Germany reckons open RAN is risky business
Networks built by Huawei would allow China's government to snoop on other countries and even sabotage their critical infrastructure. That, at least, was part of the rationale for the US-led campaign against the Chinese equipment vendor and promotion of open RAN as a Huawei alternative. But what if open RAN technology is as secure as David de Gea's goalmouth?
Germany's Federal Office for Information Security (BSI, in German) has just weighed into the open RAN debate with a potentially devastating report about the resiliency of networks based on the new-fangled concept. Its main conclusion seems to be that a mash-up of products from different suppliers – as open RAN champions – is inviting trouble, and that not enough has been done on the specifications side to ensure open RAN is secure.
This is arguably the worst bit of news to hit the open RAN community in months. Concern that open RAN may be costly, or that open RAN specialists could eventually be snapped up by giant vendors, will not stop the open RAN evangelists from pressing on with rollouts. Alarm in government circles that open RAN might expose Germany to additional security risks is another matter entirely.
The government report, it should be noted, was not written by German officials but outsourced to an independent German firm called Secunet, which develops cybersecurity products and offers consulting services. While it is a detailed, 86-page document available only in German, one of its main findings – in translation – is that "medium to high security risks emanate from a multiplicity of the interfaces and components specified in O-RAN."
This could simply be a contraction of open RAN but is probably a specific reference to the O-RAN Alliance, the operator-led group steering the development of open RAN specifications, mentioned numerous other times in the report. Secunet goes on to say that "the current development process of the O-RAN specifications is not guided by the paradigm of 'security/privacy by design/default.'"
It also recommends immediate action. "It is important that security improvements are now included in the specification to avoid a security debacle like the one that occurred with the development of the 3GPP standards this time," say the report authors in the executive summary.
Open RAN supporters could always retort that Secunet – as a vendor of security products – has a vested interest in suggesting more needs to be done. The O-RAN Alliance, however, had not responded to a Light Reading request for comment on these findings by the time this article was published.
And regardless of Secunet's vested interests, the German government agency evidently takes the report seriously enough to have published it. The reaction of Florian Müller, a technology patents expert who blogs his views on the FOSS Patents website, was succinct. "Bummer," he wrote.
"It is known in the telecommunications industry that the European Commission is also performing a risk assessment, and it will be interesting to see what comes out of that effort," Müller elaborated. "At first sight, the BSI-commissioned analysis is thorough and probably reliable. There really do appear to be serious issues, but again, I'll need some more time to digest the study."
Trouble for 1&1
While he does, the German operator most at risk is undoubtedly 1&1, a company that has put Japan's Rakuten (the world's most prominent open RAN cheerleader) in charge of building it a mobile network based on open RAN technology. If authorities decide, based on the BSI report, that specifications used in that rollout would expose Germany to new security risks, 1&1's plans – in their current format – could be in jeopardy.
As things stand, the impact on Germany's three other mobile network operators would be limited. Only Telefónica Deutschland has announced firm plans to use open RAN in a production network, and its intended deployment is limited to just 1,000 of its roughly 28,000 mobile sites. Nevertheless, both Deutsche Telekom and Vodafone Germany sound just as partial to open RAN, even if they have yet to make a commitment.
All three of the big German operators – along with France's Orange and Telecom Italia – were last week complaining in their own report that Europe has too few open RAN specialists and will lose out to Asia and the US without funding and support from local authorities. At a government level, though, security of national infrastructure is bound to be far more important than nurturing the development of a technology that still begs all sorts of questions.
The main beneficiaries of any German or European resistance to open RAN would be Ericsson and Nokia, the same Nordic vendors threatened by telco enthusiasm for the technology. Both have already gained mobile market share in Europe as governments and service providers have balked at reliance on Huawei. Without open RAN, there would be few other options.
Germany, however, has been warier of imposing restrictions on Huawei than other European countries. Doing so could imperil its cozy trading relationship with China, still a destination for plenty of German cars and machine tools. It could also be disruptive for German operators that have grown heavily reliant on Huawei in the last decade.
Indeed, according to a report last year from Denmark's Strand Consult, 57% of Germany's 4G infrastructure was then supplied by Huawei, with each of the big three operators using it for at least half of the radio access network. If open RAN is not a viable choice for those companies, and there is limited government pressure to switch suppliers, Huawei could have a German home for a long time yet.
— Iain Morris, International Editor, Light Reading