• KPN commissioned a report into the security of its Huawei core network in 2010
• The report was damning but only now has it come to light, reports de Volkskrant
• KPN is defending its actions and says all security procedures have been followed
• But further testimony suggests KPN’s core might still be at the mercy of spies
• Report will further dent Huawei’s image... and not do too much for KPN's reputation

If you think that concerns about the (ab)use of Huawei technology deployed in the networks of western countries for espionage purposes is a comparatively new phenomenon then it's time to think again: It seems that as early as 2009, when Huawei's equipment first entered the core network of Dutch national operator KPN, the Chinese equipment manufacturer and close associate of the Politburo was able to, and did, eavesdrop on any and all of KPN’s then 6.5 million mobile subscribers, including the country’s political leaders, according to Dutch newspaper de Volkskrant. 

Those open to constant surveillance included the prime minister, cabinet ministers, politicians, businesses, individuals and, of course, Chinese dissidents, according to the newspaper, which based its story on a 2010 report from Capgemini, commissioned by KPN, that has until now been buried by the operator.

The de Volkskrant article, published on Saturday, goes on to say that Huawei also knew which numbers were being tapped by the Dutch intelligence and security service, the AIVD (Algemene Inlichtingen en Veiligheidsdienst). There were just six Huawei employees seconded to work in KPN's HQ when the Chinese vendor’s core network technology was being installed and the suspicion now is that at least some of them were engaged in espionage activities. To make matters worse, Huawei had also engineered unfettered access to the subscriber data of KPN's "no frills" subsidiary, Telfort. 

According to de Volkskrant, the AIVD repeatedly warned KPN that Huawei was suspected of widespread technological infiltration and espionage and that its network equipment was highly suspect. KPN took no immediate action but in 2010 opened an internal investigation and contracted the consultancy Capgemini to investigate and report back. 

The conclusions were so damning that KPN kept the resulting report under wraps. Capgemini reported that Huawei staff had penetrated to the heart KPN's systems and compromised them to the extent they could, and did, access and eavesdrop on any subscriber number from both within KPN's offices and exchanges. Huawei and state security operatives based in China could do exactly the same. 

The newspaper quotes Capgemini's report as noting, "The continued existence of KPN Mobile is in serious danger because permits may be revoked or the government and businesses may give up their confidence in KPN if it becomes known that the Chinese government can eavesdrop on KPN mobile numbers and shut down the network." 

KPN's spin doctors lost some of their weekend time off as they laboured long and hard to respond with an incredibly lame statement, which will do little to ease the concerns of those impacted. The operator notes in this statement that, “It has never been established in all years that customer data was stolen by Huawei from our networks or our customer systems, or that it has been tapped." 

KPN added that had such surveillance taken place the telco would have "certainly informed the appropriate authorities and our customers." Well, they would say that wouldn't they? 

KPN also noted that, as a result of the Capgemini report it decided not to fully outsource management of its core network to Huawei, but that it did continue to work in partnership with Huawei on the maintenance of the core systems.

“More than 11 years ago, Capgemini carried out a risk analysis on behalf of KPN because KPN wanted to know whether there were security risks present in certain systems and processes of KPN's mobile core network,” says the operator. “The maintenance of the mobile core network was done by KPN at the time, with support from Huawei. KPN also wanted to know what risks there were in possible outsourcing of the complete maintenance of the mobile core network (outsourcing). Partly on the basis of this risk analysis, it was decided at the time not to outsource this.” 

KPN added: “To this day, KPN does this maintenance itself, with the support of experts from several parties.”

But following KPN’s statement, a number of KPN sources contacted de Volkskrant to say that Huawei still has access to, and some control over, KPN’s 4G core network systems and that Huawei employees have “administrator rights” on the Dutch operator’s core platform.

Over the weekend Huawei too issued a carefully worded statement, no-doubt sanctioned at the highest levels; "Since our start in the Netherlands 15 years ago, we have never been held accountable by the government authorities for any unauthorised acts." True enough. But there's a big difference over not being held accountable for acts and having performed them, and not been publicly accused of doing so to save the embarrassment of some senior telecoms executives and a politician or two.

The de Volkskrant report will further dent Huawei’s reputation in the telecoms sector and make it increasingly difficult for operators to work with the Chinese vendor without attracting ongoing security concerns that could impact business and customer relationships.

Huawei now has a new strategy, focused much less on the production of telecoms network systems, but its brand is becoming increasingly toxic and make it increasingly difficult for the company to do any kind of business outside China and its allies. 

The story also doesn’t bode well for KPN’s reputation and no doubt it will now seek to accelerate the deployment of its new core system, which is being supplied by Swedish vendor Ericsson, and which will “deliver a significant upgrade to KPN’s existing 2G/3G/4G packet core and signaling technology and enable the communications service provider to deploy its first standalone 5G network,” according to the vendor. KPN decided in 2019 to replace its Huawei core elements with the Ericsson system but it’s not a swap and switch that can be performed overnight.

Where Huawei is still very much a part of KPN’s new networks is in the 5G radio access network, where it is currently the sole supplier. That might very well change in the coming months.