By Christian Leuprecht and David Skillicorn, March 1, 2019
For the 21st century, communications (the internet and its successors) and data will be as vital as oil and electricity were for the 20th century. Communication networks are the basis of business and industry, and increasingly, of social and political life.
Countries are developing and deploying a growing range of capabilities to leverage the cyber domain for their national interest using such techniques as theft of intellectual property, influencing other nations’ internal politics, conducting cyber-espionage, and even developing cyber weapons that can be used to inflict the kind of damage that has up to now required more typical weapons.
Sovereignty thus depends on the extent to which a country is able to exploit or defend national networks and assert control over the connectivity that the global communications infrastructure enables.
The importance of cyberspace to this century is why Huawei has been in the news. Quick to realize the importance of cyber capabilities, China has been strategic in enabling Huawei to compensate for the greater wealth and skill of the U.S. and other Western rivals.
Thirty years ago, Huawei had already leveraged intellectual property theft to leapfrog technological milestones: early versions of Huawei’s switches are said to be complete replicas of those developed by Nortel and Cisco, down to the pages of their operating manuals.
Network switches have an unavoidable inside track — they necessarily see all of the traffic that passes through them. Even when that traffic is encrypted, as most traffic on the internet now is, switches can analyze the patterns of flow — this so-called meta-data is key intelligence.
They can also slow some traffic, divert it somewhere (perhaps temporarily so that it can be analyzed), or even cut it off completely. Can countries in the West trust that Huawei network switches cannot, in the worst case, be controlled by Huawei, and ultimately by the Chinese government?
The U.K. government set up a joint organization between its signal intelligence organization, GCHQ, and Huawei to see if they could reach a workable level of trust in Huawei’s equipment. Their latest report suggests this has proven impossible. Even if a switch could be proven to be harmless, all switches must be able to update their software, usually over the internet itself; something that’s innocuous today can readily turn into a vulnerability tomorrow.
In this context, Huawei’s repeated claim that no Trojan Horse has been found in its systems is meaningless. Australia, the U.S., Japan, Germany, France, Poland and the Czech Republic have concluded that Huawei parts put their next-generation communications infrastructure at risk.
On the one hand, there will be a cost to banning Huawei equipment: less competition, higher prices and perhaps a slower build-out of 5G infrastructure. Deutsche Telekom has not raised objections to Huawei — even though one of the U.S. indictments is for alleged Huawei espionage of Deutsche Telecom’s U.S. subsidiary — and two of Canada’s three large telcos are lobbying aggressively against a ban. Along with the regulatory chill from its 2012 foreign investor protection agreement with China, that explains why Canada has been tepid about cyber defence and readiness measures that impose limits on equipment and service providers.
Since 2013, the Canadian Security Review Program has led to (1) excluding designated equipment in sensitive areas of Canadian networks, (2) mandatory assurance testing in independent third-party laboratories for designated equipment before use in less sensitive areas of Canadian networks; and (3) restricting outsourced managed services across government networks and other Canadian critical networks. Were selective exclusion to be expanded, someone else will have to provide the infrastructure instead. The array of potential suppliers is small to begin with, which will drive up cost.
On the other hand, there is also a cost do doing business with Huawei. Cyber manipulation poses an existential threat. That is why China refuses to extend reciprocity and has long barred non-Chinese companies from Chinese network infrastructure. The recent Review of the 2018 National Defense Strategy by the United States National Defense Strategy Commission found that the U.S. is likely to lose a war against China or Russia: a pre-emptive cyberattack by an adversary on, say, critical infrastructure would effectively paralyze the U.S., and its ability to retaliate. We know that the Chinese government has been mapping critical infrastructure systems — electrical grids and oil pipelines — in North America and elsewhere, probing their configurations and possible weaknesses to incorporate into their attack sets.
Banning Huawei is but one in an array of defensive measures that are necessary to raise the state of Canada’s cyber readiness: it will not deter digital exploitation by China, nor does it protect from unrelated vulnerability such as poorly constructed or designed network infrastructure; but it does deprive China of a key advantage.
Expanding the ban on Huawei equipment and services would have been straightforward if it had been made in concert with our allies. The ongoing U.S. push for NATO consensus on Huawei is proving elusive, in part because of the way the U.S. is perceived to be instrumentalizing the issue for political and economic ends. Absent a common allied front to counter China’s United Front, Canada’s decision is much more difficult, although it is the right thing to do. Slow-rolling the decision so as not to strain the relationship gives China unprecedented leverage and effectively amounts to abrogating Canadian sovereignty under duress of extortion. The integrity of Canada’s sovereign democratic decision-making processes and institutions is not discretionary.
Christian Leuprecht is Class of 1965 Professor in Leadership at the Royal Military College and Queen’s University, and Munk Senior Fellow in Security and Defence at the Macdonald-Laurier Institute. David Skillicorn is Professor in the School of Computing at Queen’s University.