Trans-Pacific View author Mercy Kuo regularly engages subject-matter experts, policy practitioners, and strategic thinkers across the globe for their diverse insights into U.S. Asia policy. This conversation with Ewan Lawson – Senior Research Fellow in Military Influence at the Royal United Services Institute for Defence and Security Studies in London – is the 172nd in “The Trans-Pacific View Insight Series.”
What is the basis of U.K. and EU fears over Chinese 5G cyberspying?
The roots of concerns are in the aggressive way that Chinese actors conducted cyber espionage and data theft in recent years. At its heart were different conceptions of what constituted legitimate national security interests as whilst the U.S. and others conducted cyber espionage to understand China’s military capabilities, China was stealing intellectual property and handing it on to private and state-owned companies. Whilst this appeared to decrease after the 2015 Xi-Obama agreement, as recently as December 2018, the U.S. was indicting Chinese actors for data thefts.
Chinese manufactured hardware that would be valuable in new 5G networks comes from companies such as Huawei that, according to the U.K. National Cyber Security Centre (NCSC), have in the past been slow to deal with vulnerabilities. To add to the concern, Chinese companies are legally obliged to assist the state when required, which leads to questions about the extent to which vulnerabilities are being built in to allow exploitation of the networks at a later date.
Analyze Brussels’ plans to map Chinese electronic infrastructure across the EU.
Recognizing there is a risk, the EU is seeking to understand its extent. As member states hold auctions to engage potential 5G network providers, there is a clear opportunity to identify the extent to which individual contracts are reliant on Chinese hardware. Given that the hardware is reasonably cheap and effective, it is clearly tempting for potential suppliers to use it in their solutions unless member state governments have explicitly banned it.
Evaluate London’s approach to restricting Huawei’s presence in the U.K.
Until now, the U.K. has approached managing the risk from Huawei differently to some of its Five Eyes partners. Rather than banning Huawei products from its critical national infrastructure, it has sought to mitigate the risk through a screening process. In a center run under the auspices of the NCSC, equipment is checked for vulnerabilities, which Huawei is then expected to address. This in part reflected a desire to maintain good trading relations at China although reports from NCSC suggest increasing frustration with Huawei’s failure to deal with problems in a timely manner. This may lead to a change in policy when it comes to the 5G network in due course.
Assess the long-term global implications of China’s growing dominance in 5G technology and the international community’s cybersecurity concerns.
The implication in the longer term is that China potentially has the ability to access data transmitted across those networks or disrupt them if it chooses to do so. It has to be recognized that whilst there have been concerns about vulnerabilities in hardware and software sourced from China, and evidence of Chinese espionage and data theft, there has been no specific evidence presented to support this concern. Rather if risk is envisaged as the combination of capability and intent, China’s control over its commercial entities gives it potential capability should its intent be to disrupt those networks.
How much influence does U.S. cybersecurity policy have on U.K. and EU policymakers’ defensive approach to Chinese 5G technology expansion?
There is little doubt that U.S. cybersecurity policy is influential. This is not just on its own stance towards Chinese-sourced telecoms products (and indeed products from other nations) in its critical national infrastructure but also the way it has publicly indicted Chinese actors for cyberespionage. Within the “Five Eyes” community, Australia and New Zealand have followed the U.S. lead, but it is noteworthy that the U.K., arguably its closest cyber security partner, has chosen not to do so. This is despite those five countries largely having access to the same sensitive intelligence material. This in turn indicates a different perception of the risk and/or risk appetite, and may in part reflect the additional costs potentially associated with using non-Chinese sourced equipment. Apart from the U.K., EU members will not have the same access to intelligence but may have different sources of their own. Whilst the EU and its member states will look to the U.S. example with interest, different perceptions of the detailed cybersecurity risk and indeed of the geopolitical and economic challenge from China are likely to lead to more nuanced policy positions rather than simple bans.