German rail operator Deutsche Bahn, which is digitizing its operations, last December awarded a €64 million ($67.79 million) contract to supply most of the components for its new IP network to a company using technology from China’s Huawei.
The IP network will form the backbone of a new digital infrastructure that will enable the state-owned DB to remotely steer all operations in one of the largest rail networks in Europe.
The contract, which has not previously been reported, shows how German firms continue to use Huawei tech in what many consider to be critical infrastructure, despite growing security concerns at home and warnings from ally the United States over the use of Chinese technology.
It also exposes gaps in legislation on the protection of digital critical infrastructure more than a year after Russia’s invasion of Ukraine prompted German Chancellor Olaf Scholz to declare a “Zeitenwende” or “turn of era” towards a greater focus on security, lawmakers from the ruling coalition told Reuters.
A DB spokesperson told Reuters that under current IT security legislation it did not have to run network components by Germany’s cybersecurity office, the BSI, unlike public telecoms network operators. A BSI spokesperson said it was not aware of any law that determined the DB IT systems as “critical components.”
No European country currently has legislation against the use of Huawei tech in private corporate networks although Sweden and Britain have legislated against its use in 5G telecoms networks and other countries have urged operators to avoid it.
Germany said this week it was conducting a full review of components deployed by telecoms firms, in a sign it could be taking a more assertive stance.
“If it’s true that the company is betting more on Huawei technology, then that raises some serious questions,” said Konstantin von Notz, chairman of the parliamentary committee that oversees the intelligence services.
The lawmaker from the Greens junior coalition partner said it was up to this government “to rectify as quickly as possible years of ignorance and massive shortcomings in security policy.”
Critics of Huawei say its close links to China’s security services mean that use of its technology could give Chinese spies and even saboteurs access to swathes of essential infrastructure.
There is no publicly available evidence Huawei and the Chinese government could actually disrupt networks and both reject claims they represented a security risk. A Huawei spokesperson said the firm would never harm any nation or individual. Operators say it provides top quality components for lower costs than competitors.
“Digital infrastructure is becoming an important battleground in the quest of domination,” said Paolo Pescatore, an industry analyst with PP Foresight.
The December contract with Deutsche Telekom Business Solutions, a subsidiary of Deutsche Telekom, is for Huawei tech like switches and routers. These contain software that needs to be regularly updated remotely, potentially allowing for malicious updates, say cybersecurity experts.
DB granted the contract in an auction just two months after an attack that caused a halt in all train transport in northern Germany for several hours and raised awareness of vulnerabilities in German critical infrastructure.
Several lawmakers told Reuters they suspected a state actor given the sophistication of the attack. Investigators have not yet come to a final conclusion.
Expanding regulation of digital infrastructure
The debate over the role of Huawei in Germany has heated up in recent months as the coalition government hammers out a new China strategy document, with the junior Greens and Free Democrats (FDP) coalition partners advocating for a tougher stance than Scholz’s Social Democrats (SPD).
Germany, which saw China become its top trade partner under former conservative Chancellor Angela Merkel, did pass tighter legislation in 2021 for makers of telecoms equipment for 5G.
Critics say the law, which stopped short of banning Huawei, lacked teeth though and did not require the verification of critical components for digital infrastructure in other sectors.
“It’s the task of the state to make the rules clear, it’s not up to companies to willingly give up certain providers,” said Manuel Hoeferlin, the FDP parliamentary group’s spokesperson for internal affairs.
Germany actually became even more dependent on Huawei for its 5G radio access network equipment (RAN) than in its 4G network, according to excerpts of a report shared with Reuters.
The government admitted last month it did not actually have “any conclusive information on the percentual amount of components from Chinese and other producers in German mobile and fixed networks,” but said that 40 percent of the components in one of DB’s radio networks were from Huawei.
A government source said it had detected some operators had already built in Huawei critical components without waiting for a BSI green light and could be required to replace those.
Separately, an interior ministry spokesperson told Reuters it was planning on expanding current IT security legislation to cover more infrastructure and working on a law strengthening cybersecurity.
“We have a good legal instrument for 5G,” said SPD parliamentary group foreign policy spokesperson Nils Schmid, “but we need to expand it to other critical infrastructure, for example hospitals, electricity providers or the railway.”