Huawei has been defending its “trustworthiness” amid comments from Germany’s spy chief, though the country’s government has already drafted new security guidelines allowing the Chinese equipment maker to supply equipment for Germany’s future 5G network.
Bruno Kahl, head of the German Federal Intelligence Agency, claimed that Huawei can’t be fully trusted. In response, Huawei Germany issued a statement repeating that it is independent of China’s Communist Party and has a good track record working with network operators worldwide.
In an ironic twist, German authorities drafted new security guidelines issued on October 15, calling for would-be suppliers to 5G network operators to submit a document self-declaring their trustworthiness, a similar sentiment to Huawei’s statement.
Equipment vendors, such as Huawei and ZTE, would produce the document confirming that they are not obliged to reveal personal data, equipment design, or any other critical information to third parties.
“Certain telecommunications providers and network operators with increased risk potential may only use certain critical system components if they have been purchased from trusted sources,” Michael Reifenberg, a representative for the German regulatory office, the Federal Network Agency (FNA), told TechNode by email.
Reifenberg referred to the trustworthiness document as a “no-spy declaration” for dealings between equipment suppliers, such as Huawei, and network operators, such as Deutsche Telekom. Operators would then submit the declaration to the FNA. The document binds the supplier or manufacturer with the network operator in case of data breaches, meaning that they will bear joint liability in case of a leak.
“It is the weakest link in this entire document,” said Jan-Peter Kleinhans, Project Director of Security and the Internet of Things at Stiftung Neue Verantwortung, a think-tank in Berlin. The certification will be based on technical standards, but the vendors’ declaration of trustworthiness “is not double-checked by [cybersecurity agency] BSI, it is not evaluated. It is not enforced, there are no sanctions,” he said.
“Details of the implementation are not yet specified,” Reifenberg said. When a declaration is breached, the Agency “may give orders, take other measures to secure compliance and may set penalty payments” on an ad hoc basis, he said.
The draft guidelines also provide for the certification of 5G network equipment, which will be issued by Germany’s cybersecurity authority, known as the Federal Office for Information Security.
Regulators have yet to decide whether the certification, based on an upcoming technical guideline, will be a mandatory process for suppliers.
Germany is one of many countries worldwide facing pressure from the US to exclude Chinese firms from the development of 5G networks. Washington claims that Chinese vendors have a close relationship with the government, which may force them to turn over critical information.
Back in May, US Secretary of State Mike Pompeo issued a veiled threat during an official visit to Berlin, saying there is “a risk we will have to change our behavior in light of the fact that we can’t permit data on private citizens or data on national security to go across networks that we don’t have confidence (in).”
‘Hostile third countries’
Days before Germany released the guidelines, the EU Commission released a risk assessment on 5G, warning “hostile third countries” against colluding with 5G equipment vendors to conduct cyberattacks on member states. But the German agencies which drafted the security catalog are not trained to account for political risk: “in the eyes of the BSI, the origin of the vendor doesn’t matter,” said Kleinhans.
“In a way, you are asking the wrong question to the wrong person,” he said. “You have two completely technocratic agencies that are very much focused on technical aspects, drafting a technical document, which suddenly the world and some Germans included, expect that will have geopolitical impact.”
This is in line with Angela Merkel’s overall approach to the security of 5G, which has “pushed the debate into the technical realm,” Kleinhans said. Analysts say that Merkel’s government is trying to protect Germany’s industrial prowess, which relies heavily on access to the Chinese market.
The guidelines have caused controversy within the German Parliament, not only because of the content. The draft needn’t be voted on by parliamentarians before it is enacted, since it is not a new law but an updated version of technical guidelines created by the responsible agencies.
“A question of such strategic meaning should not be being decided at the administrative level,” said Norbert Röttgen, a member of Merkel’s party, the Christian Democrats.
The draft will be open for public comment until 13 November 2019.