Roman Khimich, telecommunications market adviser

 

The question of addressing Chinese equipment in telecom networks is gradually moving from a theoretical to a practical one. In the spring, the National Security and Defense Council of Ukraine also thought about it and invited the authorities and operators to offer their considerations. For the first time, Vodafone and Kyivstar publicly spoke on this issue. American and European partners are increasingly insistently offering Ukraine to decide.

The forthcoming of certain restrictions on telecom products from China seems more and more likely, almost inevitable. As discussed in a previous article, the US policy of banning Chinese equipment faces significant obstacles. In the case of Ukraine, these obstacles may become insuperable.

Are there any alternative approaches to risk management regarding Chinese equipment? Last time, I mentioned the attitude adopted by the European Union. Let’s have a closer look at both American and European approaches, their similarities and differences. 

American "Clean Network"

The United States has been the initiator and main driving force behind the campaign to ban Chinese telecom equipment globally. Even the UK, the closest ally of the United States, had considered it inappropriate to refuse cooperation with Chinese companies until mid-2020. In 2017, among other things, the HM Government approved the construction of Huawei’s R&D center, in which the company planned to invest an impressive GBP 1 billion. As British politicians admitted, the only reason for not cooperating with the Chinese was the pressure from Washington.

In 2020, the Trump administration launched the Clean Network framework initiative. In essence, this was a set of catchwords proclaiming the need to clean clouds, applications, cables, and other elements of the US and its allies’ digital infrastructure of the Chinese presence. Unlike many other issues, the Joe Biden administration has been demonstrating continuity with the policies of its predecessor, making efforts to eliminate Chinese companies.

In the regulatory and legal field, the Clean Network is mentioned in several executive and legislative acts. The most important are:

• Section 889 of the 2019 National Defense Authorization Act, which prohibited federal agencies from using equipment and services from five Chinese tech companies and working with contractors that use covered equipment.

• Title 2 of the SECURE Technology Act, which created a federal council to analyze supply chain security threats and recommended orders to remove or exclude certain technologies from federal networks.

• The ICTS rule, which allows the U.S. Department of Commerce to block public and private procurement and use of certain foreign ICTS.

• The Secure and Trusted Communications Networks Act, which permitted the Federal Communications Commission (FCC) to restrict the purchase of certain ICTS using federal funds.

The prominent features of the American approach are: 

a) a declared orientation against the PRC and its manufacturers;

b) the postulation of the ‘Chinese threat’ as something firmly established and not requiring proof; 

c) focus on the problems of the so-called ‘cyber threats’ and industrial espionage; 

d) uncompromising attitude. 

Officials and WE lawmakers see a complete and unconditional ban as a universal risk management tool.

As I have mentioned in the previous publication, the US authorities faced serious, perhaps even fundamentally unresolvable, obstacles in the implementation of this approach. In particular, the idea of the full elimination of Chinese technologies from supply chains in times of globalization involves, without exaggeration, an enormous amount of administrative work.

According to the US administration's internal estimates, up to 4.5 million US businesses import foreign technology subject to oversight. If each of them applied for just one license per year, the Department of Commerce would need to process up to 87,000 licenses per week. Meanwhile, the relevant bureau of the Department currently employs 16 people and has an annual budget of about $4.7 million. In the budget request for 2023, the bureau asked Congress for an additional 114 positions and $36.2 million. It is still unknown whether this request will be granted.

In the foreign policy aspect, the main problem Clean Network faces is the lack of evidence of cyber espionage or the purposefully introduced vulnerabilities, the so-called backdoors, in Chinese equipment. Today, participation in this initiative by the American administration has become a way of expressing loyalty to it. However, given the scale of the costs, the United States cannot always persuade even the most loyal partners, for example, Poland, to ban Chinese equipment.

European toolbox for 5G networks security 

The approach adopted in the European Union is, in many ways, the opposite of the Clean Network. First, it is not limited to the PRC "containment" and covers almost all risks of varied significance. These include the sustainability of supply chains, countering non-state actors, and much more. Secondly, instead of explicitly identifying the PRC as a source of threats, the framework definitions the EU uses cover a much wider range of actors. If necessary, "untrusted suppliers" might include not only Israeli or Russian but also even American companies. Thirdly, the EU claims facts to be the cornerstone: no statements are taken on faith but are subject to proof.

Of course, the question of the political expediency of certain bans has not gone away. This year, the rhetoric of some European Commission members regarding the PRC has become much harsher. Following the American partners, they have spoken on the need for serious restrictions or even a complete ban on telecom solutions from China. However, EU members still enjoy the right to independently assess the arguments in favor of restrictions, and these assessments do not always coincide.

These differences in approach emerged quite a long time ago, in May 2019. Back then, in the follow-up of the Prague 5G Security Conference, representatives of 32 states, including key members of the EU and NATO, voiced their aligned standpoint. Despite official support, the US was not happy with the conference outcome. The Trump administration made significant efforts to ensure that the final document included a mention of China and Huawei but failed to persuade the Europeans.

It is worth noting that the Chinese government itself saw the Conference outcome in a critical light, accusing the organizers of the event of bias and violating the free market principles. This fact illustrates a key feature of the European approach to the problem of risk management in 5G networks. It is neither pro-American nor pro-Chinese. The EU is implementing its experience and understanding of the nature of the threats it currently faces.

Having understood the need to counter Trump’s voluntarism with an alternative, in 2008, the European Commission began to work on its approaches and recommendations regarding digital infrastructure security. It resulted in several documents, primarily Cybersecurity of 5G Networks: EU Toolbox of Risk Mitigating Measures and Directive on Security of Network and Information Systems (NIS Directive). The second version of the last document, known as the NIS2 Directive, has now been adopted.

The word toolbox symbolizes a rational and pragmatic approach to problem solving. True to the titles, these documents offer a detailed and structured view of the subject and detailed action plans. The European Commission identifies five categories of risks in 5G networks and nine of their varieties. Eight strategic, eleven technical, and ten "supportive" measures are also proposed.

Such issues as trust in suppliers from third countries, state, and non-state cyber espionage, other destructive actions, etc., are divided into separate categories. The fundamental principle of the European approach is the reliance on facts.

The document does not mention any countries, groups, or incidents. Each EU member must independently assess the available evidence and decide based on the proposed approaches.

It is impossible to directly compare American and European approaches. The EU 5G Toolbox is aimed at risk management. And risk management involves assessing costs and their feasibility, as well as discussing options for problem-solving. On the other hand, Clean Network is something like a manifesto, a set of slogans. The Trump administration wanted to solve a fundamentally different task: eliminate the Chinese presence at any cost under any pretext.

Ukrainian approach: what should it look like?

As things stand, two of the country's largest operators, Kyivstar and Vodafone, have voiced their views on possible restrictions on Chinese equipment. Companies insist their losses should be compensated in case of early, especially urgent, replacement of a huge part of the network equipment. They ask to pay special attention to the problem of continuity, stability, and quality of services their subscribers enjoy.

In his exclusive interview with Interfax-Ukraine, Kyivstar’s CEO Oleksandr Komarov emphasized that a one-time rejection of Chinese telecom equipment is simply impossible since the share of Chinese vendors in the networks of Ukrainian operators reaches 60%. "If this is some kind of evolution, additional control, replacement of Chinese suppliers in some critical elements of the network, then, in my opinion, it is possible," he said.

The position voiced by Ukrainian mobile operators can be described as pragmatic and conservative. They have spent almost a year and a half working in times of a full-scale war. Unlike government agencies and state-funded institutions, the Big Three operators repelled every cyberattack. In other words, the large share of Chinese equipment in their networks wasn’t a risk factor.

This fact allows me to conclude that cybersecurity issues should not be considered a priority in resolving the "Chinese issue." In Ukraine, the sustainability of supply chains in the context of the US-China confrontation is coming to the fore. How will the interruption of supplies affect the work of national operators in the event of an escalation of this conflict? How will it affect producers from Western Europe and the USA? What other means are available to reduce risks and increase the resilience of networks other than bans and restrictions?

Ukrainian authorities and mobile operators should lean towards the European approach to risk management. It seems to be more efficient and flexible in our situation. After all, it is the European view on the regulation of telecommunications that our country is obliged to implement within the European integration framework.