There's More to Cyber Than Huawei
Debate continues as to how governments should manage the presence of Chinese technology in 5G telecommunications networks. But the argument risks obscuring the critical question of how states such as the UK will best achieve the cyber security they need.
US President Donald Trump’s recent visit to the UK was characterised by rather less public rhetoric than might have been expected on the subject of Huawei and 5G. This may be because the issue now seems to have been caught up in the UK’s Conservative leadership election, with the real possibility that the next prime minister might take an approach more in line with that of the president. The long-awaited UK government review of telecommunications infrastructure security has still not been published, and now seems unlikely to be issued under the current prime minister. Meanwhile, being tough on Huawei has been one of the differentiator policies adopted by a number of the Conservative leadership candidates, and the US continues to promote its narrative of banning business with Huawei with a series of engagements in the UK led by current and former senior officials.
This is a pity, as this issue is a complex one and does not lend itself to soundbites. In an increasingly heated and politicised environment, there is a tendency to try to boil it down to simplistic, binary equations which do not reflect the full picture. And the overwhelming focus on one technology, one company and one state – while perhaps understandable – masks a much broader set of issues about the globalisation of technology in the age of the Internet of Things, and how best to manage the risks that come with that.
At the risk of going over old ground, it is worth briefly reflecting on what 5G is and is not. 5G is not a revolutionary telecommunications transformation. It is not fundamentally different from existing telecoms technology, and as a matter of principle it does not require a drastically different approach to risk management. 5G brings a lot more capacity, with the ability to move much more data around, much more quickly, to many more users. Hence its potential to play a significant role in enabling the Internet of Things. 5G does require some changes in the underpinning infrastructure, but a lot of this is evolutionary, building on the current 4G infrastructure, not sweeping it away.
5G networks will be made up of multiple different components, hardware and software. These will be sourced from many different suppliers in complex globalised supply chains. Some of these components will be central to the secure operation of the telecommunications network; others will not be. 5G is simply not a technology where every component is of instrumental importance to network security. The challenge is knowing which components are and managing the risks accordingly.
This is the approach the UK has been taking with Huawei for the last decade. It is based on a clear-headed recognition of the Chinese state’s ability to influence Chinese companies, and the fact of large-scale Chinese cyber-enabled intellectual property theft targeting the UK for many years. The UK government has exercised extremely close scrutiny of Huawei technology through its oversight centre, and has not hesitated to call out Huawei’s poor security engineering and the risk that represents. The UK approach is fundamentally about making informed risk management judgements, and keeping Chinese (and certain other) technology out of key parts of the network where that is necessary.
This approach provides a foundation for handling equivalent issues in the future, when coupled with other elements advocated by the National Cyber Security Centre (NCSC) – a relentless focus on improving cyber security standards, design and engineering so that a failure in one component does not bring down the whole network, and a diverse supply chain that avoids over-dependence on one supplier.
To the UK’s experts in the NCSC, this represents a pragmatic way forward. On the face of it, it seems a more realistic approach than one that seeks to ban Chinese technology outright. This is not least because it is a false hope to imagine that a ban on Chinese technology would guarantee a network invulnerable to cyber attack. In practice, decades of cyber attacks by hostile actors have achieved success without needing to exploit the sort of advantage potentially offered to China by the prevalence of their own technology. Russia, North Korea and Iran are not noted as significant global tech players, but represent some of the most successful hostile cyber actors for both espionage and destructive attacks. So it is essential not to exaggerate the importance of the nationality issue.
Critically, this question is about far more than the next phase of the UK’s telecommunications infrastructure. All aspects of economy and society are increasingly digitally dependent. The technology that underpins this dependency is sourced from multiple vendors in many different countries. The apparent national origin of any given product is in no way a reliable guide to where its key components may actually have been designed or manufactured. The growing dominance of China in tech means that in many cases there will be a Chinese element present somewhere. Not just telecommunications, but also energy, health, civil aviation, manufacturing and many other sectors are all likely to involve digital products that have some Chinese dimension. Is it sensible or realistic to ban it all? The narrow focus on Huawei and 5G risks obscuring this much broader question.
Some form of risk management approach has to be the answer. In some cases, this may involve blanket bans on Chinese technology in certain parts of the UK’s infrastructure, but this will have to be done in a thoughtful way with a clear focus on the risk/benefit calculation. The NCSC has strongly advocated this approach for 5G and the same principles surely apply elsewhere.
As the UK approaches the halfway point of its groundbreaking 2016 National Cyber Security Strategy and considers the next phase of strategy beyond 2021, there are many issues that need working through: how to build a strong public–private partnership on cyber and accomplish the widespread adoption of critical approaches to cyber security such as active defence and secure by design; how further to develop UK cyber capacity, whether in the UK’s skills base, cyber industry, or research sector; how to make the most of national strengths in cyber security in shaping the UK’s place in the world; and how to ensure the right resources are brought to bear to keep the UK ahead of the game.
Addressing the security challenges stemming from the globalisation of technology – well beyond 5G – is important issue question to be addressed, but it is just one among many. It is essential that the UK government does not let it absorb all focus when it comes to considering how best to secure the UK in cyberspace for the future.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.
Latest News from
Training Day: North Korean Missile Tests Underscore a Diversifying Missile Arsenal24/09/2021 14:25:00
The recent near-simultaneous missile tests conducted by the governments of South and North Korea are illustrative of an emergent dynamic in which a growing South Korean counterforce capability is incentivising North Korean efforts to achieve a more diversified missile arsenal that can be rapidly dispersed.
The Lessons Not Learned: Afghanistan After the Fall of Panjshir10/09/2021 14:38:00
A truly successful rebellion will have to reckon with a much more astute Taliban than that which ruled Afghanistan during the 1990s.
The War Might be Over, but ‘Yesterday’s Problem’ has Not Gone Away10/09/2021 14:25:00
Two decades on from 9/11, the West faces a continuing threat from Islamist terrorism, as well as the question of how to deal with the Taliban and other entities which reject the Western narrative.
Omani Mediation: A Chance for Yemen?09/09/2021 14:25:00
As international efforts to end the war in Yemen – and the concomitant humanitarian crisis – continue to tread water, Omani mediation efforts could offer some hope of progress.
Analysis: The Government's Plans For Health And Social Care09/09/2021 11:15:00
Credit where credit is due: we finally have a Government willing to take on the social care question.
The UK’s New Armed Forces Bill07/09/2021 14:25:00
A new legal framework governing the UK’s armed forces is reaching its final parliamentary stages. A brief on its main features and controversies.
The Taliban Takeover in Afghanistan: Opportunities and Challenges for Pakistan06/09/2021 14:25:00
Recent developments in Afghanistan constitute a strategic gain for Pakistan, at least for the moment.
Russia Defines Its Post-Takeover Role in the Afghan Conflict03/09/2021 14:25:00
Russia looks to the Taliban as a stabilising force in Afghanistan – and this may mean formal recognition of the new regime in the country.