Huawei is an obvious risk when you are assessing the vendor landscape, but to ensure supply chain resilience and integrity, focusing too narrowly on one company poses a bigger risk, according to Vodafone.
It might be easy to point the finger at China, but according to Vodafone UK CTO Scott Petty, this is a dangerous position to take. Despite a lack of evidence to suggest backdoors are being built into Huawei products, the world is determined to find one, but in reality, there isn’t a single company in the vendor ecosystem which can justifiably state they are 100% secure. This is the world we are living in; risk is everywhere.
“The discussion about Huawei is all managing the risk appropriately,” Petty said at a briefing in Central London.
Risk is a big topic at Vodafone UK right now, and this is clear when you look at how the vendor ecosystem is being managed.
On the radio side of the network, of the 18,000 base stations Vodafone has around the country, Huawei equipment accounts for 32%, Nokia for 12% and Ericsson for the remainder. Interestingly enough, Nokia equipment is being phased out in favour of Ericsson. Transmission is split between Juniper, Cisco and Ciena, while Cisco is responsible for the core. With this blend of vendors, and appropriate security gateways between each layer of the network, Petty feels Vodafone is managing the risk very appropriately.
And while some might suggest having this much exposure to Huawei might be a negative, Petty argues radio is such low risk it shouldn’t dictate play. You have to take into consideration the risk/benefit equation.
When assessing risk, Vodafone (working with the National Cyber Security Centre) considers two possible scenarios: firstly, the risk of a nefarious actor leaching data from the network, and secondly, the risk of that actor taking down the network. On the radio side of things, the exposure is very low.
Firstly, Vodafone has 18,000 base stations throughout the UK. Should one of these base stations be compromised, only the traffic going through that base station would be at risk. This will be a fraction of the total; devices will be handed off to other base stations as people move around, and the clear majority of internet traffic is encrypted nowadays. The likelihood of a nefarious actor trying to bleed valuable insight in this manner is low.
Secondly, even if one of these base stations is taken down by the external wrong-doer, this is only one of 18,000 base stations. To have a material impact on Vodafone’s network, hundreds or even thousands would have to be impacted simultaneously. This is not inconceivable, but highly unlikely. As Petty mentioned, it’s all about evaluating and minimizing risk.
This is where the discussion becomes incredibly complicated. Huawei is one of the leading names (if not the leader) in the radio segment, and ignoring such a vendor is a difficult decision to make as a technologist; you always want to use best in class.
For transmission, another area where Huawei would be considered a leading name, the risk has been identified as medium. You would still need a lot of compute power to crack the encryption software, but Vodafone have decided to steer clear of Chinese vendors here.
Finally, onto the core, the most important part of the network. Petty pointed to O2’s issues last year, where a suspect Ericsson node effectively killed the entire network for a day, to demonstrate the importance of this component. Cisco is the vendor here, but this leads us onto the dangers of such a narrow focus on security.
When looking for signs of a telco vendor assisting a government for intelligence activities, there is arguably only one piece of concrete evidence to support such claims. Edward Snowden produced this evidence, proving Cisco was aiding the NSA for its own spying agenda. This is the reason we suspect the US is so convinced China is spying on the rest of the world; the US government is doing the same thing and therefore knows it is technologically possible.
We are of course not accusing Cisco of aiding the US government in this manner at this moment, but such is the sophistication and technological capabilities of those on the dark web, no company should consider themselves 100% secure. They have their own supply chains which could be vulnerable at some point. The complexities of this ecosystem mean nothing is 100% secure, therefore it comes down to risk assessment, and also the mitigation of risk through layers of security, gateways and encryption.
For Petty, the establishment of Huawei’s European cyber-security centre is a step in the right direction, though he would want the European Union to play an active role in its operations and for the net to be cast wider, considering all vendors. As mentioned before, too much of a narrow focus on one area heightens the risk in others.
However, the talk of a Huawei ban would be a disaster for everyone involved.
“We don’t think a complete Huawei ban would be a proportionate response,” said Helen Lamprell, Vodafone UK’s General Counsel & External Affairs Director.
If risk is appropriately managed and mitigated, business can continue as usual. Policy decision makers have to realise there is no such thing as 100% secure. A broad-sweeping ban on Huawei would be disastrous not only for Vodafone UK, but everyone in the connected economy.
Firstly, you have to think of the cost of removing all Huawei equipment. This would cost hundreds of millions and take a considerable amount of time. This would delay the introduction of 5G and fundamentally undermine the business case for ROI. It could set 5G back years in the UK, not only for Vodafone but the whole industry.
The supply chain review is currently working its way through the red maze of UK government, and while the certainty needs to arrive sooner rather than later, getting the review right is better than speed.
The message from Vodafone this morning was relatively clear and simple; the Huawei risk can be managed, but an outright ban would be disastrous.