Huawei’s Ability to Eavesdrop on Dutch Mobile Users Is a Wake-up Call for the Telecoms Industry

Outsourcing Gone Too Far
When everything is working, very few people notice outsourcing. But when things go wrong, outsourcing can often significantly complicate recovery, or create a large “single point of failure” or security issue.

In the UK, for instance, mobile operator O2 has seen at least one outage which has been linked to the use of outsourced functions. Where large numbers of operators rely on the same outsourcing partner, any issue or security breach affecting the outsourced provider can have a widespread impact.

Still, outsourcing by mobile operators is widespread. And firms in the UK and across Europe have often turned to Huawei to provide IT services and to help build core networks. In 2010, Huawei was managing security-critical functions of KPN’s core network.

Administrator Access
At the same time, equipment suppliers like Huawei are trying to move away from merely selling equipment and towards providing a managed service, including installation, maintenance and support. This helps them create recurring revenue in an industry that has generally been dominated by large five-year or ten-year purchasing cycles.

But as these vendors add services to their repertoire, they gain wider access to the mobile networks they work with. This could include certain security-critical parts of telecoms networks, which are often designed to work in trusted, secure environments.

In the scenario where a vendor like Huawei also provides a managed service, they find themselves sitting in a uniquely privileged position, with inside knowledge of their own equipment, and with direct access to trusted management interfaces.

This creates the high-tech equivalent of putting all your eggs in one basket. It’s akin to giving the combinations of the bank vault to the same security guard in charge of the CCTV camera footage. It’s difficult to reliably monitor operations carried out by the vendor without relying on that vendor’s own software.

In cases where a vendor has been designated as high-risk as a result of its own product security practices, it is very difficult to be confident that the vendor did nothing untoward. This is the situation KPN apparently found themselves in with Huawei back in 2010.

Are Changes Needed?
With at least one operator aiming to reduce European operating expenditure by €1.2 billion, and 5G deployments bringing new opportunities for managed services and software-based solutions to be used in networks, decisions around outsourcing will continue to play an important role for mobile operators going forwards.

But legislation is rapidly catching up. The UK has proposed a telecoms security bill, and associated draft secondary legislation includes requirements for network operators to monitor all activity carried out by third party providers, to identify and manage the risks of using them, and to have a plan in place to maintain normal network operations if their supplier’s service is disrupted.

For some operators, it’s conceivable this might mean bringing key skills back in-house to ensure there’s someone watching the (outsourced) watchmen. In the case of KPN, these measures would likely have prevented Huawei from having seemingly unchecked and privileged access to its customers’ mobile data.
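The point made above, that an operator cannot trust a vendor's own software to report on that vendor's activity, and the proposed requirement to monitor all third-party activity, both come down to keeping an independent audit trail and checking it. The following is an added example (not from the article, KPN, Huawei or any operator's tooling) of such a check: privileged session records collected by an operator-controlled jump host are reviewed against approved change tickets. The log lines, ticket numbers, hostnames and the "core-li-01" sensitive host are constructed sample data and hypothetical names.

```python
"""Independent review of vendor administrative sessions.

Added example, not taken from the article or any operator's tooling. It
assumes the operator records privileged sessions out of band (for example on
a bastion host it controls), so the audit trail does not depend on the
vendor's own management software. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one line per privileged session, as exported by the
# operator's jump host. Fields: time, vendor user, target host, change
# ticket ("-" if none was supplied), action performed.
SESSION_LOG = """\
2021-04-17T02:10:00Z vendor-eng-07 core-hss-01 CHG-1042 read_subscriber_profile
2021-04-17T02:15:00Z vendor-eng-07 core-hss-01 CHG-1042 apply_patch
2021-04-17T03:40:00Z vendor-eng-12 core-mme-02 - config_dump
2021-04-18T11:05:00Z vendor-eng-07 core-li-01 CHG-1042 enable_intercept
"""

# Constructed sample: approved change tickets, their maintenance windows and
# the hosts each ticket authorises the vendor to touch.
APPROVED_CHANGES = {
    "CHG-1042": {
        "start": datetime.fromisoformat("2021-04-17T02:00:00+00:00"),
        "end": datetime.fromisoformat("2021-04-17T04:00:00+00:00"),
        "hosts": {"core-hss-01"},
    },
}

# Hypothetical name for a host (here a lawful-intercept gateway) where any
# vendor access, approved or not, is escalated for human review.
SENSITIVE_HOSTS = {"core-li-01"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    host: str
    reason: str


def parse_sessions(log_text):
    """Split the jump-host export into (time, user, host, ticket, action)."""
    sessions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, ticket, action = line.split()
        sessions.append((ts, user, host, ticket, action))
    return sessions


def review_sessions(log_text, approved, sensitive_hosts):
    """Return one Finding per policy deviation in the session log.

    A session may produce several findings (e.g. outside its ticket's window
    AND on a host the ticket does not cover), so each reason is reported.
    """
    findings = []
    for ts, user, host, ticket, _action in parse_sessions(log_text):
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))

        if ticket == "-":
            findings.append(Finding(ts, user, host, "no change ticket"))
        else:
            change = approved.get(ticket)
            if change is None:
                findings.append(Finding(ts, user, host, "unknown ticket"))
            else:
                if not change["start"] <= when <= change["end"]:
                    findings.append(
                        Finding(ts, user, host, "outside maintenance window"))
                if host not in change["hosts"]:
                    findings.append(
                        Finding(ts, user, host, "host not covered by ticket"))

        if host in sensitive_hosts:
            findings.append(Finding(ts, user, host, "sensitive host accessed"))
    return findings


if __name__ == "__main__":
    for f in review_sessions(SESSION_LOG, APPROVED_CHANGES, SENSITIVE_HOSTS):
        print(f"{f.timestamp} {f.user} -> {f.host}: {f.reason}")
```

Run as a script it lists the deviations: the untagged config dump on the MME, and the later session on the intercept gateway, which falls outside its ticket's window, touches a host the ticket never covered, and hits a sensitive host. The design choice that matters is the data source: the session records come from infrastructure the operator runs, so the review does not depend on the vendor reporting on itself.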

Greig Paul is Lead Mobile Networks and Security Engineer, University of Strathclyde. This article is published courtesy of The Conversation.