The 5G fallout: Brexit triggers a global wireless fault line
The grounds for a technological split in 5G Wireless are shakier than many expected, as Huawei mounts a clever defense. Now, in the face of pressure from the US and China, the UK is facing technological isolation.
"A fast internet connection is not some metropolitan luxury," wrote incoming UK Prime Minister Boris Johnson, in an op-ed for The Telegraph last June. "It is an indispensable tool of modern life. . . It is becoming the single giant ecosystem in which all economic activity takes place.
"It is, therefore, a disgrace that this country should suffer from a deep digital divide," Mr. Johnson continued, "so that many rural areas and towns are simply left behind."
On Tuesday, July 2, Vodafone officially switched on its first 5G Wireless service in 15 metropolitan areas throughout the United Kingdom, including London, Liverpool, Glasgow, and Birmingham. In his Telegraph op-ed earlier this month, Vodafone CEO Nick Jeffery also invoked that curious, critical phrase: "The fifth generation of wireless mobile technology is about much more than ultra-quick downloads and Web pages that are faster than ever to load. The technology has the potential to end the digital divide in the UK at the same time as boosting the UK economy and helping society."
Typically, the phrase "digital divide" has been used to describe those who have broadband and those who don't or can't afford it. In the US, Federal Communications Commission Chairman Ajit Pai invokes it as the cornerstone of his agency's policy, reminding people that some 30% of Americans lack access to broadband simply because of their geography. It's a void strong enough to slow down the economy -- a force you can feel when you leave the city limits and enter the farmland.
In the UK, there is a much more ominous divide scheduled for October 30. It is now up to Mr. Johnson to broker an agreement between the UK Parliament and the European Union which would enable the two parties to continue some measure of their trading partnership, once the former revokes its membership in the latter on Halloween.
The EU is already well underway with having implemented a mutual trade platform called the digital single market. In it, all member countries are treated as one unit when their citizens and merchants conduct business online. The UK was due to be one of its members. In the absence of any agreement, the EU will be forced to treat the UK as an outsider.
The United States -- the UK's most important ally -- has typically set the standard for their mutual policy regarding digital intelligence activities. Presently, the US is involved in a trade war with China. One pawn in that dispute has been Huawei, the Chinese technology firm responsible in large measure for the acceleration and development path of 5G. The US accuses Huawei of conspiring with the Chinese government (which is hard not to do, given the fact that China is its principal stakeholder). Such a conspiracy, US lawmakers and regulators allege, could give China direct line-of-sight into Western intelligence networks, by way of "backdoors" strategically built into Huawei network equipment. After having threatened to make permanent a ban on US companies conducting business with Huawei, the US president unilaterally suspended that move in late June, after a meeting with China President Xi Jinping.
Unencumbered by EU bureaucracy, the UK will be expected to make its way regarding 5G policy. The US will expect Britain to tow whatever line it tosses out there, even if it reels that line back in and tosses another one in its place. But many EU countries have opted to continue working with Huawei, especially now that it is one of only three major providers of 5G transmitter technology to the world's telecommunications companies.
In an interview for The New Statesman, Vodafone CTO Scott Petty warned, "All of the operators use Huawei and therefore instead of being ahead of the rest of Europe on 5G, we're all going to slow down."
Today, a 5G smartphone on one side of the world will probably work just as well if it travels to the other side. But if a digital divide does split the UK from one hemisphere or the other, it threatens to tear all the way down the planet. And from that point on, the next generations of wireless technology may go their separate ways, along with the people who use them.
"We stand naked in front of the world," testified John Suffolk, Huawei's Global Cyber Security and Privacy Officer, before a session of the UK Parliament's Science and Technology Committee in early June. "And it may not be a pretty sight all of the time, but we would prefer to do that, because it enables us to improve our products, and we all benefit from that."'
Huawei is at the fulcrum of the 5G split. Suffolk was defending Huawei against insinuations and allegations from MPs that it could exploit vulnerabilities in its networking equipment to conduct surveillance on behalf of China. His defense sounds strangely familiar: The vulnerabilities, which Huawei concedes have been present in its equipment, were discovered through an open and transparent process involving government agencies, private firms, and individual contributors. Could a malicious actor exploit these vulnerabilities? Sure, but if they're not exploiting the telecom network, they'll be phishing through your e-mail regardless.
"Our starting point, in the 170 countries in which we operate," testified Suffolk, "is, what is the law? What does the law define as... acceptable and unacceptable? And I think it's right for governments to determine, in essence, their objectives and enshrine that in law."
If a company provides telecommunications equipment for a government, which in turn uses it to conduct persecutory surveillance in Xinjiang Province, isn't that company complicit in human rights abuses? Huawei does not sell directly to the Xinjiang project, Suffolk responded, instead of dealing with Xinjiang through a third-party representative. Still, MPs persisted, if that country's government passes a law ordering technology firms to provide it with clandestine intelligence used to subjugate its citizens -- doesn't the company have an obligation to refuse? Suffolk [pictured below] responded it's not for Huawei to pass such a judgment about any country, softly implying that if it were, why stop with China?
"The reality is, all software, regardless of whether it's new or old, has the likelihood of having some vulnerability," he told the committee. And therefore everybody is going through a patching exercise." He cited work conducted by the independent Huawei Cyber Security Evaluation Centre (HCSEC), which turned up several problems that it said, in a recent report to Parliament, it didn't trust Huawei to be able to fix on its own. Suffolk's testimony continued:
Our model is simply this: We allow any country and any company to come and review and inspect our products, not because we expect them to find hundreds of the issues -- because if we did that, we wouldn't be in the telecommunications business. We'd be in the software engineering business. Because we believe passionately, the more people looking, the more people inspecting and poking and prodding, the more chance you have of finding something.
It's an effective counter-argument, shrinking the issue from a global human rights conspiracy to an open-source community spat. MPs felt the sting of being scaled down, and there wasn't much they could do to stop him.
One of the HCSEC's stated purposes is to ensure that Huawei doesn't introduce any potential vulnerabilities into British networks. In its annual report issued July 2018, couched in several pages of glowing praise for the security standards process, HCSEC warned, "Huawei's processes continue to fall short of industry good practice." Specifically, Huawei was relying on third-party components, which in turn relied on software and software updates produced by those third parties. But no one was distributing those updates, and as a result, security audits were revealing holes in the network.
Last January, US lawmakers introduced bills seeking to ban Huawei from inclusion in US 5G networks, alleging that the company is "an intelligence-gathering arm of the Chinese Communist Party." That same week in the UK, Rt. Hon. Norman Lamb [pictured above], chairman of the Sci/Tech Committee, wrote to his country's Secretary of State for Digital, Culture, Media, and Sport, Jeremy Wright. In MP Lamb's letter, he asked MP Wright what assurances he could give that UK telecom networks were secure, given the extent to which outside interests were involved -- particularly Huawei. Could Huawei be called upon by China to assist in clandestine intelligence gathering activities?
Although he cited China's notorious November 2016 Internet Security Law, which took effect the following June, Wright's response of March 6 [PDF] was surprisingly ambivalent:
We have serious concerns surrounding the ability of both state and non-state actors to gain access to our telecoms critical national infrastructure. As part of the Telecoms Supply Chain Review, we are closely examining Huawei's role, and that of other vendors, in our 5G networks and will also take account of the approaches taken by our international partners.
Nothing raises the alarm like language engineered specifically not to raise alarms. MP Lamb soon responded by issuing a call for the government to publish the rest of its report on Huawei, so it could finally make clear what the country's policy should be toward making any long-term deal that carries such a deep and long-term security risk.
It's here where we reintroduce our ZDNet panel of expert players in the game of 5G geopolitics.
"If you're a government, you have the responsibility -- just like Maslow's Hierarchy of Needs -- to assure the safety of your citizens," argued Herbert Blum, a management consultant with Bain & Company, speaking with ZDNet. Blum continued:
When you reach a level where the infrastructure that you as an enterprise are selling to a country becomes mission-critical, vital to how that society functions, you hit the radar screen of governments. Their job is to make sure that this stuff works. And it has to work even in extreme situations -- when society is less stable, for all sorts of reasons. So they have to go through scenarios to say, "Can we guarantee, in most circumstances, that society will function well?" And some governments are asking for certain assurances. I see this more as the normal course of business, of good governance, versus fearmongering... [and] a very valid question that governments need to ask, because 5G and all of the network infrastructure is becoming more and more vital to the way we live our lives. This stuff can't go down.
In its report last March, the UK's National Cyber Security Centre (NCSC) warned that it could not guarantee the country's network infrastructure was safe from exploitation or espionage, on account of Huawei's apparent failure to address the HCSEC concerns. "Overall, the Oversight Board can only provide limited assurance," the Centre wrote, "that all risks to UK national security from Huawei's involvement in the UK's critical networks can be sufficiently mitigated long-term."
The apparent fact of Huawei's loosely-knit, unbureaucratic, relatively unmanaged approach to code sharing and development -- of standing naked in front of the world, to borrow John Suffolk's phrase -- may be at least partly to blame for the existence of code defects being characterized by political interests as windows for international espionage. It sounds as though Huawei's political opponents are arguing China's intense interest in subverting the affairs of other nations is made clear by its laissez-faire approach to the security practices of the same technology company they claim China rules with an iron hand.
It's a stretch, to be sure.
Part of Suffolk's case before the parliamentary committee was the statement that less than one-third of the componentry of Huawei-branded network equipment -- the "teardown," in industry parlance -- is made by Huawei itself. A majority of the components' hardware, and perhaps nearly all of its software, could rightly be described as international in origin -- not "Made in China." Indeed, this is evidently part of HCSEC's problem with the company: its inability to keep a tighter rein over its supply chain, as that chain becomes more globalized.
Dr. Henning Schulzrinne, former CTO of the FCC and co-creator of many of the protocols driving internet conferencing, including SIP, read those HCSEC reports when they were first published. Rather than uncovering evidence of clever subterfuges and back doors, Dr. Schulzrinne told ZDNet, the firm cited what appeared to be sloppy coding, poor testing, and less-than-efficient best practices. In the process, he was reminded of another company that tech news sites used to accuse of clever and underhanded conspiracies: Microsoft. As Schulzrinne continued:
They [Huawei] have a reputation of being behind other companies in that space. Not that any of them are perfect, but they certainly have had issues, partly because they've grown very fast. I think they have a reputation for a somewhat less bureaucratic, but also a less formal, code development culture compared to, say, Nortel and AT&T, which had more traditional, reliability-oriented cultures in terms of software development. They do have a real quality problem that I don't think one should completely discount.
That's not the case certain MPs were making against Huawei -- that its engineers were disorganized and sloppy. Leaning somewhat upon US intelligence, they were alleging China could force Huawei (if it had not already done so) into injecting intentional vulnerabilities into its components, and then pleading the ill effects of globalization and openness once those vulnerabilities were inevitably discovered.
"I think that is highly unlikely," remarked Dr. Schulzrinne, "because of the difficulty of doing that without detection. Detection would mean a corporate death sentence for Huawei, at least in many parts of the world."
Besides being a reprehensible act, the former FCC CTO asserted, poisoning a country's 5G network may be technically unfeasible even with backdoors. Just because a company builds routers and network equipment, he noted, does not give that company a route through that network.
It would be quite difficult, on an ongoing basis, for Huawei to inject bad code, exploits, or snooping software. They would also have to exfiltrate the data out of the carrier network without anybody noticing. From a Huawei perspective, given that you would have to do that on a continuing basis to be useful, the danger that somebody would discover that strange traffic that doesn't have an obvious explanation is leaving the Verizon network eastbound, would be the end of the company as a competitor in the Western world. So that seems somewhat unlikely that this would be a concern.
Put another way, any data that a nefarious actor may gather from a network, through backdoors or magic, about the status of a telecom network, would only be valid for a few brief moments, if that long. Unlike the circuit-switched networks that politicians keep imagining, digital networks are dynamic. As such, they are always re-composing themselves. There are a variable number of layers to these networks, and none of them are centralized around a single "core." For Huawei to conduct espionage even with a network comprised exclusively of its own components, Schulzrinne's explanation reveals to us, would require supercomputer-scale precision and atomic clockwork.
Besides, if all you're trying to do is eavesdrop on a conversation, it may be easier to hack the software than hack the network. But China probably already knows that.
The walls closing in
"People think this is just about US corporate interests -- people who are commentators on this topic," remarked Dr. Sarah Logan, a research fellow with the Dept. of International Relations at Australia National University. Dr. Logan continued:
People are like, "Well, you know, the US is just bullying other countries into banning China." But it's in those US interests to have a unified global standard. So that's not necessarily the case. And I think that point is lost. People who don't understand how technology works, or how production works, think that there is a clear kind of national interest dividing line in the production chain. And that's not true.
If indeed the US is attempting to bully the world into joining its side of the platform, it's not working very well, especially in recent months:
In March, even after the US threatened to scale back its intelligence cooperation with Germany, Chancellor Angela Merkel declared her country would not exclude Huawei equipment from its 5G network simply because it's Chinese.
In an April interview recorded in China, Italy's Prime Minister Giuseppe Conte told Sky Italia that he had personally assured Huawei it would not be unfairly discriminated against, as it continues to pursue its 5G plans in his country.
France has opted to leave its options open, with the chairman of its telecom regulatory body telling reporters in May that, even as Google opts to deny Android licenses to Huawei in compliance with US restrictions, the effect of that denial on the 5G market as a whole would be minimal.
In a stunning rebuke of what US officials had been characterizing as evidence that Huawei was leaving open avenues of espionage to Chinese benefactors, the cyber defense hub of NATO (of which the US and UK are member nations) denied the existence of such evidence. In its March report [PDF], CCDCOE said, "There is, to date, no public evidence of serious technological vulnerabilities in specific Huawei or ZTE equipment. That said, it is fundamentally impossible to rule out potential technology flaws that can be exploited in the future. It does not matter that Chinese technology is, in this regard, no different from technology produced elsewhere."
While the UK continues its departure from the European Union, it's beginning to feel like it's peeling away from the planet. Every signal it sends is being scrutinized for hidden meanings, and every message it didn't intend to send is being treated as a signal.
As The Guardian first reported in late April, then-Prime Minister Theresa May communicated to fellow cabinet ministers what appeared to be a Solomonic judgment, banning the government from making deals with Huawei for the "core" of the 5G network, but not the periphery -- without any technical explanation of what that might mean. But after that news was disseminated, the PM fired her defense minister, Gavin Williamson, despite his strong denial of having leaked the information to the paper. Indeed, Williamson was on record as opposing any deal with a China-based firm and had earlier blamed unnamed Cabinet Office sources for the leak.
After at least some of the smoke and much of the fog has cleared, though, what remains is the same indeterminacy the UK exhibited at the start of the year. Tugging against it from one side is the US, whose temporary hold on an export ban against key Huawei components is set to be lifted on August 19. Last June 16, US Deputy Assistant Secretary of State Rob Strayer publicly warned the UK Parliament to join the US in banning Huawei, telling attendees according to Bloomberg, "There's not going to be a future" for Huawei in their 5G supply chain. On the other side is China, whose diplomat has warned the UK through the BBC that her country would withdraw its investments in Britain if it were to follow the US' lead.
Remarked the Carnegie Endowment's Erik Brattberg:
One could make the argument that the UK would be more flexible to find other arrangements with other countries, once it has a better sense of clarity about what Brexit means. But the challenge the UK is facing is, it wants relationships with other players around the world for trade and investment purposes, but it also wants to maintain a close relationship to the United States. And at a time when the US is actively lobbying European countries not to do business with China, especially in the area of 5G, that's going to politically and strategically be a very difficult decision for London to make. They're going to have to balance all of these things.
The country's decision in this matter has direct repercussions on its future as a united kingdom, especially if it intends to continue including Northern Ireland and Scotland. Should the course of events continue as they are, the UK will leave the European Union on Oct. 31. No trade deal exists between the two governments, and amid the absence of one, World Trade Organization rules governing trade and interactions between countries would immediately go into effect.
"UK companies would not be able to operate in Europe in the way that they have enjoyed as members of the European Union," asserted Brattberg. "They would have to pay tariffs under WTO laws, in order to do business elsewhere in Europe." And unless UK telcos happen to have foreign subsidiaries throughout Europe, as Vodafone does, roaming agreements would have to be hammered out immediately from page one. The lack of any formal arrangement between the EU and the UK would render the process of negotiating any deal between companies across borders, warned Brattberg, exceedingly difficult. He continued:
Any British company, and any foreign company operating in the UK, would be subject to an extended period of uncertainty, most likely, where it will be very hard to make long-term planning decisions. That's unavoidable... Should there be a no-deal Brexit scenario, that would have a crippling effect on the British economy. Certainly there will be voices in London arguing for cutting ties with Europe and approaching other economic partners around the world, including China. But I think ultimately, the security concerns and the strategic considerations will trump those short-term economic potentials.
In his UK Telecoms Supply Chain Review Report [PDF] issued in early July, MP Wright weighed the risk of allowing Huawei to remain a supplier to Britain's 5G system against another significant risk: succumbing to basically a single supplier for some services, after purging Huawei from the process. Although Nokia and Ericsson are major players in this game, with Samsung filling in some gaps, the report acknowledges that Ericsson is either a minor player or completely absent in some 5G technology areas, most notably fixed wireless. As Wright's team wrote:
National dependence on specific vendors may mean that the UK telecoms market is more susceptible to risks relating to products and suppliers. Taken in conjunction with the findings of the security assessment... national dependency on individual high-risk vendors, in particular, could pose significant security concerns. Additionally, the growth of large firms with high market shares and weaker rivals can drive down competition, potentially increasing prices, reducing quality and stifling innovation in the longer term.
Put another way, if Britain were to follow America's lead, both could find themselves having ended up captive customers to a single Scandinavian firm.
The vulnerability gap
As the rest of Europe, along with the rest of the world, closes ranks, Great Britain finds itself in a ridiculous, potentially humiliating, situation. It would like to be able to take an assertive stand vis-à-vis Huawei. Such a stand would demonstrate its ability to set its own course in international relations -- an ability that Brexit's "Leave" supporters promised it would rediscover.
But either of its binary choices could be interpreted as an act of appeasement: If it bans Huawei altogether, the EU could interpret it not as an act of defiance but rather of capitulation to the US. That, in turn, could endanger the UK's ability to strike a trade deal with the EU, should Brexit go through as scheduled on October 31. If it takes a stand similar to Germany's or even France's, as the US State Dept. warning makes clear, it could conceivably retaliate by punishing Britain, ostensibly for restricting the import of genetically modified agricultural goods. In a worst-case scenario, the US President could unilaterally order the imposition of tariffs on UK imports, regardless of any pledge the US may have made to the contrary.
What may yet help the UK make up its collective mind (if it still has one) is a scenario for the planet Earth in the 2020s -- perhaps unlikely, though not impossible. It involves the re-establishment of a long-absent and much missed cold war, this time with information technology assets replacing nuclear missiles as weapons.
It's a chilling scenario articulated by Henning Schulzrinne. In the event of two disparate telecommunications platforms, countries investing in one platform would utilize vulnerability data assessed about the other.
There is going to be a temptation to exploit any known back doors or ability to remotely cripple a system. That's much harder to prevent. If there is some code in the system that, if you sent just the right magic packet through the network, it causes the system to freeze up and self-destruct -- unlikely to be physically true -- then you could theoretically, with relatively little effort, cause major disruptions in US cellular networks, with just a few strategically planted people with cell phones that press the right button.
Huawei would not need to commit this digital act of terrorism directly, or even indirectly. However, in the end (or preferably before it) it may be declared the responsible party. Arguably, with Huawei's lax security practices, Chinese intelligence agents would already have access to just the right vulnerabilities in Huawei network components. Forestalling such an act would require a degree of code review that the HCSEC reports indicate Huawei may be incapable of enabling, at least presently. Even so, Schulzrinne noted, one would need assurances that the reviewed code and the deployed code in the network were the same -- an unlikely situation for a modern digital network.
"For me, that seems from a cybersecurity perspective the least fanciful version," said Schulzrinne. "It's harder to dismiss simply because it's harder to protect against."
Here is where the scenario takes a twist right out of Dr. Strangelove: Mandating such a code review for one platform may be a bad idea for anyone seeking to avoid a similar code review for their own platform. The US National Security Agency may want the option of pressing a similar self-destruct button. So each side may conclude it to be in its own best interests not to make too much of a fuss about vulnerabilities, lest anyone start paying attention to them and fixing them.
Are we seriously talking about mutually-assured destruction -- where if one side presses the button, the repercussions of the damage it causes to the other side's telecom platform effectively triggers its own death sentence? "It seems only likely in the case of a real-world military conflict," Schulzrinne responded, "between China and the United States -- a Taiwan issue, something like that. In that sense, the calculus changes simply because worrying about the competitiveness of one company in an industry, suddenly recedes from consideration."
Meaning, Huawei could be blamed for any Chinese attack on a Western platform, including by China itself... and Ericsson or Nokia could be blamed for an attack in the other direction. The whole issue of these companies' respective roles in the global economy would be diminished, as they would be rendered expendable.
If that seems like a worst-case scenario, Schulzrinne reminds us that active preparation for such a scenario could be bad enough. For example, he perceives the potential for an assessed vulnerability gap -- an asymmetry in the number of exploitable conditions one platform may have, compared to the other one. Specifically, the percentage of non-Chinese equipment in China's networks may be less than the percentage of non-Huawei equipment in Europe's or the US' networks. In this world, knowledge of network equipment vulnerabilities could be treated as assets. He continued:
I wouldn't quite call it "mutually assured destruction," but it would certainly have secondary impacts on any post-conflict relationship. I wouldn't discount that it's at least a legitimate fear that somebody might have, particularly in the 5G context, where this is not just about mobile networks that are used for largely personal communication, and things of that nature, but where there's now a push to integrate 5G networks into industrial control networks, and others with more direct implications to the functioning of other parts of the economy.
Not with a bang
There is no "6G," and should tension continue to rise, there may never be one. But since the US President declared leadership in this as-yet-non-existent platform a national goal, both the leaders of the telecommunications industry and the world's geopolitical organizations have held conferences, meetings, and think tanks as to what "6G" should be, and whether the goalposts for industrial innovation should be, once again, reset. The first global 6G Wireless Summit did indeed convene last March in Finland.
For any technology to be successful in the 21st century and thereafter, it must be global and remain global. 5G Wireless is a portfolio of technologies whose foundations and standards are being worked out by 3GPP, a global consortium of telecommunications interests founded during the formation of 3G Wireless. Every stakeholder here has specified its intent to implement 5G in cooperation with the world's other stakeholders.
But despite the likely state of China's investment portfolio, countries are not telecommunications companies. Countries compete with one another based upon, among other things, the strength of their technological infrastructure. In just the last few years, the trend toward what appeared to be inevitable globalization has reversed itself. Battle lines are being formed around countries and their allies that want to be no longer perceived as also-rans and followers on the world stage. Treaty partners and unions that seemed inseparable as recently as 2015 have torn themselves apart at the seams.
Now the portfolio of standards that rely upon globalization for its very existence has become a geopolitical football. Whether or not 5G's stakeholders perceive it this way, or prefer it to be this way, their respective countries have made 5G supremacy into imperatives for their national security.
"I very much see the risk that 5G will be impacted by broader geopolitical developments," remarked the Carnegie Endowment's Brattberg, "where especially the US and China seek to create their own separate standards." He continued:
We increasingly see a polarized world, technologically and digitally. From a European perspective, what European leaders really need to do is think long and hard about what it means [to] potentially becoming dependent on a Chinese model, in terms of economic dependencies and security dependencies, but also in terms of its own security relationships... Europe really ought to do a thorough security vetting and assessment, and think about this issue long and hard before jumping into that too quickly, with something that can have long-term effects for years to come, especially in a world that is increasingly becoming competitive between Washington and Beijing.
Starting now and continuing over the coming months, many of the world's wireless service customers will find themselves using something with a "5G" brand slapped on it. Some of it belongs to the official 3GPP standard, and some doesn't. Whatever it may be and however else it may be decorated, it will wear a 5G logo, and someone will claim victory. That's already begun. But suddenly there is a real chance that the trend toward technological globalization ends here.
5G has become one of the pawns in a game of geopolitics. And no one yet knows the rules.
"This isn't going to be the only battleground of this nature," warns ANU's Dr. Logan, "as critical infrastructure increasingly depends on technological advancement in a way we haven't seen before. This feels like the first front."