The action being taken by various governments to limit the involvement of China’s Huawei in the provision of equipment for 5G has brought into sharp-focus an issue that has been around for some time, but is now becoming more acute for national security of individual countries. That is, how to ensure that purchased Information and Communication Technology (ICT) hardware and software does not contain aspects, either at time of purchase or later, that offer the possibility of being maliciously used on a large scale – either for espionage or sabotage of crucial national infrastructure.
Australia has totally banned the use of Huawei equipment in its future 5G telecommunications network, while the US has banned its use by official organizations. The US, UK and a number of other developed countries may eventually follow the Australian lead.
Recent focus has been very much on 5G because of the role that it will play in supporting the use of Artificial Intelligence (AI), Internet of Things (IoT), Cloud etc; and, the outsized role that Chinese companies in supplying much of the needed infrastructure (eg Huawei and ZTE) around the world.
The international developments seem almost certain to put Russia in a difficult position. Is it anti-Huawei, pro-Huawei, or somewhere in the middle. If it is in the middle, how does Russia ensure its national security interests?
A Russian National Technology Initiative (NTI) document in 2016 saw the world as being increasingly divided up into closed “economic-trade” blocks formed on the basis of a combination of economic and political issues. It was argued that these blocks, or “alliances, aim to develop and retain production value added chains” that are protected from outside competition by ensuring that their rules and standards become the norm. The NTI document went on to say that countries and companies which are outside these blocks/alliances and their value added chains cannot break into them because the technological standards have already been set to disadvantage them.
Thus, according to the document, the NTI was given the goal of making Russia “one of the ‘big three’ major technological states by 2035, and have its own high-tech specialization in the global chain of creating additional value”. In order to achieve this, Russia will need is own block/alliance or participate in others in such a way that it becomes a leader in “developing and confirming international technical standards”.
President Putin, in his address to the St. Petersburg economic forum on 17 June 2016, said: “Today we see attempts to secure or even monopolize the benefits of new generation technologies. This, I think, is the motive behind the creation of restricted areas with regulatory barriers to reduce the cross-flow of breakthrough technologies to other regions of the world with fairly tight control over cooperation chains for maximum gain from technological advances.”
Then US Secretary of State played-up the security aspects of such economic-trade blocs: “I have worked from day one to emphasize that foreign policy is economic policy and economic policy is foreign policy. Without a doubt, these trade agreements are at the center of defending our strategic interests, deepening our diplomatic relationships, strengthening our national security, and reinforcing our leadership across the globe.” “Even as we seek to complete TTIP and strengthen our bonds across one ocean, we know that our future prosperity and security will also rest on America’s role as a Pacific power. Central to that effort is the adoption of (Transpacific Partnership) TPP.”
However, given the prospective Brexit and the rise of Trump as an economic nationalist, such blocs seemed very unlikely when I first wrote about the NTI in 2016. Since then, Trump’s strident America first approach to the economy, abandonment of TPP, and lack of interest in an US role in international security issues would seem to have confirmed my earlier view.
Nevertheless, “Western” concern about advances in Chinese technology, the way it is being acquired (allegations of IP theft and heavy-handed treatment of companies seeking to invest in China), and the way it is being used (Xinjiang) seems to be leading to at least partial technology blocs — with the possibility of broadening to aspects of international trade and investment.
Whereas the NTI idea of economic / trade blocs was largely based on the political and economic consequences of growing global value-added chains in high-tech and Russia’s need to be part of this trend, we may now be in a situation where such economic / trade blocs will be formed by a perceived urgent need to tear existing high-tech value-added chains apart in the name of national security and create new ones. National Security is now very much in the driver’s seat!
Putin’s point about “attempts to secure or even monopolize the benefits of new generation technologies” remains valid, as does the issue — in a different form — of what bloc if any can or should Russia join.
Concerns about the security aspects of Huawei telecommunication equipment in the UK led to the establishment of the Huawei Cyber Security Evaluation Centre” (HCSEC). While Huawei pays the costs of this centre, it has no control over its operation. A HCSEC Oversight Board was established in 2014. Its fourth report in 2018 concluded that:
“5.2 The key conclusions from the Board’s fourth year of work are:
It is evident that HCSEC continues to provide unique, world-class cyber security expertise and technical assurance of sufficient scope and quality as to be appropriate for the current stage in the assurance framework around Huawei in the UK ii. However, Huawei’s processes continue to fall short of industry good practice and make it difficult to provide long term assurance. The lack of progress in remediating these is disappointing. NCSC and Huawei are working with the network operators to develop a long-term solution, regarding the lack of lifecycle management around third party components, a new strategic risk to the UK telecommunications networks. Significant work will be required to remediate this issue and provide interim risk management.
iii. The HCSEC Oversight Board is assured that the Ernst & Young Audit Report provides important, external reassurance that the arrangements for HCSEC’s operational independence from Huawei Headquarters is operating robustly and effectively, and in a manner consistent with the 2010 arrangements between the Government and the company. The issue identified was rated as low risk and two further advisory issues were identified.
5.3 Overall therefore, the Oversight Board has concluded that in the year 2017-2018, HCSEC fulfilled its obligations in respect of the provision of security and engineering assurance artefacts to the NCSC and the UK operators as part of the strategy to manage risks to UK national security from Huawei’s involvement in the UK’s critical networks. However, the execution of the strategy exposed a number of risks which will need significant additional work and management. The Oversight Board will need to pay attention to these issues.”
The qualified nature of the HCSEC reports has led to come commentators to offer strong support to the Australian bans on Huawei participation in Australian 5G. This is particularly the case with the ASPI International Cyber Policy Centre. The Centre’s Tom Uren says that the contents of the four HCSEC oversight board annual reports (2015, 2016, 2017 and 2018) “show that it is very difficult indeed” to “assess products to make sure they won’t be used to spy on us”.
However, the underlying issue is broader than Huawei and 5G. A 2018 book by Olav Lysne concludes that:
“Industrialized nation states are currently facing an almost impossible dilemma. On one hand, the critical functions of their societies, such as the water supply, the power supply, transportation, healthcare, and phone and messaging services, are built on top of a huge distributed digital infrastructure. On the other hand, equipment for the same infrastructure is made of components constructed in countries or by companies that are inherently not trusted. In this book, we have demonstrated that verifying the functionality of these components is not feasible given the current state of the art. The security implications of this are enormous. The critical functions of society mentioned above are so instrumental to our well-being that threats to their integrity also threaten the integrity of entire nations. The procurement of electronic equipment for national infrastructures therefore represents serious exposure to risk and decisions on whom to buy equipment from should be treated accordingly. The problem also has an industrial dimension, in that companies fearing industrial espionage or sabotage should be cautious in choosing from whom to buy electronic components and equipment. Honest providers of equipment and components see this problem from another angle. Large international companies have been shut out of entire markets because of allegations that their equipment cannot be trusted. For them, the problem is stated differently: How can they prove that the equipment they sell does not have hidden malicious functionality? We have seen throughout the chapters of this book that we are currently far from being able to solve the problem from that angle as well. This observation implies that our problem is not only a question of security but also a question of impediments to free trade. Although difﬁcult, the question of how to build veriﬁable trust in electronic equipment remains important and its importance shows every sign of growing.”
The basic technical reason for Australia banning Huawei has been put forward by the head of its Signals Directorate: “5G is not just fast data, it is also high-density connection of devices – human to human, human to machine and machine to machine – and finally it is much lower signal latency or speed of response. Historically, we have protected the sensitive information and functions at the core of our telecommunications networks by confining our high-risk vendors to the edge of our networks. But the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network. In consultation with operators and vendors, we worked hard this year to see if there were ways to protect our 5G networks if high-risk vendor equipment was present anywhere in these networks. At the end of this process, my advice was to exclude high-risk vendors from the entirety of evolving 5G networks.”
The technical issues of 5G are very complex and there is no universal agreement in any country about the introduction and operation of networks. International technical standards are still being developed. Initially, many basic 5G features will be delivered in most cases by upgraded 4G infrastructure, but getting the most out of 5G – in terms of speed and capacity – will require significant new investment in telecommunications infrastructure.
A controversial US proposal to build secure 5G as a “single, inherently protected, information transportation super highway” was produced by members of the US security establishment in early 2018 – and found its way into the public arena. The document says that presently “data traverses cyberspace through a patchwork transport layer constructed through an evolutionary process as technology matured”. “Measures to secure and protect data and information result in an ‘overhead’ that affects network performance – they reduce throughput, increase latency, and result in an inherently and inefficient and unreliable construct. Additionally, the framework under which access and services are allocated is suboptimal, yielding incomplete and redundant networks. Without a concerted effort to reframe and reimagine the information space, America will continue on the same trajectory – chasing cyber adversaries in an information environment where security is scarce.”
It goes on to say that “the advent of ‘secure’ network technology and the move to 5G presents an opportunity to create a completely new framework.” “Whoever leads in technology and market share for 5G development will have a tremendous advantage towards ushering in the massive Internet of Things, machine learning, AI, and thus the commanding heights of the information domain.” “The transformative nature of 5G is its ability to enable the massive Internet of Things.” “Using efforts like China Manufacturing 2025 (CM2025) and the 13th Five Year Plan, China has assembled the basic components required for winning the AI arms race.”
While the proposal for a such extensive government involvement in US 5G infrastructure seems to have been rejected, it does indicate the level of attention being focused on the issue.
The Russian Ministry of Communications is advocating that private Russian telecommunications companies share much of the 5G infrastructure, which may to some degree allow a more secure network to be built. However, this does not solve the problem of where to source the equipment.
What should Russia do if the concerns about Huawei and Chinese technology more generally start to lead to the formation of an anti-Chinese technology based economic bloc?
There is little reason to believe Russia will be any better than Western countries in evaluating the security related aspects of Chinese technology, and there would be a strong case for Russia to follow the lead of Australia, the UK, USA etc. However, there would be several arguments against such a course of action.
Firstly, Russia will not want to jeopardize its present good political relationship with China. Apart from energy sales the economic relationship between Russia and China is not strong, however geography means that Russia has a huge stake in the political relationship.
Secondly, if it is possible for Huawei and other Chinese companies to do the harmful things that are claimed then presumably non-Chinese suppliers could also do the same to Russia at the request (or demand) of their country’s security agencies. While Western commentators make much of China’s June 2017 National Intelligence Law that obliges “all organizations and citizens” to “support, cooperate and collaborate in national intelligence work”, Western high-tech companies would almost certainly do the same when it comes to Russia given its very poor image in those countries and the perceived Russian threat to those countries.
Thirdly, at a purely technical level there is nothing to suggest that Russia could build 5G infrastructure without importing most of the equipment. While Russia has a solid reputation in the software field, Russian manufacturing capacity and quality is not high. Russia’s efforts to promote the high-tech sector from the top have not been particularly successful. Even China is very dependent on crucial imported 5G components.
Fourthly, my September 2016 report on the NTI suggested that Russia needed to put more emphasis on using available digital technology rather than trying to develop new leading-edge products. In early 2017, the Russian government announced its “Strategy for the Development of the Information Society in the Russian Federation for 2017-2030” While much can be done using existing 4G infrastructure, a good 5G network will be necessary well before 2030 to maximize the benefits of the strategy as well as take best advantage of any NTI successes.
As things now stand, Russia is likely to use Chinese Huawei (and other Chinese) hardware while attempting to ensure that Russian software is used wherever possible. However, as already noted, this will be no easy task.
It is difficult to avoid the conclusion that when it comes to 5G and national security, Russia is between a rock and a hard-place. It has neither the 5G infrastructure manufacturing capacity of the US and China, nor any real friends that are capable of helping it.