Experts claim that there is little to suggest that Huawei's network hardware and phones are any more or any less vulnerable to attacks compared to the competitors' offerings. For India, it might be unwise to take any country or supplier for granted.
The strategic nature of communications technology requires that it be robust in its reach and quality, and secure in its deployment. The pace with which these networks have so far proliferated is remarkable and historically unprecedented, yet progress on matters of security has lagged. Our world is replete with large-scale and organised system breaches, service attacks that can bring large systems down to their knees, and a plethora of spyware/malware designed for identity theft. It is, therefore, no surprise that authorities and organisations are actively studying and attempting to prepare themselves for future cyber threats.
The year 2016 was a watershed one as far as cyberattacks go, with some of the most high-profile attacks occurring within six months (Cisco). The “Pegasus” zero-day IOS malware was discovered in August 2016 and was found to have been used to spy on high-profile iPhone users. In October, denial of service attacks on DNS provider Dyn led to significant outages of significant websites. This was followed in November by a substantial data breach at an EU operator that exposed mobile user customer records to attackers. 5G networks pose unique challenges in such aspects. Unlike 2G, 3G or even 4G to a large extent, 5G is not a telecom-centric product but one that transcends industrial boundaries—it is a core technology that conforms to the requirements of where it is being applied. 5G is as much to healthcare, agriculture, automotive, manufacturing, and other sectors, as to telecom. It is then easy to recognise that challenges relating to the security of these networks will present new and unknown mysteries that will unravel as adoption intensifies.
As the new Government tries to accelerate the implementation of 5G (the telecom minister has firmly placed it in the 100-day agenda), one is much worried that security aspects could well become the next significant roadblock for again delaying progress
We need to understand that, after a great start through the establishment (in September 2017) of the High-Level Government Forum for 5G 2020, India has clearly faltered in its path and fallen behind in its mission. Many other nations have moved ahead undeterred, and we now lag by almost two years.
Adopting a reactive approach to 5G-security will only delay us further. In addition to the numerous use cases of 5G (connected cars, sliced networks, remote health care, manufacturing, etc) that stand to be significantly influenced by the presence of security threats and pervasive attacks, the network topologies that are finding relevance in a 5G-era accompany their own unique set of security issues. Software-defined networks are soaring in popularity in 5G discourses and designs and are deeply vulnerable networks whose management interfaces can effectively be used by cybercriminals to bring down the entire system. Such vulnerabilities are often the result of the same open & flexible features that make such technologies attractive in the first place. This, as would be expected, makes cybersecurity in a 5G era an elegant balancing act that must attempt to address critical vulnerabilities while maintaining open architectures. At the forefront of 5G network infrastructure design, manufacture and supply stand the Finnish vendor Nokia and the Chinese supplier Huawei. A little behind them is Ericsson and then Samsung and ZTE. Founded in 1865, Nokia is a highly reputed pioneer with excellent quality and very long experience in mobile telecommunications. Huawei, on the other hand, although only about 32-years-old, has made remarkable progress to become the world’s largest telecommunications manufacturer, with 118,000 employees (about 76,000 in R&D!) and a ~$108.5 billion turnover in 2018. The latter’s prices are the lowest and the quality also one of the best. There are questions and concerns in many quarters about the firm’s connection to the Chinese government and the possibilities of espionage or sabotage through malware. However, there is apparently no firm evidence from anywhere. Experts also claim that there is little, if anything, to suggest that network hardware and phones manufactured by the company are any more or any less vulnerable to attacks when compared to what is offered by competitors. India is a fast-rising economic and political power, and it might be unwise to take any country or supplier for granted.
The financial and other implications of the security decision in 5G are enormous. For example, a couple of days ago, GSMA, the apex body globally for mobile telecommunications, cautioned that Europe will incur an extra cost of $62 billion and 18-months rollout delay if Chinese vendors are banned. Europe has a population 60% lower than India’s and has a far lower dependency on mobile due to excellent wireline network penetration. If such is the impact for Europe, one can well imagine the humungous impact, both financially and in terms of delay in introduction of 5G, for India, with a population of 1.3 billion and an abysmally low wireline penetration. The thought is too scary, indeed.
National security is not a light matter where money can override other considerations, and one cannot but appreciate the unenviable task in front of state leaders. On the one hand, they must do everything in their power to help industry roll out communication services at affordable prices but must do so with due regard to national security and the safety of their citizens’ data.
All possible safeguards regarding security need to be ensured while procuring and using any network equipment. This should not be, for India, a big challenge. With the established Indian IT prowess—one of the best in the world and probably well ahead of Chinese capabilities—it is inconceivable that our engineers cannot devise the necessary tests and safeguards. We need to be scientific, objective, and dispassionate in addressing the Huawei risk and not be swayed by other political considerations.
Probably as a response to rising concerns, Huawei recently announced offering No Spy Agreements to the UK and Germany, and stated that the company would be open to signing such deals with other nations as well. India could also demand this.
The ministry inaugurated a special equipment testing laboratory at ITIL, Bengaluru, last year. We have the expertise and the wherewithal to deal with concerns regarding the security of network equipment. Moreover, it is not essential to own and house all the test laboratories in India. One could well hire capacity in established independent labs abroad and also have the tests performed under the direct supervision of our experts.
In today’s scenario, when India is rising fast as a formidable power in both telecommunications and economic strength, we can ill-afford not having vigorous checks and safeguards universally applied. In this context, it is very heartening to hear that Government has just set up a Special High-Level Committee of Experts & Officials to consider Security Aspects of 5G Network and associated equipment. This is of great importance because the industry urgently needs clarity at the earliest as regards what is allowed and what is not.
Security vulnerabilities exist in all networks, but India cannot afford to fall behind further on 5G- a technology that is so vital for Digital India, merely based on speculative fears and political considerations without having leveraged its formidable IT skills to address the situation.
Research inputs by Kartik Berry
The author is Honorary Fellow of IET (London) and president of Broadband India Forum, (Views are personal)