24 February 2020

UK, Huawei and 5G: six myths debunked


Throughout the debate over the last few months over the potential use of Huawei equipment in UK 5G networks, the significantly increased cyber security risk is regularly highlighted as being a potential game changer. Here, Marcus Willett challenges the thinking behind this notion.

There are plenty of reasons why a country might ban Huawei from its networks, but an increased cyber security risk is not in reality a major one. If you are the US, it is rather because you are competing with China for dominance of the future development of cyber space, with all the economic and geostrategic advantages that come with it. This is probably the real reason the US has threatened to withhold intelligence from the UK. It’s not for reasons of security, since it knows that all intelligence shared is under state-of-the-art encryption and not carried over public networks. If you are not the US, you might ban Huawei because you agree with the US on the strategic issue and want to lend your support, or because your alliance with the US overrides every other consideration.

The US has probably rightly identified the strategic issue – the future shape of cyberspace and the global economy that depends upon it are at stake. But trying to prevent everyone from using Huawei kit will do more harm than good. It will instead drive China further and quicker down the path of building and exporting its competing version of the internet, with all the state surveillance that would entail. Far better to keep China, its companies and its economy thoroughly dependent on today’s single, multi-stakeholder, ‘free’ version of cyberspace. 

Six common myths


1. The UK doesn’t ‘get’ the cyber threat posed by China.

The UK is under no illusions as to the cyber threat posed by China. The UK government and critical industry sectors, such as defence, telecommunications and IT, have all been subject to Chinese cyber intrusions designed to steal data on an industrial scale. This was last called out publicly in 2018 by then-foreign secretary, Jeremy Hunt, who described Chinese attacks against UK managed service providers as ‘one of the most significant and widespread cyber intrusions against the UK … uncovered to date’.

Drawing on its own experiences in the cyber domain, the UK will also fully understand that espionage capabilities can quickly become sabotage capabilities – the hack of a network to steal data can quickly become the hack that brings the network down. And the UK knows that China’s intelligence law requires Chinese companies to provide it assistance if asked to do so. The UK’s assessment of the cyber threat posed by China does not differ from that of the US. 

2. The UK may have managed the use of Huawei kit in its 3/4G networks, but its use in 5G networks significantly increases the risk of Chinese espionage and sabotage.

Just as 3/4G networks are entangled together today, 5G will be entangled with 3/4G networks. Given that Huawei is already providing kit in the UK’s 3/4G networks, the theoretical ability of the Chinese to access and sabotage the UK mobile network would be little changed even if Huawei kit were not used in the 5G elements of the networks.

3. Even if the risk doesn’t increase from 3/4G to 5G, the UK shouldn’t be using Huawei in any ‘G’ network because the threat of serious cyber espionage cannot be mitigated.

The basic cyber security measures that have been used for 3/4G also apply to 5G, with the proper use of encryption to ensure the confidentiality and integrity of data being a crucial one. Ironically, it remains the case that those with the best chance of reading traffic on anyone’s mobile networks are the companies providing ‘over-the-top’ encrypted applications, as well as whichever government hosts those companies under the terms of their domestic lawful intercept (so in the UK that is overwhelmingly the Silicon Valley companies and the US government).

Increasingly, the UK finds itself unable to read the encrypted traffic between suspected terrorists in London and Manchester without Silicon Valley’s help. The presence of Huawei makes no difference – even if the Chinese government were able to use the Huawei kit to listen in, it would face the same problem as the UK government. Let’s be clear – Google can get to the content of gmail passing over a bit of Huawei kit, but China cannot. 

4. Ok, the real risk isn’t about spying, it is about China’s ability to use Huawei kit to sabotage the network.

The provision of kit into UK mobile networks and the interfaces between those networks and the rest of the UK’s telecommunications infrastructure are complex processes. Any kit that Huawei provides into UK networks will be integrated with kit and over networks run by other providers – such as BT, Vodaphone, Virgin Media, EE and others. Those providers have a degree of visibility and control over the various interfaces, with ‘redundancy’ built in – another basic UK requirement being to build redundancy into traffic routing to ensure the network as a whole can survive the loss of a single element (network resilience).

Additionally, many of the components inside Huawei kit are manufactured by other nations, particularly the US – software from Microsoft, microchips from Intel and Qualcom. Removing kit within a complex twenty-first century telecommunications network based simply on the nationality of the kit’s ‘supply chain’ is almost impossible. National ownership of a piece of kit is not the only deciding factor when it comes to ‘ease of interference’. As an illustration, if the US were behind the Stuxnet attack, as alleged, it interfered with the kit of a German company, Siemens.

In short, bringing down a complex modern telecommunications network is not easy, whichever bit of kit within the network you ‘own’. But even if you could, when would you do it? It is effectively a ‘one shot’ capability – if used by China, it would undermine the position of all Chinese companies in the world tech market, effectively handing the market to exclusively non-Chinese companies. China would therefore presumably save the ‘one shot’ for war or near-war, in which case it would need to be sure it would work. As I have outlined above, that is not easy.

The sabotage risk is, in reality, probably far subtler. It is more likely that China might try to insert damaging code via mobile networks remotely and deniably, with the Huawei kit used to facilitate an insertion or exfiltration of code/data into other networks – it is part of a pathway or a small but essential cog in a bigger wheel. Note again, however, that other countries could get into Huawei (or Nokia or Ericsson for that matter) kit remotely to do the same thing.

5. Given that there is a potential sabotage risk, can the UK really isolate the core of its network from Huawei?

5G is a cool technology, providing greater bandwidth, faster speeds, better quality and instant connections. It is this faster, smarter layer that will enable the truly innovative applications that we call the ‘Internet of Things’, for example, self-driving vehicles.

Sitting behind this are various technologies. The use of higher frequencies (ultimately including ‘millimetre waves’) means that the system can carry more information and support more devices (‘smart things’) at the same time (4G uses data at rates of 200–300 megabits per second, while service providers are ultimately looking to get 5G to above 40 and even up to 100 gigabits per second). There are many more and smaller transmitting and receiving antennae, using less power and covering smaller geographic areas – allowing the transmission and receipt of signals simultaneously through multiple antennae. 5G uses a Cloud Radio Access Network, meaning cheaper infrastructure and less maintenance. Unlike current generations, 5G base stations use ‘beamforming’ to detect and locate the user, and only transmit in that direction. 5G uses ‘Full Duplex Mode’ enabled by high-speed switching that can handle simultaneous transmission and receipt. Using all of the above, a 5G network can be ‘sliced’ and dedicated to a specific task (e.g. one part for phones and one part for driverless cars).

So 5G looks complicated and distributed. But it can still be divided into core and non-core. The latter refers to the myriad of small antennae, small cells and base stations distributed on masts, street corners and rooftops creating ‘smart’ environments. But there still has to be a controlling brain – the handful of main data centres at the heart of the network, with there being only two or three more centres needed in a 5G network than in a 3/4G network. That is the core, which can be owned and protected by UK service providers, such as Vodaphone and the like, including if held in the ‘cloud’. That is why the UK thinks it might be able to manage the overall risk by restricting Huawei kit to the ‘non-core’ network. 

6. But isn’t Huawei kit rubbish anyway? 

Perhaps the single-most important reason why Huawei 5G kit seems to outperform its rivals is the amount it has invested in R&D, and its deployment support is very good. The UK’s National Cyber Security Centre has, however, been very critical of Huawei’s coding. Nonetheless, kit can still perform well even when the underlying coding is a mess, meaning that it is not configured in a uniform way and is therefore very ‘buggy’, like Huawei’s. The presence of bugs in software is ‘normal business’ – they are not back doors in themselves, but they can be used to create back doors.

An international standard that set how coding is done would have reduced the number and type of bugs, and, therefore, made the kit inherently more secure. This is a crucial point: the international community should have baked security standards into the design of 5G networks from the outset, rather than now trying to retrofit security measures by means of, for example, the core/non-core debate. This is the key lesson from the current Huawei saga for future generations of critical technology, including Artificial Intelligence. If we did not do enough to establish the right standards for 5G, we should now start developing the best standards for the 6G that we will be installing in a decade.

No comments: