Originally published 20 January 2020.
It is disappointing that the Brits are doing the wrong thing on 5G, having not exhausted other possibilities. Instead they have doubled down on a flawed and outdated cybersecurity model to convince themselves that they can manage the risk that Chinese intelligence services could use Huawei’s access to UK telco networks to insert bad code.
5G decisions reflect one of those quietly pivotal moments that crystallise a change in world affairs.
This is partly because the technology itself promises to be revolutionary, connecting not just humans but every device with a chip in it with super-fast, high-bandwidth and low-latency communications. That means if you have the keys to 5G networks, you will be trusted with the nervous system running down the backbone of every country which uses your gear and contracts you to service it. That includes critical infrastructure and safety-critical systems on which the lives and livelihoods of our citizens depend—traffic, power, water, food supply and hospitals. You get to be ‘The Borg’.
But 5G is also a touchstone for the coming age because it is the first in a line of revolutionary and highly intrusive emerging technologies in which China has invested heavily. Through means fair and foul, China has built world-leading companies with high-quality, competitive offerings for everything from video surveillance and industrial control systems to artificial intelligence and internet services via hyperscalers such as Tencent and Alibaba. So any decision to exclude Chinese companies from 5G is a threat to China’s economic and strategic positioning.
Having been caught off guard by BT’s decision to use Huawei equipment in the core of its network, in 2010 the UK government set up a Huawei-funded cybersecurity transparency centre ‘to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure’ by evaluating Huawei products used in the UK telecommunications market.
Australia has taken a different approach and reached a different conclusion. I was part of the team in the Australian Signals Directorate that tried to design a suite of cybersecurity controls that would give the government confidence that hostile intelligence services could not leverage their national vendors to gain access to our 5G networks.
We developed pages of cybersecurity mitigation measures to see if it was possible to prevent a sophisticated state actor from accessing our networks through a vendor. But we failed.
We asked ourselves, if we had the powers akin to the 2017 Chinese Intelligence Law to direct a company which supplies 5G equipment to telco networks, what could we do with that and could anyone stop us?
We concluded that we could be awesome, no one would know and, if they did, we could plausibly deny our activities, safe in the knowledge that it would be too late to reverse billions of dollars’ worth of investment. And, ironically, our targets would be paying to build a platform for our own signals intelligence and offensive cyber operations.
Legally compelled access to 5G vendors is game-changing for Chinese intelligence agencies because hacking is an increasingly tough business. The cybersecurity industry has lifted its game mightily over the past decade, and—certainly at the high end—the advantage is currently with the defender.
The hardest part of hacking is the access problem. How can you get into the network? For that you typically need to find vulnerabilities in the way software operates, which can be weaponised into an exploit. Exploitable vulnerabilities are hard to find. Often they are specific to a piece of equipment or a particular network. Often you need to string a chain of exploits together. And if they are super great, the chances are Five Eyes agencies will need to disclose them, as the US National Security Agency did recently when it found a Windows 10 security flaw.
As a citizen, I’m glad that hacking is difficult and that Five Eyes agencies think it more important to protect their own national networks than to pursue those of their adversaries.
But Chinese intelligence agencies have a mortgage on Jack’s proverbial beanstalk—scaled and persistent access to hundreds of foreign telco networks via legally compelled Chinese suppliers of competitively priced, high-quality technology to these telcos.
Cybersecurity is all about raising the costs for the attacker. Network access through vendors—which need to be all over 5G networks to maintain their equipment—effectively reduces the access cost to zero.
Much of the 5G debate has been about whether the core of the network—where sensitive data and functions reside in a 4G format—can be protected in a 5G setting. Telcos currently protect the core of their 4G networks by maintaining a physical and logical separation between the core and the less secure, customer-facing edge of the network.
But with 5G, all network functionality is virtualised and takes place within a single cloud environment. That means there is no physical or logical separation between the core and edge of the network.
A recent Financial Times editorial approvingly cites testimony to UK parliamentary hearings last year that ‘the distinction [between core and edge] would still be valid in Britain, however; geographical differences meant its networks would be designed differently from Australia’s’.
I struggle to understand what this means. It reminds me of the vague, faux authoritative language techies use to talk down to civilians with humanities degrees. If it means the relative size of the United Kingdom allows its telcos to avoid distributing sensitive data and functions right to the edge of the network, I’m still not convinced.
Geography is not a factor in how core–edge works. The reality is mature 5G networks actually require the collapse of the core–edge distinction. 5G can only reach its potential for speed and low latency if sensitive functions can happen at the edge of the network close to the customer. And 5G can only realise its cost-saving potential if any function can occur at the most efficient place in the network, wherever that is. In mature 5G networks, sensitive data and functions will be distributed throughout the network in a dynamic way which will be impossible to govern with certainty.
Sure, many telcos (including in Australia) are already operating networks branded as ‘5G’, on the basis that they deploy new, more efficient 5G radios at the edge of the network. But the hyperconnected, transformational 5G future marketed by the telcos can only be realised if there is no distinction between core and edge.
Telcos could limit their 5G offerings to smart radios at the edge, but that would be like a layer cake with one layer. Who would buy that?
In one sense, we should only be moderately concerned about the exposure of sensitive data which in a 5G world would no longer be protected in the network core. Even if an adversary had access to this data, implementation of strong encryption can theoretically protect its confidentiality (are my communications private?) and integrity (have my communications been altered?). This is not foolproof—adversary supercomputers would have direct access to all the ones and the zeros and exploitation of poor implementation of encryption is not uncommon in the signals intelligence game.
But we should be more concerned about the availability of our data and networks (can I continue to communicate?). Availability, after all, can be controlled by whoever has access to the radio network at the edge. This is a risk we face in 4G networks today.
The other argument reportedly put to the UK parliamentary committee was that a ‘diverse supply chain generally makes networks more resilient to technical and security problems’. The obvious question is, which parts of your network are you prepared to put at higher sovereign risk? And, if Huawei is limited to only 35% of the network, isn’t that an admission that there’s a risk which might not be able to be fully mitigated through cybersecurity controls?
While geography is immaterial in core–edge architectures, it is relevant to another Huawei argument. The company claims Australian farmers are missing out on the revolutionary benefits their Swiss counterparts are reaping from 5G.
But you don’t need to be William Farrer to work out that (a) 5G communications in cyberspace rely on a very expensive physical network of closely spaced antennae, and (b) Australia is about 188 times the size of Switzerland (our summer bushfires have so far burned an area equivalent to almost five Switzerlands).
That’s a lot of yodelling.
At the heart of Huawei’s proposition is the claim that it is cheaper than its competitors. An Oxford Economics report commissioned by Huawei last year claims that excluding the company from bidding for our 5G networks will cost Australia up to $12 billion in GDP out to 2035.
Leaving aside the obvious point that digital sovereignty and the integrity of critical infrastructure are priceless, I have not seen any independent analysis of the impact of excluding Chinese vendors from 5G. Beyond the market effects of restricting competition, any serious analysis would also need to consider the following factors:
- whole-of-life costs versus up-front sticker costs
- the risk that prices will rise once competitors are driven out of business
- the cost of a serious suite of mitigations any responsible government would need to put in place to manage the security risks of using a high-risk vendor (even mitigations which cannot provide full confidence are expensive and create network inefficiencies)
- the risk of ongoing US measures against Huawei to the operation of networks using its equipment.
The tools and language of traditional cybersecurity are ill-equipped to describe and manage a world in which the Chinese state entwines China’s tech giants. Old-style cybersecurity evolved to deal with threats from outside the network. The ecosystem itself was trusted, and cybersecurity’s job was limited to protecting that ecosystem from external bad actors. But none of this works if the threat is inside your network. In this new world, no number of impressive-sounding mitigation measures or cybersecurity standards can provide confidence that your networks are fully protected.
When you are one update away from being owned, a code review cannot provide any confidence that the code you checked reflects the code in your network. Even with expensive oversight by cleared personnel, it would be hard to spot malware developed by a top-notch intelligence agency, especially when the network is down and your customers are screaming.
By its own admission, the UK Huawei Cyber Security Evaluation Centre is not working as advertised. In its most recent report last year, the centre’s oversight board found that HCSEC ‘has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators …; [n]o material progress has been made on the issues raised in the previous 2018 report; [and] the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term’.
And yet this is the model that the UK government touts to the world as providing confidence that the risks of Huawei’s 5G products can be managed.
While technology is the setting for this sliding-door moment, the fundamental issue is one of trust between nations in cyberspace. And over the past decade, the Chinese Communist Party has destroyed that trust through its scaled and indiscriminate hacking of foreign networks and its determination to direct and control Chinese tech companies.
China wants it both ways—to be treated by the same rules as other countries but to break those rules when it suits.
Although I remain sceptical about some of Huawei’s marketing claims, my concerns are not about the company or the quality of its products. They relate to the legal and political power of the Chinese state to compel the company to do its bidding. It’s simply not reasonable to expect that Huawei would refuse a direction from the Chinese Communist Party, especially one backed by law.
When I look at the risk to 5G networks as an intelligence professional would, it’s all about capability, opportunity and intent. The ability to compel Chinese vendors of 5G equipment is a strategic capability for China’s intelligence services. Huawei’s competitive offerings in a revolutionary technology like 5G are an unsurpassable opportunity. And, as I mentioned, China has demonstrated ample malign intent in cyberspace.
So, if your telcos have a 5G operation and maintenance contract with a company beholden to the intelligence agencies of a foreign state, and that state does not share your interests, you need to consider the risk that you are paying a fox to babysit your chickens.