But Even as Political Pressure from the US Mounts, Expert Consensus on Potential Huawei 5G Network Security Risks Remains Elusive

Last week Canadian Industry Minister Francois-Philippe Champagne gave the latest signal that Canada was preparing to formally ban Chinese telecommunications equipment giant Huawei from the country’s 5G networks.

“National security comes first, when it comes to something like that. We often think about infrastructure in terms of roads and bridges, but the network infrastructure, the telecom infrastructure, is really the way of the future,” Champagne told reporters[i], without specifically naming Huawei, when asked about the pending 5G decision.

“I think people want to see this kind of virtual network of trusted partners to be ensuring resiliency to people for generations to come.”

The announcement is now expected to come not long after the Canadian Parliament’s formal return next week.  With the anticipated ban of Huawei, Canada would be the last member of the Five Eyes intelligence alliance to take such a step, the US, UK, Australia and New Zealand having already disqualified Huawei on national security grounds.

The decision on Huawei had been delayed pending the resolution of the extradition case against Huawei CFO Meng Wanzhou and the return of Canadians Michael Kovrig and Michael Spavor, who had been arrested by Chinese authorities on espionage charges shortly after Meng’s arrest in Vancouver in December 2018.  Now that the US has released Meng with barely even a slap on the wrist[ii] and with the Two Michaels now safely back in Canada, the Trudeau government is ready to proceed. 

With more than 75%[iii] of Canadians in favor of a ban, up from 53% in 2019, the decision to exclude Huawei from the list of approved vendors for Canada’s 5G networks appears to be a forgone conclusion.  The poll was conducted the week following the release of the Two Michaels, reflecting a hardening of negative views towards China.

US Pressure Campaign

Concerns about national security risks presented by Chinese telecoms suppliers Huawei and ZTE have been brewing for nearly a decade in the US.  As early as 2012, a US congressional report[iv] declared Huawei and ZTE to be a threat to national security threat.

Chief among the national security concerns typically cited are the risks that Huawei 5G technology may contain back doors to allow Chinese authorities to collect data transmitted over the Huawei networks or that the underlying software programs may contain a “kill switch” that could enable China to cripple critical communications network infrastructure as part of a cyberattack against the West.

Over the last several years, however, Huawei, which is the world’s largest telecom equipment supplier with a strong leadership position in 5G technology, had started to make significant inroads into 5G networks in both developing and developed countries, including close allies of the US, suggesting that other countries did not fully share these concerns. 

Numerous network operators and regulators have conducted tests on Huawei’s 5G equipment over recent years, and in one case (Belgium) test identified no issues[v], and in a second (the UK) researchers originally found that the risks were manageable[vi].  Under pressure from the US, however, the UK then reversed its position[vii] and late last year declared that Huawei would not be permitted to bid on UK 5G network projects.

In late 2019, reports surfaced that Canadian spy agencies[viii] were also split over the proposed Huawei 5G ban.  The Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) were tasked with conducting a cybersecurity review to assess potential risks.  The CSE reportedly supported an outright ban while CSIS believed the risks could be mitigated with robust testing and monitoring.

The incessant drumbeat of the relentless anti-Huawei campaign on the part of the US, however, now appears to have drown out all divergent voices, at least among the US’ closest allies.

Assessing 5G Risks Generally

The roll out of 5G networks is still in its early stages (only about 15 percent[ix] of global mobile device users are projected to use 5G by 2025), but 5G promises to usher in the era of the Internet of Things (IoT), which will connect billions of new devices[x] to the network, including car infortainment systems, smartwatches, thermostats, speakers, baby monitors and other everyday household appliances.

Many experts see this exponential proliferation of IoT devices as introducing new vulnerabilities since many new IoT-enabled devices have only minimal security[xi] and so will present the proverbial weak link that hackers prefer to actively target.  Moreover, 5G core networks are virtualized in software, which allows for greater customization enhances speed, capacity and responsiveness, but this software core is also seen as a key vulnerability[xii] of 5G generally.  And with more devices and more bandwidth comes more data to be hacked.

But not all experts agree with this assessment that 5G networks generally will be more vulnerable to security breaches.  Others cite to the robust security protocols built into the 5G specifications by Intel and Qualcomm which should make it harder[xiii], not easier to hack.

Still others note that 5G networks will be built on top of existing 3G and 4G networks[xiv], which demonstrably are already vulnerable to attack, so the risk level for 5G may not be significantly greater than for the existing installed networks.

There is also a dispute among experts as to whether there are different levels of risk at the core versus the edges.  Some maintain that the edges or access elements of the networks present less risk[xv], and this assessment formed the basis of the original decision (since revoked) of UK regulators to allow Huawei to participate in non-core elements of the 5G networks.

Others see no distinction between the core and edge[xvi] in 5G networks in terms of risk given that with 5G data will travel along the edge at the speed of light.  As such, these experts see elevated risk with any infrastructure connected to the network, even at the edge.

In addition, there is a debate about how much additional protection against spying or hacking is afforded by encryption of data.  Certain telecommunications professionals note that the proper use of encryption[xvii] as currently employed for 3G and 4G networks will also be critical in connection with 5G networks.

On the other hand, other experts note that the way that wireless telecoms networks are currently structured, much data passes through the network in unencrypted form[xviii], some of which can viewed by base stations at the edge of the network.  But even this latter group acknowledges that the accessible data at the edge of the network may be limited to the “envelop” of the message and not the content.

“Buggy” Software or Nefarious “Back Doors”?

As such, it is generally acknowledged that no technology, and by extension, no 5G telecoms network, can ever really be secure[xix].  So what is it about Huawei’s 5G technology that has attracted so much political opposition in leading industrialized nations?  The objections take many different forms, and in each case, there are independent experts on both sides of the issue, all citing different sets of objective facts.

The primary arguments against deployment of Huawei 5G technology advanced by government authorities in many leading industrialized Western countries are based on claims of purported heightened risks of spying and cyberattack.  Given the core role of telecommunications infrastructure in modern society and business, these concerns must be taken very seriously, but once again, these are areas where credible independent commentators have reached very different conclusions.

A common theme in the attacks on Huawei 5G technology is a claim that Huawei’s software is “buggy,” which makes it more vulnerable to hacking.  US authorities have taken the position that this alleged “bugginess” means that Huawei’s software has “front doors”[xx] accessible by both the company and by bad actors, suggesting that this is intentional and nefarious conduct on the part of Huawei.   US officials have also insinuated that Huawei’s practice of updating the software remotely is somehow improper, when that in fact is in line with standard industry practice.

Most other commentators are less likely[xxi] to ascribe ill intent to Huawei, noting that all companies build upon legacy code and fix problems as they arise, while still taking the view that the base code layer of the Huawei software may be more “buggy”[xxii] than that of some of their competitors.  Still other experts note that the presence of bugs in software is simply “normal business”[xxiii] and that bugs are not “back doors” in and of themselves, but they can be exploited to create “back doors.” 

This purported “bugginess” of Huawei software has led to fears on the part of some experts that Chinese authorities could demand access[xxiv] to Huawei code with the intention of identifying “back doors” that it could conveniently exploit for later espionage or sabotage.  In late 2018, Bloomberg sought to ratchet up related concerns, reporting[xxv] that the Chinese military had compelled a Chinese server supplier to insert a tiny chip into its hardware that would facilitate covert access by China.     But then The Washington Post did follow-up reporting[xxvi] that challenged the fundamental factual premise of the Bloomberg story.

In fact, there has never been any evidence[xxvii] presented that Huawei has collected information for the Chinese government from its networks abroad, and if intelligence agencies have information supporting the allegations against Huawei, they remain tight-lipped[xxviii] about it.  The national security arguments against Huawei 5G technology have all been framed as a hypothetical – it may not have happened to date, but it could happen in the future. 

This speculative concern is buttressed by critics who refer to China’s National Intelligence Law, which they cite for the proposition that the Chinese government can compel Huawei to access and share data transmitted over its networks.  However, this is an assertion that is undercut by the conclusions of two top law firms. 

Beijing-based Chinese law firm Zhong Lun and highly respected London-based international law firm Clifford Chance[xxix] confirmed that as a telecom equipment supplier Huawei is not subject to the provisions of the law, which applies only to telecom operators and internet service providers inside China.  Furthermore, the law has no extraterritorial effect, so could not apply to Huawei’s activities outside of China even if it were subject to the law.

 

On the other hand, other US-based China legal scholars[xxx] note that China can exert other types of pressure to compel cooperation with state espionage activities, but that brings us back to the question of what data can be captured.  If it is encrypted, then neither Huawei nor the Chinese government could unlock it to discover the contents of the messages.  Only the companies providing the “over the top” encrypted applications[xxxi], such as Apple or Google, would have access to the keys to decrypt the data.  Everyone else, including government officials, would have to rely on these tech players who hold the encryption keys.

Assessing the Threat of Network Sabotage

Beyond spying, the other worry voiced by critics is that the Huawei 5G kit could have an embedded “kill switch” that could be triggered as part of a cyberwar weapon of mass destruction to bring down the core telecommunications networks of China’s adversaries.  A subtler approach[xxxii] could be for Huawei to facilitate the insertion of code that could damage the broader network at the behest of the Chinese government.

This is theoretically possible, but also entirely unnecessary.  Cyberattacks can be made just as effectively by state-sponsored cyber-warriors or even independent rogue hackers[xxxiii] who have no special access facilitated by the network equipment supplier.  That has been the history of mass hacks to date over 3G and 4G networks, and is expected to continue to be the rule rather than the exception in respect of 5G networks.

Moreover, the nature of cyberwarfare is such that any such catastrophic attack is a single-time action[xxxiv] – once the cards are played, they cannot be played again because the targets will be in a position to take appropriate defensive and retaliatory steps. 

Were it to be determined – or even credibly suspected – that Huawei had conducted or facilitated such an attack against a target in one country, then all of its remaining good will with customers in all other markets would completely dissipate in a single stroke, an outcome that would be the end of Huawei as a global company.

What Will Be Achieved by the Canadian Ban?

As intimated in the comments of Canadian Industry Minister Champagne cited above in respect of the pending decision on Huawei 5G in Canada, it is clear that the key issue is lack of trust.  In the aftermath of the arrests – and later releases – of Huawei CFO Meng Wanzhou and the Two Michaels, trust on both sides continues to be in short supply. 

The different responses to and impacts from the continuing pandemic also have contributed to the rise in mutual skepticism on the part of each side of the motives of the other side.  This trust deficit will not be remedied before the final decision is made on Canada’s 5G networks in the next few weeks.

As a result, Canada is expected to embark along the path of “ripping and replacing” all Huawei equipment from its domestic networks as now underway in the US, UK, Australia and New Zealand.  The cost in terms of time and money for this process is also the subject of debate, but the costs is in the billions, and UK operators now project a minimum five-year period[xxxv] and perhaps as long as ten years[xxxvi] to transition fully away from Huawei equipment currently deployed in its 2/3/4G networks.  Going any faster could risk periodic service blackouts across the networks.

Banning Huawei also reduces[xxxvii] the number of 5G suppliers, which brings its own commercial risks – and, in the view of some experts, also potentially additional security risks[xxxviii].  In addition, the removal of Huawei from 5G networks will only accelerate the growing technological divide[xxxix] between East and West, which will also impose heavy costs on Western technology players and telecom operators.  This process is already well advanced as a result of the semiconductor chip ban imposed by the US on Huawei.  

Questioning Motives and Rebuilding Trust

Just as the West questions China’s and Huawei’s bona fides, China questions the motives of the US, and even respected third parties share many of these concerns.

The US role in the expanding ban of Huawei 5G technology has been indispensable, and although the campaign against Huawei began before and has continued after his administration, the US position may have been best personified by Trump’s bellicose blanket harassment of Chinese tech companies as part of the overall US-China trade dispute. 

It is certainly well within the rights of the US to determine what constitutes a national security risk.  It is also legitimate and appropriate for the US to undertake to persuade friends and allies to adopt positions that align with its own.  In this case, however, other US strong-arm tactics appear to have tipped the scales in terms of persuading its allies to join the Huawei 5G ban.

For example, a key reason for the UK’s change in heart on procurement of Huawei 5G kit was due to the impact of the US chip ban against Huawei, on the basis that these US-generated new facts on the ground tended to further erode the reliability[xl] of Huawei equipment going forward.  In other words, it was not simply that the original assessment that the national security risks associated with the Huawei kit were manageable was reversed as much as it was that the US had made it harder for Huawei to source key components.

In Canada, negative sentiments against China have hardened due to the arrest of the Two Michaels, which was viewed by many as a form of hostage diplomacy[xli].  Whatever view one may have on the legitimacy (or illegitimacy) of China’s actions, it is undeniable that they were in response to the arrest of Meng by Canada at the request of the US, so once again, US action triggered the series of events which created an environment which the Huawei 5G ban was not only more likely but perhaps inevitable. 

The fact that the US case against Meng appeared to fall apart[xlii] at the extradition stage, with the Canadian judge opening questioning the sufficiency of the charges, only tended to reinforce China’s suspicions of US motives.

China is not alone in calling foul at what it perceives to be US economic and technological hegemony.  At the time of Meng’s arrest, the Financial Times[xliii], noting that it is extremely rare for corporate executives to be charged personally in a sanctions violation case, called the arrest of Meng “provocative,” and further suggested that the arrest of Meng risked being interpreted as “the use of American power to pursue political and economic ends rather than straightforward law enforcement.”   A Canadian law professor[xliv] likewise suggested that the timing of Meng’s arrest “seemed odd to many,” coming as it did at the very time that the US was trying to persuade Canada to join the Huawei 5G ban.

Similarly, others saw the Huawei chip ban as part of a broader “struggle for economic and technological dominance”[xlv] between the US and China, and the ban of Huawei 5G equipment correspondingly has raised questions in the minds of other tech experts as to “where does the concern for cybersecurity end and American protectionism[xlvi] begin?”

Still others see the Huawei 5G ban as an effort to mask the fact that US 5G policy has been a failure, effectively ceding the 5G technology leadership role to China.  Rather than imposing bans, experts say, the US should be offering competitive alternatives[xlvii]

Creating an Opening for More Productive Engagement

With 16 of the top 30 countries with the highest digital revenue as a share of GDP now situated in the developing world, “[p]rice, not politics, will be the decisive factor[xlviii] for many nations when deciding which companies will be permitted to tender for their national 5G networks.”

As Huawei founder Ren told the BBC[xlix], “If the lights go out in the West, the East will still shine.  And if the North goes dark, there is still the South.”  The US has been successful in checking the growth of Huawei, but experts concede that it is doubtful[l] that the US can crush Huawei as a global technology powerhouse.

The Huawei 5G ban in the West thus will exacerbate the widening technological divide, which may ultimately backfire[li] on Western technology companies.  Concurrently, the geopolitical divide similarly is proceeding apace at an alarming pace.

Taking Canada as an example, recent polling data indicates that 36% of Canadians believe the relationship with China had been “permanently damaged”[lii] as a result of the jailing of the Two Michaels.  But therein lies the potential silver lining: nearly two-thirds of Canadians may be open to reengagement with China, perhaps not now in the immediate aftermath of the national trauma surrounding the arrest and later release of the two Canadian nationals, but more likely following a reasonable interval.

Here, too, Canada is seeking a reset of the Sino-West relationship along the lines of the Tony Blair “light Cold War”[liii] model of cooperation, competition and confrontation with China (or in the Canadian framing, collaborate, compete and challenge).  To that, the Canadians appear prepared to add a fourth “C”: coexist[liv].

Huawei and China will be able to weather the current storm of apparently now irreversible decisions to ban Huawei 5G technology by the US and its core allies, but now that the Meng case has been resolved and the Two Michaels have returned home, in order to achieve an equilibrious state of more productive coexistence, the Huawei chip ban will need to rescinded. 

The US can extract its pound of flesh from Huawei to save face, but a well-established template[lv] for such a resolution exists.  Then Huawei can compete in the open market, and the US can continue its pressure campaign within its sphere of influence.  But the blatant anti-competitive overreach of the US chip ban will have been removed as an obstacle to dialogue within the scope of what is possible given the numerous other issues that plague the multi-lateral relationships between China and the West.