Does Huawei, the Chinese technology giant, pose a security threat? As a new UK government wrestles with the 5G telecoms question, and the challenge of staying friends with both the US and China, it is worth looking at a Chinese defence white paper released in July. In it, the party state lays out its view on the evolving shape of warfare in the 21st century. Technology plays a key role.
“Cutting-edge technologies such as artificial intelligence, quantum information, big data, cloud computing and the ‘internet of things’ [are] gathering pace in the military field,” it says. “War is evolving in form towards informationised warfare.” The paper pledges to “develop cybersecurity and defense means” consistent with the status of “a major cyber country.”
Like the security services of any important power, the Chinese military has invested heavily in both offensive and defensive cyberwarfare capabilities, and Chinese hackers have been among the most active on the planet. The list of major breaches listed by the Center for Strategic and International Studies reveals a wide range of targets, from technology companies in the US, the UK, Norway and Canada to the EU’s information system, in search of access to sensitive diplomatic cables, and military targets including the US Navy and Japanese security services. The list is long, and should not come as a surprise.
The UK originally acquired Huawei technology through inattention, when Tony Blair ordered the modernisation of BT’s network. The post-installation monitoring that UK security services have conducted ever since, as the company points out, has not discovered any backdoors. But the most recent report pointed to weaknesses in the integrity of Huawei’s code that created potential vulnerabilities. Just by setting up the monitoring, the UK government acknowledged that Huawei equipment, manufactured by a company ultimately answerable to the Chinese Communist Party, was an obvious security risk.
If that was true with 3 and 4G, it is infinitely more so with 5G. 5G telecoms networks will support a huge number of connected devices and enable a massive increase of bandwidth. These characteristics make the network transformative, but also create a hugely expanded threat landscape. In technology there is no longer a clear boundary between civilian and military use. After all, why launch a missile if you can shut down a nation’s energy network?
Huawei argues that it has no connection with China’s security services. It would be astonishing if true, but intelligence analysts do not judge the company’s account either of its structure or its military ties credible. Besides, Chinese law obliges every citizen and entity to cooperate when required. 5G technology will be essential to Chinese control of information flows and the functioning of critical national infrastructure, including defence.
That leaves the question, if China wished, under some future threat scenario, to exploit access to the UK’s critical infrastructure with ill intent, would the presence of Huawei equipment in the network help? One answer comes from an earlier age: the UK succeeded in turning off some of Saddam Hussein’s key command and control systems because a British company had installed them. To date New Zealand, Australia, Japan and the US have banned Huawei from 5G. Other countries are undecided or have upgraded their security.
Huawei argues that it would be bad for business to co-operate with Chinese security against the interests of its clients. But the job of a security analyst is not so much to look at what is, but to ask, “what if?” In this case there are three “what ifs?” that the company’s assurances fail to address. What if malign intrusions went undetected, highly possible given the scale of 5G? What if a country that had installed a Huawei 5G network later discovered there were vulnerabilities? It is unlikely to be in a position to rip it out and start again. And what if Huawei’s survival depended on collaboration with the Chinese state? Given what we know about China’s long track record of hacking, IP theft and espionage, crossing our fingers is not a smart security policy.
This piece features in Prospect’s new cyber resilience supplement