Weighing the risks in building a 5G network
17 Jul 2019

The global debate has shifted beyond why we shouldn’t trust Chinese telecommunications company Huawei to why we can’t trust any equipment vendor. How can we trust US companies after the Edward Snowden disclosures? Doesn’t the US also spy?

One way to look at mobile telecommunications networks is to divide them into two parts: a ‘core’ where sensitive functions such as billing and subscriber management occur, and a less sensitive radio access network, or RAN, which manages how towers talk to handsets.

In the RAN equipment sector, Huawei’s competitors are Ericsson, Nokia, Samsung and NEC. Beyond the RAN in the rest of a 5G network there are many other vendors, including US companies such as IBM, Hewlett-Packard, Juniper and Cisco.

In the past, the Australian government excluded ‘high-risk vendors’—vendors the government had security concerns about—from the core of critical networks. In 2012, for example, Huawei was banned from Australia’s National Broadband Network, and this informal policy was applied to Australia’s 4G mobile network. Huawei equipment was used in the RAN but not in the core of Australian networks.

But the assessment by the Australian Signals Directorate, Australia’s signals intelligence and information security authority, was that ‘the distinction between core and edge collapses in 5G networks’ and so ‘a potential threat anywhere in the network will be a threat to the whole network’.

Given that we can no longer restrict vendors to the low-risk part of our telecommunications infrastructure, how should we think about the decision to trust a foreign vendor with supplying equipment for our 5G network?

For all vendors of critical infrastructure, there’s what I call product risk—the risk that a product won’t perform as described, is insecure and will have bugs or flaws that will affect its security and reliability. Some vendors may have better processes than others and therefore make better or more reliable products and have lower levels of risk. A technical assessment of products from different vendors would be useful to determine the relative levels of product risk.

Coercive state policies are a second, separate source of risk that should be considered. A state may coerce or compel a vendor in a way that could damage another state’s critical infrastructure or make it less secure. Everyone thinks of back doors, but that’s only one type of coercion. An engineer could be compelled to give up passwords or to provide network infrastructure diagrams. Or an employee could use their access to the system to change something consequential, but perhaps in a way that is difficult to detect. This is a geopolitical risk that really should be examined at the national level as it’s not clear to me that individual companies can make risk assessments of this kind.

Without an entirely indigenous supply chain, there’s always some element of this type of geopolitical risk, so decisions must be made to reduce or manage the risk. That sometimes means choosing the lesser of two evils.

A number of factors make me think that the risk from Chinese vendors is far higher than it is with vendors from the US and most other countries.

The first has to do with the rule of law. In China, legislation tends to support the Chinese Communist Party rather than being independent of it. Chinese companies and individuals can be compelled to assist in intelligence-collection efforts. Prominent Chinese citizens disappear without explanation. In the US, by contrast, technology companies have publicly opposed state lawful access orders—for example, the Apple v FBI case over a locked iPhone and a US v Microsoft case on extraterritorial data—so there’s at least some transparency. Anecdotally, I’ve heard that tech companies in China may ‘go slow’ on government access orders—but they never say no.

Second, there’s the Chinese state’s history of wide-ranging cyberespionage. I’m particularly talking about theft of intellectual property for commercial gain; in some cases the People’s Liberation Army has created databases for Chinese companies to sift through the intelligence that it has gathered for them. Regardless of the scope of US espionage, there are no examples of the US directly aiding its own companies in that way.

Third, China has a history of supply-chain attacks in which vast numbers of devices are compromised to reach a small number of targets. In the Cloudhopper attack, the Chinese Ministry of State Security compromised contracted IT service providers to steal corporate secrets from their customers. When CCleaner, a software utility tool, had its update process subverted, the computers of 700,000 customers were infected in order to upload more complex malware to just tens of individual computers in high-tech companies and telcos, including Intel, Microsoft, Cisco and Vodafone. Similarly, the Taiwanese hardware company ASUS had its software update tool compromised by Chinese hackers, and half a million innocent customers were affected to reach just hundreds of target computers.

By contrast, the US approach to compromising supply chains—intercepting shipments destined for target organisations—is extremely precise. From the perspective of an innocent bystander, the Chinese approach undermines trust in the entire tech ecosystem; the US approach is far less likely to cause collateral damage.

Finally, taking an Australian perspective, when it comes to the constellation of non-China-based 5G equipment vendors—in the US, Finland, Sweden, Korea and Japan—it’s very difficult to imagine ourselves in a military conflict with these countries anytime soon. But we could very plausibly end up in a conflict involving China within a matter of weeks or months.

An accident in the South China Sea or some confrontation in the Taiwan Strait could lead the US and China into conflict. Washington would probably ask for our assistance, even if just for moral support—and we’ve never said no when the US has asked. In such a scenario I find it impossible to believe that China wouldn’t seriously consider using our networks against us—if it had access.

So it is all about trust, but I think there are very good reasons to trust some countries more than others.