Germany finally gets round to banning Huawei, sort of

The actual number of days is pretty big though. Nearly 2,000 in fact. According to broadcasters NDR and WDR, and national newspaper Süddeutsche Zeitung, the agreement will see telcos remove Huawei from their core networks by 2026, followed by transport and access networks by the end of 2029.

Germany, along with 26 other EU members, has signed up to the EU toolbox for 5G security, which commits it to removing high-risk vendors from critical comms networks. Ideally, member states were supposed to have this all done by June 2021.

Germany has already been roundly criticised by its Western allies for dragging its feet over banning Huawei, so for them, this development is a step in the right direction. However, the length of time operators have reportedly been given to implement the changes has understandably attracted no small amount of ire.

Never one to mince his words, telco consultant John Strand said Germany "acts as if it's the 24th province of China."

"It is good that the German government and the German operators admit that there is a risk in using equipment from non-trusted vendors such as Huawei and ZTE. It is sad that they do not want to eliminate that risk before we get to 6G," he said.

What's more, Reuters quoted Germany's interior ministry as saying that talks between the government and operators are ongoing, so this ban might not even be official yet.

Furthermore, sources in the reports claim there is talk of a potential compromise that would allow telcos to continue to use Huawei RAN hardware provided they adopt third-party RAN management software. Sources cited by sister publication Light Reading were quick to pour cold water on this idea, one of whom asserted that such a measure is not possible in a traditional RAN deployment.

According to Strand's calculations, it would cost operators a combined €2.5 billion to rip out and replace Huawei, equal to €29 per German – the implication being that telcos can afford to do it, all that's lacking is the right motivation.

"The German government sided with the operators to save money by sacrificing security," he said. "It's like the car makers getting to wait five years to install airbags in new cars."

Indeed, but throughout this saga, it is also important to remember that removing Chinese network equipment will not prevent China – or anyone else for that matter – from conducting cyber attacks. There are already plenty of attack vectors that don't hinge on a compromised vendor bagging a high-profile, multi-billion-euro network deal with a telco.

Just this week, a report by the intelligence agencies of Australia, Canada, Germany, Japan, South Korea, the US, and UK accused China's Ministry of State Security (MSS) of sponsoring a hacker group dubbed Advanced Persistent Threat 40 (APT40) to snoop on governments across the Indo-Pacific.

According to the report, this group conducts phishing campaigns to obtain login credentials, and also hunts down vulnerable, end-of-life devices that haven't been properly maintained. In one incident in April 2022, APT40 was able to steal hundreds of usernames, passwords, and multi-factor authentication codes.

There is not a single mention of RAN, core, 5G, Huawei, ZTE or any other mobile vendor for that matter.

Removing Huawei from mobile networks will close down one avenue of attack. But there are numerous other routes available to the tenacious hacker, and it only takes one careless user to roll out the welcome mat.