Debate continues as to how governments should manage the presence of Chinese technology in 5G telecommunications networks. But the argument risks obscuring the critical question of how states such as the UK will best achieve the cyber security they need.
US President Donald Trump’s recent visit to the UK was characterised by rather less public rhetoric than might have been expected on the subject of Huawei and 5G. This may be because the issue now seems to have been caught up in the UK’s Conservative leadership election, with the real possibility that the next prime minister might take an approach more in line with that of the president. The long-awaited UK government review of telecommunications infrastructure security has still not been published, and now seems unlikely to be issued under the current prime minister. Meanwhile, being tough on Huawei has been one of the differentiator policies adopted by a number of the Conservative leadership candidates, and the US continues to promote its narrative of banning business with Huawei with a series of engagements in the UK led by current and former senior officials.
This is a pity, as this issue is a complex one and does not lend itself to soundbites. In an increasingly heated and politicised environment, there is a tendency to try to boil it down to simplistic, binary equations which do not reflect the full picture. And the overwhelming focus on one technology, one company and one state – while perhaps understandable – masks a much broader set of issues about the globalisation of technology in the age of the Internet of Things, and how best to manage the risks that come with that.
At the risk of going over old ground, it is worth briefly reflecting on what 5G is and is not. 5G is not a revolutionary telecommunications transformation. It is not fundamentally different from existing telecoms technology, and as a matter of principle it does not require a drastically different approach to risk management. 5G brings a lot more capacity, with the ability to move much more data around, much more quickly, to many more users. Hence its potential to play a significant role in enabling the Internet of Things. 5G does require some changes in the underpinning infrastructure, but a lot of this is evolutionary, building on the current 4G infrastructure, not sweeping it away.
5G networks will be made up of multiple different components, hardware and software. These will be sourced from many different suppliers in complex globalised supply chains. Some of these components will be central to the secure operation of the telecommunications network; others will not be. 5G is simply not a technology where every component is of instrumental importance to network security. The challenge is knowing which components are and managing the risks accordingly.
This is the approach the UK has been taking with Huawei for the last decade. It is based on a clear-headed recognition of the Chinese state’s ability to influence Chinese companies, and the fact of large-scale Chinese cyber-enabled intellectual property theft targeting the UK for many years. The UK government has exercised extremely close scrutiny of Huawei technology through its oversight centre, and has not hesitated to call out Huawei’s poor security engineering and the risk that represents. The UK approach is fundamentally about making informed risk management judgements, and keeping Chinese (and certain other) technology out of key parts of the network where that is necessary.
This approach provides a foundation for handling equivalent issues in the future, when coupled with other elements advocated by the National Cyber Security Centre (NCSC) – a relentless focus on improving cyber security standards, design and engineering so that a failure in one component does not bring down the whole network, and a diverse supply chain that avoids over-dependence on one supplier.
To the UK’s experts in the NCSC, this represents a pragmatic way forward. On the face of it, it seems a more realistic approach than one that seeks to ban Chinese technology outright. This is not least because it is a false hope to imagine that a ban on Chinese technology would guarantee a network invulnerable to cyber attack. In practice, decades of cyber attacks by hostile actors have achieved success without needing to exploit the sort of advantage potentially offered to China by the prevalence of their own technology. Russia, North Korea and Iran are not noted as significant global tech players, but represent some of the most successful hostile cyber actors for both espionage and destructive attacks. So it is essential not to exaggerate the importance of the nationality issue.
Critically, this question is about far more than the next phase of the UK’s telecommunications infrastructure. All aspects of economy and society are increasingly digitally dependent. The technology that underpins this dependency is sourced from multiple vendors in many different countries. The apparent national origin of any given product is in no way a reliable guide to where its key components may actually have been designed or manufactured. The growing dominance of China in tech means that in many cases there will be a Chinese element present somewhere. Not just telecommunications, but also energy, health, civil aviation, manufacturing and many other sectors are all likely to involve digital products that have some Chinese dimension. Is it sensible or realistic to ban it all? The narrow focus on Huawei and 5G risks obscuring this much broader question.
Some form of risk management approach has to be the answer. In some cases, this may involve blanket bans on Chinese technology in certain parts of the UK’s infrastructure, but this will have to be done in a thoughtful way with a clear focus on the risk/benefit calculation. The NCSC has strongly advocated this approach for 5G and the same principles surely apply elsewhere.
As the UK approaches the halfway point of its groundbreaking 2016 National Cyber Security Strategy and considers the next phase of strategy beyond 2021, there are many issues that need working through: how to build a strong public–private partnership on cyber and accomplish the widespread adoption of critical approaches to cyber security such as active defence and secure by design; how further to develop UK cyber capacity, whether in the UK’s skills base, cyber industry, or research sector; how to make the most of national strengths in cyber security in shaping the UK’s place in the world; and how to ensure the right resources are brought to bear to keep the UK ahead of the game.
Addressing the security challenges stemming from the globalisation of technology – well beyond 5G – is important issue question to be addressed, but it is just one among many. It is essential that the UK government does not let it absorb all focus when it comes to considering how best to secure the UK in cyberspace for the future.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.
Conrad Prince CB
Distinguished Fellow and Senior Cyber Adviser