Open RAN, which is championed by consortiums such as the O-RAN Alliance and the Open RAN Policy Coalition, has become increasingly politicized in the U.S. These technical standards have been framed as a national security imperative and an important tool for keeping untrusted vendors (namely Huawei and ZTE) out of 5G networks at home and abroad. But, can Open RAN live up to the national security hype? What are the potential solutions Open RAN presents -- and the potential pitfalls?
Rarely do technical standards capture the public imagination. It is equally rare for them to take center stage in discussions centered on bolstering American national security and the evolving dynamics of great power competition.
Yet, in the ongoing national security debate surrounding the development and deployment of the fifth generation of wireless networks (5G), technical standards have emerged as the latest tool for muscling Chinese companies out of 5G networks at home and abroad.
Open radio access network (RAN) architecture, Open RAN for short, has been framed not only in terms of the economic benefits for U.S. companies and American citizens, but as a national security imperative. Just last month, the Federal Communications Commission (FCC) hosted a groundbreaking virtual event focused on Open RAN during which national security concerns associated with Chinese equipment vendors were on full display. The event began with FCC’s Chairman Ajit Pai highlighting, alongside the economic benefits, the security implications associated with Chinese equipment (namely Huawei and ZTE) in 5G networks. In his keynote address, Secretary of State Mike Pompeo framed Open RAN more broadly, seeing it as a crucial tool for “addressing the China challenge” the U.S. now faces. Notably, Pompeo’s presence as a keynote speaker at an FCC event dedicated to technical standards only further highlights the recent geopolitical weight that has been given to Open RAN in the U.S.
The question, therefore, becomes ‘can Open RAN deliver on this national security promise?’
The answer: yes, and no. First, the devil is in the details, and those details are still evolving. The exact character of these standards is still being hashed out and their implementation in practice remains a work in progress. Second, our assessment of the national security benefits of Open RAN should not only be dominated by concerns over Chinese companies such as Huawei and ZTE. The security problem the U.S. faces is far broader and the security benefits of Open RAN are too. Third, in complex systems, there are no geopolitical silver bullets. Open RAN is only one part of a broader set of steps necessary to shape a robust and secure telecommunications ecosystem. It cannot, nor can any set of technical standards, achieve that goal alone.
What is Open RAN?
Open RAN, in its most basic form, creates standardized and interoperable interfaces between systems in the radio access network (there are three commonly understood components of telecommunication networks: (1) end-user devices, (2) the radio access network (RAN), and (3) the core network). In contrast, traditional telecommunication networks feature interfaces that are “either proprietary or optimized by the individual vendor, and are often tied to the underlying hardware layer.”
Why does this shift in interfaces matter? Recall, in the past, we were unable to take for granted that the wireless chip in our computer could connect to whatever wireless router we might purchase for our home or office. Now, we do take for granted that seamless interplay between routers and chips, each produced by a diversity of vendors. In 5G networks, the opening of interfaces at the heart of Open RAN seeks to provide network operators with a similar opportunity: the technical ability to integrate components from a variety of vendors without needing detailed, proprietary knowledge of or access to each component to get them to smoothly talk to each other in practice.
Notably, the usage of Open RAN as a generic industry or policy term has expanded to also include two processes aided by open interfaces. The first is the disaggregation of the network into smaller pieces (i.e. vendors have the ability to specialize and innovate in specific areas within 5G networks while avoiding others). The second is the decoupling of the software layer of the network from the underlying hardware (i.e. the ability to run one vendor’s software - increasingly the layer where the core functions of the network are located - on another vendor’s hardware).
Why do these three shifts -- opening interfaces, disaggregating the network, and decoupling hardware and software -- matter?
The “open” in Open RAN moves 5G away from proprietary, vertically integrated end-to-end networks dominated by a handful of vendors -- namely Sweden’s Ericsson, China’s Huawei, Finland’s Nokia, and, to a more limited extent, South Korea’s Samsung -- to a diversity of hardware and software players across the 5G stack (the sub-components that make up the broader 5G telecom network, such as semiconductor chips, radios, cloud-based services, servers, and mobile devices). Put more simply, it gives U.S. telecom operators like AT&T, T-Mobile, and Verizon the opportunity to shop around for hardware and software to build and maintain their 5G networks rather than facing a market where they must (primarily) purchase that array of hardware and software from a single vendor.
In the narrowest sense, the outcome Open RAN advocates promise is the opportunity for a more diverse and innovative 5G ecosystem. Disaggregating the stack allows for a greater number of players at each level of the network, and companies can specialize in sub-components rather than end-to-end solutions. By decoupling hardware and software, the U.S. can also play to its industry strengths (software, the platform economy, and an increasingly service-based economy).
In the broadest sense, advocates of Open RAN claim that this diverse and innovative ecosystem will muscle out Chinese companies like Huawei whose relative advantage is in providing proprietary, vertically integrated networks at low cost. Here, the argument, as Pompeo summarized in his keynote address at the FCC, is as follows: “When Americans can compete and innovate, we will win." Put another way, if operators in the U.S. and abroad have a real choice in vendors, they are unlikely to select Huawei or ZTE.
Open RAN and U.S. National Security Concerns
As I have previously demonstrated, there are two broad categories of national security concerns associated with the development, deployment, and maintenance of 5G networks, only one of which focuses on Huawei in particular and China in general: (1) risks shaped or amplified by the specific actors developing, deploying, and maintaining 5G in practice (here’s where Huawei comes in) and (2) risks that are intrinsic to 5G networks regardless of the specific vendors or operators (there are numerous cybersecurity challenges baked into 5G).
Importantly, Open RAN provides potential solutions to aspects of both of these critical areas of concern through (a) greater diversity of vendors and (b) increased visibility into the network. Though, it does not provide solutions to either in their entirety.
Greater Diversity of Vendors
Through open and interoperable interfaces, Open RAN shifts 5G networks from a proprietary, end-to-end stack toward a more diverse and modular architecture. How is that relevant for national security? The answer is three-fold.
First, Open RAN helps solve the vendor lock-in problem by giving operators viable alternatives to any single vendor of hardware or software components in their network. As a consequence, operators have the opportunity to seek out higher standards of cybersecurity and they can replace vendors if significant security concerns arise. In short, Open RAN makes it easier for security to become a competitive differentiator between vendors looking to sell to and retain contracts with operators within the U.S. and abroad.
Second, by diversifying the number of potential vendors, Open RAN architecture avoids dependency on any single vendor for the functioning of the network. This allows for greater resilience of the supply chain by reducing potential single points of failure.
Third, Open RAN offers a solution for the untrusted vendor problem the U.S. faces with Chinese companies. There are currently a handful of vendors that can offer an integrated end-to-end network at scale, from user devices to the core. Of that handful, two are Nordic (Ericsson and Nokia) and one is Chinese (Huawei). None are American. Yet, as James Andrew Lewis illustrated two years ago, many U.S. companies emerge as frontrunners when you look at components of the network individually (i.e. across the 5G stack). U.S. vendors are among the market leaders in end-user devices (Apple, Cisco, and Qualcomm) and the core network (Cisco and Juniper). In addition, U.S. companies dominate the market for chips, an area where Chinese companies are absent (Analogue Devices, Broadcom, Cavium, Intel, Qualcomm, and Texas Instruments).
In short, while no single U.S. company can compete (at scale) in a predominantly end-to-end telecom market, U.S. companies can more readily compete in a modular market. Rather than attempting to beat Huawei at its own game, Open RAN changes the game altogether to allow the U.S. to play to existing industry strengths.
However, Open RAN, despite allowing for a greater diversity of vendors, also faces significant limitations when assessed on its ability to address national security concerns related to 5G networks.
First, Open RAN is not as mature as the proprietary, vertically integrated network vendors it is meant to muscle out. It has yet to deliver an integrated and truly interoperable end-to-end process. In contrast, integrated 5G vendors like Nokia and Ericsson are already on their second-generation of 5G products. Although a bipartisan group of prominent U.S. senators have proposed investing $1 billion into Open RAN specially to address security concerns with Huawei, that figure represents “just 4% of what Sweden's Ericsson, China's Huawei, and Finland's Nokia collectively spent on research and development in 2018” alone. Consequently, concerns persist over whether U.S. operators “can continue to achieve the same level of performance at scale” with Open RAN that their customers currently enjoy with existing infrastructure. Why? Because “having the specs alone does not guarantee interoperability or performance” in practice.
Second, there is no guarantee that a diversity of vendors will be more secure than proprietary end-to-end solutions. For example, mixing and matching hardware and software introduces new opportunities for vulnerabilities and unanticipated failures. The greater the diversity of vendors in a network, the more complex the ecosystem.
Moreover, while in theory Open RAN provides a solution for the vendor lock-in problem, ripping and replacing components is not cost-neutral and ensuring that the replacement is truly interoperable with the remainder of the existing network is easier said than done. As JIO’s Mathew Oommen noted, we currently live in a BF RAN world: interfaces correspond with open technical standards, but interoperability and integration rely heavily on brute force (BF) rather than plug and play. Integrating the various components that make up a 5G network is no small feat.
Third, the U.S. does not have an equipment vendor that can manufacture RAN sub-components, such as radios, at the scale necessary to meet the needs of the U.S. market or compete with the Ericsson, Nokia, and Huawei’s of the world. ‘Just say no’ to Huawei and ‘yes’ to U.S. vendors only works when there is a viable U.S. alternative. Importantly, the RAN is the least vendor diverse segment of the 5G stack and, of the big three (Ericsson, Huawei, and Nokia), Huawei is currently the far cheaper option. For example, their radios are lighter and therefore require less robust towers to support them. They are also more energy efficient (i.e. require less energy to power). Even in the more diverse ecosystem Open RAN promises, this gap will remain within the U.S. market without significant investment in domestic capacity for "low-cost US-managed volume manufacture” of radios.
Fourth, it is important to note that Open RAN is more anti-establishment than it is anti-Chinese. It disrupts proprietary, vertically integrated 5G networks within the U.S. market. Notably, Huawei is not the only incumbent player in that space. This type of market disruption may yield positive outcomes in the long term. But in the short term, we risk undermining the few potentially trusted vendors we have for radios as well as the two vendors who are currently building nearly all the 5G networks in North America: Ericsson and Nokia.
Increased Visibility into the Network
The second mechanism for addressing security concerns hinges on a core bi-product of standards-based, interoperable interfaces: visibility into the network. While the breadth and functionality of software in 5G networks brings with it a host of security concerns, disaggregating the network and decoupling the hardware and the software allows for greater visibility into the hardware and software comprising these networks. Harkening back to the longstanding debate over the relative security of open vs proprietary systems, the argument here is that more eyes are better than less. Or as Dish’s Stephen Bye noted, “it's a lot easier to find the cockroaches when the lights are on.”
However, when it comes to the broader security of 5G networks, Open RAN leaves more open questions than it does closed.
More eyes are not always better. More can also mean more malicious eyes. Moreover, more eyes does not necessarily correspond with greater and more valuable scrutiny.
In addition to the broader category of cybersecurity concerns related to 5G networks, Open RAN also introduces its own set of cybersecurity concerns. As a relatively new system, it has not had the benefit of extensive testing or longer-term use in the field that can lead to the discovery and patching of previously unknown vulnerabilities. New is not always better. As MITRE’s Charles Clancy has argued, the Open RAN security landscape remains under examined -- a reality that was born out when Ericsson recently drew attention to a new series of foundational and yet unresolved security risks with and shortcoming of Open RAN. Significant work remains to first understand and then address end-to-end security for this architecture. Interestingly, and concerningly, the O-RAN Alliance, which coined and continues to champion the Open RAN concept alongside other newer consortium’s such as the Open RAN Policy Coalition, did not begin to formally address security until early 2020.
Open RAN: Take Aways
There is a well-worn phrase: ‘When all you have is a hammer, everything you encounter becomes a nail’. For far too many Open RAN discussions in the U.S., the opposite is true. When you are fixated on a nail, every tool becomes a hammer. Open RAN is not a geopolitical hammer. It does offer important solutions to a critical set of security problems, but the security benefits of 5G are more complex than the geopolitical rhetoric would suggest. These technical standards cannot solve “the China challenge” alone, nor is that likely to be the primary benefit of Open RAN. Overemphasizing great power competition between the U.S. and China (a) risks promising more than Open RAN can deliver while also (b) overlooking the wider range of opportunities it presents for the U.S. and other like-minded countries. To fully understand the impact Open RAN can have on American national security going forward, we need to look beyond the hype.
The Science and Technology Innovation Program (STIP) serves as the bridge between technologists, policymakers, industry, and global stakeholders.
Read more
Digital Futures Project
Less and less of life, war and business takes place offline. More and more, policy is transacted in a space poorly understood by traditional legal and political authorities. The Digital Futures Project is a map to constraints and opportunities generated by the innovations around the corner - a resource for policymakers navigating a world they didn’t build.
Read more