Newly released draft rules for network security in Germany, which indicate that the German government is prepared to accept Huawei as a supplier for the country's 5G networks, are causing major controversy.
Local politicians are calling on parliament to take back control of the vetting process and overturn the new rules, while experts believe the rules could deepen technological divisions between European member states and worsen an increasingly cool trans-Atlantic relationship.
"A question of such strategic meaning should not be being decided at the administrative level," complained Norbert Röttgen, the chairman of the parliamentary committee on foreign affairs and a member of Chancellor Angela Merkel's Christian Democrats.
To protect Germany's critical infrastructure, he has suggested that parliament should debate measures that go beyond these new draft rules.
The rules – the so-called 'security catalog' – were released on Tuesday by two agencies, the Federal Office for Information Security and the Federal Network Agency, and will now undergo a short consultative process. They could be in effect by the end of the year or early next year.
"The big question right now is whether we will stick with this process, where critical decisions on national security and industrial policy are being outsourced to two minor [German government] agencies," Thorsten Benner, director of the Berlin-based thinktank, the Global Public Policy Institute, told ZDNet.
Benner earlier described the draft as a "catastrophic failure" and believes that nothing much will change during the consultative process if parliament doesn't step in.
The publication of the security catalog confirmed leaks from a day earlier that Chinese network supplier, Huawei, would not be excluded from taking part in the construction of Germany's next generation of network technology.
Although they have never been definitively confirmed and Huawei denies them, there are suspicions that the telecommunications giant is too close to the Chinese government.
This much-discussed relationship has led to concerns that if Huawei plays a key part in establishing essential aspects in a national network, then sensitive information could end up being passed to the Chinese government, or critical communications infrastructure could potentially be sabotaged during international conflicts.
After warnings from the US that Germany's ongoing use of Huawei technology would endanger trans-Atlantic information sharing, observers had expected a clause in the new security catalog to effectively ban the Chinese company from the country's 5G infrastructure.
But, as German business newspaper Handelsblatt reported earlier this week after seeing a leaked version of the draft rules, the clause was removed, apparently thanks to intervention from chancellor Angela Merkel's office.
According to insiders, the German chancellor herself defended the removal of the clause on Tuesday during a private meeting of her own party. The argument is that, instead of simply excluding Huawei, there should be stricter standards for all potential providers.
"The primary motive for chancellor Merkel to push for opening the door to Huawei is fear of retribution, that they [the Chinese] would retaliate against German tech providers in China," Benner says. "Major German companies – VW, Siemens, BMW – are very dependent on the Chinese market. I think that's the concern in the chancellery."
The draft rules now say any company taking part in the construction of Germany's 5G networks will only have to sign a contract guaranteeing they won't take part in espionage or build so-called back doors into their software.
"A violation of the self-declaration by manufacturers or providers could lead to considerable security breaches," the catalog's writers concede.
This contract is simply a more elaborate version of a no-spy clause that already existed for public procurement of some IT systems, Jan-Peter Kleinhans, a 5G networks expert at the thinktank Stiftung für Neue Verantwortung, or the Foundation for New Responsibility, pointed out.
"There is no language on sanctions or repercussions in the security catalog, or anything about how [violations] would be evaluated or monitored. It's purely a 'please trust me' statement from the vendor," he says.
The draft rules also say networks must avoid a "monoculture" by any one company. In certain vital parts of network infrastructure, products from at least two different companies must be used. And products from any single company may only make up a maximum of two-thirds of the infrastructure.
In many ways, the new rules are appropriate, Kleinhans told ZDNet. From an IT security perspective, there are two main kinds of threats, he explained: attackers who exploit software vulnerabilities and attackers who exploit legitimate access.
"Out in the field, the bigger issue is software vulnerability because of the complexity of networks," Kleinhans says.
A smaller risk is presented by the vendor of equipment, who has access to the equipment to, say, repair it or update firmware. But few network operators keep a careful eye on vendors as they do this, he cautioned.
"On the whole, this [the new security catalog] is politically agnostic and offers the right answer to technological challenges brought about by software vulnerability," Kleinhans argued. "But it does not address the geopolitical aspects at all."
Kleinhans suspects that the decision was deliberately pushed onto the smaller and mostly technocratic government agencies so that the German government could avoid the political ramifications of banning major Chinese companies from its 5G networks.
Benner believes that bureaucrats at the agencies may even have welcomed being asked to make this decision because, if the security catalog is approved, they will get more funding and gain in importance.
For all Germany's talk of the importance of European digital sovereignty and European tech champions, allowing Huawei and ZTE access could also disadvantage their main competitors, the Finnish and Swedish companies, Nokia and Ericsson.
A spokesperson from Deutsche Telekom told ZDNet that the company currently has a multi-vendor strategy and is using Ericsson, Nokia, Cisco and Huawei.
"Given the ongoing expert discussion, Telekom is currently reappraising its procurement strategy," the spokesperson said. "There have been no firm decisions made which manufacturers we will use to build the 5G network."
The Stiftung für Neue Verantwortung's Kleinhans says there has been so much consolidation in the telco sector that there are only four vendors left worldwide.
There are multiple reasons for this, he says, including bad management and bad luck. But the Chinese success is also due to state subsidies and the kind of government support that other international companies haven't had.
"And in a few years, there's a real chance we won't have Nokia and Ericsson anymore," he warns.
Benner is blunter: "In a situation where, for once, Europe has the right technology – in the form of Nokia and Ericsson – Germany decides to open the door to high-risk providers instead. It's absurd."
This move not only undermines European digital sovereignty, it also endangers European unity on the subject, Benner continues. Approaches toward "high-risk providers" in other countries, such as the UK, France and Poland, already differ markedly from Germany's, he adds.
A European Commission cybersecurity risk assessment on this subject came out last week – Benner calls it "bad timing for Germany" – and it too emphasized the risk of too much reliance on single suppliers and "threat actors" from non-EU states.
"It's also important to understand this is not just a hobby horse for the Trump administration," Benner says of the trans-Atlantic differences on this subject. "Concerns about critical infrastructure are shared by key Republicans and Democrats in the US, too."