The security risks in Chinese tech dominance — Robert Hannigan

The UK government’s announcement this week that it will take greater powers to scrutinise and block foreign takeovers on national security grounds brings it closer to the approach of the US and other countries, including Germany and Australia.

It follows decades of peculiarly British vagueness about who had the responsibility for worrying about these security implications, still less the power to do anything. It is also part of an international trend, as western nations wake up to the intellectual property they may be losing, or dependencies they may be inviting. Add to that the realisation in recent years that sophisticated cyber attacks are increasingly being delivered through the supply chain and buried deep within the internet infrastructure, and western jitters are understandable.

US president Donald Trump ‘s castigation of Germany for supporting the Nord Stream 2 gas pipeline and his defence of domestic steel production on national security grounds fit this recent pattern. Steel tariffs may be driven by protectionism, but Mr Trump is making a sensible point. Concern about over-dependence on a particular energy source or security of supply for key commodities is hardly new in foreign policy.

But Russia and China present very different challenges at the intersection of economic and national security. Russia’s limited leverage is old-fashioned energy rather than technology. As its unreformed economy declines it will lash out and the west will aim to contain this. Viewed from the offices of Moscow’s securocrats, the internet is a huge US conspiracy, albeit one which is conveniently open to asymmetric exploitation, whether through cyber attack or propaganda. But Russia’s misuse of the internet is essentially tactical.

The challenge presented by China is radically different and brings both opportunity and risk on an entirely new scale. China manufactures an estimated 90 per cent of the world’s IT hardware, including some three-quarters of all smartphones. That has been true for many years, and it means the world economy is increasingly sitting on a global IT infrastructure manufactured in China.

Quantifying the risks involved in this dependency is difficult. Cyber space therefore presents traditional policymakers with a novel challenge. In the past we were used to disputes about who ruled and navigated the high seas, but never about who made the water.

Even this acknowledgment of the scale of China’s achievement misses the point. The real challenge for the west in this century is not that Chinese technology is ubiquitous, but rather that increasingly it is world leading. This has been best illustrated in recent months in the mobile telecoms sector. Governments need to deliver faster broadband and next generation 5G telephony for their data-hungry populations. The leading suppliers of this technology are all Chinese.

Short of creating domestic alternatives, which looks unrealistic, the options range from denying ourselves Chinese technology and investment in the name of a potential threat, or finding ways to manage the security risk.

Faced with this dilemma, governments have reacted in a variety of ways. The US has partially banned some Chinese companies and Australia looks set to do so as well. Others across Asia, Africa and Europe have enthusiastically welcomed them. The UK has taken a middle way, trying to assure itself on the risks by scrutinising the software and hardware installed by Huawei in UK networks.

The UK experiment has broken new ground in developing capabilities to scan vast amounts of code to achieve some level of security assurance. But it also illustrates the difficulty of understanding, let alone policing, the IT supply chain. There are a number of reasons for this. Dependencies in IT are complex and not easily visible. The supply chain can be very long indeed. A software vendor may subcontract its code writing many times over.

Even where hardware and software can be scrutinised, spotting the difference between an engineering mistake and a deliberate “backdoor” is often a matter of judgment. And the skills and resources needed to vet the global supply chain at scale are simply not there.

But telecoms companies are only the beginning. Over the next 20 years, China will emerge as pre-eminent in numerous areas of technology. President Xi Jinping has explicitly set the goal of leading the world in artificial intelligence and other advanced technologies by 2030. He has backed this up with an impressive and well-funded development plan. Last year, there were more research papers on this subject published in China than in the US. We tell ourselves that western liberal democracy is the key to creativity in technology, but it turns out that a centralised command economy can do innovation pretty well.

The west needs a policy response rooted in the understanding of technology as well as foreign policy. Some of that will be down to industry, a point acknowledged by Brad Smith, Microsoft president, this year. We must not cut ourselves off from the brilliance of Chinese technology, but we need a more mature assessment of the risks.

The writer is executive chairman of BlueVoyant Europe and a former director of GCHQ, the UK’s technical intelligence and cyber agency

Originally published at https://www.ft.com on July 27, 2018.