A version of this article first appeared in our members-only newsletter on June 22, 2019.
The current debate about whether Chinese mobile network equipment vendors pose a threat to European security is messy, and heavily driven by a US perspective and agenda. Compared to the United States, however, the situation here in the European Union is much more complicated.
Some facts to keep in mind: Huawei has been in Europe for almost 20 years, employs more than 12,000 people there, and has research collaborations with roughly 150 universities. Since 2016, Huawei has consistently been one of the top three patent applicants at the European Patent Office. Almost every EU member state has at least one mobile network operator deploying Huawei (and/or ZTE) equipment, especially in the Radio Access Network (RAN). As an example, roughly 50% of Germany’s 75,000 base stations come from Chinese vendors.
But many policymakers in Brussels and in the member states think that Huawei became the world market leader for mobile network equipment through industrial espionage and price dumping. In fact, the company’s R&D budget is significantly and consistently higher than that of its direct competitors Ericsson and Nokia. Huawei leads in 5G by almost every metric: the number of declared 5G Standard Essential Patents (SEPs), the number of employees sent to 3GPP standards meetings, and the number of contributions to the 5G standards.
The case of Huawei and 5G is part of a broader development in information and communications technology (ICT). We are moving away from a unipolar world with the US as the technology leader, to a bipolar world in which China plays an increasingly dominant role in ICT development. Europe is accustomed to technological dependency on the US—but how do we feel about increasing dependency on China?
Why it matters where technology comes from
The digitalization of our society and industry is built on highly complex, constantly changing, interconnected, and interdependent ICT systems that ultimately cannot be fully trusted. They cannot be, because, as I argued in a paper earlier this year, IT security certification, code reviews, and audits do not scale and are not up to the task of finding malicious code among millions of lines of code running on billions of transistors.
Committed state actors with limitless budgets and time will always find a way to infiltrate and compromise foreign ICT systems. Thus, one has to rely on manufacturers to keep their systems secure through software updates, and not to abuse the privileged access that the update channel gives them. The extent to which one trusts the manufacturer therefore depends on the legal and regulatory environment out of which it operates.
The Snowden revelations show why rule of law matters for trust: The documents showed that the National Security Agency (NSA) intercepted parcels containing network equipment. The NSA would open the parcel, install custom malware on specific network equipment, repackage it, and send the parcel on its way to the customer. All of that happened unbeknownst to the manufacturer.
Even though Cisco holds more than 50% of the global network switch market, there has never been a debate in Europe about ripping out US network equipment. Why? Partly because Europe was confident in US rule of law and the country’s legal system. Rightly so. Of course, US intelligence agencies and law enforcement have extensive and overbearing powers. But US companies fight in court against government attempts to break into devices or to access sensitive customer data. How realistic is it that Huawei would fight in front of a Chinese court against handing over customer data to the Chinese police?
That is why the Prague Proposals, a memorandum by 30 member states from NATO and the European Union on 5G security, state that “security and risk assessments of vendors and network technologies should take into account rule of law, […].” That said, just because China lacks the rule of law does not mean that Chinese vendors should be banned from participating in 5G rollout.
What are we worried about?
The debate about Huawei and 5G often conflates two very different issues—the challenge of building and maintaining trustworthy and resilient communication networks, and the question of technological dependency. The current focus in the US is dependency on Chinese technology, as the US Department of Defense wrote in a key report. But we need to distinguish between the two issues, as they call for very different policy responses. If we replaced all Chinese equipment in our mobile networks, it would not magically make us secure—but it would make us less dependent on China.
Two security scenarios are most often discussed: industrial espionage and network sabotage.
Industrial espionage of Chinese origin is a massive problem for European and other businesses, and we need better and stronger tools to fight it. But so far mobile networks have not played a meaningful role in known espionage campaigns. State-sponsored hackers usually infiltrate computer networks through spear-phishing e-mails, clever social engineering, and exploits for desktop operating systems or internet-facing network equipment. A well-crafted e-mail with a malicious attachment, sent to a CEO or IT administrator, is still (and will continue to be) a highly efficient attack vector.
Of course, mobile network-based attacks might become more common with 5G. That is exactly why governments are right to be worried about the security of our future digital infrastructures. There is a lot they can do to improve the trustworthiness and resilience of our mobile networks. That said, these measures will never eliminate risk, only reduce it. This fact of life has not stopped us from connecting other critical infrastructure—from nuclear power plants to hospitals to energy grids—to the internet.
In a nutshell, building and maintaining trustworthy digital infrastructures is a shared responsibility between vendors, operators, and national regulatory authorities, and should be addressed on four different levels: standards, implementation, configuration, and processes. 3GPP needs to develop standards that utilize strong end-to-end encryption to shield traffic from the network equipment that carries it. Vendors are responsible for the secure implementation of those standards in their equipment, and there should be mandatory baseline requirements. Secure configuration of the deployed equipment is then the responsibility of the operator. The processes around all of this, such as how updates are tested and rolled out, how access by vendor staff is controlled, and how incidents are handled, are the fourth level and fall on operators and vendors alike. None of this is an easy task, and it will require a lot of coordination between all actors.
Network sabotage, which disrupts the flow of information and renders network resources unavailable, is a different beast entirely. Attackers can plant the capability well in advance and trigger it only when it becomes necessary, the famous “kill-switch.” Both because of the complexity of today’s mobile network equipment, and because of regular and continuous manufacturer software updates, security audits and certification processes are of limited help here: an audit examines a snapshot of the software, and the next update may be the one that carries the trigger. Audits and certification certainly reduce the risk but do not eliminate it.
Risk mitigation against network sabotage has to address the mobile operator’s processes and network planning. The European Commission’s 5G Recommendations talk about “cybersecurity through diversity of suppliers,” and Germany’s (preliminary) 5G security requirements propose similar measures. Diversity of network equipment and thorough network planning have a significant impact on the resilience of those mobile networks.
The UK National Cyber Security Centre already sits down with operators during the network planning phase. Redundancy and shared network infrastructure are another way to improve resilience against network sabotage. National roaming would definitely improve resilience: if one operator’s network goes down, its subscribers can fall back onto a competitor’s network that is built on different equipment.
The UK has arguably the most experience with assessing the trustworthiness of Chinese mobile network equipment. If their ongoing Telecoms Supply Chain Review comes to the conclusion that Chinese vendors should be excluded from certain core network functions, such as lawful interception for law enforcement agencies, Europe would do well to follow suit.
These steps would do a lot to improve the trustworthiness and resilience of our networks, and we aren’t doing them yet. But banning companies does very little to fix the countless flaws present in today’s ICT systems.
It would also put us on a costly and unproductive road toward paranoia: If we ban Huawei and ZTE from the 5G rollout, do we need to ban Chinese 5G modules in autonomous cars? What about the AI coprocessors from China in your smartphone? What about solar technology from Huawei in your energy grid?
It’s about dependency, stupid
The more challenging discussion and the real driver of the current 5G debate is the fact that Europe and many other Western nations have become increasingly dependent on Chinese technology. China is no longer just the “factory of the world,” but instead an economic competitor and at the same time a “systemic rival.”
For ICT, and especially semiconductors, the country still lags behind and is highly dependent on foreign designs, IP, and chips. This is why US export control measures against Huawei are so effective in disrupting the company’s supply chain. But for how long? The collateral damage is massive, and China has already announced its own “entity list” to halt business with foreign companies. The semiconductor industry is susceptible to these types of geoeconomic strategies because of the (for now) global nature of the semiconductor supply chain.
But where is this leading us? Chinese companies are doubling down on self-reliance to ensure business continuity. Disrupting ICT supply chains through export control measures hurts innovation and might very well lead to decoupling. In this scenario, technology will be developed with two different sets of standards—the US and its allies on the one side and China and its allies on the other. This would pose a huge challenge to companies that need to maintain different supply chains for different markets. Most importantly, it would not result in more trustworthy or resilient ICT systems and digital infrastructure.
Europe is correct not to follow the US call to entirely ban Chinese equipment. The problem is much more complicated than that. Indeed, we are becoming more and more dependent on ICT systems from a country that we perceive as a systemic rival. That’s not good. But banning Chinese companies would do a disservice to our own industry: 5G is first and foremost an infrastructure that companies need to adopt in order to develop innovative services and applications for their own industries.
An indiscriminate ban against Chinese 5G vendors would significantly delay the 5G rollout in Europe and give Chinese industries an even greater head start in developing services, applications, and new business models that fully utilize future 5G infrastructure. This could very well mean that in a few years our industry will have to rely on those more innovative and efficient 5G applications and services to make the most of our own infrastructure, making us even more dependent.
Thus, instead of banning, the answer should be to strengthen our own industry in key technologies and critical sectors. That also means we need to do the hard work of properly assessing risks in a highly connected society and industry.
Europe does a great job of articulating responsibilities and defining requirements. But in a highly software-defined world where “code is law,” maybe there is no way around getting our hands dirty, spending the money, and creating our own systems again?