A number of U.S. companies including Google, Intel, Qualcomm and others are limiting business with Chinese telecommunications firm Huawei after the White House issued an Executive Order last week aimed at tightening security on the supply chain for information and communications technology. While the EO didn’t specifically call out Huawei, the message was clear enough: the U.S. Government can block or set conditions on transactions that are linked to a ‘foreign adversary’ that it deems a risk to national security, critical infrastructure, or the ‘digital economy’.
It’s a point that was also made personally in London last week by U.S. Secretary of State Mike Pompeo, who warned that the U.S. wouldn’t react well to UK plans to work with Huawei as it builds its 5G network, even hinting that the U.S. may reconsider some areas of cooperation between the allies.
The Five Eyes partners have not seen eye to eye on the Huawei issue for years. The U.S. has taken more of a ‘ban’ position, while the UK prefers what it calls a more ‘managed risk’ approach, assigning government oversight of Huawei teams it works alongside.
The former Director of the UK’s GCHQ, Robert Hannigan, told The Cipher Brief last year that “the obvious answer is that we’ve got to find a way to manage the risk and that means national security working with the technology companies to see what we can do to assure ourselves of what is the appropriate level of exposure for buying, or acquiring, or using, or connecting, to anything. I don’t think that it’s viable simply to ban stuff because it’s made in a particular country,” said Hannigan.
But with the latest warning delivered by Pompeo, how is the British government re-thinking the way it manages risk, and balancing that against its relationship with the U.S.?
The Cipher Brief tapped two of our experts for their perspective on how the British think about China and Huawei.
Conrad Prince, Former Deputy Director, GCHQ
Former Director General for Operations and Deputy Director of GCHQ
Conrad Prince served as the Director General for Operations and Deputy Director of GCHQ from 2008 – 2015. In those roles he led GCHQ’s intelligence operations and was responsible for the development of the UK’s national offensive cyber capability. From 2015 – 2018 he was the UK’s first Cyber Security Ambassador, leading cyber capacity building work with a number of key UK allies. He retired after 28 years of Government service in January 2018, and now holds a range of advisory roles in cyber and security.
Nick Fishwick, Former Senior Member, British Foreign Office
Nick Fishwick CMG retired in 2012 after nearly thirty years in the British Foreign Service. He did postings in Lagos, Istanbul and Kabul. His responsibilities in London included director of security and, after returning from Afghanistan in 2007, director for counter-terrorism. His final role was as director general for international operations. Fishwick also spent three years on a secondment to UK Customs, specialising in international drug enforcement and tax evasion issues.
U.S. Secretary of State Mike Pompeo was in London recently, warning British Prime Minister Theresa May and Foreign Secretary Jeremy Hunt of the dangers of involving Chinese tech companies like Huawei in 5G services.
This came after a meeting of the UK’s National Security Council on 23 April. The meeting apparently included a discussion of Huawei/5G, and the outcome of that discussion was – unprecedentedly – leaked to the UK media. Defence Minister Gavin Williamson was alleged to be the source of the leak and Mrs May booted him out of her government.
The leak showed that it’s not just Brexit that arouses passions here and divides members of the UK government.
How should we approach China? There has been a schizophrenic attitude for many years. When David Cameron became prime minister in 2010, many on the National Security Council warned of aggressive Chinese activities in areas like cyber, human espionage, the South China Sea and so on. Others saw a potential partnership in trade and investment with the world’s second biggest economy.
Arguments over Chinese telecom firm Huawei’s role in developing 5G networks often seem to generate more heat than light. There is a tendency for them to get boiled down to simplistic, binary equations which, while easy to communicate in the media, don’t really reflect the genuine complexity of the issues involved. And the relentless focus on one technology and one company masks a much broader set of issues about the globalisation of technology in the age of the internet of things, and how to manage the risks that come with that.
5G is not some revolutionary, big bang transformation in the basics of telecommunications. It is not fundamentally different from existing telecoms technology, and its adoption does not sweep away the well-established principles for mitigating cyber security risk. The significant change is in capacity – 5G brings the ability to move much larger volumes of data around, much more quickly, to many more users. So, it has the potential to offer a much better user experience, and the capacity to play an important part in new Internet of Things (IoT) technologies. There are some changes in the underpinning infrastructure, but many of these are essentially evolutionary, building on the current direction of travel. A lot of 5G implementation will involve building on existing 4G infrastructure, not something completely new.
For the UK, the key point is this: As with all telecommunications infrastructure, 5G networks will be made up of multiple different components, hardware and software. To hear the debate sometimes, it sounds like there is some monolithic hermetically-sealed 5G black box that constitutes a take-it-or-leave-it package. You either buy the Huawei 5G or you don’t. But the reality is very different.
Like any complex technology, a 5G network is made of multiple elements and components, which can be sourced from various different suppliers. And like other complex multi-faceted things – whether they are aircraft, power stations, or high-speed rail networks – some of those components are absolutely central to the safe operation of the capability, and some of them are peripheral to that.
The trick is knowing which is which and acting accordingly. This has been at the heart of the UK approach to Huawei and telecommunications for the last decade. This posture fully assumes that the Chinese government can essentially compel any Chinese entity to do anything, and that China will carry out cyberattacks against the UK (and the UK has publicly attributed cyberattacks to the Chinese state). The UK is a world leader in cyber security, investing over £2.5 billion in transformative cyber security initiatives, a programme inspired amongst other things by a clear understanding of the nation-state cyber threat to the UK, including industrial scale intellectual property theft by China.
The UK’s position, then, is all about understanding and mitigating the risk. It has a long, established set of security principles relating to telecommunications technology. This means, first, using multiple vendors and keeping the riskier vendors out of sensitive functions inside the network. For nearly a decade, a special security cell has analysed Huawei technology, highlighting discovered security issues. The UK government and the telcos it works with have an unrivalled set of insights into Huawei systems. This has enabled the identification of issues around Huawei software engineering standards and poor cyber security capabilities.
Focus on the telecoms supply chain. Following a painstaking review by our National Cyber Security Centre, the UK has set out some core principles regarding securing future networks, while building on those already in place. These focus on ensuring a diverse supply chain for 5G, building resilience in the network so a failure or compromise of one component does not bring down everything, and a significant improvement in cyber security standards across the board.
As has long been the UK position, this means keeping dodgy technology out of the most sensitive parts of the network. UK experts believe this is an achievable approach. Others have argued that no part of a 5G telecommunications infrastructure can be regarded as lower risk. This rapidly becomes a deeply technical argument, hard for non-specialists to penetrate. And the UK government has yet to make a final decision on 5G security.
The issue is becoming highly politicised. It would be an entirely legitimate political position to conclude that banning Huawei technology was worthwhile to avoid fundamental damage to the UK-U.S. relationship. But based on the years of careful analysis and behind-the-scenes work done by UK security experts, it would seem harder to justify that decision as one made in the interests of cyber risk management.
While the Huawei debate may have helped to put the issue of the globalisation of technology on the public agenda, it has not really served to illuminate the much broader issue.
Our technology today is fundamentally globalised. Components come from all over the world. Our supply chains are becoming ever more complex and difficult to unravel. The apparent nationality of the manufacturer doesn’t tell you much about where its technology was made – and China is manufacturing vast numbers of components for vendors worldwide. This creates fundamental security challenges, which mostly stem from the poor quality of the security engineering in these products, not least because security is still not seen as a market differentiator. How governments tackle this and gain enough assurance about the security of core components of our critical infrastructure, is a challenge that goes well beyond one Chinese company and one telecommunications technology.
China is a rising global power and this is not always comfortable for us. Its ideas of personal and civil liberties are, to put it mildly, challenging. But the same is true of a lot of other countries.
It is not an “enemy” in the way that the Soviet Union was but it believes that its size, and military and economic power, entitle it to a growing influence in very different parts of the world and over the way the world is run – the rules of the international order. It is not above using covert means at its disposal to grab power, knowledge and influence and it is not the first great power in history to do so.
The U.S. is the established leading global power and has specific regional interests in the Pacific which make rising Chinese influence a potential challenge. Unsurprisingly, the perspective on China from Europe looks different.
The challenge for Britain is how we avoid falling into some very different traps: of treating China like an enemy; fluffing the opportunities that 5G offers; being naïve about how to respond to a rising power with different values and ways of behaving; and alienating our friends, not just the U.S., but Australia and others as well.
The UK is taking a risk-based approach. Despite our differences, a red line for the UK will be not to jeopardise the existentially vital intelligence relationship with the U.S. The UK will also need to assure itself that it does not make its infrastructure a potential hostage. But way beyond this, is the challenge not just for the UK but for all the established powers in the west to come up with a strategy of critically engaging China on technology, trade, climate change, security and international diplomacy in the years, and decades, ahead.
We should remember what we learned on counter-terrorism: the holistic approach is the best one, one shared across our country, and with our friends abroad. Finding a holistic approach to China will be far more difficult but is rapidly becoming not a “nice to have” but an existential necessity.