What to Make of the Huawei Debate? 5G Network Security and Technology Dependency in Europe 1/2020
Tim Rühlig & Maja Björk
Published by the Swedish Institute of International Affairs | UI.SE
Abstract

Europe is controversially discussing whether to ban the Chinese tech-giant Huawei from the roll-out of the new generation of mobile infrastructure, better known as 5G, not least due to conflicting pressures from the governments of the United States and the People’s Republic of China. 5G is a critical infrastructure and will penetrate European society and its economy to an unprecedented extent. Proponents of a ban argue that Huawei is closely allied with the authoritarian Chinese party-state, which could utilise Huawei equipment for espionage and sabotage. The argument is that banning Huawei is a matter of increasing network security in Europe. This paper explains that while scepticism is reasonable, and the security concerns are valid, a ban on Huawei is not an effective solution for generating network security. Other technological measures – first and foremost better encryption, and redundancies coupled with vendor diversity – would be more effective, although complete network security can never be achieved. Scepticism of China’s influence over Huawei is reasonable. However, the idea of banning Huawei stems, rather than from concerns over network security, from a geopolitical logic. In this context, a ban on Huawei would help decrease European technological dependency on China. The geopolitical fear is that China could leverage this dependency to extract political concessions from Europe in the future. We argue that Europe should indeed respond to this challenge but instead of striving for technological self-reliance, we discuss how the European Union could preserve access to strategic technology by means of diversification of the supply chain and underlying patents, coupled with “protectionism light”. We believe this could help respond to the emerging geopolitical rivalry over high-technology such as 5G while at the same time attempting to preserve free trade as far as possible.
In short, our sceptical view on the idea of banning Huawei from the roll-out of 5G in Europe does not stem from a trust in China or Chinese tech companies, but rather from the perspective that it is not the most effective response to the future challenges of 5G networks and technology dependence.

Tim Rühlig, Research Fellow, The Swedish Institute of International Affairs
Maja Björk, Analyst, The Swedish Institute of International Affairs

© 2020 The Swedish Institute of International Affairs
Language editing: Andrew Mash
Cover photo: Stefan Wermuth / AFP
Content

Introduction
Centrality and innovation of 5G
Network security concerns: the current debate
Geo-economics and dependencies
Towards a European response
Conclusion
References
Introduction

The new “fifth” generation of mobile internet connectivity (5G) will unlock new and improved ways of using wireless technology and is expected to revolutionise multiple spheres of society, not least manufacturing, construction, electricity networks, transportation and health care. The new networks will support innovative technologies and enable a powerful increase in the application of artificial intelligence (AI) and the Internet of Things (IoT), while also allowing societies to become significantly more connected. The 5G mobile internet has already been tested and launched in certain locations, but is expected to launch more widely in 2020,[1] and account for around 20% of global mobile connections by 2025.[2] While 5G will not change the world overnight, its importance to society will grow over time to achieve an unprecedented level.[3]

For 5G networks to be deployed, huge investments in new digital infrastructure will be needed. The ongoing competition over 5G, however, is not solely among giant tech companies racing for market share and royalty payments. It is also turning into a geopolitical conflict among states, first and foremost the United States (US) and the People’s Republic of China (PRC). China has taken an active role in technology and innovation, and Chinese technology companies have become significant players in 5G equipment and infrastructure in recent years. The most prominent supplier is the Chinese tech-giant Huawei Technologies Co., which is also one of the world’s largest telecom companies.

Huawei currently finds itself at the centre of a heated international debate over 5G deployment, which has also raised serious security concerns and accusations against the company. Western intelligence services and observers have expressed concerns about Huawei’s ties to the PRC as well as the company’s legal obligations to cooperate with the Chinese security apparatus.[4] The main concern is that Huawei equipment could be used as an inroad for Chinese espionage, and China gaining access to data on and control over critical infrastructure. Such security concerns led the US earlier this year to place a ban on Huawei and the Chinese state-owned telecom equipment manufacturer, ZTE, preventing Huawei from participating in the country’s 5G roll-out, a measure also taken by Australia and Japan.[5] Many governments have been pressured to follow suit, and a number of countries have either implemented or are currently considering various forms of restrictions on Huawei’s access to domestic markets for 5G infrastructure. Not only New Zealand, Canada and India, but also member states of the European Union (EU), namely Denmark, the Czech Republic and Poland consider taking a similar approach.[6] Estonia,[7] Poland[8] and Romania[9] have signed documents with the US voicing scepticism about Chinese 5G vendors, while Germany and the United Kingdom (UK) among others remain more hesitant toward such a decision. While EU member states have initially adopted different responses, moves are now under way to coordinate an EU-wide approach. The first step has been a coordinated risk assessment and a joint communication from the Council of the European Union, and recommendations to all member states will follow.[10]

Europe finds itself in a difficult situation, positioned between the US and China, and facing pressure from both sides. European states are in a close security alliance with the US, which includes comprehensive intelligence cooperation. China, on the other hand, is emerging as the technological leader in 5G and many European telecommunication operators already cooperate with Huawei. Outside of China, Europe is the region in which Huawei has grown its market position the most in recent years.[11] Pressure from western allies combined with the authoritarian nature of the Chinese party-state gives many Europeans a sense of unease over cooperating with Huawei, while European governments are under increasing pressure to decide their position.

This UI Paper engages with the debate about whether to ban Huawei from the roll-out of 5G in Europe. We take a sceptical view of such a ban, even though we believe that the concerns regarding Chinese party-state control over Huawei are valid, and that the security concerns raised are genuine and need to be addressed. We do not follow the mainstream argument put forward by critics of a ban that the use of Huawei technology is essential to avoid losing ground in the development and roll-out of 5G. If banning Huawei was an effective means of containing the security risks, it would be worth paying an economic price for it. The problem with a ban on Huawei, however, is that it does not offer an effective solution to the security challenges. China would be able to shut down 5G networks regardless of whether Huawei technology were included in the build-up of European infrastructure. Similarly, a ban on Huawei would not be an effective measure for significantly reducing Chinese espionage, which is mainly carried out through applications and phishing rather than infrastructure. Even where infrastructure is necessary for espionage, there is little reason to believe that China needs Huawei equipment for its operations. Banning Huawei would instead increase political tensions and contribute to a technological divide between a western and a Chinese sphere, ultimately fuelling the existing rivalry and fears of a major confrontation between the PRC and the US. Most importantly, however, there are other more effective means of containing the security risks than banning Huawei. Instead, banning Chinese companies from, or limiting their access to, Europe’s build-out of 5G adheres more to a geopolitical logic, by addressing politically motivated issues and trust. A ban on Huawei would aim to weaken China’s political and technological influence in the world rather than effectively addressing network security risks.

We believe instead that reducing European technology dependency on Chinese vendors should be the policy goal of the EU. This ties in with ongoing European discussions on European strategic autonomy and European sovereignty. We are sympathetic to this approach but believe that the debate should not fully focus on strengthening the digital industrial base of Europe, since this tends to put the focus on protectionism rather than the preservation of global cooperation. We therefore discuss a different take on reducing dependency on Chinese and US technology: the question of how Europe can secure access to strategically important technology by means of diversification and “protectionism light”.

To unfold this line of argument, we first summarise the central innovations and revolutionary potential of 5G, before turning to the current debate over 5G network security and what measures would best address the main security concerns. We then turn to the underlying geopolitical logic of a Huawei ban and its potential consequences. Finally, we address the European position and recommended response before concluding with a brief summary.

Centrality and innovation of 5G

While previous generations of wireless technology – from 1G to 4G – have brought improvements and new capabilities to cellular communications, the shift to 5G is predicted to be the most significant since the invention of the mobile phone.[12] The fifth generation of mobile technology will not only bring changes for consumers but also transform entire industries in a way not previously possible.[13] This also means that society will become increasingly dependent on mobile networks and rely on them for some of its most critical functions, including services such as autonomous vehicles, health care monitoring and remote medical surgery, as well as emergency service response. As a consequence, society will become more vulnerable to attacks on, and the malfunction of, its 5G networks, and the damage potential of such incidents could be catastrophic as connectedness and dependence increase.

[1] Matthew Wall, “What is 5G and What Will It Mean for You?,” BBC, July 24, 2018, at: https://www.bbc.com/news/business-44871448. John McCann and Mike Moore, “5G: Everything You Need to Know,” Techradar, August 20, 2019, at: https://www.techradar.com/news/what-is-5g-everything-you-need-to-know.
[2] David Bond and James Kynge, “China Spying Risk Hits Huawei's UK Ambitions,” Financial Times, 3 December 2018.
[3] Steve Lo and Kevin Lee, China Is Poised to Win the 5G Race, Hong Kong: EY, 2018.
[4] RWR Advisory Group, Assessing Huawei Risk: How the Track Record of the CCP Should Play into the Due Diligence of Huawei’s Partners and Customers, Washington DC: RWR Advisory Group, 2019. Christopher Ashley Ford, “Huawei and its Siblings, the Chinese Tech Giants: National Security and Foreign Policy Implications,” Remarks at the Multilateral Action on Sensitive Technologies (MAST) Conference, 11 September 2019, Washington DC: US State Department, 2019. Tom Uren, “Weighing the Risks in Building a 5G Network,” ASPI The Strategist, Barton: ASPI, 2019.
[5] Li Tao, “Japan Latest Country to Exclude Huawei, ZTE From 5G Roll-out Over Security Concerns,” South China Morning Post, December 10, 2018, at: https://www.scmp.com/tech/tech-leaders-and-founders/article/2177194/japan-decides-exclude-huawei-zte-government.
[6] Andreas Kluth, “Huawei Is a Paralyzing Dilemma for the West,” Bloomberg, November 23, 2019, at: https://www.bloomberg.com/opinion/articles/2019-11-23/huawei-s-5g-networks-are-a-paralyzing-dilemma-for-the-west.
[7] White House, United States – Estonia Joint Declaration on 5G Security, November 1, 2019, at: https://www.whitehouse.gov/briefings-statements/united-states-estonia-joint-declaration-5g-security/.
[8] White House, “US-Poland Joint Declaration on 5G,” The White House, September 5, 2019, at: https://www.whitehouse.gov/briefings-statements/u-s-poland-joint-declaration-5g/.
[9] White House, Joint Statement from President of the United States Donald J. Trump and President of Romania Klaus Iohannis, August 20, 2019, at: https://www.whitehouse.gov/briefings-statements/joint-statement-president-united-states-donald-j-trump-president-romania-klaus-iohannis/.
[10] NIS Cooperation Group, EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks, October 9, 2019, Brussels: European Commission. Council of the European Union, Council Conclusions on the Significance of 5G to the European Economy and the Need to Mitigate Security Risks Linked to 5G. Council Conclusions, 14519/19, December 3, 2019. Brussels: Council of the European Union.
[11] Worldwide Asset Management, The New Tech War and the Geopolitics of 5G, 2019, at: https://cworldwide.com/media/PDF/WP_2019_The_New_Tech_War_and_the_Geopolitics_of_5G.pdf.
[12] Miriam Tuerk, "How 5G Networks Will Change America," Forbes, February 27, 2019, at: https://www.forbes.com/sites/miriamtuerk/2019/02/27/how-5g-networks-will-change-america/#4466acae11b5.
[13] Edison Lee and Timothy Chau, “Telecom Services. The Geopolitics of 5G and IoT,” Jefferies Franchise Note, Hong Kong: Jefferies, 2017.
The shift from 4G to 5G will also be more complicated than past mobile communications revolutions, as the intentions of 5G go beyond previous goals which were focused mainly on increasing data speeds and serving the needs of mobile handsets. Instead of just focusing on person-to-person or person-to-device communications, 5G will also support machine-to-machine networking. This makes 5G entirely different from previous technology. 5G technology is expected to deliver three significant new capabilities:

1) Enhanced mobile broadband (eMBB): higher data service speeds, managing more traffic and more demanding services (e.g. faster download and upload speeds, as well as virtual and augmented reality (VR/AR)).

2) Ultra-reliable and low latency communications (URLLC): with response times as low as one millisecond, enabling close to real-time services (e.g. remote medical surgery, self-driving cars and industry automation).

3) Massive machine-type communications (mMTC): connection for a very large number of devices (enabling e.g. the Internet of Things, smart cities and automated agricultural processes).[14]

In Europe, the introduction of 5G technology will take place first as non-standalone (NSA) 5G, which will use existing 4G infrastructure and mainly provide higher data speeds, to eventually be followed by standalone (SA) 5G, which will require an entirely new network architecture.[15] A cellular mobile network functions essentially through the connections between mobile devices, through a Radio Access Network (RAN) that consists mainly of base stations (such as antenna towers) and a core network. Standalone 5G technology will bring changes to both base stations and the core network, and make the distinction between their functions less clear.[16] One of the most important changes with the shift to standalone 5G is its new virtualised core technology. By replacing the previous core network (Evolved packet core), which relies mainly on physical network elements, 5G will introduce a virtualised core designed for software-based infrastructure running on standard servers.[17] This will enable features such as Network Function Virtualisation (NFV) and network slicing.[18] While cloud computing is not new in itself, these features enable new aspects of cloud use that extend beyond storage to include communication and remote real-time services. In other words, software and cloud functions are essential to the new 5G technology and will therefore become increasingly important with the development of 5G networks.

NFV allows network functions that have traditionally run on function-specific hardware to be replaced by virtual servers, which essentially share one physical server and can be available at any location. NFV technology concentrates these functions in centralised data centres.[19] This technology also enables network slicing, which entails subdividing different flows of data traffic in the network for different services, to ensure that each network slice makes use of the kind of connectivity it requires. For example, the communication necessary for self-driving cars might be different from, and more latency-sensitive than, other services within the network.[20] Some of the expected use cases of 5G mobile technology also create the need for so-called edge computing, which reduces latency and improves data speeds by enabling data processing closer to the end-users, presenting – in this sense – a less centralised architecture.[21]

Network security concerns: the current debate

Given the importance and potential of 5G technology, there is much to be gained from achieving leadership in its development. China holds a very strong position in the global value chains of Information and Communications Technology (ICT) equipment, and Huawei has, not least with the help of the Chinese state authorities, become the leading supplier of 5G equipment and infrastructure.[22] Huawei has also become the focus of the ongoing debate around 5G deployment that results from a number of security concerns raised over the company’s ties to the Chinese government. While all global Chinese firms are subject to some level of party-state control,[23] Huawei is thought to have particularly strong ties to the PRC security apparatus.[24] Reports suggest the existence of a high degree of personal overlap between China’s security apparatus and the company. There have long been concerns over the background of the company’s founder, Ren Zhengfei, as a former Director of General Staff of the People’s Liberation Army (PLA). Ren’s daughter and Huawei’s Chief Financial Officer, Meng Wanzhou, held a “Public Affairs” passport (i.e. a diplomatic passport) for many years.[25] A much-debated article studying the CVs of Huawei employees, published earlier in 2019, similarly suggests close ties between Huawei personnel and the party-state’s security apparatus.[26]

Huawei, along with other Chinese tech-giants, not only facilitates the build-out of surveillance systems within China, but also exports these technologies to third countries facilitating what has been called “digital authoritarianism”.[27] Chinese engagement in the development of international technical standards of facial recognition technology is only one of the most recent subjects of western concern regarding the spread of digital authoritarianism.[28] There can be little doubt that Huawei is more than just a normal company and plays a strategic role in the policy of the PRC.[29] More recent concern, however, has focused on various pieces of Chinese legislation, in particular China’s Cyber Security Law of 2017, which legally requires Chinese companies to turn over information and comply with China’s intelligence and security services, essentially on all matters – not just domestically (article 14) but also internationally (article 10).[30] This concern becomes especially significant with regard to Huawei, given the company’s strong position in the 5G equipment market.

Huawei’s ownership structure is not transparent, raising suspicions of effective party-state control over the company.[31] Moreover, of Huawei’s 160,000 employees, 12,000 are party members, and they form no fewer than 300 party cells within the company. Furthermore, Huawei receives preferential treatment, not least by means of soft loans which already amounted to more than US $30 billion before 2011, mostly from the state-controlled China Development Bank (CDB). In the period 2012–2018, CDB and another state-controlled bank, the China Import Export Bank, granted the company at least another US $9.8 billion for overseas projects.[32] Strikingly, however, Huawei is not that different from any other Chinese company. In fact, even the subsidiaries and joint ventures of non-Chinese tech companies, such as Ericsson and Nokia, face Chinese Communist Party (CCP) control not least by means of party cells and the need to comply with domestic Chinese laws – including the Intelligence Law of 2017.[33]

[14] Christian de Looper, What is 5G?, Digital Trends, November 18, 2019, at: https://www.digitaltrends.com/mobile/what-is-5g/.
[15] Edison Lee and Timothy Chau, “Telecom Services. The Geopolitics of 5G and IoT,” Jefferies Franchise Note, Hong Kong: Jefferies, 2017.
[16] Jan-Peter Kleinhans, Whom to Trust in a 5G World. Policy Recommendations for Europe’s 5G Challenge, Berlin: Stiftung Neue Verantwortung, 2019, pp. 7-8.
[17] Iwan Price-Evans, "Introducing the 5G Core Network Functions," Metaswitch, February 7, 2019, at: https://www.metaswitch.com/blog/introducing-the-5g-core-network-functions.
[18] Stephane Teral, IHS Markit Technology White Paper: 5G Best Choice Architecture, London, IHS Markit, 2019.
[19] Yuri Gittik, “Distributed Network Functions Virtualization. An Introduction to D-NFV,” RAD White Paper, March 2014, at: http://crezer.net/Newsletter/archivos/Distributed-NFV-White-Paper.pdf.
[20] EMF Explained Series, 5G Explained – How 5G Works, without year, at: http://www.emfexplained.info/?ID=25916.
[21] Robert Gibb, “What is Edge Computing?” Stackpath, June 18, 2019, at: https://blog.stackpath.com/edge-computing/. Kris Beevers, “Why 5G is Bringing Edge Computing Automation Front and Center,” Network World, February 14, 2018, at: https://www.networkworld.com/article/3255426/why-5g-is-bringing-edge-computing-and-automation-front-and-center.html.
[22] David Bond and James Kynge, “China Spying Risk Hits Huawei's UK Ambitions,” Financial Times, 3 December 2018.
[23] Mark Wu, “The “China, Inc.” Challenge to Global Trade Governance,” Harvard International Law Journal 57: 2, pp. 261-324, 2016.
[24] Douglas Black, “Huawei and China. Not Just Business as Usual,” Journal of Political Risk 8:1, 2019.
[25] Ashley Feng, “We Can't Tell if Chinese Firms Work for the Party,” Foreign Policy, February 7, 2019, at: https://foreignpolicy.com/2019/02/07/we-cant-tell-if-chinese-firms-work-for-the-party/.
[26] Christopher Balding, “Huawei Technologies’ Links to Chinese State Security Services,” SSRN, July 9, 2019, at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3415726.
[27] Danielle Cave et al., “Mapping China’s Technology Giants,” ASPI Issues Paper Report 1/2019, Barton: ASPI.
[28] Georgina Torbet, “Chinese Companies Want to help Shape Global Facial Recognition Standards,” Engadget, December 2, 2019, at: https://www.engadget.com/2019/12/02/china-facial-recognition-standards/.
[29] Rick Umback, “Huawei and Telefunken: Communications Enterprises and Rising Power Strategies,” ASPI Strategic Insights 135. Barton: ASPI, 2019.
[30] Huawei has denied this interpretation of the Cybersecurity law, but experts are not convinced. Jichang Lulu, “Synopsis: Huawei's Lawfare by Proxy,” China Digital Times, February 2019, at: https://chinadigitaltimes.net/2019/02/sinopsis-huaweis-lawfare-by-proxy.
[31] Christopher Balding and Donald Clarke: “Who Owns Huawei?,” SSRN, May 8, 2019, at: https://ssrn.com/abstract=3372669/.
[32] Mathieu Duchâtel and Francois Godement, Europe and 5G: The Huawei Case, Paris: Institut Montaigne, 2019. Bob Seely et al., Defending Our Data: Huawei, 5G and the Five Eyes, London: Henry Jackson Society, 2019.
[33] Richard Baker, “Top 5G Suppliers Linked to China's Communist Party,” Sydney Morning Herald, August 13, 2018, at: https://www.smh.com.au/business/companies/top-5g-suppliers-linked-to-china-s-communist-party-20180812-p4zwzt.html.
There is indeed reason not to trust PRC foremost the Intelligence Law. 40 Hence, the authorities and Chinese vendors. Huawei Council of the European Union states in a has an opaque governance structure, 34 has communication that “also non-technical been accused of multiple intellectual factors such as the legal and policy property thefts and of ignoring international framework to which suppliers may be sanctions against authoritarian states,35 subject to in third countries, should be does not issue financial statements since it considered.” 41 is not a publicly listed company, 36 and shows significant software engineering and In addition, while there have also been cyber security problems.37 Not least the cases of US espionage in Europe, significant example of the Chinese company Lenovo differences remain between the US and demonstrates that even in the authoritarian China. After the Snowden revelations, US PRC, corporates can do more to reassure companies signed public letters advocating their international customers. 38 Most surveillance law reform, filed lawsuits for Chinese companies, however, have done more transparency, and brought cases little to increase transparency over its against breaking encryption of digital organisational structure 39 and the party- communication to court; which has led to state has failed to reassure international changes in US policy. 42 It is unrealistic to partners of its legal framework, first and think that a company like Huawei or ZTE 34 Colin Hawes and Grace Li, “Transparency and 39 The Russian tech company Kaspersky, in Opaqueness in the Chinese ICT Sector. A contrast, has moved storage and processing of Critique of Chinese and International Corporate its data to Switzerland, a measure that is far Governance Norms,” Asian Journal of more reassuring than the cybersecurity centres Comparative Law 12: 1, 2017, pp. 41-80. opened by Huawei. 
Kaspersky Lab, Kaspersky Christopher Balding and Donald Clarke: “Who Lab Starts Data Processing for European Users in Owns Huawei?,” SSRN, May 8, 2019, at: Zurich and also Opens First Transparency Center, https://ssrn.com/abstract=3372669/. November 13, 2018, at: 35 RWR Advisory Group, Huawei Risk Tracker, https://www.kaspersky.com/about/press- 2019, at: https://huawei.rwradvisory.com/. releases/2018_kaspersky-lab-starts-data- 36 Andrew Foster and Nicholas Borst, “Time Is processing-for-european-users-in-zurich-and- Ripe for Huawei to Launch an IPO, to Address also-opens-first-transparency-center. Alliott Political and Security Concerns Once and for Zaagman, Huawei’s Problem of Being too All,” South China Morning Post, May 27, 2019, at: “Chinese”, January 24, 2019, at: https://www.scmp.com/comment/insight- https://supchina.com/2019/01/24/huaweis- opinion/article/3011510/time-ripe-huawei- problem-of-being-too-chinese/. launch-ipo-address-political-and-security. 40 Donald Clarke, “The Zhong Lun Declaration on 37 Huawei Cyber Security Evaluation Centre the Obligations of Huawei and Other Chinese Oversight Board, Annual Report: A Report to the Companies under Chinese Law,” SSRN, March National Security Adviser of the United Kingdom, 28, 2019, at: March 2019, at: https://papers.ssrn.com/sol3/papers.cfm?abstra https://assets.publishing.service.gov.uk/govern ct_id=3354211 ment/uploads/system/uploads/attachment_data 41 Council of the European Union, Council /file/790270/HCSEC_OversightBoardReport- Conclusions on the Significance of 5G to the 2019.pdf. European Economy and the Need to Mitigate 38 Alliott Zaagman, Thinking About Working For a Security Risks Linked to 5G. Council Conclusions, Chinese Company? First, Find Out If It’s a 14519/19, December 3, 2019. Brussels: Council of “Lenovo” or A “Huawei”, October 9, 2017, at: the European Union, p. 4. 
https://supchina.com/2017/10/09/thinking- 42 Jan-Peter Kleinhans, Whom to Trust in a 5G working-chinese-company-first-find-lenovo- World. Policy Recommendations for Europe’s 5G huawei/. © 2020 The Swedish Institute of International Affairs 10
would bring cases about government “kill-switch”. Western observers fear that a surveillance practices to Chinese courts, and large-scale deployment of Huawei network even if they did they would face a judiciary equipment would provide such a kill switch subordinate to CCP rule. and make it easier for China to shut down 5G infrastructure. While it is unlikely that These concerns have led to discussions China would shut down an entire 5G across many western states about whether network and risk irreparable damage to Huawei should be excluded from the build- Huawei’s reputation in times of peace, such out of 5G infrastructure. The US and a switch could be used for partial Australia in particular favour a ban, and the shutdowns, accompanied by coercive US has been pressuring European and other threats, or used in the event of an interstate states to fall in line, warning about future war. European-US security cooperation. 43 Commentators and policymakers in the Focus on espionage and sabotage west also fear that Huawei’s 5G equipment While concerns have been raised over could come with backdoors that would various risks, including privacy issues and allow undetected Chinese access and dual-use technology, the overwhelming enable economic and political espionage. focus has been on the risks of espionage There are similar concerns that the and sabotage. The fear is that 5G company might simply hand over sensitive equipment from Chinese vendors would information to the Chinese government, allow the Chinese government to control especially in the light of the Chinese critical domestic infrastructure and to gain cybersecurity laws. China has a worrying access to the information that travels on it. track record of espionage in general and cyber theft in particular. 
44 There have been In discussions about the risk of sabotage, allegations of backdoors, espionage and the main – and probably the most crucial – technology theft against the company.45 concern is about the ability to shut down Thus far, however, no “smoking gun” has networks – a scenario often referred to as a been discovered to confirm these, 46 but Challenge, Berlin: Stiftung Neue Verantwortung, attorney-general-rod-j-rosenstein-announces- 2019, p. 16. charges-against-chinese-hackers. 43 Nikos Chrysoloras and Richard Bravo, "Huawei 45 For example, Vodafone allegedly found Deals for Tech Will Have Consequences, US backdoors in Huawei equipment they used in Warns EU," Bloomberg, February 7, 2019, at: Italy in 2011 and 2012; Huawei was found liable https://www.bloomberg.com/news/articles/2019 for stealing robotic technology in a US court in -02-07/huawei-deals-for-tech-willhave- 2017; and in early 2019 a Huawei employee was consequences-u-s-warns-eu. Paul Triolo, et al., arrested in Poland on grounds of suspected “One Company, Many Systems. US Forces espionage. See: Bloomberg News, How Huawei Governments to Choose Sides on Huawei,” Became a Target for Governments, Bloomberg, Special Report Prepared by Eurasia Group, January 23, 2019, at: Washington DC, Eurasia Group, 2019. https://www.bloomberg.com/news/articles/2019 44 Kadri Kaska et al., Huawei, 5G and China as a -01-23/how-huawei-became-a-u-s-government- Security Threat. Tallinn: NATO Cooperative target-quicktake. Cyber Defence Centre of Excellence, 2019, pp. 46 Ole Moehr, My Way or the Huawei: 5G at the 10-11. US Department of Justice, Deputy Center of US-China Strategic Competition, The Attorney General Rod J. Rosenstein Announces Atlantic Council, July 23, 2019, at: Charges Against Chinese Hackers, December 20, https://www.atlanticcouncil.org/blogs/econogra 2018, at: phics/my-way-or-the-huawei-5g-at-the-center- https://www.justice.gov/opa/speech/deputy- of-us-china-strategic-competition. 
© 2020 The Swedish Institute of International Affairs 11
nobody can rule out the possibility of the Chinese government exploiting technical vulnerabilities – in any manufacturer’s equipment.47 However, experts have also pointed out that mobile internet infrastructure has not been the main focus of Chinese espionage, and that spear-phishing and social engineering are more efficient for such purposes.48

Assessments made by the United Kingdom’s Huawei Cyber Security Evaluation Centre (HCSEC) suggest that Huawei’s equipment comes with serious weaknesses, a problem irrelevant to the origin of the vendor that indicates that access could easily be obtained even without built-in backdoors. In addition, British experts at the HCSEC make clear that no certification can rule out the existence of backdoors and malicious code.49 Since hackers normally focus on tracking weaknesses in the equipment of competitors, non-Huawei equipment would also be a more likely target for Chinese espionage.50 The Chinese government decided in 2018 to prevent Chinese hackers from participating in international hacking contests, which Chinese teams have often dominated, allegedly for national security reasons.

While it remains unclear whether 5G will be more or less secure than 4G networks, 5G technology will bring new challenges, mainly through its technological innovations and the increase in network dependency throughout society. New forms of technological security risk arise primarily from the increased use of virtualisation and of centralised software. The software focus, as well as the transferring of functions from the core network to edge computing, create larger attack surfaces and greater opportunities to introduce vulnerabilities, which, in turn, enables methods to access and control data on the network.51 In addition, as virtual servers replace specialised hardware, different parts of the network technology will no longer be physically isolated from each other, which means that if one vulnerability is found, it could potentially be exploited to access other parts of the network. In other words, it could make the damage much more dramatic if a vulnerability is found and exploited.52

Security concerns also arise from the use of network slicing, which entails separating flows of data on a network, and creating slices that can be used for different services by tailoring their use of functions to the requirements of each service. Ensuring that each network slice is secure will be a challenge, and there are potential risks that vulnerabilities in one slice could be used to access traffic on other slices.53 There are

47 Jan-Peter Kleinhans, 5G vs. National Security: A European Perspective. Berlin: Stiftung Neue Verantwortung, 2019.
48 Jan-Peter Kleinhans, 5G vs. National Security: A European Perspective. Berlin: Stiftung Neue Verantwortung, 2019.
49 Huawei Cyber Security Evaluation Centre Oversight Board, Annual Report: A Report to the National Security Adviser of the United Kingdom, March 2019, at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf.
50 Author interview with an anonymous engineer, Berlin, May 2019.
51 Christopher Ashley Ford, “Huawei and its Siblings, the Chinese Tech Giants: National Security and Foreign Policy Implications,” Remarks at the Multilateral Action on Sensitive Technologies (MAST) Conference, 11 September 2019, Washington DC: US State Department, 2019.
52 Author interview with Pontus Johnson, professor in cyber security at KTH, Stockholm, June 2019.
53 NIS Cooperation Group, EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks,
also concerns that targeted attacks on specific slices could be motivated if what each slice is used for becomes known.54

Security risks also arise from the existence of large numbers of connected devices. Another form of sabotage that 5G technology is likely to facilitate, by enabling massive machine communication and IoT, is distributed denial-of-service (DDoS) attacks. Such attacks are carried out by finding and hacking machines with weak security and using them to overwhelm a website or machine with more traffic than it can handle. With the development of IoT, the number of internet-connected devices is expected to grow from 14.2 billion to 25 billion by 2021, which increases the potential for and power of DDoS attacks.55 This essentially means that DDoS attacks can be used to shut down parts of the internet, which could be very serious for 5G networks given the importance and scale of the services that it is planned to support.

In a nutshell, the specific vulnerabilities of 5G networks lie mainly in the complexity of 5G infrastructure resulting from technological innovation (discussed above) and the multitude of use cases penetrating future societies. It is the centrality of 5G to the economies and societies of the future that makes this issue such a crucial one. In addition to the services that will be enabled by 5G technology, increasing amounts of personal and sensitive data will be processed on the networks, which could be exploited if accessed.56

Would banning Huawei solve the problem?

The risks of sabotage and espionage are genuine and valid concerns and should be addressed and mitigated as best as possible. However, banning Huawei from the roll-out of 5G networks would not effectively address or remedy these concerns. Excluding Chinese companies such as Huawei from providing 5G infrastructure in Europe might make it somewhat more difficult for the Chinese authorities to access and exploit European networks. However, a ban would only marginally address the network security risks of Chinese sabotage and espionage. Experts argue that if China were interested in accessing a network for whatever reason, it would have the capacity to do so with or without the help of Huawei equipment. Already today, China carries out extensive espionage for economic, political and military purposes. APT 1, APT 3 and APT 10 are the most famous hacker groups attributed to the Chinese party-state.57

October 9, 2019, Brussels: European Commission.
54 Michael Heller, “Nokia: 5G Network Slicing Could Be a Boon For Security,” Techtarget, April 10, 2019, at: https://searchsecurity.techtarget.com/news/252461410/Nokia-5G-network-slicing-could-be-a-boon-for-security.
55 Nick Huber, “A Hacker’s Paradise? 5G and Cyber Security,” Financial Times, October 14, 2019, at: https://www.ft.com/content/74edc076-ca6f-11e9-af46-b09e8bfe60c0.
56 Matthew Kassel, “As 5G Technology Expands, So Do Concerns over Privacy,” Wall Street Journal, February 26, 2019, at: https://www.wsj.com/articles/as-5g-technology-expands-so-do-concerns-over-privacy-11551236460.
57 PwC, “Operation Cloud Hopper,” PwC, 2018, at: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf. Brian Barrett, “How China’s Elite hackers Stole the World’s Most Valuable Secrets,” Wired, December 20, 2018, at: https://www.wired.com/story/doj-indictment-chinese-hackers-apt10/. FireEye, Mandiant APT1. Exposing One of China’s Cyber Espionage Units, February 19, 2013, at: https://www.fireeye.com/blog/threat-research/2013/02/mandiant-exposes-apt1-chinas-cyber-espionage-units.html. Thomas Brewster, “Chinese Trio Linked to Dangerous APT3 hackers Charged with Stealing 407GB of
However, the main attack vectors are spear-phishing and social engineering, not using mobile communication infrastructure or hacking into base stations. In other words, regardless of a ban on Huawei, measures will be needed to strengthen the security of future 5G networks against third party access and disruption.58 In addition, a ban would risk generating other costs and have further implications – both economic and political. Decisions about how to manage risks related to sabotage and espionage should avoid being locked into a logic that focuses entirely on the fear and presence of risk without considering other aspects of the situation, such as the potential damage linked to the risks, costs and consequences of a ban.59

We do not adhere to the popular argument promoted by critics of a Huawei ban that focuses on the economic costs and competitive disadvantages that would be caused by the resulting delay in 5G roll-out, or other negative impacts on western competitiveness not least stemming from Chinese retaliation.60 Another argument suggests that the debate over excluding Huawei from 5G participation is merely part of the current trade dispute between China and the US. Such arguments might be true, but this is also not what we are saying. The risks of espionage and sabotage are valid concerns. We are rather addressing the compatibility of issue and response and suggest that there are more effective and appropriate means available to address the network security concerns at the centre of the 5G debate than to ban Huawei from

Data from Siemens,” Forbes, November 27, 2017, at: https://www.forbes.com/sites/thomasbrewster/2017/11/27/chinese-hackers-accused-of-siemens-moodys-trimble-hacks/.
58 Author interviews (including telephone and Skype interviews) with hackers, engineers, and technical experts in several European cities, February-October 2019. The German IT expert Jan-Peter Kleinhans exemplarily summarizes: “The current public debate around Huawei implies that a 5G network built with Chinese equipment makes it easier for the Chinese government to conduct industrial espionage – this assumption is at least questionable. […] A skilled, persistent state actor with a practically limitless budget will always be able to compromise networks and exploit assets.” Jan-Peter Kleinhans, 5G vs. National Security: A European Perspective. Berlin: Stiftung Neue Verantwortung, 2019, pp. 9, 16.
59 Jeffrey D. Sachs makes a comparison of the United States’ policy on Huawei and the US decision to invade Iraq, and argues that the same tactic is being used. He refers to it as ‘the Cheney Doctrine’, which involves the use of fear over small risks to motivate drastic and ultimately misguided action. See Jeffrey D. Sachs, “America’s War on Chinese Technology,” Project Syndicate, November 7, 2019, at: https://www.project-syndicate.org/commentary/cheney-doctrine-us-war-on-chinese-technology-by-jeffrey-d-sachs-2019-11.
60 Handelsblatt, “Deutsche Telekom warnt. Huawei-Ausschluss würde 5G-Einführung verzögern,” Handelsblatt, January 29, 2019, at: https://www.handelsblatt.com/unternehmen/it-medien/neuer-mobilfunkstandard-deutsche-telekom-warnt-huawei-ausschluss-wuerde-5g-einfuehrung-verzoegern/23921762.html?ticket=ST-38734491-9lY7UMO0LFL0PSMFVweD-ap5. Telecomlead, Huawei Grabs 28% Share in Global Telecom Equipment Market, December 7, 2018, at: https://www.telecomlead.com/telecom-equipment/huawei-grabs-28-share-in-global-telecom-equipment-market-87863. Andreas Kluth, “Huawei Is a Paralyzing Dilemma for the West,” Bloomberg, November 23, 2019, at: https://www.bloomberg.com/opinion/articles/2019-11-23/huawei-s-5g-networks-are-a-paralyzing-dilemma-for-the-west. Jodi Xu Klein, “The Huawei Dilemma. Washington Still Stuck Trying to Balance National Security Against US Tech Supremacy,” South China Morning Post, November 1, 2019, at: https://www.scmp.com/news/china/article/3035832/huawei-dilemma-washington-still-stuck-trying-balance-national-security-against.
European 5G mobile infrastructure. In addition, excluding Huawei from European markets would not change the fact that non-Chinese companies, such as Ericsson and Nokia, will continue to face the same challenges and legal environment as Huawei in any production or business they have located in China.

Responding to recent developments, in September 2019, Huawei founder Ren Zhengfei offered to sell access to the company’s 5G code, patents, licences, technical blueprints and production expertise to a foreign company in return for a one-off fee. However, this offer is irrelevant as long as there is no buyer. Ericsson and Nokia have no technological need to purchase Huawei’s source code, and US companies have no interest, not least due to the lack of political will. Regardless of which company provides it, security concerns would persist over Huawei equipment, as well as the fact that any buyer would still probably need to produce much of it in China.61 The case has also been made that Huawei licences will continue to come under Chinese law, which would require compliance with the PRC’s security services.62

In short, the existing vulnerabilities of 5G networks need to be addressed, but neither a ban on Huawei nor the purchase of its source code would provide a sufficient solution beyond marginal improvements in European mobile network security. A number of other measures are more promising.

Remedies to network security risks

While there is no solution that would effectively eliminate these network security risks, there are ways to reduce them and make it more difficult for anyone – not just China – to disrupt future networks. A number of possible measures have been brought up for discussion, such as greater redundancy of equipment and diversity of vendors, as well as the use of encryption, certification and assessments, and network flow monitoring.

Redundancy and diversity are interlinked and about improving resilience and securing availability of coverage. Their purpose is to provide an overlap of equipment and vendors in case of network failures, to ensure that there is always some back-up available. Given the critical services that are expected to rely on future 5G networks, ensuring a reliable connection will be one of the most important aspects of network security. Time and again, technical experts have emphasised how crucial redundancy and diversity are, most recently during an expert hearing in the German Parliament.63 Diversity of vendors means ensuring that many different actors participate in the market, in order to prevent networks from becoming fully reliant on a single supplier.64 The logic is essentially that different vendors are unlikely to be subject to the same problems at the same time.65 Most

61 The Economist, “Ren Zhengfei May Sell Huawei’s 5G Technology to a western Buyer,” The Economist, September 12, 2019, at: https://www.economist.com/business/2019/09/12/ren-zhengfei-may-sell-huaweis-5g-technology-to-a-western-buyer.
62 BBC, “Huawei Chief Offers to Share 5G Know-how for a Fee,” BBC, September 12, 2019, at: https://www.bbc.com/news/technology-49673144.
63 Deutscher Bundestag, „Experten gegen Ausschluss von Anbietern beim Mobilfunkstandard 5G,“ Deutscher Bundestag, November 11, 2019, at: https://www.bundestag.de/dokumente/textarchiv/2019/kw46-pa-auswaertiges-5g-665414.
64 Mathieu Duchâtel and Francois Godement, Europe and 5G: The Huawei Case, Paris: Institut Montaigne, 2019.
65 Government Offices of Sweden, Ministry of Infrastructure, National 5G Risk Assessment – Sweden’s Response, memorandum (unpublished), 2019.
recently, the Council of the European Union explicitly acknowledged the importance of vendor diversity.66 Similarly, network redundancy refers to building additional layers of equipment within the network infrastructure (for example base stations) provided by multiple vendors.67 The aim is to ensure that alternative equipment is available for network connections to fall back on to ensure continuous coverage in the event of network outages or malfunctions. While ensuring network redundancy can be costly, it is also effective at minimising the risk of large-scale network failures.68

Encryption addresses the safety of data traffic by protecting the information that flows on a network from unauthorised access. End-to-end encryption refers to a system in which only the communicating parties can access the encrypted information sent between them, and no third party in between.69 Improving data security by means of encryption from a policy point-of-view could involve devising standards of encryption requirements that operators must meet. There is, however, a tension between strong encryption and the ability of law enforcement to access data for judicial purposes.70 While encryption is a reliable method of securing data, law enforcement and intelligence agencies demand access to enable lawful interception of data, so there are usually ways to get around encryption in order to access information.

Another approach to strengthening network security has centred on evaluation and certification of products and processes, which aims to reduce the risk of backdoors or vulnerabilities that could be easily exploited by hackers. Products can be more or less secure, and security audits have the potential to assess the overall product quality, while also testing products and processes against certification requirements. One measure relevant to discussions on assessments is source code review, a process of examining the source code of a device or other equipment to confirm it works as intended and to search for potential defects that could be exploited.71 Since reviews are costly and time-consuming, however, there are limited incentives for companies to undertake them in any number internally. Regulation could be one way to create such incentives.72

One example of such auditing is the HCSEC, which was established in the UK in 2010 with the purpose of providing insight into Huawei’s products and strategies there. In its most recent annual report, from March

66 Council of the European Union, Council Conclusions on the Significance of 5G to the European Economy and the Need to Mitigate Security Risks Linked to 5G. Council Conclusions, 14519/19, December 3, 2019. Brussels: Council of the European Union, p. 5.
67 Jamie Davies, “Germany Outlines Its 5G Security Requirements,” Telecom News, March 8, 2019, at: http://telecoms.com/496135/germany-outlines-its-5g-security-requirements/.
68 Dali Wireless, Whitepapers: Fault-Tolerant Public Safety System, November 22, 2017, at: http://www.daliwireless.com/whitepapers/
69 Andy Greenberg, “Hack Lexicon. What Is End-to-End Encryption?” Wired, November 25, 2014, at: https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/.
70 Council of the European Union, Law Enforcement and Judicial Aspects Related to 5G, 8983/19, May 6, 2019, Brussels: Council of the European Union.
71 Douglas Busvine, “Exclusive: China’s Huawei Opens Up to German Scrutiny Ahead of 5G Auctions,” Reuters, October 23, 2018, at: https://www.reuters.com/article/us-germany-telecoms-huawei-exclusive/exclusive-chinas-huawei-opens-up-to-german-scrutiny-ahead-of-5g-auctions-idUSKCN1MX1VB.
72 Author interview with Pontus Johnson, professor in cyber security at KTH, Stockholm, June 2019.
2019, the HCSEC oversight board highlights serious vulnerabilities in Huawei product code and systematic defects in the company’s software engineering and cybersecurity competences.73 Aiming to replicate the UK approach, Huawei has erected transparency centres in Bonn, Germany and Brussels.74 In contrast to the UK, however, these centres are not under the oversight of state authorities.

Even more crucially, auditing and certification have their technological limitations, not least that the heavy reliance on software-based solutions instead of hardware in 5G technology requires extensive maintenance work, updates and security patches. This means that a certified source code will be continuously updated, providing opportunities to include new vulnerabilities or backdoors. Hence, even if auditing and certification could prove a level of security of the source code at the time of its assessment, it would be practically impossible to review all patches individually, leaving aside the vulnerabilities that can result from a combination of updates. Due to the complexity of today’s IT systems, it is impossible to cover the millions of lines of code present in devices and equipment, or to confirm the absence of backdoors. In other words, occasional audits are ineffective, and attempts to assess new code before every update unrealistic.75

What complicates this issue even further is the fact that this work is complex and many operators involve vendors in the maintenance work on the mobile infrastructure, providing them with direct access to the core functions of the system. Even if restrictions were to be imposed on access for maintenance purposes, however, such as excluding certain vendors from making VPN connections to certain equipment for remote maintenance or assigning maintenance work to specific qualified and vetted personnel (as is the case in the UK), auditing and certification would be insufficient measures for providing meaningful reassurance of the security of any given mobile infrastructure technology.76

Another suggested measure to mitigate attempts at espionage as well as sabotage is network flow monitoring, which essentially entails gathering and analysing metadata. Operators have access to information about the data that flows into and out of their core network, and could therefore track data in order to detect and investigate abnormalities, such as traffic rerouting or leaks in which information could be redirected or transferred from the network to some third party.77 However, while network flow monitoring can be used to create comprehensive views of network activity, it might be less useful for tracking specific targets or individuals.78 In addition,

73 Huawei Cyber Security Evaluation Centre Oversight Board, Annual Report: A Report to the National Security Adviser of the United Kingdom, March 2019, at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf, p. 20.
74 Adam Satariano, “Huawei Security “Defects” Are Found by British Authorities,” The New York Times, March 28, 2019, at: https://www.nytimes.com/2019/03/28/technology/huawei-security-british-report.html.
75 Achour Messas et al., 5G in Europe: Time to Change Gear! Paris: Institut Montaigne, 2019. We do not argue that certification is not helpful but rather emphasise that it is not sufficient. Improvement of certification such as GSMA’s NESAS can only be a minor contribution to a multifaceted risk mitigation.
76 Jan-Peter Kleinhans, 5G vs. National Security: A European Perspective. Berlin: Stiftung Neue Verantwortung, 2019.
77 Achour Messas et al., 5G in Europe: Time to Change Gear! Paris: Institut Montaigne, 2019.
78 Author interview with an anonymous engineer, Berlin, May 2019.
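
The network flow monitoring described above, as an added illustration that is not part of the original paper: the sketch aggregates flow metadata per source and destination prefix and flags traffic leaving the core network for a destination outside an expected peer list, or in a volume far above a baseline. The network-function labels, address prefixes, baseline figures and the threshold are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation and private address ranges only).
# Expected destination prefixes per core-network source (hypothetical labels).
EXPECTED_PEERS = {
    "upf-01": [ip_network("198.51.100.0/24")],  # assumed interconnect partner
    "amf-01": [ip_network("10.20.0.0/16")],     # assumed internal management net
}
# Typical bytes per interval for each (source, expected prefix) pair.
BASELINE_BYTES = {
    ("upf-01", "198.51.100.0/24"): 5_000_000,
    ("amf-01", "10.20.0.0/16"): 200_000,
}
# Flow metadata for one interval: (source, destination IP, bytes). No payload.
FLOWS = [
    ("upf-01", "198.51.100.7", 2_600_000),
    ("upf-01", "198.51.100.9", 2_500_000),
    ("amf-01", "10.20.3.4", 180_000),
    ("amf-01", "203.0.113.50", 950_000),  # outside every expected prefix
    ("amf-01", "10.20.3.5", 1_400_000),   # pushes the prefix total far above baseline
]


def expected_prefix(source, dst_ip, expected_peers):
    """Return the expected prefix that contains dst_ip for this source, or None."""
    addr = ip_address(dst_ip)
    for prefix in expected_peers.get(source, []):
        if addr in prefix:
            return str(prefix)
    return None


def analyse(flows, expected_peers, baseline, max_ratio=3.0):
    """Aggregate flow metadata and return a sorted list of alert tuples.

    Two alert kinds are produced:
      ("unexpected_destination", source, dst_ip, bytes)  possible rerouting or leak
      ("volume_anomaly", source, prefix, bytes)          total exceeds max_ratio x baseline
    """
    per_prefix = defaultdict(int)
    unexpected = defaultdict(int)
    for source, dst_ip, nbytes in flows:
        prefix = expected_prefix(source, dst_ip, expected_peers)
        if prefix is None:
            unexpected[(source, dst_ip)] += nbytes
        else:
            per_prefix[(source, prefix)] += nbytes

    alerts = [
        ("unexpected_destination", source, dst_ip, nbytes)
        for (source, dst_ip), nbytes in unexpected.items()
    ]
    for (source, prefix), nbytes in per_prefix.items():
        base = baseline.get((source, prefix))
        # Pairs without a baseline are not judged on volume.
        if base and nbytes > max_ratio * base:
            alerts.append(("volume_anomaly", source, prefix, nbytes))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyse(FLOWS, EXPECTED_PEERS, BASELINE_BYTES):
        print(alert)
```

The analysis works on aggregates per source and prefix, which matches the point made above that flow monitoring gives a broad view of network activity rather than a way to follow specific targets or individuals.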