The UK’s new approach to Huawei is more about the impact of US sanctions on supply than a fundamental rethink of technical security.
Today, Oliver Dowden, the Secretary of State at the Department for Digital, Culture, Media and Sport (DCMS), announced in the House of Commons that Huawei technology will no longer form any part of the UK’s future 5G telecommunications network. Existing Huawei technology will need to be stripped out of the UK 5G network by 2027.
A lot has changed in the past six months since the original decision to allow Huawei limited participation in the UK’s 5G infrastructure. But does this latest decision really represent a fundamental reversal of the original security assessment by the UK’s National Cyber Security Centre (NCSC)?
A Deteriorating Political Climate
It hardly needs saying that China’s standing in the world, and in the UK in particular, has taken a severe battering over the last few months. Significant criticism of China’s approach to the coronavirus pandemic, developments in Hong Kong, wider human rights concerns, and ongoing hostile actions globally (including an apparent major cyber campaign against Australia) have all impacted negatively on China’s reputation. Condemnation of China in the UK is now mainstream, and no longer limited to a few ‘ultras’ on the Conservative backbenches or in the conservative media. There is a growing narrative that China acts in a way that is fundamentally hostile to the UK’s interests and that UK dependence on China, in areas such as inward investment or technology, needs to be stopped, or at least limited as far as possible. And the position of the UK’s most significant ally – the US – seems pretty clear on this matter.
Set against this background, the latest 5G decision may be interpreted by some as the UK security establishment ‘coming to its senses’ about the threat from China.
In fact, the cyber threat from China has long been understood and arguably was one of the main spurs for the significant UK government investment in cyber security over the last decade or so.
Indeed, the security of 5G networks has been the subject of intense study in the UK for several years. DCMS worked closely with the NCSC to produce their Supply Chain Review in 2019, and several Parliamentary Committees have conducted their own enquiries. The UK has not been alone in this: for example, the EU produced its own risk assessment and corresponding toolbox for securing 5G networks.
Robust and Enduring Assessment
The original decision on Huawei’s involvement in 5G in the UK was based on valid principles of cyber risk management. The UK designates Huawei a ‘High Risk Vendor’, and the original position envisaged only a limited role for the company, away from the critical elements of the 5G network. Germany and France had similar policies, restricting Huawei access to the network but stopping short of a full ban.
Such a strategy emphasises the importance of implementing strong cyber security measures, creating resilient networks that avoid any single point of failure, employing tried and tested principles for network security, with security checks to monitor the quality of hardware and software, and achieving compliance with telecommunications security regulations. It also stresses the need for a diverse supply chain to avoid reliance on just one or two suppliers. In the UK, this approach is underpinned by the Huawei Cyber Security Evaluation Centre, which has now been operating for a number of years and potentially means the UK has been able to apply more scrutiny to Huawei technology than to that of any other provider.
This pragmatic risk management approach (which applies equally to other parts of the critical national infrastructure) remains the right solution. Indeed, in a world where we depend on complex global supply chains and have limited sovereign capability in key areas of technology, it is the only way forward.
What Has Changed
But circumstances have changed significantly for Huawei, leading to the revised advice from the UK security and policy machine. In May 2020, new US sanctions sought to close apparent loopholes in the existing regime by ending Huawei’s ability to use US technology and software, from any source. The sanctions essentially forbade any company using US intellectual property or manufacturing equipment from supplying Huawei. Soon after, it was reported that one of the world’s largest semiconductor manufacturers, TSMC, would stop supplying Huawei.
Semiconductors are fundamental to telecommunications technology. But China has shown limited success at producing them domestically. While Huawei asserts it has everything it needs to continue operations, including a significant stockpile of the necessary chips, many suggest that the comprehensive nature of this latest round of sanctions could decisively cripple Huawei’s business operations in the long term. If US sanctions severely compromise Huawei’s ability to supply new equipment, or repair or replace existing kit, then the company’s basic ability to supply the necessary equipment to meet an even limited role in the UK’s 5G network has to be called into question.
So, the new technical advice to the UK government is not about any revised assessment about the potentially hostile intentions of China, or its ability to express those through Huawei, nor is it a change to the fundamental principles of how to manage risk in a global technology supply chain. It is essentially about Huawei’s basic ability to function as a supplier in the face of US sanctions that have now comprehensively cut off supplies of critical components that cannot readily be replaced. And underlying this must be a real sense that the US government is going to get Huawei one way or the other. That even if Huawei could find some way round this latest set of sanctions, the US would find another means of achieving the desired effect.
Naturally, some might say that these developments chime neatly with a very different political climate from even a few months ago. But that is a matter for politicians. It is the harsh reality of Huawei’s changed circumstances that lies behind the security and policy advice to ministers.
Of course, none of this means that the UK will now have a secure 5G network. Banning any vendor, including Huawei, does not automatically make the 5G network safer. For one thing, it does not alter the fact that the 5G network will still depend on long and complex global supply chains. Chinese companies play a key role in all of these supply chains, regardless of the primary vendor. So, banning Huawei does not remove China from the 5G equation; far from it.
Furthermore, there is already a lack of vendor diversity in the 5G ecosystem. The UK, for example, is currently dependent on just three companies for 5G equipment in key areas of its network: Nokia, Ericsson and Huawei. There are few other vendors currently well placed to enter the UK market. A ban on one company severely reduces – or even eliminates – the market competition that drives the remaining vendors to increase the quality and security of their equipment. In other words, even if a ban reduces the risks posed by a high-risk vendor, it leads to over-reliance on a very small pool of other vendors.
Moreover, there is really no such thing as a ‘trusted’ vendor. The UK government has long been clear that a major concern with Huawei has been poor standards of engineering in the products. Such weaknesses inadvertently create vulnerabilities that can be exploited by hostile actors of any type, or simply make for an unreliable network. But Huawei is hardly unique in this.
Western tech companies are far from immune to errors or problems in engineering or implementation that create security vulnerabilities. And much also depends on how telecommunications service providers design and operate the network. In practice these vulnerabilities are the lifeblood of hackers and present far more of a threat than the national origin of a particular piece of equipment.
Finally, while telecommunications infrastructure is clearly a tempting target for hostile states, banning Huawei does not eliminate that risk either. Given the complexity of a 5G network it has always seemed rather fanciful to suggest that the limited role originally envisioned for Huawei would somehow have given the Chinese state the ability to suck out all our data or turn off our telecommunications infrastructure at will. And in any case hostile states are able to launch sophisticated cyber attacks against targets where they provide none of the underlying technology. It has frequently been noted that Russia represents a significant cyber threat to telecommunications networks despite not providing components of the infrastructure.
The single-minded US strategy of making Huawei effectively unviable may well mean that the company cannot be regarded as a sufficiently reliable supplier in the medium to long term. For the UK, this is about Huawei’s ability to supply verified components or conduct maintenance, rather than any dramatic new cyber security revelations. But the impact of sanctions aside, this change in policy, which moves away from even the relatively small role envisioned for Huawei in the UK’s 5G network, is unlikely to make the network materially more secure. Meanwhile, the economic and other implications of ending the relationship with Huawei, including stripping out its existing 5G technology, remain to be seen. Many concerns have been expressed, ranging from the financial implications to the risks of blackouts to the existing network. And of course, the Chinese reaction to all this has yet to play out.
It may make absolute political sense to square up to China and face up to what many see as the state’s increasingly malign influence; Huawei and 5G have become a totemic part of that debate. But the Huawei affair raises some fundamental questions that are yet to be answered. Unlike the West’s other bête noire, Russia, China is a critical player in the global economy and already has a deep commercial relationship with the UK. Many in business in the UK are likely to be concerned about the implications of any economic freeze.
The West’s dependence on China is clear; 5G is just one, relatively small, manifestation of this. If the UK’s new approach is to technologically decouple from China, it will need a serious and more coherent effort from Western governments and industry to do so.
The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.
Conrad Prince CB
Distinguished Fellow and Senior Cyber Adviser
Director, Cyber Research