Germany Takes the Middle Way on Huawei—For Now

04/11/2019
By Isabel Skierka

For months, European governments have been debating whether to allow Chinese tech giant Huawei to participate in building their 5G mobile networks. Caught between their two largest trading partners, the United States and China, EU members are facing a dilemma.

Should they ban the company’s technology on national security grounds in line with the United States, Australia and Japan?

Or should they embrace Huawei’s products to enable the swift and cost-efficient rollout of the urgently needed next-generation cellular network?

Germany, Europe’s largest economy, has now decided to adopt a middle way.

In a set of draft requirements for telecommunications security published in early March 2019, Berlin refrained from an outright ban of Huawei from its 5G mobile network. The ‘non-ban’ has already provoked a response: last Friday, the US ambassador to Germany reportedly warned the German government that the Trump administration would limit intelligence sharing with Berlin if Huawei were allowed to build Germany’s 5G infrastructure.

While an explicit ban is off the table, the new guidelines may leave room for indirectly excluding the Chinese company in the future. They stipulate that network operators must implement a number of risk management measures, among them, to ensure diversity of network equipment from different manufacturers—a measure that will greatly contribute to the network’s resiliency, independently of the supplier.

The rules stipulate that network operators may only utilise critical core components which have been tested by a recognised authority and certified by the German Federal Office for Information Security (BSI). Which core components will be deemed critical remains to be determined by the BSI and the Federal Network Agency.

Moreover, critical components may only be sourced from suppliers or manufacturers that have given appropriate assurances of their trustworthiness and which abide by national security regulations, including regulations on telecommunications secrecy and data protection. ‘Trustworthiness’ remains to be defined. It may well be that a foreign company subject to domestic laws that can compel it to support, assist and cooperate with intelligence gathering by the state in which it is domiciled will not be deemed trustworthy.

Crucially, the burden of proving that these security objectives have been achieved lies with network operators like Deutsche Telekom and Vodafone. They need to demonstrate that, for example, the suppliers and manufacturers of their equipment are trustworthy—which, with respect to Huawei, will be a challenge and may lead to a refusal to use their equipment.

Until the publication and implementation of the final criteria later this year, we can expect the debate over Huawei to continue in Germany and the rest of Europe—and with it, arguments for and against excluding the Chinese company from 5G rollouts.

One argument against excluding Huawei from equipping Germany’s 5G network is that it could delay the network rollout by up to two years, causing Germany to miss a crucial stepping stone to the next era of industrialisation and leaving it lagging behind other digital economies.

As yet, there’s been no public evidence that the Chinese government might be using Huawei products to spy on other nations. The US National Security Agency, on the other hand, has been shown to have manipulated certain types of Cisco network equipment exported to the world in the past.

While the US may have legitimate security concerns in seeking to persuade its European allies to ban Huawei, its campaign is partly economically motivated.

Washington aims to prevent China from gaining a competitive edge over the US economy. Beijing, on the other hand, is the EU’s second largest and Germany’s largest trade partner. Discriminating against one of China’s biggest tech giants could generate diplomatic tensions.

While many of these concerns are valid, they lack a long-term perspective on the issue and an understanding of the wider geopolitical context.

Precisely because 5G infrastructure will shape the next-generation internet and propel a new era of industrialisation, it needs to be treated as critical infrastructure. Exploiting vulnerabilities in its architecture could give an attacker the ability to affect network integrity and availability, as well as the confidentiality of customer data.

Relying on a Chinese company for the technology’s rollout would result in long-term dependencies. China’s aspirations for technological supremacy, its pervasive industrial espionage campaigns and its tight control of domestic companies would, taken together, make this a risky decision at best.

The absence of a ‘smoking gun’ in the espionage allegations against Huawei doesn’t eliminate the future risk of such practices. As ASPI’s Danielle Cave has demonstrated in The Strategist, there is indeed worrying public evidence that links Huawei to a five-year data breach at the African Union headquarters that, so far, the company has been unable to explain.

From an industrial policy point of view, rather than becoming dependent on a monopolistic foreign tech giant, Europe should promote its own industry and strengthen the diverse suppliers, including Europe’s Ericsson and Nokia, that also offer 5G equipment.

While a ban might risk Chinese retaliation, China’s record in Germany and across Europe isn’t exemplary either.

Beijing has led aggressive cyber espionage campaigns and has made targeted purchases of critical European infrastructure, such as German robot manufacturer Kuka. A German–Chinese no-spying agreement hasn’t materialised and at this stage of the Huawei debate, it would probably amount to window dressing rather than a genuine political accord.

The path taken by Germany in refraining from an open ban but keeping the door open for an indirect one can be seen as a diplomatic compromise agreed to in anticipation of the start of the 5G spectrum auction on 19 March.

The Huawei issue clearly illustrates the need for Germany, and Europe as a whole, to devise a comprehensive strategy for navigating an era marked by competition for technological supremacy, currently dominated by the US and China.

Europe seems to be in ad hoc reaction mode, and that approach has worked so far. But other strategic challenges are looming on the horizon in areas such as artificial intelligence, quantum computing and biotechnology. Decisions taken in these spheres will have consequences for decades ahead. And security will remain a cross-cutting challenge that the German government can’t ignore.

The EU needs to make informed, strategic decisions now that will shape the kind of global actor it wants to be in the future.

If Europe will not become a self-reliant technological superpower; in our globalised world, no one can.

But it can find a better way to manage risks, as well as its dependencies from and alliances with foreign powers, under a values- and rules-based institutional framework. And it should promote a competitive economic environment in which its own IT industry—startups, hidden champions and established companies—can continue to thrive.

Isabel Skierka is a visiting fellow at ASPI.

She is a research analyst and adviser with the Digital Society Institute at ESMT Berlin and a non-resident fellow at the Berlin-based think tank Global Public Policy Institute. Image courtesy of Ansgar Koreng on Flickr.

This article was first published by ASPI on March 13, 2019.