Why the Huawei ban and blanket bans on Chinese tech make no sense — Robert Hannigan
The chorus of voices calling for Chinese companies to be frozen out of telecoms in western countries, especially future 5G networks, seems to grow daily. They cite a variety of concerns from cyber espionage to the dominance of the Chinese technology sector, underpinned by fears about the direction of China’s foreign policy.
All this is lumped together into a perceived cyber threat, which can only be met by a blanket ban. But these arguments are short on technical understanding of cyber security and the complexities of 5G architecture.
The allegations of sanctions evasion levelled against Huawei are not trivial. If proven, no doubt the company will face the penalties for sanctions-busting that others have in recent years, including some household names in UK banking. It may leave the company with work to do to restore its corporate reputation, but it has nothing to do with telephony or cyber attacks.
US President Donald Trump’s disarmingly open statement that he might make the extradition of Huawei’s chief financial officer from Canada part of a trade deal, has reinforced the view that there is a wider geopolitical campaign in play. That will certainly have been the impression in Beijing, and possibly in Ottawa. Whether or not we sympathise with the Trump administration’s ambitions on trade, this again has nothing to do with telephony or cyber.
In assessing what the actual risk from Chinese tech may be, the UK has a unique advantage. The GCHQ-vetted facility, which has been evaluating Huawei’s presence in UK telecom networks for some years, has given us a detailed insight into the company’s hardware, code, processes and policies. No other western government has this. Based on this expert analysis, the National Cyber Security Centre has been blunt about Huawei’s shortcomings in security engineering and in its general attitude to cyber security. It is right to confront Huawei on this, even though its failures are not unique, as those who experienced the O2 mobile network outage in the UK last December will appreciate. Huawei has reportedly promised to address the criticisms and to spend huge sums doing so. The NCSC should wait and see how well it delivers.
The key point here, obscured by the growing hysteria over Chinese tech, is that the NCSC has never found evidence of malicious Chinese state cyber activity through Huawei. It is not naive: it has, for example, pointed to the scale of Chinese state-linked cyber espionage through attacks on IT-managed service providers around the world. But the fact that these attacks did not require the manipulation of Chinese sovereign companies such as Huawei merely underlines how ineffective a blanket security ban based on company national flags is likely to be.
Instead we should make technical judgments based on a clear-eyed view of the potential threat. Those who are now running for cover from Chinese companies, having welcomed their inward investment in recent years, behave as if we had only just discovered that China was governed by a Communist party that has reach, if it wishes, into every part of the Chinese private sector. But most of us had priced that into our threat calculations long ago; I expect China does the same in reverse.
If we are clear about the potential for a Chinese government to use this reach at some stage in the future to exert leverage in telecoms, we need to take that possibility into account in allowing access, and, when we construct our networks, to make sure it does not matter. That is what happened with 3G and 4G and explains why there were restrictions on Huawei access to the “core” of the UK networks.
The stakes are higher for 5G because so much could depend on these new networks, from future healthcare services to transport, and because 5G has very significant architectural differences that complicate security regulation. There will need to be sensible restrictions on exactly where foreign technology is deployed and a diversity of providers so that there is no single point of failure or potential leverage. But assertions that any Chinese technology in any part of a 5G network represents an unacceptable risk are nonsense.
The UK and other European countries should hold their nerve and base decisions on Chinese involvement in future telecoms on technical expertise and rational assessment of risk, rather than political fashion or trade wars. We should accept that China will be a global tech power in the future and start managing the risk now, rather than pretending the west can sit out China’s technological rise.
The writer was Director of GCHQ from 2014–17 and is a senior fellow at the Belfer Center, Harvard
Originally published at https://www.ft.com on February 12, 2019.