LONDON -- A suggestion from the GSM Association, the industry body representing the global mobile operator community, that a pan-European 5G test "regime" could help maintain supplier competition whilst also calming security nerves has been shot down by Ericsson, one of the leading suppliers of network infrastructure equipment to the region's network operators.
The GSMA, on behalf of its members, has been fretting over the implications of potential national bans or restrictions on the supply of network technology from China -- Huawei Technologies and ZTE in particular -- as such moves would limit operator's choices and likely lead to increased costs. (See GSMA set for crisis meeting at MWC over Huawei bans – report.)
And now it is urging European governments and operators to work together to create a regional "assurance testing and certification regime" that could ensure "confidence in network security while maintaining competition in the supply of network equipment."
The GSMA stated in a press announcement late last week:
As European policy makers consider ways to further secure network infrastructure, we urge them not to lose focus on all relevant policy objectives -- security, competition, innovation and consumer impact. This requires a fact-based and risk-based approach, including recognition that Europe's starting points and approaches to date, have been different than some other parts of the world. Specifically actions that disrupt the equipment supply for the various segments of the network (access, transport and core), will increase costs to European operators, businesses and citizens; delay 5G deployment by years across Europe and potentially also jeopardise the functioning of existing 4G networks upon which 5G is intended to be built.
One solution, believes the GSMA, is to set up a regional test program that could provide assurance to the region's operators about the technology they were set to deploy -- a process with which it believes it could help. To that end it notes and recommends:
- In addition to security tests carried out by individual operators, further testing is carried out in some countries by recognised third party laboratories;
The GSMA has experience in this area, having developed the Network Equipment Security Assurance Scheme (NESAS) in partnership with 3GPP, the international 5G- standardisation body;
To take this further, the GSMA is assembling a task force of European operators to identify ways to enhance and extend existing schemes; and
The GSMA recommends that governments and mobile operators work together to agree what this assurance testing and certification regime for Europe will be, so that it ensures confidence in network security while maintaining competition in the supply of network equipment.
With a number of senior Ericsson executives in London for pre-MWC briefings with the media and analysts, we asked if Ericsson would support such a move.
Perhaps understandably, it's not uber keen on a process that would, if implemented, help the cause of Huawei, one of its main competitors, though Arun Bansal, the vendor's Head of Market Area Europe & Latin America, would not give a 'Yes' or 'No' answer. He noted that test regimes have changed as the telecom sector's functionality has shifted from hardware to software, that testing software in live networks as part of such a program would not be feasible and that such a program would "slow down innovation." Besides, he noted, "we test the software as we develop it." That doesn't seem like the kind of assurance the GSMA is suggesting, though.
Bansal's response echoes the thoughts of his boss, Ericsson CEO Börje Ekholm, who shared a range of views related to 5G developments in an article published on the Ericsson website, in which he noted that Ericsson would comply with the demands of an industry test program "if mandated" whilst also noting how "insufficient" such a regime wold be:
- Much of the discussion around 5G globally is focused now on security. With 5G, security is not an add-on, but built in from the start as part of the standardization process. That's why 5G is the most secure network generation ever.
Yet the 5G standard is not the full answer to a secure 5G network. As 5G becomes a critical infrastructure, what will really determine the security of a network will be the security technology and operational procedures that are put on top of the standardized features.
When it comes to questions about software embedded in the core of 5G networks, Ericsson, like most other software providers, conducts software testing during the development phase. This has the benefit of providing instant feedback and makes it possible to fix issues promptly as part of normal development.
Post-development testing is sometimes brought forward as a means to achieve security assurance of live telecom networks. This is a decision for the policy makers, and if it is mandated we will of course comply.
However, we see it as an insufficient tool since lab-testing only reflects a limited representation of a network, at a given point in time in a specific test configuration. It also risks slowing down innovation and delaying time to market, including new security updates while leading to extra costs in the entire system as modern software development builds on continuous deployments of new releases and functionality. In particular critical 5G use cases, such as autonomous driving and manufacturing, will potentially require expanded scope of testing further slowing down the development of new industrial business cases.
Meanwhile, ZTE has issued a statement noting it has plans to set up a number of labs in which customers can test its products (including one in Belgium and one in Italy) and noting it has "never received any requests from relevant agencies to set up backdoors in our products; the source code of our products can be opened to security audits by customers and professional organizations through our security labs."
Huawei has repeatedly stated that it is not an agent of the Chinese government and has never been proven to be a security threat. (See Huawei Founder Fails to Put Minds at Rest.)
Such plans and proclamations might provide a public record of their position but will hardly appease security-conscious network operators: Independent testing and certification is another matter, though it should be noted that even that would only provide a limited set of assurances.
The GSMA is to hold a board meeting on Sunday, February 24, on the eve of MWC 2019. The board comprises 26 members, 25 of which are the CEOs of major mobile network operators: Oh, to be a fly on the wall…
— Ray Le Maistre, Editor-in-Chief, Light Reading