Short and to the point: did we expect anything from the German 5G security requirements other than “meet our standards and you can operate in our country”?
“We regularly adapt the applicable security requirements to the current security situation and the state of the art,” said Jochen Homann, President of Bundesnetzagentur. “The security requirements apply to all network operators and service providers and they are technology-neutral, covering all networks, not just individual standards such as 5G.”
What is worth noting is that while 5G and international security concerns might be the catalyst to these requirements, they will be applied across all networks and communications infrastructure moving forward, as well as all vendors.
The announcement from Bundesnetzagentur, the German regulator, will come as a blow to the aggressive geo-political ambitions of the US. It seems the anti-Huawei propaganda is running low on fuel, and such is the weight of Germany’s influence across Europe, Chinese executives might be letting out a sigh of relief.
Although the new safety requirements are only a concept for the moment, Bundesnetzagentur plans to release a draft of the rules for feedback over the next couple of weeks.
The requirements are quite broad-ranging, though there are enough clauses to ensure Germany is the master of its own fate. For example, critical components may only be used in communications infrastructure if they carry a certification recognised by the Federal Office for Information Security (BSI). Employees who install or manage this equipment will also have to be certified by German authorities.
There also seems to be a move towards the UK’s approach to monitoring and managing risk. As part of the new requirements, network traffic must be regularly and continuously monitored for abnormalities, while safety-relevant network and system components must undergo regular and continuous safety checks. This is a more forensic approach to network management: companies like Huawei are allowed to operate in the country, but the risk they introduce is monitored and managed rather than assumed away.
Another interesting aspect to be included in the new rules addresses ‘monocultures’. Although this is a term which is usually used in agriculture, Bundesnetzagentur is essentially ensuring there is depth in the supply chain. Redundancy must be built into the networks through using multiple vendors for different segments and aspects of operations.
While this might create more work for telcos, vendors and regulators, we feel this is a more proportionate response to the risk of nefarious external parties. Simply banning one company, or companies from a single country, will not work, such are the complexities of the digital ecosystem. Vulnerabilities are everywhere, and the most pragmatic approach is to accept that 100% security will never exist. It’s all about managing the risk most appropriately, and Germany seems to be taking a very sensible approach.
In the UK, the industry is eagerly awaiting the results of the Government’s supply chain review, which will potentially dictate how telcos interact with the vendor ecosystem. Rumours have emerged suggesting no single vendor can own more than 50% of a certain area, but we hope the result is somewhat similar to the German approach here. This seems to be the attitude of Vodafone also.
Speaking at a briefing in London, Vodafone UK CTO Scott Petty highlighted the team has been working with the National Cyber Security Centre (NCSC) to identify the levels of risk associated with each segment of the network (Radio, Transmission, Core), and building a diverse supply chain to mitigate risk where appropriate.
This approach has led to Chinese companies being excluded from certain areas, though on the radio side, where the risk has been deemed to be very low, Huawei supplies 32% of equipment. This approach allows best-in-breed kit to be considered, and given the sheer volume of cell towers around the UK, even if some equipment is compromised the impact would be incredibly minor. Resilience has been built in through volume, data encryption and security gateways.
Interestingly enough, Germany is taking another very sensible approach to managing risk: the assumption that everyone is nefarious. All components and equipment will have to be certified, not just those products from countries which are deemed underhanded by paranoid opinion. Every vendor’s supply chain is becoming increasingly complex, suggesting vulnerabilities could appear anywhere. This impartial approach to suspicion will certainly place Germany in a sound position.
A considered approach to security
While certain countries have taken a knee-jerk reaction to security requirements, pinning the blame of an insecure digital ecosystem on one country or a very limited number of countries, Germany is taking a much more considered approach.
Having such a laser-like focus on security, scrutinising only single elements of the ecosystem, is incredibly dangerous. Cyber-criminals are incredibly intelligent, managing sophisticated networks through the dark web. If the risk of exposure becomes too high through a single route, another will be sought. Taking a blanket approach to security, as Germany is doing, minimises risk throughout the supply chain.
We suspect the Chinese government is not completely innocent in light of all the accusations, but we also believe they are not alone. Many of the fingers are being pointed in one direction, but Germany is not falling into that trap.