The British government is expected to approve a restricted role for Huawei in Britain’s 5G network. We look at the arguments for that decision.
As debate continues around how governments should manage the presence of Chinese technology in the rollout of 5G infrastructure, it appears that the UK has finally decided that cyber risk from Huawei’s 5G components can be managed in a pragmatic way. The UK will likely exclude Huawei technology from the most sensitive parts of the 5G network, while allowing it to supply peripheral components such as mobile phone masts and antennae. From a purely technical perspective, this is a practical and realistic decision that adheres to the principles of cyber risk management and reflects the expert view of the UK’s national technical authority, the National Cyber Security Centre (NCSC). It should inform the way the UK manages cyber risk from the globalisation of technology over the next decade and beyond.
Realistic Risk Tolerance
5G networks have inherent vulnerabilities. Whether they include Huawei equipment or not, they will present a common set of technical risks and challenges (such as supply chain complexity and a lack of vendor diversity). It is impossible to eradicate all risk, especially in complex, technology-dependent activities. Furthermore, there is no such thing as completely ‘trustworthy’ equipment or vendors in any context. The challenge is to set a realistic risk tolerance informed by the degree of confidence in the security of components and infrastructure. Risk tolerance should be based on evidence and also influenced by national context, including the geographic location of equipment, national cyber security experience, vendor availability and cost.
The apparent national origin of any given product is in no way a reliable guide to where its components may actually have been designed or manufactured. The growing dominance of China in tech means that, in many cases, there will be a Chinese element present somewhere. In addition to telecommunications, sectors such as energy, health, civil aviation, manufacturing and many others all include digital products that have some Chinese dimension.
Challenges Facing Decision-Makers
Is it sensible or realistic to ban it all? This is the question the UK National Security Council has to consider, and ultimately common sense should prevail. A complete ban on Huawei as a 5G vendor is not the golden ticket to prevent Chinese presence and influence in supply chains, nor will it reduce the cyber threat from a range of hostile state actors (such as Russia) who do not provide components to the UK telecommunications network but nevertheless have shown themselves highly capable of launching successful attacks against it.
Much of the technical debate about 5G relates to whether or not the core and edge of the network remain technically distinct. The core consists of components that have much greater control over the network than access layer (edge) components. Core components know much more about the context of the 5G network and include routing and switching functions on base stations. If it is assessed that it is no longer possible to distinguish between critical and non-critical parts of the network, this has serious consequences for risk management approaches to 5G cyber security. In theory, a threat actor could gain access to any part of the network and move laterally to more sensitive parts of the network without any restrictions.
However, core and edge functions do remain technically distinct in 5G networks. 5G is not a technology where every component is of instrumental importance to network security, and the failure of individual components at the edge, such as a radio access network (RAN) antenna, usually only affects a small area of the network. There is a range of measures to manage risk to 5G networks, including resilient network architecture, access management, and testing and monitoring. It is important not to dismiss multiple measures that have historically isolated and localised risk in telecommunications networks. 5G is an evolutionary technology, not a revolutionary one. Past approaches to cyber security remain applicable.
Confidence in Huawei is low. The company has previously been accused of producing poor-quality equipment that is significantly more likely to have flaws than that of other vendors. However, despite serious doubts about Huawei, no one has presented clear evidence that the company is deliberately installing back doors in its equipment.
The Wider Perspective
The 5G debate is clearly not just about cyber security. It has become part of a wider geopolitical conversation. It relates to political issues about China’s place in the world and what other nations feel about that, as well as to economic factors, including Western reliance on Chinese technology and manufacturing, advanced Chinese innovation in technology and fears that the West is falling behind. There are also human rights concerns – for example, about how Chinese technology companies have allegedly enabled the Chinese government to suppress its citizens. Not least, the UK has had to consider the strong, and highly public, political pressure from the US to ban Huawei outright.
The US government has threatened that it will no longer share intelligence with countries that include Huawei in their 5G networks, stating that it would put US information at risk. Officials have gone so far as to say that the US could not base resources, such as a military base or an embassy, in a country that uses Huawei equipment. This is part of an ongoing effort to pressure the UK and other countries to exclude Huawei entirely from 5G networks, and comes as a bold threat which the British government will no doubt have considered carefully when coming to its final decision.
The technical argument for a complete ban of Huawei as a 5G supplier to UK mobile networks appears to have been lost. Critics of the UK’s decision may be better off focusing on the geopolitical argument about the longer-term impact of Chinese influence over tech and the internet, human rights concerns and the pivot of technology innovation from West to East, rather than relying on technical risk arguments that do not stand up under scrutiny.
For some nations, political, economic or human rights considerations may end up being the overriding factors that lead to the decision to ban a particular vendor. This may be an entirely legitimate national approach. But nations must be clear about the extent to which political, rather than technical, factors inform their decision-making relating to 5G and other technology. They should not seek to mask these political considerations with weak assertions about technical risk management. All that will do is confuse the argument and undermine the authority of our national technical experts.
James Sullivan is a Research Fellow in cyber threats and cyber security and leads RUSI’s cyber-related research programme.
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.
Written by James Sullivan, Director, Cyber Research