Jeremy Swinfen Green, teiss Editor-in-Chief, explains why the UK Government was right to push back on politicians who want to exclude Huawei from 5G roll out
Last night, Boris Johnson’s government won a victory against Conservative Party rebels who wanted to stop his plans to include the Chinese company Huawei in the roll-out of 5G across the UK.
Those plans are of course controversial. Many people distrust Huawei simply because it is Chinese-owned and its founder Ren Zhengfei is a member of the Chinese Communist Party. “They are going to steal our data”, people cry, “or worse, switch off all the lights!”
Is this a realistic fear? I think not. And in an interview yesterday on Russia Today, I tried to explain why.
Of course 5G does bring new and different security risks. The nature of the technology, with some parts being “virtualised”, means there is more software involved than with 3G and 4G, and that expands the threat, or at least changes its nature.
In addition, the network architecture that 5G brings, with more technology “at the edge” instead of tucked away in secure data centres, further erodes the ability of organisations to create secure perimeters for their IT systems. This means that cyber security professionals will need to rethink some of the ways they approach security.
And Huawei (like Ericsson and Nokia, who are also heavily involved in 5G) is owned and headquartered outside the UK.
Keeping 5G secure
The National Cyber Security Centre (NCSC) has recognised this. They have assessed the risks posed by Huawei in particular and proposed mitigations. (Their logic is explained in a very easy to read blog post by Ian Levy.)
Put simply, they propose that:
- Huawei is limited to providing no more than about a third of the 5G equipment the UK will need: that way it cannot get market dominance.
- Huawei’s installations are limited geographically, so that for instance they can’t be placed near sensitive military installations.
- Huawei is limited to the provision of non-core systems: Huawei technology won’t be used for sensitive functions like access management or data processing and instead they will be limited to the periphery of the 5G network where they will build things like masts and antennas.
The government feels that these really quite tight restrictions should manage any additional risks that Huawei poses over other lower risk suppliers.
And so they should. What is important at this stage (if you accept that there are risks with any supplier) is to consider the advantages that Huawei brings. They are a lot easier to explain.
Benefiting from Huawei
Without Huawei, the roll out of 5G in the UK would be seriously delayed. And 5G is essential for our international competitiveness. Unfortunately there are simply no other suppliers that can do some of the things that Huawei can do. That’s hardly Huawei’s fault however.
And, apart from capability, they bring three other things to the 5G programme:
- Innovation: Huawei are a highly innovative company who build great technology (I love their phones!) and really understand their consumers
- Competition: with Huawei on board, there is more competition in the programme and this should drive prices down as well as increasing quality
- Resilience: another large company in the mix means that if things go wrong for one supplier there are others who can step in: this added resilience in fact reduces risk
Huawei have been working in the UK since 2003. That’s plenty of time for security specialists, like the NCSC, to get to know them and understand how they work.
A threat to the whole 5G network?
But it’s one thing feeling confident that the government is proposing careful risk management. Things could still go wrong, people argue. Huawei could still “switch the lights off”.
And it’s right to worry. Could Huawei, instructed by the Chinese Government, stop our 5G network from operating simply by switching it off?
“Probably not” is the answer. Remember, Huawei won’t be operating the network. They will simply have built some of the infrastructure. They won’t have access to the “off switch”.
Unless of course they have built “back doors” into their systems that enable them to do so remotely. Is this likely? Well, obviously it’s a possibility that people are aware of and one that will be monitored closely.
In fact Huawei’s systems are monitored at the Huawei Cyber Security Evaluation Centre (HCSEC). This is a partnership between the mobile giant and the UK authorities that aims to ensure that UK infrastructure isn’t compromised by the involvement of the Chinese firm.
One thing that has come out of the HCSEC is that Huawei’s coding practices are lower quality than they might be and need improvement. Perhaps that is the real reason that Huawei is a risk, not its Chinese parentage. But whether or not that analysis of the risk is true, it might also indicate that Huawei isn’t capable of building back doors that could remain hidden.
(Unless of course they are incredibly sneaky and are just pretending to be sloppy coders…)
It’s all about privacy, isn’t it?
There is also a genuine fear that, through Huawei, the Chinese Government will be spying on UK citizens. And with personal data passing through software and hardware Huawei have built, it’s possible they could be listening in.
So, let’s ignore the professionalism of GCHQ and the NCSC at preventing this, and disregard the fact that China is proposing some very strong privacy laws that will rival GDPR. We are then left with the possibility that someone in the Chinese Government will force someone at Huawei to tell them about what I am doing on my mobile phone.
Creepy? Certainly. Likely? I think they have better things to do.
Of course they are probably not interested in me. But they might be interested in my company, especially if I am manufacturing nuclear widgets. And yes there is a risk there. But it is a risk that exists already.
Industrial espionage isn’t a new concept. It happens, and it’s not just the Chinese doing it. The threat to confidential company data isn’t the entry of Huawei into the British telecoms market (after all they have been with us for 17 years). It’s lax information security.
And that’s a risk we should all be concerned about.