The GSMA has announced that leading mobile network equipment manufacturers Huawei, ZTE, Ericsson and Nokia “have successfully completed an assessment of their product development and lifecycle management processes using the GSMA’s Network Equipment Security Assurance Scheme (NESAS)”. Alex Sinclair, Chief Technology Officer of the GSMA, said that:
By committing to NESAS, vendors are helping network operators, and other stakeholders make informed decisions about secure product development. We look forward to others participating in the scheme, evidencing their commitment to good security practice by promoting a security-by-design culture within the industry.
Few details were given about the independent security audit performed for the NESAS scheme, which is supported by both the GSMA and 3GPP. Nevertheless, trade bodies will be keen for all vendors to receive a clean bill of health after the US government ramped up policies designed to drive Huawei out of US and allied telcos. Huawei is a major sponsor of the GSMA, and the trade body was forced to cut 20 percent of its staff this year following the cancellation of Mobile World Congress, the source of most of the GSMA’s revenues.
The audit was only the first stage of the security assurance program for the equipment vendors.
During the second stage of NESAS, vendors will submit network equipment products to qualified test laboratories for evaluation. This stage involves laboratories running security tests, defined by 3GPP, and checking that the products undergoing evaluation have been developed under the assessed development and lifecycle management processes. The evaluation concludes with the production, by the test laboratory, of a valuation report that records the test results. The report is provided to the vendor who can make it available to its customers and other stakeholders at its discretion.
Allowing vendors to decide whether they will inform customers of the results of the security evaluations is not as strict as the stance already adopted by various countries towards Huawei. The reports of the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) have been published openly, and the 2019 report said they had “only limited assurance” about Huawei equipment currently deployed in UK networks, and there was “no material progress” with issues reported the year before. The future of the HCSEC is now in doubt after the UK government decided to ban the installation of any new Huawei equipment after the end of the year.
You can read the GSMA press release about the NESAS scheme here.