is also receiving some form of Chinese government financial subsidies as it seeks to secure contracts to help build 5G networks around the world.

“You might have seen they recently won two contracts in Europe,” he said, “one in the Netherlands and one in Italy. I know from some of the competitors Huawei was able to find out the bid from the European competitor in the Netherlands and they offered a 30% discount. Where did that money come from? Let me think about that. Why did the Chinese government agree to spend to undercut the European competitor by 30%? It's not because they admire Dutch cuisine. Right?”

Be that as it may, small telcos, which have embraced the generally cheaper Chinese tech suppliers, are now facing tough, and perhaps existential, choices in replacing Huawei and ZTE gear given their limited resources and the still ill-defined nature of the ban. During the workshop, many of the small carriers also questioned whether the ban will actually enhance the security of communications networks and raised other solutions to bolster security in lieu of replacing and forever forgoing the more cost-effective suppliers.

Telcos and their customers face fallout from the ban

“The slow and dark cloud of uncertainty has settled over our heads. And it stays there to this day. And you could even say that our wireless consumers could be facing some gloomy times as well,” John Nettles, president of Pine Belt Telephone Company said.

If Pine Belt has to shut down its ZTE-based network for a preferred vendor to meet the Administration’s concerns without third-party financial assistance, its service and availability to rural areas will suffer. “Given the recent actions by the FCC, Congress and the White House, we cannot say with much confidence at all when, how or even if we'll be able to improve and expand our coverage into the numerous underserved population areas throughout west central Alabama.”

The costs of ripping out Huawei or ZTE technology from networks is a huge burden for small carriers, 25% of which have deployed the two suppliers’ gear, Carri Bennet, general counsel of the Rural Wireless Association said. “Just to replace their equipment, it would cost somewhere upwards of $800 million to $1 billion” and that's counting approximately 12 to 13 companies that deploy both ZTE and Huawei technology. “That leaves another 27 to 35 companies [that] are not represented in our calculations. We anticipate that the cost to replace all Huawei and ZTE equipment will be much more.”

Not only are the costs prohibitive to many small carriers, but replacing the proscribed suppliers’ technology is also a long-term proposition. “Replacing network equipment while the network is in operation is not something that can be done overnight or with ease,” Bennet said. “It requires intensive planning, an enormous amount of effort with the customer base to not cause loss of service and sometimes that's critical public safety service. Our members estimate it may take as much as four to ten years to perform a full migration based on the size of their networks and resources available.”

Alternatives to the Huawei and ZTE bans

Instead of simply banning Huawei and ZTE technology, a better approach would be monitoring by a trusted third-party if the Administration’s real concern is about network security, Bennet said. “Our members agree working with a trusted third-party cybersecurity monitoring service such as the company we've become aware of recently called Cyberengineering services out of Baltimore, Maryland, may be an expedient court of action to assess the security issues. Monitoring all communications networks, not just Huawei and ZTE networks 24/7, 365 days a year, may be a more effective cost-effective way to deter and prevent cybersecurity threats to our communication networks from both foreign and domestic sources.”

Rip and replace won’t make telecommunications better or safer

Chris Reno, director of accounting for Union Telephone Company, said it would cost his small company $85 million and take approximately seven years to rip and replace Huawei and ZTE gear. In addition, “the opportunity costs of going through this exercise is enormous. Every dollar and man hour spent on the project represents resources that don't expand coverage, don't build towers, and don't improve broadband in rural areas or help our communities.”

Moreover, ripping out and replacing Chinese technology won’t make telecommunications networks any safer, Reno argued. “We've been advised by our experts that there is an ocean of components currently present in our telecom and internet ecosystem sourced in China, likely by a company that is under the same obligation to China's government. These components are likely present within most major equipment gear, whether it be a small home router or sophisticated enterprise Class C equipment. In other words, ripping and replacing our equipment or the equipment of a few mobile broadband carriers is not going to make the U.S. even 1% more secure.”

Ban puts financial stress on rural telcos

Jeff Johnston, a senior economist with rural telco lender CoBank, stressed the financing difficulties rural telcos face. “From a financing perspective, many rural operators lack the balance sheet strength to take on additional debt to fund the capital expenses associated with replacing banned equipment,” he said. “Nor do they generate enough cash flow to cover the costs associated with the executive order. We estimate that a system-wide rip and replace on the core and optical related equipment could cost the industry over $1 billion. Without significant government support, the lion's share of rural operators would not be able to secure the necessary funding to meet this requirement. Further, some rural operators have struggled to do business with equipment vendors outside of the executive order scope, which has left them with very few options.”

Carriers need to have a better grasp on what specifically is covered in the executive order so they can have certainty in planning for their businesses and moving forward, Alexi Maltas, senior vice president and general counsel at the Competitive Carriers Association said. “It could make a substantial difference for the cost and timing whether someone is having to replace equipment at a handful of core network sites as opposed to thousands of base stations.” Moreover, “if companies are able to cycle equipment out over their natural life cycle or take other risk mitigation steps, they could reduce the costs compared to removing equipment immediately or on an accelerated time frame.”

In terms of how the costs of transitioning away from Chinese tech suppliers should be paid, the FCC can play a key role in supporting those expenses, Dileep Srihari, senior policy counsel and acting head of government affairs at the Telecommunications Industry Association (TIA) said. The FCC “has more expertise in understanding the dynamics the rural carriers face than some of other security-based agencies and we think [t]hat expertise should be leveraged.”

TIA believes in a whole of government approach to the problem and “Congress does need to provide funding. And when it does so, we think it does need to be done in a manner the transition costs are not drawn from other existing pots of broadband funding and we wouldn't want to see regular Universal Service funding diverted to this purpose.”

Addressing telecom supply chain security risk

Princeton University Computer Science and Public Affairs Professor Jonathan Mayer advocated for a series of changes in the models through which supply chain security risks can be managed in the telecom field. “As for long-term steps, I think it's important to consider moving away from the so-called perimeter security model in telecom networks,” he said. “There's a strong tradition of trying to build a perimeter around your network, keeping the bad guys out and the good guys in. And the idea is we trust the stuff on the inside and we don't trust the stuff on the outside. That does not work so well these days. It does not work so well in part because of the supply chain risk there.”

Brian Hendricks, vice president of policy and government relations at Nokia, said that trust in a technology supplier is the key element that will help ease worries about supply chain risks, particularly as the number of technology elements proliferate in a 5G world, making the attack surface of mobile telecom networks massively large. “You do have to start from a foundation of trust. And as George Michael said, ‘you gotta have faith, faith, faith.’ If you don't have faith, your toolkit gets extremely limited.”

In a 5G world, “you'll have many billions of new devices added, often coming from companies that have no heritage as device makers,” Hendricks said. Even network segmentation where certain suppliers are kept out of the core but instead pushed to the edge where radio or transmitting gear resides doesn’t eliminate the need for trust. “You're going to have many cheap and inexpensive IoT devices… so if you don't trust the radio supplier, you'll have serious concerns allowing your supplier to be your radio.”

Copyright © 2019 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)