Interoperability is the solution to the Huawei dilemma
5G is the upcoming fifth-generation of mobile internet connectivity, designed to support a hyper-connected world of fast-speed and low-latency communications, in which our houses, factories, power stations, operating theatres, vehicles and everything else is capable of being remotely controlled.
Huawei has a year of R&D advantage over the rest of the world in this technology, and they are poised to supply the hardware and software to make 5G work throughout the world. But a vexed question has arisen: should the UK let a Chinese company provide national critical communications infrastructure? China and the West have a documented history of spying on each other, and China has laws which some have claimed can mandate its companies to help their country’s intelligence operations.
This question has a significant political aspect. The strong stance against Huawei in the USA may be based on commercial considerations as much as security ones. After all, Huawei has recently overtaken Apple to become the Number 2 mobile phone producer in the world after Samsung, and is likely to become Number 1 next year. In contrast with the USA, European countries including the UK has taken a much softer approach. Experts have emphasised the need to base the decision on facts, and primarily technical ones. Politicians appear to have decided that Huawei 5G equipment will be welcomed in UK mobile networks, except in a relatively small but imprecisely defined “core” that is deemed to be particularly sensitive. The UK may be taking a softer stance partly because, in the context of Brexit, we can’t afford to turn our backs on international trade. But our emphasis on basing the decision on technical facts makes good sense.
In spite of the rhetoric around spying, the concern isn’t so much that backdoors in Huawei products could be used for that purpose. These days, communications can be routinely and automatically end-to-end encrypted, so the infrastructure that carries the bits should have no possibility of understanding their meaning. It’s true that encryption doesn’t hide the “metadata” of communications; the frequency and timing of messages between two end-points can reveal useful information, even if the content is encrypted. But that is not the main concern either. The big threat is that the equipment could have secret commands that allow it to be switched off remotely, or allow its service to be downgraded. This could be used by adversaries at a time of international tensions or disagreements, and could cause huge economic damage in the UK and even loss of life.
Concern about this kind of possibility has led Huawei and GCHQ to collaborate since 2010 in running the Huawei Cyber Security Evaluation Centre (HCSEC). Funded by Huawei but with terms of reference determined by GCHQ, its purpose is to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s existing critical national infrastructure. Through HCSEC, the UK Government is provided with deep technical insight into Huawei’s UK’s strategies and products. Each year, HCSEC produces a report detailing their findings. This year, the report has been distinctly more pessimistic than previous ones, identifying issues in Huawei’s approach to software development that bring significantly increased risk to UK mobile network operators. Importantly, these concerns are not about deliberate backdoors that might allow malicious interference with the deployed equipment: no evidence of such facilities exists. Rather, the fears are about whether Huawei’s software development standards are secure enough to resist attacks from third parties. In the rush to get products to market, companies very often take shortcuts that can lead to security vulnerabilities, and it seems that Huawei is no exception. But American companies make telecoms equipment with security vulnerabilities too. Cisco Systems, a major US networking equipment manufacturer, had to issue 40 security patches in May 2019 alone, and that included several backdoors.
So, should the UK accept 5G infrastructure from Huawei? Putting nationalistic sentiments and prejudices aside, there is no evidence that Huawei products have any features that would deliberately compromise or weaken their security (something that may be more difficult to say for Cisco). The right way to mitigate against perceived risks of this kind is to build a heterogeneous network, comprising equipment from a variety of companies, in order to avoid being overly dependent on any particular company. It is useful to make a comparison with the situation of Microsoft in the 1990s. At that time, Microsoft had a stranglehold on information technology. Microsoft Office documents were ubiquitous, but proprietary; they were stored in file formats that have closed specifications. The only way to edit or view files was to buy a PC running Microsoft Windows and Office. Microsoft had a monopoly, because it owned the formats of documents that everyone was using, and prevented other parties developing software alternatives. OpenOffice partly reverse-engineered the document formats, and in 2008, Microsoft bowed to public pressure and officially released the format specification. Today, modern Office formats have open standards.
The way to avoid technology lock-ins and monopolies is to have open international standards, and encourage lots of organisations and individuals to develop hardware and software that matches them. By making the standards open and unambiguous, we can ensure that products are interoperable, so that nobody is forced to buy equipment from any particular manufacturer, and can swap devices made by different manufacturers with no loss of compatibility. The 3GPP is the organisation that coordinates 5G standards, and its technical specifications are available for anyone to view and implement. Patents exist on some technologies, but 3GPP mandates licensing on fair, reasonable and non-discriminatory (FRAND) terms.
Today, Huawei is the only ready supplier of 5G equipment. We have the opportunity of being an early adopter, and start trialling the technology and deploying it in cities across the country. As other companies catch up with Huawei, we can integrate their products into our infrastructure. In the long term, the UK should source 5G equipment from a wide variety of companies across different countries, benefiting from and supporting the interoperability efforts of the 3GPP. By building infrastructure incorporating equipment from several manufacturers working interoperably, we can avoid being overly vulnerable to issues that arise with any particular one. Meanwhile, we should use our negotiating position to encourage Huawei to clean up its secure software development act, and get top marks in the GCHQ evaluation next year.
Mark Ryan is Professor of Computer Security at the University of Birmingham. His research is partly funded by several companies, one of which is Huawei, and he is a member of Huawei’s academic Security Advisory Board.