Pages

8 December 2022

Better Together: How the Quad Countries Can Operationalise 5G Security

ALEXANDRA SEYMOUR, MARTIJN RASSER

Introduction

The advent of 5G provides the Quadrilateral Security Dialogue—or the Quad of the United States (US), Japan, Australia and India—a unique opportunity to demonstrate how democracies can engage in effective technology collaboration. Recognising the risks that companies like Huawei, which is connected to the Chinese Communist Party, pose to telecommunications networks, each member country of the Quad has taken steps to ensure secure and resilient access to 5G.

Australia, for one, banned Huawei from its 5G rollout in 2018 and did the same with ZTE, citing national security concerns. For its part, the US has been raising concerns about Huawei since 2012, and doubled-down on its efforts in 2019 by adding Huawei to the Entity List.[1] Japan, meanwhile—a long-time leader in the telecommunications space—has accelerated its efforts to create ‘Open Radio Access Networks (Open RAN)’, which promote vendor diversification and competition for better solutions. And India took what it called a “step towards the new era” by deploying its first 5G services in select cities in October 2022; it is aiming to extend the network across the country over the next few years.[2] India is unlikely to include Huawei in its networks, given the clash with Chinese forces in Galwan Valley in June 2020[a] and concerns about vendor trustworthiness.[3]

Indeed, their alignment on securing telecommunications networks is an important item in the Quad Summit agenda. During the first in-person leaders’ meeting in September 2021, Quad countries agreed to “build trust, integrity, and resilience” into technology ecosystems by having suppliers, vendors, and distributors ensure strong safety and security-by-design processes, and committed to a “fair and open marketplace.”[4] Later, at the fourth meeting in May 2022, partners signed a New Memorandum of Cooperation on 5G Supplier Diversification and Open RAN, and reaffirmed their desire to “collaborate on the deployment of open and secure telecommunications technologies in the region.”[5] While these commitments are significant, maintaining momentum requires close coordination of resources and policies. No one country can build resilient, open, and secure telecommunications networks on its own, particularly as countries deploy 5G and think ahead to 6G.

To ensure that operationalisation moves forward in line with the Quad’s stated principles and goals, the member countries must work together in four key areas: standard-setting; security; talent development; and vendor diversity. These are the pillars that will ensure that people and processes are in place to operate secure networks and maintain competitiveness over Huawei and other companies similarly influenced by authoritarian regimes. This report examines each of these four fundamental domains and outlines a set of recommendations for Quad cooperation. These actions will not only promote secure 5G rollout in the Indo-Pacific, but also serve as a model for other democracies in other parts of the globe.

Setting the Standards

Global standards enable interoperability and facilitate trade. They matter to individual companies because developers and owners of standards receive licensing fees from other companies that use such technologies. Income is typically used to recoup past R&D investments and to fund new ones. For example, Huawei generated about US$1.3 billion in patent licensing revenues between 2019 and 2021[b] and is emphasising growth in this revenue stream to help offset losses incurred from US sanctions and export controls.[6]

Beijing recognises how outperforming competitors in standards is an effective pathway to dominating an industry. Telecommunications is a case in point. Chinese leaders, by championing the firm Huawei in particular, have pursued a policy of subsidising Chinese firms’ participation in standard-setting activities and through bloc voting—where government officials order other Chinese firms to back Huawei technologies for standards regardless of technical merit.[7]

These strategies, coupled with Huawei’s growing technical capabilities have borne fruit, and as of late 2021, the company led all firms in the number of self-declared 5G patents.[8] Chinese firms’ cumulative number of standards contributions in 2022 stood at nearly 34 percent, compared to 16 percent for US-domiciled companies.[9] Chinese companies also took an early lead in 6G patent applications, with over 40 percent of the total in late 2021.[10]
Maximising participation in standard-setting activities

Ensuring that companies from the Quad member states can fully participate in standard-setting for telecommunications can have an outsized impact on technological and economic competitiveness. Fulsome engagement in standard-setting also helps shape norms for technology use when sales abroad are coupled with safeguards against oppressive tactics such as mass surveillance and censorship.

To maximise participation in standard-setting activities, the legislatures of the Quad countries could do the following:Allow international standard-setting costs to qualify as expenditures under R&D tax credits. Each of the four countries boasts R&D tax incentive frameworks that can be amended to strengthen innovation policy. This is a more efficient way compared to offering grants, which require administering an application and approval process.[11]

Providing guidance on how to engage in standard-setting with sanctioned companies

International standard-setting in telecommunications requires engaging with companies that are subject to the Entity List. To uphold the integrity and transparency of international standard-setting, the process should remain open to companies from countries of concern and Quad governments should ensure the effective engagement by companies in their territories. For example, US Government policies on Huawei enacted in 2020 caused confusion as to whether and how domestic companies could fully participate in standard-setting where Huawei played a role. This limited the influence of American firms, putting them at a competitive disadvantage.

In September 2022, the US Department of Commerce Bureau of Industry and Security issued a rule that clarified what technologies and software could be released to companies on the Entity List within the context of “standards-related activity.”[12] The goal of this rule is to allow American companies to fully engage in international standard-setting, while safeguarding US national security interests.

To ensure that all firms in the Quad countries can maximise their presence at standard development organisations, the four governments could:Coordinate and harmonise their respective policies on how industry can participate in standard-setting alongside sanctioned entities. The US precedent shows that it is feasible to engage with sanctioned companies and entities from countries of concern without compromising on national security concerns.

Security

5G networks are critical infrastructure and it is imperative for states to ensure their security. In 2018, Australian officials were the first to warn the public of the risks posed by untrustworthy vendors on 5G networks.[13] Officials from the other Quad countries have followed suit and, along with key partners such as the European Union and United Kingdom, there is a clear consensus on the fundamental importance of secure and resilient communications networks.

There are two primary reasons why the Quad should continue its leading role by focusing on security for virtualised telecommunications networks. For one, virtualised (software-based) networks will be the norm in the next 10 years, by which time 6G networks will begin to rollout. Early attention to security issues for emerging telecommunications technologies will help ensure that there is sufficient focus on security in the runup to 5G rollouts.

The Quad’s advocacy of Open RAN networks—or network architectures that consist of interoperable software run on vendor-neutral hardware—is another reason why there is a need to focus on software supply chain and software-based infrastructure security. Critics of Open RAN solutions often point to security concerns to argue against deploying these technologies. A comprehensive 5G security strategy is necessary to ensure trust in these networks.

Designing a Quad 5G Security Strategy

The flagship effort to advance telecommunications infrastructure security should involve formulating a comprehensive approach that the governments of the Quad countries, with input from industry, will all agree to implement and use as a foundation for regulations and oversight. A common approach to network integrity would facilitate infrastructure buildouts to boost economic competitiveness. It would also bolster efforts by the Quad to support the development of secure infrastructure investments across the Indo-Pacific by providing appealing alternatives to offerings from untrusted vendors.

To lead on 5G Open RAN network security deployment guidelines, the Quad governments could:Craft and publish a unified zero-trust strategy for 5G networks, with special emphasis on Open RAN deployments.[c] An explosion of Internet-connected devices and 5G serving as the backbone of critical functions such as electric grids and water treatment means that threat vectors are expanding rapidly. The best way to address these risks is to set a strategy of ‘zero-trust’ that includes authentication methods, network segmentation, and continuous monitoring. Guidelines and regulations for software supply chain security and vendor validation should also feature prominently in this strategy.Partner with the EU to develop an Open RAN risk assessment and security framework. Having the Quad and EU more aligned will allow them to set minimum security standards and define best practices. Once the Quad 5G strategy is complete, the four governments should engage with the EU to create a common Open RAN risk assessment security framework. This framework could build on the EU’s risk assessment document, “Cybersecurity of 5G Networks: EU Toolbox of Risk Mitigating Measures.” While doing so will pose challenges as the EU has largely pursued risk-averse and actor-agnostic approaches to 5G security, a shared security posture on Open RAN would encourage European firms to enter the market segment, make European firms competitive in Quad country markets and vice versa, and expand the potential slate of vendors for Quad and EU-backed 5G network projects in the Indo-Pacific.

Talent Development

Nations across the globe are suffering from a talent shortage in the technology domain. With heightened demand for high-skilled workers, like-minded nations must cultivate and share their expertise with one another to bridge critical gaps. Recognising this, the Quad created the Quad Fellowship, which will support 100 students per year to pursue STEM-related graduate degrees in the United States.[14]

This could be an effective way to grow the talent pipeline in a way that fills current and emerging needs.

However, even though this is a good example of coordinated recruitment efforts, the current target of 100 students per year will not be adequate to address global workforce requirements. Additionally, programs like these that focus on the early stages of the talent pipeline bear fruit only in the longer term. If Quad nations are aiming to build resilience in the near term, they will need to think critically about how to recruit, retain, and reskill existing talent. Many nations have started to consider changes to immigration policies for high-skilled talent. Australia, for example, has raised its permanent immigration cap by 35,000 for the current fiscal year, and Japan is planning to expand its programs soon.[15]

At the same time, countries are likely failing to maximise the talent that they have within their borders due to consolidated talent hubs. For example, in the United States, eight metropolitan areas (San Francisco, San Jose, Austin, Boston, Seattle, Los Angeles, New York, and Washington, DC) accounted for about half of technology sector job creation between 2015 to 2019.[16] As jobs disperse across the country and remote work accelerated by the pandemic becomes permanent, it is time to seize talent in overlooked areas and communities. This is something that all Quad countries are experiencing as they seek creative ways to grow their technology talent pool. Indian companies, for example, are beginning to recruit in rural areas to address significant tech worker shortages that may stymie a growing start-up ecosystem.[17]

Whole-of-Society Outreach

With the introduction of new technologies comes new skills and ways of working. As jobs require new skills or are replaced/supplemented by automation, countries must consider where these skills are most prevalent. With the rise of the internet and access to high-speed telecommunication networks, information has become much more accessible. Individuals of all education levels have been able to acquire skills in ways that were not possible before, such as learning to code with open-source software or enrolling in free courses on online platforms. Although these are not considered traditional credentials, they can demonstrate knowledge, experience, and ability to learn.

To capture a broader swath of individuals in the Quad’s talent pool, the Quad could:Develop a recruitment framework for telecommunications. Quad countries have an opportunity to set a precedent for other democracies by rethinking what it means to be “qualified” for a position. Companies can look beyond degrees during the hiring process and focus on relevant skills by jointly developing assessment criteria for worker readiness and performance. These criteria can include creating standardised modules to test experience with a programming language or job-required skill that screen candidates before evaluating resumes, placing higher emphasis on apprenticeships and vocational training, or making education level an optional job application requirement.Incentivise 5G deployment in underserved areas. To ensure that talent is not left out of the candidates’ pool for tech jobs, Quad members can agree to prioritise secure 5G deployment in rural regions. Lack of access to reliable information and communications can be a significant barrier to entering the workforce, and expanding 5G deployment is a critical aspect of broadening the talent pool. As Quad countries collaborate on Open RAN, conducting tests of new Open RAN architecture in underserved areas could be a good way to demonstrate that these communities are priorities and to directly expose more individuals to opportunities to work on 5G security.Enhance public-private partnerships. As Quad countries build their infrastructure and talent pools at home, they must also think about other countries that only consider cost when choosing Huawei and other untrusted telecom providers. As such, the Quad could leverage public-private partnerships to bolster the presence of trusted companies in new locations. By using coordinated, strategic financial incentives, they will also have an opportunity to train and educate third country governments on the threats posed by untrusted 5G vendors. Consequently, they will contribute to broader network security and resiliency as 5G is more widely deployed.

Vendor Diversity

With current 5G infrastructure, software, hardware, and antennae are all supplied by one company.[18] Given the extent of services offered, only three companies control 80 percent of the world’s supply of wireless network-based stations: Huawei, Nokia, and Ericsson.[19] A growing recognition of the national security risks Huawei poses, coupled with the market expansion opportunities diversification presents, has caused Quad countries to embrace Open RAN. Countries must be able to provide a strong alternative to Huawei that will attract other democratic nations to participate in a new 5G architecture.

Since software, hardware, and antennae have historically been bundled together, it will take government prioritisation of Open RAN to support successful vendor diversification. Moreover, it will take government-level guidance to ensure that vendors understand how to implement security-by-design. Without this guidance, companies may continue to be discouraged to enter the space due to the high cost of entry.

To ensure there are opportunities for new vendors to contribute to 5G network deployment, Quad countries could:Create a subject matter expert (SME) grant program. Individuals are the most important resource that governments have. In addition to the talent identification challenges that governments face, SME growth is often overlooked. To support the broader 5G ecosystem, Quad countries could create an application-based grant program for SMEs to receive funding for one of two areas: Skill development in an area where SMEs have prior experience but want to learn how to meet Quad trusted vendor standards. At the end of their skill development period, they would obtain a specialist visa and be placed into a “SME marketplace” so that companies within any of the four Quad countries could hire them.[d]

Business growth if they own a smaller company that wants to be part of Open RAN vendor diversification efforts. This funding could support research and development costs, secure 5G expansion or deployment, or recruitment efforts.Coordinate vendor diversification efforts. While it will be important for Quad countries to individually make investments that support domestic vendors, they will also need to make sure they are maximising resources. As the Quad furthers Open RAN, partners have an opportunity to ensure that each part of 5G infrastructure—software, hardware, and antennae—is fully resourced and competitive. Conducting a thorough 5G infrastructure review to identify areas of weakness that China could exploit, and coordinating resources and policies, will support a truly secure and resilient 5G network. If successful, this approach can be used as a model for 6G coordination. Provide R&D incentives. The governments of the Quad countries should offer incentives to promote ongoing work in hardware, software, and security improvements, specific technologies such as high-band technology and end-to-end network slicing, and research areas including telehealth, energy research, and agriculture. A broad base of enabling technologies and applications would encourage new entrants into the market.

Conclusion

Quad countries are well-positioned to accomplish plenty together. Of the many areas where they can progress, securing 5G is particularly promising due to the clearly stated objectives that Quad countries share. By working together, Quad countries can leverage their individual strengths to improve standard-setting engagement processes, bolster security, and create more opportunities for talent development and vendor diversification. Additionally, their alignment on Open RAN makes them key to operationalising discussions that other democratic nations are still hesitant to have.

Their ability to coordinate policies and allocate resources will be an example to other countries that this diversified architecture is worth the risk and investment. As a result, by working on the recommendations laid out in this report, Quad countries will provide a secure, resilient, and open 5G network model to the Indo-Pacific and nations more broadly that seek democratic alternatives for their telecommunications infrastructure.

No comments:

Post a Comment