The 5G equipment deals between some of Europe's operators and the world's big vendors may have to be torn up and renegotiated under future European Union (EU) rules.
The European Commission has given a strong signal it will not stand for any 5G networks that are heavily dependent on a single supplier. In a risk assessment published this week, the Commission warns that a lack of diversity would make 5G infrastructure more vulnerable -- especially if there are already risks associated with the supplier in question.
Although Norway is not a part of the EU, the Commission's report turns an uncomfortable spotlight on the deal announced this week between Telia Norway and Ericsson, under which the Swedish vendor will take full control of that operator's radio access network (RAN) in the next four years. Other telcos with potentially risky arrangements include Three UK, the smallest of the UK's four mobile network operators, and Telecom Italia.
The report has been interpreted by some parts of the mainstream press as a response to the perceived threats posed by Huawei and ZTE, two Chinese vendors that could be a conduit for spying and cyber attacks by the Chinese government, according to US authorities.
Prepared by EU member states as well as the European Agency for Cybersecurity, the document warns about the "likelihood of the supplier being subject to interference from a non-EU country," especially if there is a "strong link between the supplier and the government of a given third country."
Yet Huawei and ZTE are each named just once in the report, and then only in a list of equipment suppliers deemed to have significant market power. That list also includes Finland's Nokia and Sweden's Ericsson, and warns that over-reliance on these companies would also provoke jitters, according to the latest report.
Such dependency would make it harder to procure technologies from other suppliers and leave an operator stranded if its supplier came under "sustained commercial pressure," says the report. Over-reliance also gives vendors less incentive to develop more secure products.
Similar concerns were aired by Jeremy Wright, the UK's former digital secretary, during a recent parliamentary debate about the UK's supply chain review. The UK is still considering whether to restrict the 5G activities of Huawei and ZTE on national security grounds.
An operator would not necessarily overcome EU concerns by using one vendor in the radio access network and another for the "core," the intelligent part of the system, because this would still leave a single supplier in control of one network domain.
Indeed, the report states: "The risk of national dependency from a single supplier is particularly acute in the access part of the network where there are fewer market players."
Ericsson, Huawei and Nokia account for nearly 80% of the mobile infrastructure market, said Nick Read, the CEO of Vodafone, one of Europe's biggest operators, during a press conference at Mobile World Congress in February.
The Commission's report may prompt scrutiny of several deals that have already been announced. In Italy, national incumbent Telecom Italia is understood to be heavily reliant on Ericsson for the construction of its 5G network. It is unclear whether a network-sharing partnership with Vodafone Italy, which appears to be using alternative vendors, would help to address any regulatory concerns.
While the UK is poised to leave the European Union, an arrangement between Three UK and Huawei also looks risky. Under that deal, Huawei has become Three's sole 5G RAN vendor and will phase out Samsung's 4G equipment.
Outside the EU, Ericsson this week revealed to Light Reading that it will become Telia Norway's sole RAN vendor by the end of 2023, replacing Huawei's 4G equipment as it builds a new 5G network.
Single-vendor contracts have allowed Ericsson, Huawei and Nokia to "lock in" their customers and maximize revenues. Desperate to increase its market share with the transition to 5G technology, Ericsson says it bid competitively for its single-vendor contract with Telia Norway. Huawei insists that multivendor networks are much costlier for service providers.
Roger Entner, the founder and lead analyst of market research firm Recon Analytics, welcomes the findings in the Commission report. "Europe is finally understanding how single-vendor systems pose grave threats to 5G security," he said in an email. "Single-vendor deployments are exposing operators to incalculable risks as operators tie their success to the viability of their vendors … The next step is to translate the concerns the European Commission has into binding rules that prevent 5G networks from becoming controlled by criminal and state actors alike."
Nokia said it had already been in contact with standards bodies to push for security improvements while insisting the breadth of its product portfolio gave it an edge over rivals with a narrower focus. "Nokia is the only globally available vendor providing all building blocks of 5G networks, from radio and core to transport, giving us a unique insight into 5G networks -- including network security," a spokesperson said in emailed comments.
Huawei said it was pleased the EU had taken an "evidence-based approach, thoroughly analyzing risks rather than targeting specific countries or actors."
But former influential US officials said the report was further validation of the warnings about Huawei. "Also noted by the report, the 'corporate governance' of Huawei, compared to Ericsson and Nokia, 'presents notable differences, for example in terms of level of transparency and type of corporate ownership structure,'" said Tom Ridge, the former US Secretary of Homeland Security, in a statement emailed to Light Reading.
In fact, the Commission's remarks about transparency and corporate ownership refer to vendors "headquartered outside the EU," including US-based Cisco and South Korea's Samsung.
Ericsson said it was following the EU process closely and that it could make an important contribution to the understanding of 5G security. "It acknowledges that the dependency between operators and vendors could be exposed to cyber threats that impact the security status of deployed networks," said a spokesperson by email.
- Telia Norway Goes All Ericsson on 5G & Dumps Huawei
- 5G Momentum Props Up Ericsson's Q2
- ZTE Ban & Iliad Entry Blow Wind Tre Off Course
- Ericsson Expects $1B US Fine for Corruption, Warns Non-US Investigations May Follow
- For Trump's Attack Dogs, There's No Stopping Huawei
- The Eye-Watering Cost of Multivendor Networks
— Iain Morris, International Editor, Light Reading