Main Image Credit Courtesy of Olga/Adobe Stock.
The UK government must learn quickly from its policy decisions around its 5G networks, and start grappling much earlier with risks posed by other emerging technologies.
MPs have called on the UK government to identify other critical emerging technologies, highlight the dangers of dependency on high-risk vendors and set out the government's proposed response. Considerations should include domestic capability and international cooperation, research and supply chain security, and transparent standards setting.
In June 2019, following US sanctions on Huawei, the UK’s National Cyber Security Centre (NCSC) recommended that network operators should not use 5G equipment supplied by Huawei. The potential threat from Huawei’s presence in UK networks has been much debated. Regardless, removing Huawei completely has increased other risks – for example, in relation to vendor diversity. Nokia and Ericsson are now the only two alternative 5G suppliers to the UK. The NCSC has referred to the negative security and resilience consequences of this situation. Whatever the merits of the decision to ban Huawei may be, it clearly heightens the risk of a single point of failure to UK 5G networks, and potentially gives the two remaining vendors excessive business leverage.
Over the past year, the House of Commons’ Science and Technology Committee has been looking into ways to diversify the 5G market in order to mitigate these risks. Importantly, they have also urged the government to learn from this episode and focus on the potential risks from other critical and emerging technology. Here are some additional thoughts on some of the committee’s conclusions:
On 5G Diversification Strategy
The Department of Culture, Media and Sport (DCMS) 5G strategy sets out three ways to diversify the 5G market: strengthening the resilience of existing suppliers; attracting new suppliers into the market; and incentivising interoperability. While the committee broadly agreed with the three steps to 5G market diversification, evidence suggests that the government’s strategy to bring more suppliers into the UK market has ‘simply come too late’. The committee called for ‘a more detailed action plan’ on how these steps will be delivered with the £250 million that has initially been set aside to do so.
On interoperability, it is worth noting the historical issues with the telecommunications market, which essentially mirrors a 1980s-style business model where single suppliers traditionally provide all of the equipment for the service they are delivering. In some cases, it is not possible to swap out a component of one vendor’s equipment for another without having to rip out every component and start again. This has severe economic and time-consuming costs. Current UK 5G networks are non-standalone, meaning they are built on top of existing telecommunications networks. In the UK, Samsung 5G may not be able to build on top of 4G and 2G equipment provided by other suppliers, but could provide new standalone networks. In the short term, shoring up the resilience of existing suppliers is just as important as diversifying the market.
OpenRAN is a group of companies trying to make it technically possible for different vendors’ equipment to interoperate in parts of the 5G network. In theory, it will create an environment where networks can be deployed with a more modular design without being dependent on a single vendor. While evidence provided to the committee did advocate giving OpenRAN initiatives ‘a prominent’ role, experts rightly pointed out that success is ‘not guaranteed’ via this method alone. Instead, the committee concluded that OpenRan should be part of ‘a range of measures’ to increase 5G vendor diversity.
While OpenRAN technology is potentially one way to overcome the inflexible nature of the current 5G supplier model, it is not a silver bullet. Such initiatives face serious challenges. Even if interoperability between suppliers is possible, it may not yet be economically viable. Moreover, the initiative could end up being dominated by certain vendors or could even create new vulnerabilities.
Another challenge relates to national context. Many point to the success of the Japanese OpenRAN model, but this was achieved by building on virgin ‘greenfield’ sites. Meanwhile, the UK’s networks contain a bunch of legacy systems that need to be factored in when discussing OpenRAN in the UK context. With the rollout of 5G and other emerging technology in the UK, it is of course important to learn from the experience of other states. Equally, policymakers must understand that the UK context will always have its own peculiarities. We must not become obsessed with OpenRAN.
The committee concluded that incentives alone to diversify the 5G market will not work and should be combined with ‘regulatory requirements’. This may be especially appropriate when public funds are being used and could include ‘measures to reduce operator costs’. The committee called for the government ‘to publish the measures it is considering to incentivise and require network operators to diversify their suppliers’.
The elephant in the room is that there are few incentives for existing suppliers to relinquish their substantial share of the 5G market. New entrants to the market face challenges in scaling up their production lines, and telecommunications is not exactly a high-margin business. For network operators, the process of market diversification will inevitably increase operating costs. The role of government, including its relations with network operators and 5G suppliers, will be vital in removing these substantial barriers to entry for new suppliers. Importantly, this is a matter of industrial and economic policy, and not just a discussion for cyber security experts.
Experts told the committee about the critical role of ‘international standards for national economic competitivity and technical capability’, and the potential for the bodies that set those very standards to ‘become politicised’. While there was naturally strong support for wider use of global standards in 5G and other technology, a consistent message was that in practice technological divergence is leading to separate Western and Chinese standards. Evidence suggested that the ‘influence of British companies and officials in global standards-setting processes is diminishing’.
Cyber and technology standards matter. Reports indicate that China is determined to take the lead in global standards setting, backed by state funding and political influence campaigns. Meanwhile, US policy continues to isolate Chinese companies. In some cases, existing vendors are not incentivised to share their intellectual property (IP) with competitors, or are even banned from doing so. Consequently, they will likely develop their own bespoke standards for a particular piece of IP. Moreover, if you are new to the market, you will likely have no IP in the first place, creating an even higher barrier of entry. This is a recipe for mutually assured destruction. For all the talk of interoperability, this form of protectionism encourages an atmosphere of competing US v China standards.
The UK has a role to play here, as it defines its future international role in cyber. One strategic goal should be to increase UK engagement in international cyber standards bodies, so that the UK becomes a global leader in technical standards setting. Some commentators suggest that alliances should be based on coalitions such as the Five Eyes, or the G7 plus Australia, India and South Korea. Just looking at global cyber security standards through these alliances could be the wrong way to go about it. It is just as critical that the UK continues to work with a wide range of international partners, including those middle-ground countries who may find the Chinese model attractive.
The Wider Context
The most striking conclusion of the committee’s report is that the government should learn from its 5G experience and ‘urgently’ start making plans for other critical and emerging technology. This includes the use of ‘artificial intelligence, quantum technologies and synthetic biology’. This list is by no means finalised and requires further research. The committee stated that ‘the UK has always been playing catch-up with 5G policy because of a lack of strategic foresight’.
To overcome this, the UK should recognise the security challenge from fragmented and competing supply chains, a Chinese-dominated emerging technology marketplace alongside a competing Western model, and reinforce the need for pragmatic cyber risk management approaches. A new approach to critical and emerging technology will require significant investment in crystal-ball gazing to deliver future prosperity and security.
Finally, it would be naïve to suggest that this is just a matter for technologists and cyber security experts. The harsh reality for some companies is that there will be a clear political backdrop to these policy decisions that will continue to play out. For example, there are human rights concerns regarding how Chinese technology companies have allegedly enabled the Chinese government to suppress its citizens. It will be important that the UK’s future strategy tries to disentangle the political, economic and technical factors that could inform these policy choices, so that we are all clear as to why certain policy decisions have been made. The intersection between technology and geopolitics will define policy decisions for decades to come.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.
Director, Cyber Research