RUSI Commentary, 7 December, 2018
The surprising announcement that Meng Wanzhou, deputy chair of Huawei’s board and daughter of company founder Ren Zhengfei, was detained in Canada on an extradition request from the US over allegations that the Chinese telecommunications giant may have exported US–licenced technology to Iran in contravention of US sanctions has come at a tumultuous time for the company. Earlier in the week, British Telecom stated that it intends to strip out Huawei components from the core of its 4G network. And this comes on the heels of a speech by Alex Younger, Chief of the Secret Intelligence Service, who warned against the use of the Chinese telecommunications firm in the development of Britain’s 5G network. Given the ongoing review being undertaken by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) seeking to ensure that Britain’s ‘critical national infrastructure remains resilient and secure’, it is clear that there has been a significant shift in both global and UK stances towards the company.
The perception that Huawei might be too close to the Chinese government – and its military signals department – has been there from the very beginnings of the company. It is partly a legacy, perhaps, of founder Ren Zhengfei’s prior career as a military technologist in the PLA’s Information Technology research unit. According to Philippe Le Corre, an expert based at the Harvard Kennedy School, Chinese state banks have been extremely generous to the company as it expanded its operations across key sectors of the European telecommunications market.
However, Huawei is perhaps also the victim of the past reputational damage caused by the first wave of Chinese companies and their international behaviour. Concerns about how private Chinese companies moved hand-in-hand with the Chinese state first arose in the late 1990s, when a US Congressional study – the so-called Cox Report – revealed how the Chinese state used family ties, social connections and party membership to get Chinese corporations to carry out industrial espionage across the US defence and information technology sectors. Unlike the Soviet model, which gave primacy to the official intelligence organs, the Chinese model preferred a widely dispersed approach, using front companies, non-intelligence agencies and individuals, educational research exchanges, and friendly Chinese companies.
It is only a small leap for those same companies to be pressed from carrying out industrial espionage to transferring data – especially when their business model is handling data. Indeed, Huawei was accused of hacking the African Union (AU) IT system it helped build – including computing, data storage, and WiFi. Servers were transferring data from inside the AU’s Addis Ababa headquarters to servers in Shanghai every night between 12 midnight and 2am. The fact that such practice has been codified in Chinese law, whereby Chinese companies are obliged to assist the nation’s intelligence agencies, puts paid to the idea that Huawei could resist pressure from Beijing.
This very concern was uppermost in the mind of Malcolm Rifkind when he oversaw the publication of an Intelligence and Security Committee report in 2013, Foreign Involvement in the Critical National Infrastructure: The Implications for National Security. This report and one published the year before by the US Congress Permanent Select Committee on Intelligence identified a number of systemic risks in allowing Huawei or ZTE – another Chinese telecommunications giant – to insert technology into the national network. First, it would allow the entity to modify or steal data from the government, private citizens, and corporations. While one might argue that China could simply hack those entities, the 2013 report quotes the Joint Intelligence Committee’s argument that network access ‘would be very difficult to detect or prevent and could enable the Chinese to intercept covertly or disrupt traffic’. Second, insertion of backdoor code or malicious hardware could allow an entity to shut down or degrade critical national security systems in a time of crisis or war. When one thinks of the importance of data on the UK financial network, one realises what a capable weapon this network access would be. Nor would this be a one-time risk, when 5G infrastructure is being laid down. Huawei also offers a service known as systems maintenance. This provides technicians with authorised access in the form of software updates and patches to glitches. Such access offers additional avenues for inserting malicious code.
Until this year, the British answer to such concerns was the creation of a Huawei Cyber Security Evaluation Centre (CSEC) at Banbury, which was staffed by employees and technicians from GCHQ who checked over all code and hardware used by Huawei in the United Kingdom. This has sought to mitigate risk and identify threat somewhat successfully for over eight years – until this past summer. This July, just prior to the announcement of the DCMS/NCSC review, the evaluation centre at Banbury issued a report which found that ‘shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management’. Whether this means that Huawei will be banned from developing 5G in the UK – as it has in the US, India, Australia and New Zealand – is unclear. It might well be that the UK mitigation model can adjust to the more severe levels of scrutiny required by 5G code. If we were to read into Younger’s speech this week, it would appear that the intelligence agencies have – for the moment, anyway – come to their own conclusions about the future viability of the CSEC system.
While there are no easy answers to the debate over Huawei, it is important to note that in asking for Meng Wanzhou’s detention and extradition, the US is sending its allies a strong signal about doing business with the company. Whether or not those reasons are fully substantiated remains to be proven. However, the conclusions of the 2013 Intelligence and Security Committee report are worth bearing in mind: ‘The Government’s duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences’. While the chances might be low, the consequences of malicious infiltration by the Chinese state into our network would be disastrous.