5G Choices: A Pivotal Moment in World Affairs

We asked ourselves, if we had the powers akin to the 2017 Chinese Intelligence Law to direct a company which supplies 5G equipment to telco networks, what could we do with that and could anyone stop us?

We concluded that we could be awesome, no one would know and, if they did, we could plausibly deny our activities, safe in the knowledge that it would be too late to reverse billions of dollars’ worth of investment. And, ironically, our targets would be paying to build a platform for our own signals intelligence and offensive cyber operations.

Legally compelled access to 5G vendors is game-changing for Chinese intelligence agencies because hacking is an increasingly tough business. The cybersecurity industry has lifted its game mightily over the past decade, and—certainly at the high end—the advantage is currently with the defender.

The hardest part of hacking is the access problem. How can you get into the network? For that you typically need to find vulnerabilities in the way software operates, which can be weaponized into an exploit. Exploitable vulnerabilities are hard to find. Often they are specific to a piece of equipment or a particular network. Often you need to string a chain of exploits together. And if they are super great, the chances are Five Eyes agencies will need to disclose them, as the US National Security Agency did recently when it found a Windows 10 security flaw.

As a citizen, I’m glad that hacking is difficult and that Five Eyes agencies think it more important to protect their own national networks than to pursue those of their adversaries.

But Chinese intelligence agencies have a mortgage on Jack’s proverbial beanstalk—scaled and persistent access to hundreds of foreign telco networks via legally compelled Chinese suppliers of competitively priced, high-quality technology to these telcos.

Cybersecurity is all about raising the costs for the attacker. Network access through vendors—which need to be all over 5G networks to maintain their equipment—effectively reduces the access cost to zero.

Much of the 5G debate has been about whether the core of the network—where sensitive data and functions reside in a 4G format—can be protected in a 5G setting. Telcos currently protect the core of their 4G networks by maintaining a physical and logical separation between the core and the less secure, customer-facing edge of the network.

But with 5G, all network functionality is virtualized and takes place within a single cloud environment. That means there is no physical or logical separation between the core and edge of the network.

A recent Financial Times editorial approvingly cites testimony to U.K. parliamentary hearings last year that ‘the distinction [between core and edge] would still be valid in Britain, however; geographical differences meant its networks would be designed differently from Australia’s’.

I struggle to understand what this means. It reminds me of the vague, faux authoritative language techies use to talk down to civilians with humanities degrees. If it means the relative size of the United Kingdom allows its telcos to avoid distributing sensitive data and functions right to the edge of the network, I’m still not convinced.

Geography is not a factor in how core–edge works. The reality is mature 5G networks actually require the collapse of the core–edge distinction. 5G can only reach its potential for speed and low latency if sensitive functions can happen at the edge of the network close to the customer. And 5G can only realize its cost-saving potential if any function can occur at the most efficient place in the network, wherever that is. In mature 5G networks, sensitive data and functions will be distributed throughout the network in a dynamic way which will be impossible to govern with certainty.

Sure, many telcos (including in Australia) are already operating networks branded as ‘5G’, on the basis that they deploy new, more efficient 5G radios at the edge of the network. But the hyperconnected, transformational 5G future marketed by the telcos can only be realized if there is no distinction between core and edge.

Telcos could limit their 5G offerings to smart radios at the edge, but that would be like a layer cake with one layer. Who would buy that?

In one sense, we should only be moderately concerned about the exposure of sensitive data which in a 5G world would no longer be protected in the network core. Even if an adversary had access to this data, implementation of strong encryption can theoretically protect its confidentiality (are my communications private?) and integrity (have my communications been altered?). This is not foolproof—adversary supercomputers would have direct access to all the ones and the zeros and exploitation of poor implementation of encryption is not uncommon in the signals intelligence game.

But we should be more concerned about the availability of our data and networks (can I continue to communicate?). Availability, after all, can be controlled by whoever has access to the radio network at the edge. This is a risk we face in 4G networks today.

The other argument reportedly put to the U.K. parliamentary committee was that a ‘diverse supply chain generally makes networks more resilient to technical and security problems’. The obvious question is, which parts of your network are you prepared to put at higher sovereign risk? And, if Huawei is limited to only 35 percent of the network, isn’t that an admission that there’s a risk which might not be able to be fully mitigated through cybersecurity controls?

While geography is immaterial in core–edge architectures, it is relevant to another Huawei argument. The company claims Australian farmers are missing out on the revolutionary benefits their Swiss counterparts are reaping from 5G.

But you don’t need to be William Farrer to work out that (a) 5G communications in cyberspace rely on a very expensive physical network of closely spaced antennae, and (b) Australia is about 188 times the size of Switzerland (our summer bushfires have so far burned an area equivalent to almost five Switzerlands).

That’s a lot of yodeling.

At the heart of Huawei’s proposition is the claim that it is cheaper than its competitors. An Oxford Economics report commissioned by Huawei last year claims that excluding the company from bidding for our 5G networks will cost Australia up to $12 billion in GDP out to 2035.

Leaving aside the obvious point that digital sovereignty and the integrity of critical infrastructure are priceless, I have not seen any independent analysis of the impact of excluding Chinese vendors from 5G. Beyond the market effects of restricting competition, any serious analysis would also need to consider the following factors:

·  whole-of-life costs versus up-front sticker costs

·  the risk that prices will rise once competitors are driven out of business

·  the cost of a serious suite of mitigations any responsible government would need to put in place to manage the security risks of using a high-risk vendor (even mitigations which cannot provide full confidence are expensive and create network inefficiencies)

·  the risk of ongoing US measures against Huawei to the operation of networks using its equipment.

The tools and language of traditional cybersecurity are ill-equipped to describe and manage a world in which the Chinese state entwines China’s tech giants. Old-style cybersecurity evolved to deal with threats from outside the network. The ecosystem itself was trusted, and cybersecurity’s job was limited to protecting that ecosystem from external bad actors. But none of this works if the threat is inside your network. In this new world, no number of impressive-sounding mitigation measures or cybersecurity standards can provide confidence that your networks are fully protected.

When you are one update away from being owned, a code review cannot provide any confidence that the code you checked reflects the code in your network. Even with expensive oversight by cleared personnel, it would be hard to spot malware developed by a top-notch intelligence agency, especially when the network is down and your customers are screaming.

By its own admission, the U.K. Huawei Cyber Security Evaluation Centre is not working as advertised. In its most recent report last year, the centre’s oversight board found that HCSEC ‘has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to U.K. operators …; [n]o material progress has been made on the issues raised in the previous 2018 report; [and] the Oversight Board can only provide limited assurance that all risks to U.K. national security from Huawei’s involvement in the U.K.’s critical networks can be sufficiently mitigated long-term’.

And yet this is the model that the U.K. government touts to the world as providing confidence that the risks of Huawei’s 5G products can be managed.

While technology is the setting for this sliding-door moment, the fundamental issue is one of trust between nations in cyberspace. And over the past decade, the Chinese Communist Party has destroyed that trust through its scaled and indiscriminate hacking of foreign networks and its determination to direct and control Chinese tech companies.

China wants it both ways—to be treated by the same rules as other countries but to break those rules when it suits.

Although I remain skeptical about some of Huawei’s marketing claims, my concerns are not about the company or the quality of its products. They relate to the legal and political power of the Chinese state to compel the company to do its bidding. It’s simply not reasonable to expect that Huawei would refuse a direction from the Chinese Communist Party, especially one backed by law.

When I look at the risk to 5G networks as an intelligence professional would, it’s all about capability, opportunity and intent. The ability to compel Chinese vendors of 5G equipment is a strategic capability for China’s intelligence services. Huawei’s competitive offerings in a revolutionary technology like 5G are an unsurpassable opportunity. And, as I mentioned, China has demonstrated ample malign intent in cyberspace.

So, if your telcos have a 5G operation and maintenance contract with a company beholden to the intelligence agencies of a foreign state, and that state does not share your interests, you need to consider the risk that you are paying a fox to babysit your chickens.

Simeon Gilding is a senior fellow at the Australian Strategic Policy Institute (ASPI) and, until December 2019, was the head of the Australian Signals Directorate’s (ASD) signals intelligence and offensive cyber missions.This article , first posted to The Strategist, the commentary and analysis site of ASPI, is published courtesy of ASPI.