If foreign technology is the threat, Namibia’s entire telecommunications backbone is already compromised
When the Communications Regulatory Authority of Namibia (CRAN) declined Starlink’s application for a Class Comprehensive Telecommunications Service Licence in early 2026, it cited national defence and public security as a primary ground for refusal. The Authority argued that Starlink’s global network architecture, which routes traffic outside Namibia, creates “challenges for national security oversight, data protection, and lawful monitoring and interception.” The Applicant, CRAN concluded, had “not met the criterion for national defence and public security.”
On the surface, this sounds principled. Dig beneath it, however, and you encounter a reality so internally contradictory that the argument collapses under its own weight. The national security concern CRAN raises against Starlink applies with equal or greater force to the foreign technology that already permeates every layer of Namibia’s digital infrastructure — and has done so for decades, without a whisper of regulatory alarm.
The Foreign Technology That Already Owns the Network
Let us begin with the most uncomfortable fact: Namibia’s existing telecommunications networks are built almost entirely on foreign technology. Not peripherally. Foundationally.
Telecom Namibia’s mobile network modernisation is being delivered through a three-year transformative partnership with ZTE Corporation and Huafull International Limited, deploying 4G, 4.5G and 5G radio access equipment across the country. This is the same ZTE that won a USD 46 million contract to build Telecom Namibia’s unified 2G/3G/4G mobile network over a decade ago, replacing all CDMA base stations and integrating its IMS core with the fixed network. In November 2023, Telecom Namibia signed a N$100 million agreement with Huawei for a fixed-mobile convergence core network, followed by a five-year RAN modernisation partnership with Huawei in June 2024.
MTC, Namibia’s dominant mobile operator controlling over 80 per cent of the market, runs its network in close collaboration with Huawei. The two companies jointly conducted Namibia’s first 5G trial. MTC’s Buffalo Project — a rural connectivity initiative covering over 2,000 kilometres — was conducted in collaboration with what MTC itself describes as its “network partner Huawei.” MTC’s consumer routers are Huawei devices, managed through the Huawei HiLink application.
This is not peripheral involvement. Huawei and ZTE operate at the core network level — the switching fabric, the radio access network, the IP multimedia subsystem, the billing and operational support systems. These are the systems through which every voice call is routed, every data packet is switched, every subscriber is authenticated. If CRAN’s concern is that a foreign entity might have visibility into Namibian communications, the horse has not merely bolted — it left the stable years ago and has been galloping freely ever since.
The Huawei Question That Nobody Asks
The global debate about Huawei and national security is well documented. In 2018, Le Monde reported that the African Union headquarters in Addis Ababa — built and equipped by China, with Huawei providing the ICT infrastructure — had been secretly transmitting data to servers in Shanghai for five years. The building was also found to contain hidden microphones. Several countries, including the United States, Australia, Japan and the United Kingdom, have since restricted or banned Huawei from their 5G networks on national security grounds. In Uganda, investigative reports revealed that Huawei engineers assisted security officials in breaching the encrypted communications of opposition leader Bobi Wine.
None of this is to say that Huawei equipment in Namibia is being used for surveillance. What it does say, emphatically, is that the national security risk profile of the technology already embedded in Namibia’s core telecommunications infrastructure is objectively more concerning than the risk profile of a satellite internet service provider whose traffic transits through space. Huawei operates at Layer 2 and Layer 3 of the network stack — the switching and routing layers where traffic can be inspected, redirected, mirrored or intercepted at scale. Starlink operates at the access layer, providing last-mile connectivity to end users.
If CRAN genuinely believes that routing traffic outside Namibia constitutes a national security threat, then Namibia’s entire internet infrastructure is already compromised. All of Namibia’s international internet traffic travels through submarine cables — the same Google-funded Equiano cable connecting Portugal to Togo, Nigeria, Namibia and South Africa, and the same WACS cable system — before reaching servers hosted in foreign data centres operated by Amazon, Microsoft, Google and others. Every email sent by a Namibian government official through Microsoft 365, every document stored on Google Drive, every database query routed through AWS — all of it transits foreign infrastructure, is processed by foreign software, and is stored on foreign servers. CRAN has raised no security concerns about any of this.
Beyond the ISP: Where the Real Surveillance Risks Live
CRAN’s fixation on ISP-level interception reveals a fundamental misunderstanding of how modern surveillance actually works. Intercepting traffic at the ISP level is, in professional intelligence and counter-intelligence terms, one of the most complex and resource-intensive methods of surveillance. It requires either lawful interception infrastructure mandated by regulation, or covert access to core network equipment — precisely the kind of access that comes with supplying the switches, routers and base stations that form the network backbone.
In practice, there are far simpler, cheaper and more effective vectors for surveillance that CRAN’s decision completely ignores.
Consider the devices themselves. Every smartphone in Namibia runs either Apple’s iOS or Google’s Android — both foreign operating systems with deep access to microphones, cameras, location data, contact lists and communications. Every laptop runs Windows, macOS or Chrome OS. Every business uses Microsoft 365, Google Workspace or similar foreign-owned productivity platforms. These platforms have full access to the content of communications at the application layer, rendering ISP-level interception largely redundant for intelligence purposes. Why intercept encrypted traffic at the network level when the application that created the message can read it in plaintext?
Consider the network hardware. The routers, switches, firewalls and access points deployed across Namibian government offices, boardrooms and data centres are manufactured by Cisco, Juniper, Huawei, Fortinet, and other foreign vendors. Many of these devices support remote management, firmware updates pushed from foreign servers, and telemetry that phones home to the manufacturer. Every IoT-enabled device — every smart TV in a hotel conference room, every IP camera in a government building, every connected printer in a ministry — represents a potential surveillance vector that is orders of magnitude simpler to exploit than intercepting satellite traffic.
Consider an even more basic threat. Technical Surveillance Countermeasures (TSCM) — the discipline of detecting physical surveillance devices such as hidden microphones, covert cameras and GPS trackers — is a well-established field in the security domain. TSCM specialists conduct “bug sweeps” of boardrooms, executive offices, vehicles and sensitive meeting areas to detect unauthorised listening devices. This is standard practice in the corporate and government security programmes of developed nations. The question for Namibia is simple: how many government ministries, regulatory authorities, state-owned enterprises and critical private sector organisations conduct regular TSCM surveys of their sensitive areas? How many have ever conducted one? And when they do, which foreign vendor performs the sweep? A South African firm? A European contractor? These firms, by definition, gain intimate knowledge of the physical security vulnerabilities of the spaces they inspect. Where is CRAN’s concern about that?
The Selective Application of Sovereignty
The sovereignty argument CRAN advances is not wrong in principle. Data sovereignty matters. The ability of a state to exercise lawful interception within its own jurisdiction matters. The integrity of national communications infrastructure matters. But these principles must be applied consistently, or they are not principles at all — they are pretexts.
Namibia does not yet have a comprehensive data protection law. The Draft Data Protection Bill, first discussed in 2013 and revived in various forms since, remains unenacted. There is no national data protection authority. There are no data transfer restrictions, no mandatory breach notification requirements, and no enforcement mechanism for data security. This is not a country that has built the legislative infrastructure to protect data sovereignty and is now selectively applying it to Starlink. This is a country that has built no such infrastructure and is invoking sovereignty concerns against precisely the kind of service that could extend connectivity to the rural communities that incumbents have failed to reach.
Meanwhile, the Namibian government and private sector are actively migrating to foreign cloud platforms. Namibia is among the African countries identified as “nearly cloud ready” by industry analysts, with growing adoption of Microsoft Azure and Google Cloud services hosted in data centres in Johannesburg, South Africa — not in Namibia. Every byte of data processed in those cloud environments is subject to the legal jurisdiction of South Africa, and potentially to the extraterritorial reach of US law through mechanisms such as the CLOUD Act. CRAN has imposed no conditions, raised no objections, and expressed no concerns.
The Real Question CRAN Should Be Asking
The question is not whether Starlink routes traffic outside Namibia. The question is why the same standard is not applied to every other foreign technology provider operating in the country. If routing traffic through foreign infrastructure is a disqualifying national security concern, then the logical conclusion is that Namibia must disconnect from the global internet, ban foreign cloud services, replace all Huawei and ZTE network equipment with domestically manufactured alternatives (which do not exist), prohibit the use of foreign operating systems, and develop indigenous TSCM capabilities to replace the foreign contractors currently relied upon (if relied upon at all).
This is obviously absurd. No country operates this way. What countries do instead is develop regulatory frameworks — data localisation requirements, lawful interception mandates, security vetting processes for critical infrastructure vendors, bilateral mutual legal assistance treaties, and independent oversight mechanisms — that allow them to manage foreign technology dependencies while preserving sovereignty. This is precisely the approach CRAN itself proposed for Starlink’s competition criterion: impose licence conditions. Yet when it came to national security, CRAN abandoned this approach entirely, treating the concern as an absolute barrier rather than a challenge to be managed through regulation.
The inconsistency is telling. CRAN found that Starlink met the competition criterion, acknowledged the overwhelming public support (98.6 per cent of 1,180 submissions), accepted that LEO satellite services could achieve the government’s goal of 100 per cent connectivity, and proposed conditions including a physical office, USF contributions and an earth station. For competition concerns, CRAN was a problem-solving regulator. For national security concerns, it became an absolutist gatekeeper — without explaining why the same conditional approach could not apply.
A Challenge to Namibia’s Security Establishment
If Namibia is serious about national security in the digital domain, the conversation needs to extend far beyond a single satellite internet provider. The country needs a comprehensive audit of foreign technology dependencies across its entire telecommunications and ICT ecosystem. Which vendors supply the core network equipment for MTC and Telecom Namibia? What remote management capabilities do those vendors retain? What firmware update mechanisms exist, and who controls them? Which foreign entities have access to the configuration and operational data of Namibia’s critical communications infrastructure?
Beyond the network, the country needs to ask harder questions about physical security. Are TSCM surveys conducted regularly in government ministries, State House, the offices of the intelligence services, CRAN’s own boardroom? Who conducts them? What foreign technology is used in the surveillance detection process itself? Are the results classified, reviewed and acted upon?
These are not hypothetical concerns. The African Union headquarters incident demonstrated that physical surveillance devices, embedded in foreign-supplied infrastructure, went undetected for five years in one of the most high-profile diplomatic facilities on the continent. If the AU could not detect it, what confidence does Namibia have in its own detection capabilities?
Starlink is not the threat. The threat is the absence of a coherent national security framework for technology that applies equally to all foreign providers. Until Namibia builds that framework — enacts data protection legislation, establishes a national cybersecurity authority with real powers, mandates TSCM surveys of sensitive government facilities, conducts vendor security audits of its telecommunications backbone, and develops lawful interception requirements that apply uniformly — the invocation of “national security” against a single applicant is not a principled regulatory decision. It is a selective application of a standard that, if applied consistently, would require dismantling the very infrastructure on which Namibia’s digital economy depends.
By Job Angula
Opinion