The looming UK decision on 5G and Huawei has profound consequences for the UK, for the four other members of the Five Eyes intelligence-sharing group (the US, Canada, Australia and New Zealand) and for the future technological landscape of Europe. But it’s in danger of happening while those around it are distracted by bigger disasters.
The bad news is that, if what Britain’s top cybersecurity official, Ciaran Martin, outlined when he spoke at last month’s CyberSec conference in Brussels is any measure, the UK seems intent on defending the wisdom of a decision made a decade ago, despite all the changes in the strategic and technological landscape since then.
Martin sent some interesting signals in his speech. Apparently, it’s not that important who the 5G technology vendors are, because Russians successfully hacked the UK telecommunications system even though ‘those networks didn’t have any Russian kit in them’. So, ‘From the point of view of managing corporate risk, or, in our case, national risk, it essentially doesn’t matter whether the vulnerabilities are deliberate or the result of honest mistakes.’
This shows very woolly thinking. It’s familiar logic for those following gun control: US gun advocates’ bumper stickers used to say, ‘Guns Don’t Kill People. People Do.’ They always forgot to add, ‘But people with guns kill plenty more people than people without guns.’
So too with cybersecurity. Without access to vendor knowledge and cooperation, it’s possible to hack systems. But hacking is easier and less discoverable if you do have the access to system designers—and even better if they have to cooperate with you.
Despite all the denials, this is just what hackers at the Chinese Ministry of State Security have with Huawei, Beijing’s anointed national champion for 5G technology.
It’s on the public record that Beijing’s National Intelligence Law requires Huawei—and every other Chinese company—to cooperate with the ministry and every other state intelligence agency for the Chinese state’s purposes. Similarly, under the State Security Law, all ‘enterprises and institutions, and other social organisations have the responsibility and obligation to safeguard national security’—and under the Chinese Communist Party, ‘national security’ is a very broad, politically driven concept.
Chinese CEOs understand their obligations to Beijing well. As Sogou’s CEO put it, ‘If you think clearly about this, you can really resonate with the state. You can receive massive support. But if it’s your nature to go your own way, to think that your interests differ from what the state is advocating, then you’ll probably find that things are painful, more painful than in the past.’
As former Australian prime minister Malcolm Turnbull noted in a recent speech:
If a state-sponsored adversary has enduring access to staff, software or hardware deployed into a target telecommunication network, then they only require the intent to act in order to conduct operations within the network. Traditionally, cyber security is premised on raising the cost for an adversary to such an extent that the adversary will not find it worthwhile to compromise a network. When an adversary can persistently and effortlessly pre-position, the effective cost of activity is greatly reduced.
Martin goes on though, to even more dubious ground. He doesn’t just defend the oversight regime the UK directed the top secret Government Communications Headquarters to provide for Huawei systems and products back in 2008 and 2010, he extolls it as a model: ‘Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei. And it’s proving its worth.’
Martin tells us there’s more good news: Huawei has accepted all the UK’s findings about the flaws in the security of its components, its design and production approach, and its software.
In fact, according to Reuters, Huawei has committed to address all of them, with the catch being that the company expects this to take ‘between three and five years’ and some US$2 billion.
What’s the problem? It’s in another part of Martin’s speech. It turns out that 5G, among its other impacts, ‘hugely accelerates the pace of technological change’. Huawei itself has said, ‘Enhancing our software engineering capabilities is like replacing components on a high speed train in motion.’
So, the world’s leading oversight regime of Huawei is fixing 2018’s problems between now and 2023. But it is already being outpaced by Huawei’s product development cycle, and, as technological change in communications accelerates, this will only get worse.
Given these factors, no oversight regime—even a UK version on steroids—will be able to manage Huawei 5G systems and software embedded in a nation’s critical digital infrastructure.
If EU nations are looking for insights and guidance from the UK experience, that’s the big one. Don’t follow the UK down a failing path.
Meanwhile, Huawei continues to get product development advice and insights into UK agency knowledge through the UK model.
It also uses the UK ‘brand endorsement’ to say that those who see major national security problems from embedding this Chinese 5G national champion into their own national digital infrastructure are jumping at shadows.
I wonder if Martin has taken that line in discussions with his Five Eyes partner, Mike Burgess, head of the Australian Signals Directorate, who has said there is no way to safely manage high-risk vendors in 5G networks.
Burgess has advised that:
Historically, we have protected the sensitive information and functions at the core of our telecommunications networks by confining our high-risk vendors to the edge of our networks.
But the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network.
If the UK’s top cybersecurity official is talking down these risks, imagine what the UK’s economic ministries are doing.
Chinese state media has been helping here, campaigning hard to influence UK government thinking by flagging large new investments in the City of London and post-Brexit Britain. That state media product has gone into the UK debate word for word through the UK’s Telegraph newspaper, which ran a paid supplement, discreetly labelled as such, from the CCP’s China Daily on 21 February.
The negatives for the UK if it does exclude Huawei have been made less obvious, although Beijing’s punitive economic measures against a growing list of nations are clear enough.
At the core of UK thinking is a depressingly misplaced assessment. Martin sets his thinking in the context of globalised technology, and says, ‘There are limitations to what even a continent of the size and wealth of Europe can do on its own in an age where the US and China dominate tech development.’
A UK decision not to exclude Huawei would bring this world a few steps closer.
Martin seems to have forgotten that, when it comes to communications technologies, Europe has two globally significant firms with strong 5G technologies and patents—Nokia and Ericsson.
Let’s hope others in the UK government remember this, along with the fact that, at US$17.2 trillion in 2017, the GDP of Europe is bigger than China’s at US$12.24 trillion—and Europe’s plus America’s is some US$36.6 trillion. That’s a lot of heft and opportunity to set against Chinese threats and promises.
A truly strategic approach would not be to hand Huawei, which already benefits from a protected market in China, more global market power.
Instead, it would be to use the UK’s brand and market power deliberately, to work out how the big European providers might thrive and work with partner tech industries—like Australia’s, South Korea’s, France’s, America’s and Japan’s—to produce the prosperity, diversity, resilience and security we all need.
And the value of the Five Eyes partnership would weigh heavily in the scales of the decision too—at a time when the UK needs long-term, trusted friends.
Michael Shoebridge is director of the defence and strategy program at ASPI
This article was first published by ASPI on March 25, 2019.