Australia and the great Huawei debate: risks, transparency and trust
11 Sep 2019|

US President Donald Trump’s muddled messaging on Chinese tech giant Huawei has had us all confused this year. The tweets, mixed signals and excessive focus on trading away policy positions for a ‘deal’ don’t always paint a picture of an administration with a long-term strategy for national security and technology.

The Australian government, while it certainly can’t always be held up as a strategic public communicator, does have clear messaging on its side when it comes to 5G. In August 2018, the Australian government banned ‘high-risk vendors’—including Huawei—from involvement in the country’s 5G networks. The government’s decision on Huawei was a too-rare example of policy contestability. It was fostered by a strong and in-depth public debate and involved input from multiple departments and agencies that spanned economic, technical, geopolitical and—importantly for Australia given its geographic location—strategic considerations.

Huawei is now unable to participate in Australia’s 5G build. Before that, in 2012, the company was banned from participating in Australia’s national broadband network. But beyond those pieces of critical national infrastructure, the company has free rein and continues to do plenty of business in Australia.

So, what motivated the Australian government’s decision on Huawei? The 5G network is critical national infrastructure, not public Wi-Fi for a local swimming pool. Critical parts of the economy will sit on top of—and rely on—5G. This is about far more than telecommunications; it’s about whole-of-economy security assurance.

While the media narrative has often been that the US applies pressure to its allies to ‘ban Huawei’, that wasn’t Australia’s experience. In fact, Australia’s former prime minister Malcolm Turnbull, who was ousted in mid-2018, has gone to great lengths this year to carefully and publicly explain why the decision was made. He is also on the record explaining that it was he who encouraged Trump to make 5G a greater priority.

Once the decision was done and dusted, it was clear that Australia’s choice came down to a combination of three overlapping issues: risks, transparency and trust.

There are many risks when it comes to working with a company like Huawei, and the Australian government’s appetite for risk on 5G wasn’t large enough to absorb them all.

When making various decisions related to 5G—and other critical technologies—the potential for ‘back doors’ is only one risk being weighed. Governments also need to make assessments about the integrity and availability of the data on the network, in addition to the confidentiality of information. They also need to worry about public relations and perception. For example, how closely do governments want to work and associate with a company that is complicit in enabling human rights abuses in Xinjiang through its work with the region’s public security apparatus?

A range of risks of working with Huawei are already on the record, from allegations of systematic intellectual property theft and dubious ethics to allegations of sensitive data theft that occurred under the company’s watch. Increasingly, governments also need to ensure they analyse, and fully understand, the laws that govern a company’s home environment. This is particularly critical when such laws mean a foreign government can exert extrajudicial direction, something that would obviously never be publicly acknowledged.

The UK government’s approach—testing Huawei’s equipment via the Huawei Cyber Security Evaluation Centre—provided a beacon of hope for governments wanting a middle-of-the-road solution. But, unfortunately, it’s turned out not to be the palatable policy option many governments were hoping to replicate. First, the evaluation centre’s mandate is purely technical, which means it can’t mitigate all the non-technical risks that come with working with a company like Huawei in 5G. Second, the centre’s annual reports have become progressively more negative in their outlook, and earlier this year Ian Levy, the technical director of the UK National Cyber Security Centre, gave a damning assessment of Huawei’s equipment: ‘The chance of a vulnerability with a Huawei piece of kit is much higher than other vendors.’ Third, the approach has the perverse effect of giving the most problematic major vendor an advantage over its competitors by providing it with tailored advice to improve its products.

Getting a straight answer out of Huawei—on a range of important issues—is difficult. This lack of public transparency puts the onus back on governments to conduct their own investigations to inform 5G policymaking. That’s a burden they don’t have to carry with other 5G vendors like Ericsson and Nokia.

For example, Huawei has struggled to explain who exactly owns the company and how its governance structure works. This is no small matter. Huawei has also struggled to prove its independence from the state. On the issue of internal Chinese Communist Party branches, a Huawei overseas executive said that while the company has one such branch, it ‘has no say in our operations. It meets in non-working hours and looks after staff social issues and activities. It has nothing to do with the management of the company and is run by a retired employee of the company.’ But through Chinese-language sources, we know this number and explanation are not correct.

In 2007, Huawei had reportedly established more than 300 CCP branches and counted 12,000 CCP members among its employees. The CCP’s expectations of these party committees—and associated branches—are clear. Article 32 of the CCP’s constitution outlines their responsibilities, which include encouraging everyone in the company to ‘consciously resist unacceptable practices and resolutely fight against all violations of party discipline or state law’.

The company has also struggled to explain what happened in the African Union headquarters  between 2012 and 2017, when there was reportedly a data breach that whisked sensitive information to servers in Shanghai every night. Huawei was the key ICT provider in the African Union headquarters and was responsible for protecting data from security threats. Huawei CEO Ren Zhengfei hasn’t denied the hack took place, instead telling the media: ‘For the breach of equipment used by the African Union, it had nothing to do with Huawei.’

That may well be true, but wouldn’t a private company conduct an independent review to figure out how, over a period of five years, it all went so wrong? Meanwhile, Huawei’s work in Xinjiang is increasingly in the spotlight, and for good reason. In July 2019, the company argued that it is providing equipment in Xinjiang ‘via a third-party’. That is not true. In fact, many of Huawei’s business dealings in Xinjiang are done directly with local authorities, police and security agencies.

The announcement of one Huawei public security project in Xinjiang in 2018 even quoted Huawei director Tao Jingwen as saying, ‘Together with the Public Security Bureau, Huawei will unlock a new era of smart policing and help build a safer, smarter society.’

Because 5G is critical national infrastructure, most governments must make sure they can trust the companies they partner with. The suite of risks, combined with a lack of transparency, has resulted in a crippling trust deficit. It would have been negligent of the Australian government to allow high-risk vendors, like Huawei, into Australia’s 5G network. In many ways, it wasn’t just the right decision. Given the evidence available, it was the only possible decision.

A version of this piece was published in The Diplomat magazine’s August 2019 issue as a section in the cover article, ‘Asia’s great Huawei debate’; it has been republished with permission.

Author

Danielle Cave is the deputy head of ASPI’s International Cyber Policy Centre. Image: Kevin Frayer/Getty Images.

Tags
Share

The Strategist — The Australian Strategic Policy Institute Blog. Copyright © 2024