5G Technology is not like its predecessors and caution is needed in proceeding.
As I write this, the technology showdown between the US and China is again under scrutiny by the mainstream media. In mid-May, Donald Trump signed a regulation enabling the federal government to ban the acquisition and use of hostile foreign businesses’ technology if they carry a risk to US information and communications technology (ICT), critical infrastructure, the digital economy or national and citizen security.1 Although the regulation does not mention any country or business by name, it is seen as a move against Huawei and other Chinese ICT giants, whose solutions were already subject to restricted use in the federal infrastructure with an act signed in the summer of 2018.2 It is too early to predict the consequences of the regulation on the Chinese technology sector—China’s first response is still recent3—but it is clear that, if these prerequisites remain in place, the impact will not stop with Huawei’s global market share and the entire global ICT market will have to prepare for confusing times. Carl Bildt, a former Swedish foreign minister, put it best when he tweeted: “The world is dependent on smart phones shipped from China. The smart phones are dependent on chips shipped from the US. The chips are dependent on minerals shipped from China. We live in a world of interdependence, and we have better recognize it.”
It can’t be pinpointed whether US trade restrictions are a tool of security policy or whether security arguments provide a tool to restrict trade. Both reasons are interwoven in the goals and objectives of both the US and China. The apparent trade interest may reduce the credibility of security arguments, but it does not diminish their validity.
At the end of March this year, a report published by the NATO Cooperative Cyber Defence Centre of Excellence titled “Huawei, 5G, and China as a Security Threat” explored cyber safety and security, focusing on Huawei as a potential provider of next-generation cellular technology (5G).4 Our report dealt with factors that have given Huawei its current controversial status: the boost provided by China’s national innovation policy, the political and legal context that influences the activities of local entrepreneurs, and their known history of cyber operations. Based on this, we analysed the developing Western approach to Chinese-based 5G technology. This article is a summary of the CCDCOE’s analysis.
It is difficult not to notice the meteoric rise of Chinese technology manufacturers in the global marketplace over the last decade. The innovation readiness of Chinese businesses and the improved quality and affordable price of the products have improved their competitiveness, and this is reflected in their market share. It has taken Huawei less than a decade to become the largest manufacturer of telecommunications equipment in the world; last year it managed to take second place from Apple in the rankings of smartphone manufacturers, only falling behind Samsung.5
The number of 5G patents held by Chinese businesses and the country’s active participation in various international standards organisations convey China’s desire to dictate the course of 5G technology development. One in ten 5G core technology patents belongs to a Chinese business; Huawei has the greatest number, followed by ZTE. The Chinese have acquired many key positions in international standards organisations, such as the ITU and 3GPP.6
Huawei is the only manufacturer so far to make all elements of a 5G network. Its closest competitors, Nokia and Ericsson, are only able to offer alternatives to different segments of the supply chain and do not provide the entire value chain. Huawei’s ambition is an open secret: their goal is to dominate the 5G market.7 They have so far signed 40 agreements with various countries’ telecommunications operators, most of them in Europe.
There is one issue over the security features of Huawei devices that hasn’t been confirmed as yet: no one has seen the smoking gun, and no significant vulnerabilities that the company or China could have knowingly exploited have been identified. Still, knowing this doesn’t provide much reassurance. The latest monitoring report by the UK’s Huawei Cybersecurity Evaluation Centre (HCSEC) found that the significant shortcomings in Huawei’s supply and production chain provide only limited assurances that the security risks resulting from Huawei’s participation in the telecommunications networks can be mitigated in the long term.8 The HCSEC is one of the few official and independent oversight agencies that have analysed Huawei’s software and hardware over a longer period.
Like many other Chinese businesses, Huawei has also been accused of industrial espionage. The latest major investigation into fraud and theft of intellectual property involving the company has been underway since last winter; in connection with this, Canada arrested Huawei’s CFO, the daughter of the firm’s founder and CEO, in December 2018. Three months earlier, an intelligence report was published in the Australian media stating Huawei employees had taken part in an intelligence operation to “gain access codes for a foreign network”.9 In December, Poland arrested a Huawei employee on suspicion of espionage. The company denies that the employee had any connection with its business activity.10 This may be true, but the notion that Huawei employees are using the company’s technology and customer relationships for espionage on their own account rather than with its approval is little consolation. The Czech Republic’s National Cyber and Information Security Agency issued a warning in December 2018 about the practices of Huawei and ZTE. The warning referred to information gathered by experts, without providing any specific details.11
Huawei has resolutely denied these claims, stating that the business belongs to its employees and is not affiliated with any government, and that it has never used its technology to spy on or sabotage any other countries. It also refutes claims that it has ever shared its customers’ data with any country or organisation or that anyone has even asked it to do so.12 In order to improve the transparency of its products, Huawei has created so-called “security risk assessment centres” in the UK, Germany and recently in Brussels, to give its partners the opportunity to analyse its products and source code and evaluate security.
Although Huawei is in the spotlight because of its 5G capacity and ambitions, Western countries are also suspicious of ZTE, Hytera, Hikvision and Dahua for similar reasons. The technology constraints imposed by the US government extend to all of these businesses.
The Nervous System of the Digital Society
5G is not just faster than 4G; it allows more stable connectivity with near-zero latency and the ability to connect more devices concurrently. As expected, the next generation of technology accelerates the arrival of automation and robotics, virtual reality, artificial intelligence and the development of machine training. The expansion of the use of smart devices and applications is certainly going to change how digital societies function. It is also quite clear that we cannot predict the full extent and nature of the change today, just as a decade ago we could not predict how the arrival of smartphones—a portable internet connection accessible to everyone—would change society. When considering 5G’s possible role in enabling all kinds of cyber-physical services and sectors, it is no exaggeration to draw parallels with the nervous system of the digital society: 5G’s impact includes the economic environment, the organisation of essential services, internal security and national defence.
Put simply, everything that can be used can also be misused, and the improved virtualisation offered by 5G technology is expected to lead to the development of security threats too. More varied devices mean more targets for cyber-attacks and more tools with which to carry them out. The masses of data generated by providing services can be analysed for service development—and access to telemetric data constitutes a large signals intelligence platform. The way China uses current technology to experiment with social profiling and spying on the masses provides insight into the various possibilities. According to one extreme but not unrealistic prognosis, the introduction of 5G technologies could mean a large part of the planet is covered by a potential surveillance network.13
No technology is safe 100% of the time. Any possible security flaws—and broadly speaking, it does not matter whether they are in the product because of a developer’s human error or a deliberate action—must always be taken into account. The capability and usage of Chinese cyber operations as well as their attitude towards the West as a competitor and adversary are a source of concern. If Huawei’s devices are deployed in 5G networks, the West will become dependent on an infrastructure under the control of Chinese intelligence services both in peacetime and in crisis situations. The application of basic security requirements mitigates the most widespread risks, but that might not be enough to deter a powerful and determined attacker—and descending dependencies are probably not known and cannot be controlled by the infrastructure provider.
All this makes the 5G question more than just a single operator’s business choice—it has obvious economic effects and security ramifications. A serious cyber incident in an essential infrastructure involving, for example, loss of availability, confidentiality or integrity of the system or data, can significantly affect the vital interests of a country and even cause a crisis.
China’s communist government makes no secret of the fact that it regards the West as a strategic opponent and adversary and that it wishes to offer a political alternative to the current Western-dominated world order.14 Increasing technological and economic capabilities are part of foreign- and security-policy considerations. In 2006 China created a long-term national innovation strategy that set the objective of developing China’s innovation industry and disconnecting it from the West.15 Alongside its political leadership role, the government directs and monitors the implementation of the strategy by investing heavily in the technology industry. The bureaucratic constraints that are imposed on foreign businesses have also contributed to the growth of the global market power of the technology sector. Although the government has alleviated the restrictions in recent years, domestic businesses still control three-quarters of China’s domestic market and local industry gets most of the benefits deriving from the dominant position without worrying about competition from foreign businesses.16
China has an infamous reputation for economic cyber-espionage and influence operations against Western governments, research institutions and industrial companies. The most famous revelation dates back to 2013, when the cybersecurity company Mandiant provided a detailed summary of information theft involving more than 140 industry organisations that the Chinese People’s Liberation Army had been running for years.17 At the end of 2018, the UK and its allies announced that a group known as APT10 had organised a cyber-attack campaign targeting intellectual property and sensitive business information in Europe, Asia and the US on the orders of China’s Ministry of State Security. China participated in 90% of all the industrial espionage cases handled by the US Department of Justice between 2011 and 2018.18 Like our European counterparts, the Estonian Foreign Intelligence Service has discussed China’s activity with growing concern in its yearbooks.
China’s 2016 National Intelligence Law obliges businesses to support, assist and collaborate on intelligence activities and ensure the confidentiality of any information-gathering they become aware of, while the state ensures the protection of organisations supporting and cooperating with national intelligence activities. The 2014 Counter-espionage Law and its implementing acts require organisations and individuals to grant access to facilities and information and provide other assistance to national security authorities and organisations without the right of refusal.19 Neither piece of legislation leaves much room for refraining from creating back doors in products, should the state deem this necessary in the interest of national security.
The lack of transparency in the organisational and personal relationships between Chinese businesses and the state give cause for concern. Despite Huawei’s affirmation that the company belongs to its employees, this statement has little substance upon closer inspection.20 Even if there is no subordinate relationship between Huawei and the Chinese government, the legal environment leaves sufficient room for the private sector and its technology to be used for espionage. China’s understanding of individual rights and freedoms is fundamentally different from that of the West, putting the interests of the collective—i.e. the state—ahead of those of the individual. The EU’s data protection regulation and the protection of intellectual property, to which the US also subscribes, are mandatory for businesses operating in Western markets but, as a vertically integrated company, Huawei cannot ignore the liabilities it has under the jurisdiction of its country of origin.
The legal and political influence that China is exerting on its technology industry, China’s growing presence in key Western technology and infrastructure businesses and its links with state intelligence and the military make many Western security agencies wary.21 This was not a problem when Chinese manufacturers held a marginal market share, had no control over infrastructure and there were alternatives to be had. But as their market share grew, so did concerns over security: it is considered a serious threat that China can gain access to customer data through its manufacturers and may have control over the “off button”, and the supplier may prefer the political interests of its country of origin to those of the client or target country in a critical situation, for example when a major security vulnerability is revealed.
A Silver Bullet or Risk Management?
These concerns are the primary reason why many countries have limited the use of Chinese technology in their communication networks. The comprehensive US ban is an exception; other countries have not pursued such a radical approach. Australia, the Czech Republic and Japan have introduced mandatory security guidelines which prohibit the use of suppliers with foreign influence in critical systems or require case-by-case hazard identification and risk assessment. New Zealand halted an operator’s plans to deploy Huawei 5G, referencing significant security risks. There are also those who prefer non-binding recommendations or are sceptical about the risks (Germany, Slovakia). The measures imposed are generally risk-based—the critical importance of a particular sector, service or system is taken into account and restrictions are therefore limited to government agencies and essential service providers. Mobile network operators themselves have also shown initiative: BT Group in the UK, Deutsche Telekom and Orange are all reviewing their delivery principles, and TDC, Denmark’s largest operator, has decided to use Ericsson equipment.
So-called tailor-made risk management, in which each specific solution is separately assessed for admissibility, is a viable alternative only for the most capable countries; moreover, the solutions’ feasibility relies on Huawei’s willingness and ability to cooperate. The UK’s HCSEC is still the only institution with which this actually works. It is too early to assess the credibility and effectiveness of security centres that were recently opened in Germany and Belgium (Poland was also invited to host one) and they do not have a monitoring mechanism similar to the one in the UK—a competent partner who would be willing and able to ask uncomfortable questions systematically.
In any case, the monitoring mechanism of such bodies is limited to conventional cybersecurity practices. The UK’s National Cyber Security Centre admits that its assessment does not include China’s intelligence analysis and that Huawei’s technology is not used in local sensitive networks, including the government’s.22 That type of solution is probably unfeasible for smaller countries: they have a choice whether to rely on information from partner institutions or take the path of less nuanced restrictions.
The smart approach is to teach competing suppliers to diversify supply and avoid the dominance of a single provider in the market—irrespective of origin, it is good neither for competition nor from the viewpoint of managing security risks. Canada is a positive example: in January 2018 it gave Nokia a 40-million-CDN dollar research and development grant to further develop 5G.23 The existence of viable alternatives is not only needed for global competitiveness; it also involves considerable security dimensions in the case of key technologies.
It is clear that Estonia alone can do little to mitigate risk; a shared concern needs a joint solution. There is a clear intention in EU (and NATO) nations to reach a consensus on technologies originating from Huawei and other untrustworthy environments. This encompasses the conditions for better-coordinated radio frequency authorisations between allies and the introduction of foreign capital into key European infrastructure and cutting-edge technology, as well as the need for coordinated investment in artificial intelligence, quantum computing and cryptography so that coordinated action can deliver more than the sum of individual member states’ efforts. These are difficult challenges and the current means—which are based on the hope that all countries do their homework properly—may not be enough when one thinks how entangled, international and interdependent are both the digital infrastructure and the modern society that depends on it. This includes the European single market.
The current choices affect the socioeconomic development of society as well as security in ways that lead us to unknown results. Security goes wider than the question of allowing or prohibiting the technology of a particular country’s manufacturer(s): prohibition deprives Estonian entrepreneurs of the opportunity to develop new products and services, limits economic potential and restricts people’s access to benefits. Without analysing the risks and considering risk management with a view to the future, the rapid implementation of a more affordable technology may turn out to be more costly and painful than we are willing to accept as a society.
1 “Executive Order on Securing the Information and Communications Technology and Services Supply Chain”, 15 May 2019. https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/.
2 “John S. McCain National Defense Authorization Act for Fiscal Year 2019”. https://www.congress.gov/bill/115th-congress/house-bill/5515/text.
3 Gerry Shih, “China says it will blacklist ‘unreliable’ companies and individuals in response to technology ban”. The Washington Post, 31 May 2019. https://www.washingtonpost.com/world/asia_pacific/chinas-escalates-rare-earths-threat-at-us-in-response-to-technology-ban-/2019/05/31/361da536-8353-11e9-9a67-a687ca99fb3d_story.html?utm_term=.84685bf0768a.
4 Kadri Kaska, Henrik Beckvard and Tomáš Minárik, “Huawei, 5G, and China as a Security Threat”. NATO CCDCOE, March 2019. https://ccdcoe.org/library/publications/huawei-5g-and-china-as-a-security-threat/.
5 “Huawei’s share of smartphone shipments worldwide from 1st quarter 2012 to 1st quarter 2019”. https://www.statista.com/statistics/299128/global-market-share-held-by-huawei-smartphones/.
6 Parv Sharma, “5G Ecosystem: Huawei’s Growing Role in 5G Technology Standardization”. Counterpoint Research, 20 August 2018. https://www.counterpointresearch.com/huaweis-role-5g-standardization/.
7 Frank J. Cilluffo and Sharon L. Cardash, “What’s wrong with Huawei, and why are countries banning the Chinese telecommunications firm?” The Conversation, 19 December 2018. https://theconversation.com/whats-wrong-with-huawei-and-why-are-countries-banning-the-chinese-telecommunications-firm-109036.
8 “Huawei cyber security evaluation centre oversight board: annual report 2019”, 29 March 2019. https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019.
9 Corinne Reichert, “Huawei denies foreign network hack reports”. ZDNet, 5 November 2018. https://www.zdnet.com/article/huawei-denies-foreign-network-hack-reports/.
10 James Pomfret and Anna Koper, “Huawei sacks employee arrested in Poland on spying charges”. Reuters, 12 January 2019. https://www.reuters.com/article/us-huawei-poland-security/huawei-sacks-employee-arrested-in-poland-on-spying-charges-idUSKCN1P60E8.
11 National Cyber and Information Security Agency, “Warning” (reference 3012/2018-NÚKIB-E/110), 17 December 2018. https://www.govcert.cz/download/kii-vis/Warning.pdf.
12 Daphne Zhang, “U.S. Push on Huawei Ripples Through Markets”. The Wall Street Journal, 23 November 2018. https://www.wsj.com/articles/u-s-push-on-huawei-ripples-through-markets-1542981918.
13 Heather Woods, “Do I want an always-on digital assistant listening in all the time?” The Conversation, 16 July 2018. https://theconversation.com/do-i-want-an-always-on-digital-assistant-listening-in-all-the-time-92571.
14 See, for example, the summary of a speech by Xi Jinping, President of the People’s Republic of China and General Secretary of the Communist Party of China, in “Xi Jinping And His Era”. China Daily, 18 November 2017. http://www.chinadaily.com.cn/kindle/2017-11/18/content_34683261.htm.
15 Mikk Raud, “China and Cyber: Attitudes, Strategies, Organisation”. NATO CCDCOE, 2016. https://ccdcoe.org/uploads/2018/10/CS_organisation_CHINA_092016_FINAL.pdf.
16 Thorsten Benner, “Germany Is Soft on Chinese Spying”. Foreign Policy, 9 December 2018. https://foreignpolicy.com/2018/12/09/germany-is-soft-on-chinese-spying/; Erick Fang, “Barriers To Entry Into The Chinese Mobile Market”. Forbes, 21 December 2018.
17 FireEye, “Mandiant Releases Report Exposing One of China’s Cyber Espionage Groups”. https://www.fireeye.com/company/press-releases/2013/mandiant-releases-report-exposing-one-of-chinas-cyber-espionage-groups.html. About later operations see, e.g., FireEye’s catalogue of “Advanced Persistent Threat Groups” reports, https://www.fireeye.com/current-threats/apt-groups.html.
18 Cristina Maza, “China Involved In 90 Percent Of Espionage And Industrial Secrets Theft, Department of Justice Reveals”. Newsweek, 12 December 2018. https://www.newsweek.com/china-involved-90-percent-economic-espionage-and-industrial-secrets-theft-1255908.
19 Samantha Hoffman and Elsa Kania, “Huawei and the ambiguity of China’s intelligence and counter-espionage laws”. The Strategist, Australian Strategic Policy Institute, 13 September 2018. https://www.aspistrategist.org.au/huawei-and-the-ambiguity-of-chinas-intelligence-and-counter-espionage-laws/.
20 Christopher Balding and Donald C. Clarke, “Who Owns Huawei?”. SSRN, 17 April 2019. https://ssrn.com/abstract=3372669.
21 An excellent overview of European infrastructure belonging to Chinese capital is provided by Andre Tartar, Mira Rojanasakul and Jeremy Scott Diamond in “How China Is Buying Its Way Into Europe”. Bloomberg, 23 April 2018. https://www.bloomberg.com/graphics/2018-china-business-in-europe/; see also Jerker Hellström, “China’s Acquisitions in Europe: European Perceptions of Chinese Investments and their Strategic Implications”. FOI (Swedish Defence Research Agency), December 2016. https://www.foi.se/rapportsammanfattning?reportNo=FOI-R–4384–SE.
22 “Ciaran Martin’s talk in Brussels” at CyberSec. NCSC, 20 February 2019. https://www.ncsc.gov.uk/news/ciaran-martins-cybersec-speech-brussels.
23 David Olive, “What’s at stake for Trudeau, Canada and Huawei”. The Star, 28 January 2019. https://www.thestar.com/business/opinion/2019/01/28/whats-at-stake-for-trudeau-canada-and-huawei.html.
This article was published in ICDS Diplomaatia magazine.