19 February 2020

5G and Huawei: The UK and EU Decide

By John Lee

The U.K.’s decision in late January to allow “high-risk vendors” to equip parts of its 5G telecommunications networks permits the continuing involvement of Huawei, a company described by U.S. legislators and officials as an arm of the Chinese state. The decision has been widely portrayed as a sacrifice of the U.K.’s security and that of partner nations to short-sighted material greed. It has been blasted in the U.K. Parliament and by critics abroad, who have blamed it on post-Brexit fear of retaliation from China and the clout of “Beijing-backed business interests.”

In fact, the controversy reflects deeper disagreements over engineering and security design for 5G networks, and about whether the basic problem involved is one of risk management, or of fundamental incompatibility with the Chinese political system in which Huawei operates. These diverging views can be expected to surface in other contexts as Chinese firms expand their presence across the global economy.


The technical debate over securing 5G networks centers on claims that they will collapse the distinction between “core” and “edge.” A commentary from the technical director of the U.K.’s National Cyber Security Centre (NCSC) describes this proposition as “untrue.” He asserts the continued feasibility in 5G of separating high-risk vendors from sensitive data and functions, and therefore of successfully protecting the latter with security measures, although this may require design restrictions that limit the network’s performance. The NCSC assesses the risk of malicious functionality (“backdoors”) being inserted into equipment as manageable, through avoiding excessive dependence on high-risk vendors.

These judgments are disputed by the Australian cybersecurity official whose assessments reportedly catalyzed the U.S.-led campaign against Huawei’s presence in 5G infrastructure. In this analysis, to reach their full potential 5G networks will need to distribute sensitive data and functions throughout the network dynamically, in ways impossible to thoroughly supervise. Complete exclusion of untrusted vendors is therefore justified, as they could give hostile actors access to potentially any element of the network or data being transmitted across it. This is a zero-risk approach to the potential for Huawei to facilitate Chinese espionage, which treats the security of telecommunications infrastructure as “priceless” and China’s political system as the decisive factor in decision-making.

This position, advocated by the U.S. government, has apparently been rejected in both London and Brussels. The day after the U.K.’s decision, the European Commission published its “toolbox” of risk mitigation measures to guide EU member-states’ 5G deployments. Produced under a mandate to coordinate a common European approach toward 5G, this draws on individual risk assessments by member-states and was reportedly inspired by the U.K.’s mitigation approach. The EU framework similarly recognizes that a vendor’s relationship with foreign governments can affect its risk profile.

Both the U.K. and EU frameworks thus apply political, not just technical, criteria to determine the extent to which a company should be allowed involvement in 5G networks. But they do not exclude any company outright, instead offering solutions to manage risk imposed by the politics of a vendor’s home jurisdiction. The U.K. under its framework has defined Huawei as a “high-risk vendor,” taking into account China’s legal system and the history of cyberattacks by the Chinese state. High-risk vendors are restricted to the network’s “edge,” and even that presence is capped at 35 percent.

The EU toolbox does not list specific measures or refer expressly to Huawei, as individual member-states will decide how to implement its recommendations. But like the U.K. framework, it directs that vendors assessed as high-risk based on factors including country-specific threat assessments be subject to “necessary exclusions [from] key assets defined as critical or sensitive.” Given that this approach was developed by representatives of all member-states alongside those of the Commission and the EU cybersecurity agency ENISA, it can be taken to reflect general agreement – despite the controversy over Huawei in the domestic politics of some member-states – that security of telecommunications is not “priceless,” but must be balanced against other priorities.

Those priorities are clear, and they concern less short-term greed than long-term economic security and strategic positioning. The U.K.’s statement about its decision and quotes from U.K. officials show the importance placed on protecting the U.K.’s future economic competitiveness through rapid roll-out of 5G, and the consequent imperative to avoid potential delays and costs from banning Huawei.

The EU’s goal is more ambitious: achieving “technological sovereignty” through fostering firms and industries that capture value from the vast data flows generated within the EU. Making the EU “the most dynamic data-agile economy in the world” and establishing “European leadership in network technologies” requires world-leading 5G infrastructure and wresting dominance from foreign digital technology firms, whether Chinese or American. In this context the United States is expressly viewed as a “competitor,” explaining European decision-makers’ reluctance to delay their 5G roll-outs at Washington’s behest at a time when the United States is increasingly using its economic power to coerce allies against their interests.

Decision-makers in London and around Europe seem to have concluded that the risks of the Chinese state exploiting their interdependence with Huawei, when weighed against the potential gains from rapid progression to 5G-enabled economies by using Huawei equipment, can be managed through judicious controls. Both the EU and the U.K. aim to avoid dependence on high-risk vendors, and to promote market diversity in vendors and technical solutions as a long-term risk mitigation strategy.

These judgments will be reinforced if the United States fails to deliver on warnings of consequences for governments that take divergent approaches to Chinese companies. In mid-January, the EU Trade Commissioner advocated calling Washington’s bluff that intelligence-sharing with allies would be jeopardized by Huawei’s presence in their 5G networks. This confidence seemed to be vindicated after the U.K.’s decision, with U.S. Secretary of State Mike Pompeo saying that the Five Eyes partnership would remain strong and that the U.K. remained at the front of the line for a new free trade agreement.

Pompeo nonetheless doubled down in describing the Chinese Communist Party (CCP) as “the central threat of our times.” This highlights the core argument for excluding Huawei: that the CCP’s malevolence, stemming from its political nature, justifies sacrificing the benefits of connections with Chinese actors against the chance of the CCP exploiting them for malicious purposes. This logic appears to be driving U.S. efforts to “decouple” from China across a swathe of activities, at significant cost to U.S. firms and the U.S. economy, and in the face of conflicting views within the U.S. government.

But it has largely failed to persuade governments in Europe and elsewhere, most of whom seem to view the Huawei issue as one of risk management within larger strategies for preserving strategic autonomy, not of fundamental conflict with China over political values. The policies developed by the EU and U.K. on 5G reflect how much of the world is dealing with expanding Chinese influence: by treating the CCP’s political nature as a relevant, but not decisive, factor.

The stress this puts on relations with a United States that seems increasingly committed to a Manichean struggle with China will be a defining international dynamic over the coming decade. The 5G controversies point to how states will grapple with new approaches to deal with challenges posed by China’s rise, and that of an interconnected digital world in which China’s influence will likely rival that of the United States. For many, the evolving paradigm seems to be one that accepts a level of calibrated mutual vulnerability with China, involving managed interdependence rather than implacable opposition.
