Soon after the United States banned Chinese telecommunications giant Huawei from sourcing US goods and services last spring, the backtracking began. Despite labeling Huawei as a security threat, the US Bureau of Industry and Security (BIS) granted a short temporary reprieve to the company, which was extended on November 18 for the third time.
Disentangling the United States from Huawei has proven harder than anticipated. The two are locked in an economic bind. US chips and software are crucial for the functioning of Huawei’s networks, including portions of the US rural network. Huawei phones could lose access to Android security updates if a ban occurs. But such a ban could circle back to the United States in the form of losses to US suppliers and Chinese retaliation. These dilemmas are unfolding against the backdrop of a race for technological and strategic dominance by China and the United States.
For Washington, the decision on whether to shut Huawei—and China—out of the future 5G data networks in the United States pits economic arguments against security arguments. The two are measured by different scales, making it difficult to strike a balance. While the benefits from technology adoption, increased competition, and trade are well known, no analogous framework exists to help in thinking about the corresponding security risks. It is thus imperative to develop a framework that allows factoring in both sides of the issue.
With nearly 30 percent of the global telecommunications equipment market, Huawei is one of the world’s largest operators. Citing a number of security concerns, in mid-May the Trump administration added the company to the BIS entity list—a place reserved for those believed to be working against the security of the United States. A similar measure led Chinese tech company ZTE to a near shutdown in 2018. In order to mitigate the impact of the measure, however, the administration granted an initial 90-day reprieve in May—renewed in August and again in late November.
Entity listing is only the most recent in a series of salvos against the Chinese company over many years. In October 2012 a House Intelligence Committee investigation reported Huawei’s equipment as a potential national security threat. Shortly after, in March 2013, several US government agencies were banned from purchasing Chinese communication technology. The ban was expanded in August 2018 to all US government agencies and contractors. A new front against Huawei opened in January 2019, when the Department of Justice indicted the company for theft of trade secrets and sanctions violations. In May 2019, at the same time of BIS’s entity listing, President Trump declared a national emergency related to communication technology supplied by foreign adversaries. Commerce Department rules to assess the risk implied by transactions in such technology are currently under consultation. More action is therefore expected.
The United States also piled pressure on friends and allies to follow suit.
Market needs, security risks: Two scales, no balance
The case for a rapid deployment of 5G networks is compelling. With connections up to a hundred times faster and fifty times more responsive than what is currently on the market, 5G promises no less than a new industrial revolution. The new networks will support applications as diverse as self-driving cars, the Internet of Things, and remote surgery. The potential for economic growth lies both in the enormous capital outlays required and in the new network-intensive markets that the investment would spur. As the number of operators capable of laying 5G networks is limited, closing the market to one—by far the least expensive—could be costly.
At the same time, risks are significant but difficult to quantify. A long history of wire-tapping shows network infrastructure to be particularly sensitive to security concerns. A recent case of hardware implants in Chinese-made equipment demonstrates the risk stemming from compromised equipment. Huawei’s record is not particularly pristine or transparent: The company’s ownership structure is unclear at best, with alleged links to the Chinese national security bureaucracy. In the most extensive review of its equipment to date, the United Kingdom’s dedicated evaluation center, HCSEC, concluded it could “only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.” Indeed, undocumented backdoors have been found in Huawei-manufactured home equipment.
Security concerns arise from two dimensions. First, compromised infrastructures can be weaponized. Portions of the network, or crucial network-reliant applications, can be turned off or against an unsuspecting adversary. Russia’s shutdown of Ukraine’s power network in 2016 serves as an example. The Australian Signals Directorate found this applies with added force to 5G. Because 5G networks will support a much larger number of devices, the perimeter of attack increases exponentially. Unsafe infrastructure also lends itself to a second, more subtle, risk: Personal data can be siphoned off by hackers or foreign adversaries and used for cybercrime, identity theft, or blackmail.
Sketches of a framework
The possibility of the national grid being turned off is an obvious concern. So is the possibility that some embarrassing teenage footage is used for blackmail. These risks are impossible to assess. Yet recent history shows that security concerns need not always prevail: Soviet gas supplies continued to flow to Europe despite the Cold War and more recent tensions between Europe and Russia. As warfare moves to the digital and economic space, the call for a consistent framework to assess the risks and benefits of integration becomes increasingly urgent.
Rough contours of such a framework could include:
First, set non-negotiables. Certain matters of national and individual security trump economic arguments. While these need not be set in stone, they should include fundamental ethical principles and constitutional rights, and enable governments to enforce the rule of law and citizens to enjoy their rights. Control over cyberspace depends on control over network infrastructure. Should the presence of Huawei risk compromising non-negotiable principles, it would seem legitimate to ban the company and force—or even subsidize—the uprooting of its existing components.
Second, estimate and manage risks outside of the non-negotiable perimeter. Should the threat be considered non-vital, steps should still be taken to ensure network safety. This might include some UK-style vouching of software and equipment, as also proposed in the recent Department of Commerce regulation, or require cooperation with trusted providers.
Third, insure losses. As cyberattacks will inevitably take place and cause economic disruption, an insurance market for non-catastrophic risks should be fostered. While catastrophic losses should be averted through the first two steps, fostering an insurance and re-insurance market might also entail some form of government backstop.
Editor’s Note: Huawei was a supporter of the Peterson Institute for International Economics until 2018, when the relationship was discontinued.