Why Britain's Spooks Are Wrong to Downplay the Risks of Huawei

Published 15 January 2020

The U.K. wants Huawei’s 5G technology because of what John Hemmings, writing in The Telegraph, correctly describes as the company’s “laughably cheap prices” (Huawei’s prices are cheap because the company is heavily subsidized by the Chinese government). Hemmings writes that it is this desire for inexpensive technology which leads British decisionmakers – among them Sir Andrew Parker, the outgoing director of MI5, Britain’s spy agency – to ignore the geopolitical context of an increasingly authoritarian China, which is funding Huawei’s expansion across Europe, and also to ignore the reason behind China’s promotion of Huawei: the fact that China is the leading source of global cyber espionage.

The importance of Huawei as the eyes and ears of China’s sprawling intelligence establishment is evidenced by the fact that China uses not only the carrots of the company’s inexpensive technology, but sticks as well: China has recently threatened economic retaliation against Germany and Denmark if they exclude Huawei from their 5G networks. The Chinese ambassador to the U.K. threatened the government of Boris Johnson that unless the U.K. allowed Huawei technology to be installed in the U.K. telecom infrastructure, China would reconsider investments in the U.K.

Hemmings writes that to understand how decisionmakers in some European countries are deluding themselves that installing Huawei technology would not undermine their countries’ national security, we need to look at how telecom networks are built.

According to the U.K. National Cyber Security Center (NCSC), the telecoms network is structured around three functional components, or layers: the transport layer, which comprises the physical nodes which transport data; the routing layer, which works out the best transport route for the data to use; and the edge, which is where consumers interact with the data being transmitted.

Hemmings writes:

Huawei, they tell us, will be kept out of the core, which is a functional name for all the bits that decide who you are, where your data needs to go, and so on. That means they’ll be restricted to antennas, routers, switches, and products at the consumer end such as WiFi boxes, and away from the intelligent bits that have more access to the data.

But this argument – recently made, for example, by Sir Andrew Parker – ignores the nature of 5G networks:

5G will be a virtual network, in which components of the network are “white-boxed”, meaning that network administrators can upload patches for fixes and updates remotely. Think of 5G as something akin to your phone. When an app on your phone is updated, that is because someone in Silicon Valley pushed a button, sending updated code – a patch – to all phones with that app.

This feature is what makes 5G so attractive to network administrators – site visits become increasingly unnecessary as more repairs to the network infrastructure can be done remotely.

It also gives network administrators the ability to move functionality – including the intelligent bits – around the network to fit requirements.

But it is this flexibility that makes the trustworthiness of telecoms vendors so important when it comes to 5G. In a virtual network, an untrustworthy vendor can send the good as well as the bad.

In order to stop such malware, the NCSC would have to watch hundreds of thousands of antennae and components across an entire national network. As with terrorism, we’d have to be lucky every time, but a cyber hacker would have to be lucky only once.

In a report issued in July 2018 by the Huawei Cyber Security Evaluation Center (HCSEC) – the NCSC created the HCSEC, which is paid for by Huawei, to pre-check for backdoors and vulnerabilities in Huawei code – the HCSEC wrote that it “continued to identify concerning issues in Huawei’s approach to software development, bringing significantly increased risk to UK operators, which requires ongoing management and mitigation.”

The HCSEC said that it can only give “limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the U.K.”

Hemmings notes that a recent report by cybersecurity firm Finite State sought to replicate HCSEC’s review of Huawei source code, but that instead of using code provided by Huawei, Finite State used code found in Huawei products already on the market. “Alarmingly, not only did [Finite State] find significantly more vulnerabilities than other brands, it found efforts to disguise those vulnerabilities,” Hemmings writes.