Irony Alert: What if China taps open RAN to breach networks?

The presence of Chinese companies in open-source radio access network (RAN) groups, such as the O-RAN Alliance, could pose a security threat to networks, says telecom consultant John Strand.

Chinese programmers and developers have long been good contributors to open-source groups involved in telecom networking. Many of these groups began in Silicon Valley in the United States. The Linux Foundation has captured the management of many of these projects such as OpenDaylight, the Cloud Native Computing Project and ONAP.

These and other open-source groups have sped the innovation in networks, incalculably. And the open-source community is religious about the “open” aspect of its work. Everyone is welcome to contribute and judged solely on the quality of their programming skills. The groups often bend over backwards to include programmers from China and to accommodate the difficulties of collaborating in different time zones.

At the same time, over the past couple of years, countries have been banning Huawei and ZTE equipment from their networks, citing security concerns. They say that China’s government is an authoritarian regime that can ultimately control companies such as Huawei and ZTE.

The open RAN trend has benefitted from these political and security concerns. An FCC 5G open RAN forum in September was kicked off with a keynote from U.S. Secretary of State Mike Pompeo, who cautioned against China involvement in networks and who lauded the promise of open RAN.

Earlier in the year, a bipartisan group of U.S. senators introduced legislation that would provide over $1 billion to invest in Western-based alternatives to Chinese vendors Huawei and ZTE. And the senators championed open RAN as a means to introduce more vendors into the telecommunications ecosystem to supply RAN equipment.

It would be ironic if countries worked so hard to expunge all Huawei and ZTE gear from their networks, only to have China gain a backdoor to these same networks via open source.

The O-RAN Alliance

The O-RAN Alliance was established in 2018 by AT&T, Deutsche Telekom, NTT Docomo, Orange and China Mobile. It has since grown to 237 mobile operators and network equipment providers. According to Strand Consult, the O-RAN Alliance has 82 U.S. member companies and 44 Chinese member companies (3 from Hong Kong). In addition to China Mobile, other Chinese service providers that belong to the group include China Telecom and China Unicom.

“Notably, the 44 Chinese member companies exert significant control on the technical specifications and supply chain of open RAN 5G products and services,” said Strand. “Other O-RAN Alliance members include Inspur, Lenovo, Tsinghua, and ZTE, companies the U.S. government restricts for security reasons given their ties to the Chinese government and/or military.”

Strand also said, “Many non-Chinese firms see an opportunity to enter the 5G network equipment market, but it is not clear whether and to what degree they will use Chinese standards, components, and manufacturing.”

Open-source stance

No one from the O-RAN Alliance immediately responded to a request for comment for this story.

But the typical open-source proponent will argue that open-source collaboration makes everything transparent. So even if bad actors do try to insert malicious code, there are many qualified eyes looking at the same code who can catch it.

A couple of years ago, Edward Snowden spoke via video conference to the participants at an OpenStack conference. Snowden, an American whistleblower, is exiled in Russa because he leaked highly classified information from the National Security Agency, revealing global surveillance programs, many of which were run by the NSA with cooperation from telecommunications companies.

Snowden told OpenStack attendees that the benefit of open-source software is that it involves whole communities to solve security problems, transparently.

“The beauty of open source is that it makes bugs more shallow,” he said. “But they still get through. When something does come through, the entire community can respond, and they do. When Apple or Google or Amazon has an issue, we don’t know what they learned. We can’t evaluate if their response was good enough. Fundamentally, we don’t work for governments, states, or corporations. We should be working for the spirit of technology itself, moving people toward a more empowered future.”

It should be noted that leaders in the open-source world, such as the Linux Foundation, receive funding from their top member companies, so they may not be the most impartial voices on the matter of open-source security.

A sponsored article on FierceWireless from Red Hat and Altiostar lays out a variety of reasons why those companies think open RAN is inherently secure.

Consultant Don Clarke, who was formerly with BT and who was co-founder of both ETSI NFV and OPNFV, has created a slide that shows some of the pitfalls of open source.

Pros include:

  • Reduced time to implementation 
  • Fast bug fixes and improvements 
  • Low barrier to participation by smaller players 

Cons include:

  • Lacks recognized, persistent governance authority
  • Unconstrained code contributions leading to bloat/bugs 
  • Uncertain licensing implications
  • Culture: hard to manage individual developer contributions 
  • Vulnerable to fragmentation into multiple communities 
  • Poor/non-existent documentation on what the code does 

Another question is: how in the world could governments possibly police open-source groups? Many of the programmers who contribute never collaborate in person. They work from their homes all around the world. It doesn’t take much of a stretch of the imagination that they may even conceal their actual identities.

Strand said, “However commendable the notion of open RAN may be from a technical perspective, it appears that China has already outwitted Western leaders. China can afford to lose the Huawei battle if it wins the war on standardizing and building billions of 'open,' 'interoperable,' and 'vendor neutral' devices. As long as China influences the O-RAN specifications and manufacturing, it does not care whose brand is used.”