December 1, 2020

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

In early spring of 2020, the world underwent the largest change in how people did work in human history.

Almost overnight “going to the office” became a potentially deadly trip.  Hundreds of millions of people, world-wide, suddenly had to figure out how to work remotely from home.

Imagine the chaos, the confusion, the economic displacement – to say nothing of the far more severe health consequences if the world’s telecommunications system was still operating in the dial-up age of 28k modems? 

The digital connectivity provided by telecommunications companies globally have allowed virtually every global sector to operate remotely amid the ongoing COVID-19 pandemic.

Covid-19 presented significant challenges for the sector.  There were very rapid and significant changes in the patterns, types and volumes of traffic on the networks as populations faced huge changes in both their private and work lives.  Network service providers moved rapidly to facilitate the mass roll-out of working from home for millions, thereby protecting the economy from even greater damage.  They were also a critical enabler of the lockdowns that proved so effective in slowing and managing the spread of the disease in many countries.  They supported the dramatic expansion of access to e-learning when schools and universities closed and enabled the video calls for those in isolation or with those who fell ill and could not be visited. The use of telco data for tracking and tracing positive cases and their contacts, and the provision of entertainment, internet access and gaming for the hundreds of millions of people confined to their homes for weeks at a time, were all significant in facilitating and enabling the government and societal response to the pandemic.

The urgency of the requirement for as many people as possible to work from home drove both innovation in new ways of working and significant expansion in global network capacity.  In commenting on CISA’s own move to 93% home working, Director Chris Krebs commented that telecoms networks: “have absolutely performed as intended, kudos to the telecom operators.

Now imagine if a pandemic of similar breadth took place in 2030.  Would our telecommunications systems be similarly up to the tasks required then?

The reality is that, we were fortunate, in this one sense at least, that COVID-19 happened when it did.  Between the dawn of the modern telecommunications system in the 1930’s and the late 1990s there was remarkably little innovation or expansion of services in telecommunications.  Even the Federal Communications Commission was still using black rotary phones in the 90s. The 1996 Telecommunications Act, and subsequent regulatory initiatives changed much of that by providing the economic environment that stimulated inter-model completion, increased investment and a stimulated innovation that created the modern telecommunications system.  

The potential for permanent changes to the way in which work is organized in future underlines the importance of the sector and the huge potential it offers for supporting economic recovery and future growth.  The requirement for the sector to deliver existing and new services flexibly, quickly, resiliently and, above all, securely has never been greater and the ability of the sector to manage the significant challenges of Covid-19 shows its ability to adapt to new responsibilities and opportunities. 

However, the sector faces significant challenges which, if not addressed, will restrict its ability to have the positive impact on society that governments and citizens have come to expect.  As we have seen in our previous posts on the health, energy, retail and defense sectors, the unique economic challenges each sector must deal with as it faces new challenges must be a central element of public policy.

There is perhaps no better example of this than the development vs security issues the telecommunications industry faces on a world-wide basis. In earlier posts we documented how China, by virtue of an extremely well developed and supported digital strategy, has already created massive security issues by using massive economic cross-subsidization of its ITC industry throughout the world –even here in the US.  We are clearly playing catch-up with development and deployment of the new 5-G networks which most expect to become the dominant basis for telecommunicators in the foreseeable future.

While our adversaries are supporting and promoting and collaborating their telecom industry the west has done comparatively – and this must be judged in comparative terms – little to support the growth and competitiveness of the telecom industry.  Indeed, there are signs that some policy makers are considering new restrictions that will further hamper our domestic players.  

Although the domestic “Huawei issue” can fairly easily, if belatedly, be addressed with the FCC’s “rip and replace” policy, the modern ITC supply chain is an inherently international issue.

The telco supply chain issue mixes sovereign national security judgements with commercial decisions on equipment choices.  The extent to which governments decide they need to intervene in this process for national security reasons is already significantly shaking up the current supply chain dramatically – bringing with it potentially very significant second order consequences.  

Over the past decade there has been a significant decline in the number of scale providers of telecoms equipment.  As the number of vendors has shrunk, two Chinese companies, Huawei and ZTE, have emerged and grown to the point where they produce around 50% of global production of key telecommunications network equipment.  With the exception of the US market Huawei and ZTE have gained a very significant share of the global network equipment business in 2G, 3G and 4G.  Given that early 5G deployments build on existing infrastructure i.e. they are not standalone units, where the existing 3 and 4G services run on Huawei equipment, the operator has a stark choice – use Huawei in 5G or rip and replace the existing 3 and 4G Huawei equipment with an alternative non-Chinese vendor. 

In the US, the presence of Huawei amounts to no more than 7% of the total network infrastructure and this is predominantly in the networks of smaller rural providers.  Contrast this with figures of over 30% in many European countries and higher figures still elsewhere.  There is significant interdependency.  Against this backdrop it is easy to see why the current sharp deterioration in US/China relations – accompanied by a broader reassessment in Europe and elsewhere of relations with China – poses very specific and significant challenges to the telco sector. 

Any effective ban on the use Chinese equipment by telco companies will leave an effective choice between only two suppliers – not enough to ensure effective competition, innovation and supply chain resilience.  It is absolutely right that governments make national security decisions – but the practical management of the second order consequences need to be worked through in detail.  Failure to do so represents a serious risk to the sector, and the citizens it serves, for the medium and longer term.  In subsequent posts we will be discussing potential paths to help resolve some of these issues, but for the moment it is imperative that policy makers understand and appreciate that cybersecurity policy cannot be resolved in a vacuum or with a dominant focus only on operations and technical fixes.  We need to follow the money.

Join the Rethink Cybersecurity Community click here