Based on more than 10 interviews with industry insiders and regulators, TechNode tells the story of how Huawei established itself in the Greek market—and how the tables have turned for the Chinese telecom giant.
In the first part of this three-part series, we explored how Huawei entrenched itself in Greek networks. This installment expands beyond Greece to the European Union, examining how the bloc’s and consequently Greece’s policy on telecommunications security changed over the years, thanks to espionage and a global anti-Huawei campaign from the US.
A wiretapping scandal involving the 2004 Olympics, the US National Security Agency (NSA), and the mysterious death of a Vodafone employee erupted in Greece in 2005. As the mystery unraveled, the Greek government, telecommunications industry, as well as the public at large found out the hard way that Washington would not hesitate to spy on Athens’ top leadership. US security agencies had taken advantage of the 2004 Olympics to eavesdrop on the Prime Minister.
In 2018, when the US began imploring its allies to avoid Huawei, it was essentially asking Greek telecoms firms to end their relationship with a reliable partner—one that had stood by them in hard times—in favor of a government that offered them military and political support, but had spied on Greeks for months.
Greece wasn’t the only European country to be shocked by American espionage activities that decade. Starting in 2013, the bloc found out through Edward Snowden’s whistleblowing just how extensively the NSA was snooping on member-states, including heads of state.
The diplomatic fallout with the US was quickly patched up, but Snowden’s revelations contributed to the European Union’s growing concern over cybersecurity.
Decisions made in Brussels would affect Huawei’s prospects in Greece as much as those made in Athens. Over the next few years, the EU Commission rolled out key cybersecurity legislation.
In interviews with TechNode, industry and regulatory insiders stressed that Greece abides by EU rules when it comes to cybersecurity. As the bloc responded to the Snowden revelations and later, Washington’s warnings about Huawei, the effects trickled down from Brussels to Athens.
As the EU prioritized cybersecurity and made new rules, Greek governments gradually implemented them.
Our man in Athens
In the wake of the financial crisis, Huawei earned trust in Athens as it “stood by” Greece during its moment of need, as described in part one of this series.
At the same time, Huawei’s European rivals and US security agencies were caught engaging in clumsy episodes of corruption and espionage. Between 2005 and 2015, a major scandal shook Athens’ trust in its long-standing alliance with the US.
In January 2005, Vodafone found a glitch in its text-messaging service and notified Stockholm-based Ericsson, which had supplied the equipment. Two months later, Ericsson told the telecoms operator that it had found a complex piece of malware—6,500 lines of unidentified wiretapping code in the text-messaging function.
Ericsson gave Vodafone a list of over 100 tapped phone numbers, including those belonging to then-Prime Minister Kostas Karamanlis, Minister of Justice Anastasios Papaligouras, Minister of Public Order George Voulgarakis, and Minister of the Interior Theodoros Roussopoulos.
Two days later, a network planning manager at Vodafone by the name of Kostas Tsalikidis was found hanged in his Athens apartment. Two days after Tsalikidis’s death, Vodafone informed the Greek prime minister’s office of the wiretapping.
The Greek government proceeded with an 11-month preliminary investigation before breaking the news to the public.
On Feb. 2, 2006, the three ministers whose phones had been tapped called a press conference (in Greek) to inform the public of the wiretapping. By March, the government was accused of covering up the scandal in parliament. These accusations largely overshadowed the actual wiretapping in public and parliamentary discourse over the next few years.
At that point, Greek prosecutors, telcos, and the government knew that they had stumbled onto a massive security breach, but they couldn’t find hard evidence to prove who was behind the wiretapping. The highest levels of the Greek administration understood that the US had its hands dirty, but they did not discuss this publicly.
This “major scandal” made the industry and government uneasy in the years to come. The culprit of the “unprecedented data breach,” as 30-year telco veteran Andreas Polycarpou called it, was still out there. Instead of resolution and convictions, the incident left a trail of whispers and suspicions in its wake.
In 2008, the Greek Parliament passed two bills, in part to respond to the Vodafone wiretapping: In February, they voted to increase the powers but also checks and balances of the country’s intelligence service, which is responsible for counter-espionage activities. In June, they changed the legal framework on violating telecoms privacy, launching a new strategy for cybersecurity. The Greek anti-corruption watchdog disapproved of the new strategy, claiming that it would put politicians with little technical expertise at the helm of a rapidly changing technological environment.
The Vodafone case was still a mystery in September 2011, when the telco operator informed prosecutors that one of the mobile phones used for the wiretapping had made frequent calls to the US Embassy in Athens.
The Greek public had largely forgotten the Vodafone scandal, but behind the scenes the anti-corruption prosecutor was still working to hold the culprits accountable. In 2015 then-Greek prosecutor Dimitris Foukas issued a warrant for the arrest of William Basil, a US Embassy employee who was suspected to be an undercover CIA agent key in the wiretapping. The prosecutors were also investigating Basil’s connection to a plot to assassinate the former prime minister, Kostas Karamanlis.
Foukas was not reachable by phone. His staff told TechNode that the only way to speak to him would be to meet him in person at the Athens first instance court, which he now presides over.
When Edward Snowden blew the whistle on NSA surveillance, the Vodafone mystery was cracked open. Unveiled documents showed that the NSA had never removed its wiretapping system installed during the 2004 Olympics in Athens.
While giving the NSA access to Greek telephone networks was not unusual during such a high-profile event, the US intelligence agency turned it around to spy on top Greek officials. Neither the CIA’s operation in Greece, the US Embassy, nor the Greek government had any knowledge of the operation until Vodafone discovered it, the Intercept and Greek newspaper Kathimerini reported in 2015.
In 2018, the death of Kostas Tsalikidis was ruled a premeditated murder, and prosecutors pressed charges against unknown suspects. His family claimed he was murdered because he knew too much about the NSA’s abuse of Vodafone networks. Subsequent Greek governments and prosecutors refuse to officially comment on this theory.
The US was caught red-handed peeking into Vodafone’s telecoms networks to spy on Greece, its ally, without the knowledge or permission of local authorities.
Yet the Vodafone scandal didn’t make a big difference on Greece-US relations, according to Nikos Moumouris, a journalist who covered the story for newspaper Eleftherotypia at the time. It was like throwing a “pebble in the sea,” he told TechNode. “Maybe it wasn’t a pebble, maybe it was a rock. But once the story died down, it was back to business as usual [with the US].”
“Those were different times” when Greece’s capacity to investigate the breach was limited, Moumouris said.
The Snowden files
Back in the 2000s, Greece wasn’t the only country glossing over telecommunications security. “Historically, operators simply didn’t pay a lot of attention to IT security. Other operators simply didn’t care,” said Jan-Peter Kleinhans, Project Director of Security in the Internet of Things at Berlin-based think tank Stiftung Neue Verantwortung.
The 2013 Snowden leaks were a big shock to the EU. The NSA’s privacy abuses cut deep among politicians and the public. It was a “very loud wakeup call as regards to potential threats to our fundamental rights, data protection and privacy,” an EU Commission spokesperson said.
The EU’s most powerful countries were among the biggest targets of US surveillance: France, Germany, Italy, and the Netherlands.
Greece was the target of so-called Blarney, an NSA program designed to get access to fiber optic cables, switches, and routers, wrote journalist Glenn Greenwald, who worked closely with Snowden to publish the NSA documents, in his book No Place to Hide.
But TechNode hasn’t found any records of the Snowden revelations being discussed extensively in the Greek parliament.
One prominent member of the Greek parliament, Theodoros Pangkalos, said he wasn’t surprised by the revelations: The Greek intelligence service had also spied on the US embassy decades ago, he said.
Given its history with the Stasi, East Germany’s massive secret police and intelligence agency, Germany is extremely touchy about surveillance. Relations between Washington and Berlin plunged. German Chancellor Angela Merkel, whose phone was allegedly tapped for 10 years, expelled the CIA chief from the country.
The diplomatic fallout from the NSA revelations was quickly patched up. In February 2014, French President Francois Hollande said “mutual trust has been restored” between the two countries, less than a year after he found out the NSA had collected data for 70 million phone calls in France in a single month.
But the EU had woken up to the importance of cybersecurity—and started tightening cybersecurity legislation for member-states.
Baby steps
In July 2016 the EU began to take steps that would push Greece to act on cybersecurity: the “first EU-wide legislation on cybersecurity,” as the EU Commission called it, came into force. The same year, the EU Commission published the EU Directive on Security of Network and Information Systems (known as the NIS Directive), an “action plan” for the bloc’s transition to 5G networks, outlining key considerations. The document didn’t mention security of 5G networks.
Huawei was not the controversial company that it is today, so it wasn’t a prominent part of the conversation as implementation took place. The original NIS Directive didn’t spell any trouble for Huawei: It was relaxed compared to later iterations.
As an EU member, Greece had to follow the Commission guidelines. But Greece had consistently lagged other EU countries when it came to digital policy, including cybersecurity.
The 2016 NIS Directive was geared more broadly toward digital service providers; the word “telecommunications” is mentioned only once in the law, in an article about security in the shipping industry.
Greek Prime Minister Alexis Tsipras set up a dedicated cybersecurity agency (in Greek) in 2017 by presidential decree—four years after Spain, itself seen as a late mover. The Ministry of Digital Policy under Nikos Pappas published an 18-page National Cybersecurity Strategy in March 2018—five years after Italy, another member-state viewed as late to the party.
In July 2018, the EU Commission told Greece to hurry up and adopt the NIS Directive into its national law. In November, the parliament conferred on the legislation. The debate transcript is 130 pages long, but not because the merits of the bill were hotly contested.
Members of parliament took the November debate on the cybersecurity legislation as an opportunity to hash out unrelated grievances: farmers’ strikes, taxes on broadcast operators, austerity measures, protests, the reputation of Kostas Simitis, who served as prime minister from 1996 to 2004, and so on. Huawei was not mentioned.
The only parties that voted against the cybersecurity law and managed to stay relatively on the matter at hand during the debate were members of the far-right Golden Dawn, which was recently ruled a criminal organization, and the Greek Communist Party. Golden Dawn brought up surveillance by US security agencies and big tech to argue that digital policy is used against nationalist and conservative groups. The communists argued that the cybersecurity legislation will trample the right to privacy to serve US and NATO interests.
After the marathon meandering debate, the law was passed and came into force a few weeks later.
Over the next few years, the proliferation of cyberattacks, privacy scandals, increasing digitalization, and US pressure brought telecommunications security to the center of the bloc’s digital policy. The conversation was slow to take off, but quickly ramped up in 2018 and 2019.
“The issue of security is moving up in the EU agenda,” and so Greek governments and companies are increasingly prioritizing it, George Tsaprounis, head of corporate affairs at Greek network operator Wind Hellas, told TechNode.
The squeeze on the EU
Because Athens faithfully follows EU rules on digital infrastructure, Washington’s anti-Huawei pressure on the EU trickled down to Greece.
With the EU and member-states already on edge over cybersecurity, the Trump administration started its global campaign against Huawei in 2018. By December of that year, it started to bear fruit: The EU Commission’s then-Vice President for the Digital Single Market Andrus Ansip said that the bloc should be “worried” about Chinese companies like Huawei because they might install “mandatory backdoors […] It is not a good sign when companies have to open their systems to this kind of secret services,” he said.
In 2019, the US ramped up its anti-Huawei lobbying in Europe. In a visit to Germany in May 2019, US Secretary of State Mike Pompeo threatened that European countries which use Huawei equipment could be cut off from US intelligence.
That wasn’t enough for Pompeo, who continued to argue for more restrictions on the company. Ahead of a key meeting between EU leaders to discuss security measures for 5G, Pompeo published an anti-Huawei op-ed on Politico EU.
Pompeo asserted that “it’s critical that European countries not give control of their critical infrastructure to Chinese tech giants like Huawei, or ZTE.”
Brussels conceded to the US argument that the country of origin of an equipment vendor can pose a security risk, but has not been willing to go all the way and ban Huawei.
But Washington wanted more assurances. It launched a renewed campaign to rid telecom networks from Chinese technology in August 2020. Under the banner of the so-called Clean Network, the US started collecting pledges from countries to preclude “untrustworthy vendors,” like Huawei, from their networks.
Trust no one
Some within the EU and Greece disagreed with Pompeo’s campaign. They argued there was no evidence that Huawei was doing anything the US wasn’t already doing, using gear from Huawei competitors.
According to many cybersecurity experts, no vendor is completely trustworthy or infallible. The only solution is to diversify and mitigate risks. The more vendors you buy from, the less you are exposed to any one, and you set up security checks and balances; one supplier might catch the others’ mistakes.
“As German industry, you’re between two camps. You can choose which backdoor you want: A Chinese backdoor or a US backdoor,” Steffen Zimmermann, the lead expert on industrial security at German industrial lobby organization VDMA, said in March 2018. VDMA members include heavyweights like Bosch and Siemens.
While Pompeo was making the rounds in European capitals, Greek officials kept quiet on Huawei. Greek President Prokopis Pavlopoulos visited Huawei’s Beijing office in May 2019 during a five-day official visit to China. He commended the company’s work in Greece and the two sides promised to continue their cooperation. Back in 2008, the same politician had proposed the bill to revamp the Greek intelligence service after the Vodafone wiretapping scandal.
To Greek insiders, the debate felt somewhat moot. From a technical perspective, the risk of espionage or compromised communications is not affected by the country of origin or the equipment, they told TechNode.
“There are countries that do not rely on Huawei’s infrastructure. That doesn’t mean that they don’t have cybersecurity issues to solve,” Antonia Petrovits, a spokesperson for Huawei Greece, told TechNode.
Whichever company builds a network will have some capacity to use the infrastructure for its own purposes, the Greek telecom technical experts TechNode spoke with agreed.
Europe’s large telcos have recognized this risk for years. To avoid becoming dependent on any single supplier, and the backdoors or vulnerabilities in their equipment, many of Europe’s carriers have diversified their supply chains, procuring equipment from different vendors.
In January 2020, the EU Commission officially included procurement diversification in the bloc’s guideline for developing 5G networks. ”Dependency of one or several networks also significantly affects national and EU-wide resilience and creates single points of failure,” the Commission said.
Greece’s latest cybersecurity strategy, released on Dec. 3, made the same recommendation.
Delegating the Huawei decision
In January 2020, Brussels again tried to resolve the Huawei issue—by passing the buck to member states. In its official guidance on 5G adoption, the EU Commission asked national regulators to consider elaborate technical issues—in addition to equipment suppliers’ country of origin.
The EU has limited jurisdiction over member-states and, at least on paper, didn’t want to single out China. Directives “do not target or single out individual countries or suppliers,” the EU Commission spokesperson said.
The EU’s directive on 5G handed the decision on Huawei back to member-states. Every company which complies with EU rules can access the market, but individual countries reserve the right to exclude companies for national security reasons, the spokesperson said.
The January 2020 EU’s 5G cybersecurity “toolbox” places a lot of responsibility on member-states’ regulators and network operators, Kleinhans said. It’s up to them to decide whether Huawei will be excluded from 5G networks.
The 5G toolbox asks countries to consider the “risk of interference by a non-EU country” when evaluating equipment—in other words, deeming Chinese-made equipment a risk simply because it’s Chinese.
The Greek network regulator did not respond to TechNode’s multiple requests for comment.
The Commission’s delegation of the choice on Huawei has led to a patchwork of responses reflecting the bloc’s political diversity, from Sweden’s hard ban, to Estonia’s “Huawei law,” to Ireland’s continued relationship with the Chinese company. Some telecom operators like Vodafone have taken matters into their own hands and are replacing Huawei gear with alternatives.
It is hard to assess how much ground Huawei has lost, given the patchwork of responses and lack of public information.
Playing politics
Greek policy-makers face a diplomatic dilemma with Huawei. The company has a good track record of helping the market and offers competitive products. Security is a concern, but from a technical perspective Huawei’s gear is not more risky than its competitors, industry insiders said.
All equipment manufacturers, regardless of their country of origin, can open a backdoor to spy on communications. “There might be access points to the equipment, but these are for service purposes. Anyone can open a backdoor that is intended for service,” Polycarpou said.
Many operators told TechNode that they don’t see Huawei as a threat to their security—at least, not a bigger threat than the US. To them, security is a technical question that has been politicized. From a purely technical perspective, Huawei is at least on par with its Western counterparts.
But the diplomatic balance around Huawei is delicate. Greece needs its friendships with both the US and China.
Keep buying Huawei, and the US threatens to cut off military ties. To Athens, Washington’s support in defense issues is key to keeping Turkey, a country with four times Greece’s GDP, at bay: The two neighbours have a long history of military confrontation which flared up in August when Turkey threatened to go to war over a maritime dispute.
But giving Huawei up could be an affront to China. The EU is well aware of the political nature of an anti-Huawei decision. Considering the threats posed by state or state-backed actors is a “non-technical” issue, it said in its October 2019 5G security assessment.
When Sweden banned Huawei in October, the local telecommunications regulator said it was following the advice of military intelligence, which had found China to be “one of the biggest threats against Sweden.”
An outright Huawei ban would inevitably call China out as a threat to Greece’s security when the two countries remain, at least on paper, allies. In Greece, such a statement would incur a high political cost. Despite its longstanding alliance with the US, Athens has been courting China to invest in Greece.
In a landmark privatization deal in 2016, Chinese state-owned shipping giant Cosco acquired a 51% stake in Piraeus port, adjacent to Athens, for €280 million ($343 million), and is due to gain another 16% should it spend an additional €400 million on the port by the end of 2021.
Five days after Turkish president Recep Tayyip Erdoğan threatened military action against Greece, the US ambassador to Athens Geoffrey Pyatt tweeted that Greece had joined the Clean Network, which is widely regarded as an anti-Huawei initiative.
The next month, Pompeo visited Mitsotakis’ hometown on Crete island to talk about defense issues for which Greece is looking to the US for support, and vice versa; Mitsotakis’ focus was Greece’s dispute with Turkey, and Pompeo’s was Russia’s involvement in the Mediterrenean, particularly in Libya.
The secretary of state also visited a naval base on the island that offers support to US war and logistics ships. He announced the “US Navy’s newest expeditionary sea base,” a $498 million ship, would be moved to the Greek port.
At a joint press conference with the Greek Prime Minister during this visit, the two politicians announced enhanced cooperation on military issues—and Pompeo welcomed Greece to the Clean Network. However, Mitsotakis didn’t mention “clean” telecoms, during the press conference or anywhere else.
Pompeo claims Clean Network members will make “efforts” to rid their networks of untrusted vendors, including Huawei. So do international media outlets.
The Greek government has never confirmed whether it will make such efforts—or that it has joined the Clean Network.
It’s not clear what this means. The current Greek administration has long kept a “no comment” policy on the Huawei controversy, and in 2020 its alliance with the US has deepened, so it could be that it has joined the Clean Network and is merely letting Pompeo do all the talking.
If Greece has entered into an agreement on 5G networks with Washington, it could face retaliation from Beijing.
It’s not clear whether the small Mediterrenean nation will embrace the Clean Network and if so, how it will interpret it.
The next installment of this series explores what the Clean Network means in the Greek context, if anything, and Huawei’s position in the Greek market.