The campaign against Huawei: is there a threat?
Assessing whether foreign technology companies pose a security risk should be done with a view of the complete picture, writes Greg Austin.
OPINION: The case against Huawei’s participation in bidding for the 5G network in Australia appears to be based on incomplete information, at least as far as the public record allows us to judge.
For a full picture, there are several fields of knowledge we need to understand and reconcile: espionage, computer science, information and communications technology, cyber security, business studies, foreign policy, China studies, political science, international political economy, and globalisation. But there are also political perspectives and biases. The latter issue was rather brilliantly captured in a recent Norwegian study.
This study saw the Huawei challenge, the Snowden revelations about NSA, and the Volkswagen emissions-monitoring scandal as part of a common problem: assurance of supply chain components in the information age. The study concluded that “the problem [of supply chain assurance] should therefore receive considerably more attention from the research community as well as from decision makers than is currently the case”.
The consensus of global scholarly opinion on these issues suggests that those in Australia advocating for a ban on Huawei in the 5G network – mimicking the opinion of US intelligence chiefs expressed in February 2018 – have not reviewed all of the available information and perspectives. Public policy analysts in Australia should be wary of their own government when it so closely mirrors senior officials in the Trump administration on any issue of intelligence policy, for two reasons.
The first, and most worrying, is the poor record of the US intelligence community on big issues of analysis if they’re highly politicised. Remember Iraqi WMD as one in a 70-year saga of great US intelligence failures. The second is that internal political disputation within the Trump administration and the US Congress on relations with China is at fever pitch.
So what does the study of espionage tell us about the campaign against Huawei?
There’s no doubt that countries like China, the United States, Russia, Israel and France find it easier to implant back doors in commercially available equipment manufactured by companies domiciled in their territories. For this and a variety of other reasons, wise governments, corporations and citizens should assume that all equipment in their supply chains, regardless of the country of origin, can be compromised from a cyber security point of view. The Norwegian study found that such back doors are often very difficult to detect.
We can add to this the overwhelming evidence that vulnerabilities in Microsoft Windows have been responsible for a very large share of security breaches globally, including in Australia. As argued in a study I co-authored with German scholar Sandro Gaycken for the New York-based EastWest Institute in 2014, “highly secure computing” (that is, non-vulnerable systems) has to be the approach.
The national security damage caused by vulnerabilities in Microsoft Windows puts into the shade the unsubstantiated claims (unsubstantiated in the public domain, at least) that Huawei equipment has directly produced security breaches. Moreover, NSA cyber weapons based on the vulnerabilities in Windows, such as EternalBlue, have caused more documented security breaches globally, and in Australia, than any Huawei products. Yet Australia’s Defence Department uses Microsoft Windows.
We also need to assess the relative intelligence value of back doors in Huawei products if they in fact exist. We can assume they do, either by design or by error. But the share of high-grade intelligence collected by this means would be minuscule. Chinese and American spy agencies already have easy access to most unclassified or unencrypted telecommunications from Australia without relying on back doors in telecoms equipment.
If China wanted to use a domiciled company for implanting back doors, it would not rely on the Chinese Communist Party cell in Huawei to set that up. The Huawei party cell would not be in the chain of command for Chinese intelligence operations of this kind. The cell is not oriented towards espionage, though its members would report on internal security issues to the Ministry of Public Security.
If the US wanted to plant back doors in the equipment of a US-domiciled company, it would not need a law to compel the cooperation. It would simply get consent from people at the top of the company, as it did with NSA’s PRISM program, where US telecoms companies, such as AT&T, and information utilities, such as Google, provided a direct feed to NSA headquarters of all communications, according to documents leaked by Snowden.
Beyond intelligence studies, we need industry knowledge. Huawei estimates that 50% of Australians rely on its systems of some kind for their telecommunications. This is probably a radical underestimate – I think it would be closer to 95% if we’re talking about all Chinese-made systems. Most of Australia’s unclassified communications today probably depend on systems using at least one component manufactured in China.
I base this very rough estimate on several considerations. According to a 2018 study on smaller countries like Australia, the bulk of our domestic internet traffic and email is probably routed through foreign servers and internet gateways. A large slice goes to countries like the UK where BT is the provider using Huawei equipment, not to mention other Chinese equipment manufacturers like ZTE. And not to mention the share of our communications traffic to and from China itself. According to a 2018 Chinese study, the diversion of internet traffic through other countries is increasing in spite of intensifying claims to internet sovereignty.
The campaign against Huawei imagines that Australia has a cyber border. It does not. It’s deeply entangled in a globalised laissez-faire ICT economy and diffuse internet traffic pathways. Our public policy is still learning the nature and scope of this reality.
Greg Austin, a former intelligence analyst, is Professor of Cyber Security, Strategy and Diplomacy at UNSW Canberra. He is the author of Cyber policy in China (2014), Cybersecurity in China (2018), and several other books on China’s security policies.
This article was originally published by The Australian Strategic Policy Institute’s The Strategist.
source: The University of New South Wales