TIM may use 5G equipment produced by Huawei, provided that it follows the rules dictated by the Presidency of the Council. Is national security safe? by Andrea Monti – originally published in Italian by Infosec.News

Background

On 7 August 2020, the Prime Minister’s Office issued a decree setting out the conditions under which Huawei can provide Italy, through former network monopolist TIM S.p.a., with its 5G infrastructure.

Apart from constitutional issues (yet another ‘creative’ use of the Prime Minister’s Decree, after the management of the COVID-19 lockdown) and political aspects (the decree would neither be a ‘surrender’ to China nor, therefore, a ‘betrayal’ of the Atlantic allies), the Conte-Huawei Decree raises several legal and technical doubts about its real effectiveness.

The impact of the Conte-Huawei decree on the TLC market

The Italian government has not denied the risks coming from using Chinese technology in the Italian 5G network but the Prime Minister thinks he can control it by requiring TIM to follow technical and organisational prescriptions.

Although issued only about TIM, it is clear that the Conte-Huawei Decree has a structural effect on the entire telecommunications sector. It is, in fact, a standard with which other operators (carriers and Internet providers) wanting to use Chinese technology will also have to comply. The cost of this compliance might well force small operators out of the market.

The requirements imposed by the government on TIM, and which will inevitably be the same for other large and small operators wishing to use Huawei’s technologies, are indeed incredibly costly. Unless practising the classic management approach based on ‘that will not happen to me’ (thus limiting the compliance to paper-check rather than to actual controls), it is not sure that smaller companies can afford the necessary investments and stay in the market nonetheless. As a consequence, if it not possible to create a single telecommunication network, the alternative path is to eliminate the ISPs, in perfect coherence with those who see a competitive market with annoyance.

Delegated management of national security

Instead of maintaining autonomous reins in the hands of the Executive, the Conte-Huawei Decree attributes exclusively to TIM (i.e. a private entity) the obligation to keep the Chinese apparatus under control. In other words, the government takes another step towards co-managing national security by default with private entities, which become an integral and structural part of the system.

TIM must, on the one hand, notify the government of the location of the Huawei pieces of equipment and, on the other hand, through its security department, is supposed to compile a list of trusted suppliers selected also according to security requirements, perform periodic risk analyses and verify, at hardware and software level, that the Huawei pieces of equipment are safe.

The criticalities caused by the Conte-Huawei Decree

On paper, everything looks perfect, but since the devil is in the details, the reading of the Decree raises doubt and concerns.

Firstly, the assessment of security requirements in the supplier clearing procedure can be done, literally, ‘on paper’. The Prime Minister states that TIM can resort to supplier’s statements or those of an internationally recognised certifier: this is like asking the host if the wine is good.

Secondly, control over hardware and source codes is optional. TIM “may” (this is the verb used by the DPCM) perform these checks, but is not obliged to do so.

Thirdly, even if TIM wanted (or had to) perform such controls, the costs would be very high and the results close to zero. Unless checking every single component already in the factories and the production chain and then in logistics, there would be no way to guarantee that the product complies with the declared security specifications. Furthermore, Huawei would have the right to ask TIM (and not the Italian government) to sign a confidentiality clause and assume responsibility for the unauthorised circulation of information.

In this regard, moreover, it is worth noting that Prime Minister forbids the disclosure of technical data to foreign countries. However, since it does not make any geographical limitation, the rule prohibits the exchange of data also with NATO countries, which will undoubtedly not be happy with this information isolationism of Italy.

Fourthly, from a technical point of view, such controls would make no sense. Giovanni Zorzoni, director-general of MyNet and vice-president of the Italian Internet Provider Association, points out:

Compared to the possibility of analysing the source code, SDN networks have such a huge quantity and stratification of code that, although with some verification tools, it is possible to detect the grossest errors, finding more serious bugs or backdoors is like finding a needle in a haystack. Here is one of the many possible examples: take the Telegram client code and re-design it for a home-made chat server. Very few comments, “spaghetti code”: it is faster to rewrite everything. Moreover, we are talking about a little thing in comparison to a whole (and chaotically written for time-to-market) complex and distributed network stack. The 5G network with widespread antennas will be the most significant security hole networks have ever seen. Worse, in today’s telco infrastructures, the level of complexity of interactions between systems is enormous. Between FPGAs and the like, complex ASICs and secondary processors with binary blobs loaded at the time of execution, whose intellectual property and source code is sometimes unknown, it is impossible to guarantee a level that meets national security requirements.

On the other hand, if the fear is ‘espionage’, it is inconsistent with reality. Software production processes have a well-known security issue. Huawei, like any other subject on the other side of the Atlantic, does not even need to risk its commercial reputation: the number of Zero-Days that periodically spring into the wild is such that it is not even necessary to install backdoors or other devilish things in order to snoop over other people’s whereabouts.

Ineffectiveness of sanctions

Last but not least there is the question of the ‘sanctions’ that the Prime Minister’s Decree establishes in case of violation of its terms.

Here too, we face a ‘creative’ use of the Prime Minister’s Decree, which dictates mandatory contractual clauses in relations with Huawei failure to comply with which falls within article 1456 of the Civil Code. The provision activates an automatic system whereby failure to comply with the requirements implies termination of the contract.

In practical terms using contractual termination as a form of sanction, as well as being improper from a civil law point of view, is useless.

Acting on the termination clause means going to court. Even assuming TIM’s lawyers were able to file the complaints in one day, the lawsuit would not start for 90 days, the taking of evidence would take months (if not years), and the sentence would arrive no one knows when. Of course, there are is the possibility to obtain an urgent, preliminary ruling but what effect would they have, if not the precautionary shutdown of the apparatus in dispute? Furthermore, how could TIM, in the meantime, continue to provide the service to clients?

In Italy, we have already experienced such a situation with the patent infringement case on the Tutor system, which initially blocked its use. Until the final decision of the Supreme Court that reactivated it, Italian drivers suffered an increased risk of accidents for a long time because Autostrade per l’Italia had not replaced the equipment challenged in court. In the end, the company was right, and if it had implemented the Rome Court of Appeal’s ruling without waiting for the final decision of the Supreme Court, it would have spent an enormous amount of resources, not just money.

But in the meantime?

Conclusions

The Conte-Huawei decree nurtures an intricate jungle of bureaucratic formalities, whose (non-)compliance will be very difficult to ascertain quickly and clearly. Also, it generates enormous potential costs in terms of legal actions and management of their consequences.

It can have distorting effects on the telecommunication market, also affecting the debate on the (in)opportunity to create a single telco network (in fact, a  nationalisation), thus stifling competition in the market.

Above all, however, the Conte-Huawei decree leaves some doubt on a matter of substance. Either the US intelligence and that of the other countries that supported its claims have made a resounding mistake in saying that there was no alternative to the commercial ban on Huawei’s technology, or the technicians of the Italian Council Presidency have made a huge error of assessment.

Transparency note: although the author is a consultant to the Italian Internet Provider Association (AIIP), the opinions expressed in this article are formulated in a personal capacity and do not represent the position of AIIP.