Huawei and 5G: A Crisis for Cyber Security Governance?
The security of mobile networks relies on cooperation between private companies and governments. How have public-private partnerships in the telecom sector dealt with the new risks of fifth-generation (5G) mobile network technology, and how did the introduction of Huawei affect existing cooperation?
Over the course of 2019, discussions about fifth-gen (5G) mobile network technology, and the controversial role of Chinese telecom company Huawei as 5G supplier have made various headlines in Dutch newspapers. As well as the security risks 5G will introduce in health care services, self-driving cars and so on, there are concerns surrounding Huawei and the risk of espionage. The Dutch intelligence agency, the AIVD, states that the Netherlands should not become dependent on 5G suppliers from countries that exercise an offensive cyber-programme against the Netherlands. Not just in the Netherlands, but all over the world countries are faced with possible security concerns, and have to deal with the question: “What do we do about Huawei?”.
Other countries have also grappled with this question. For example, in January, the UK Prime Minister Boris Johnson published the UK’s approach to Huawei, allowing limited access, in contrary to the US urging the UK to ban Huawei completely. Similarly, the Netherlands only allow Huawei to supply equipment for antennas and so on, and exclude them from supplying more vulnerable parts. The distinction between less and more vulnerable parts of the network is based on a risk analysis, discussed below.
Public-Private Partnerships in Cyber Security
The issue of Huawei and 5G becomes more complex when considering that mobile networks are maintained by private telecom companies (mobile providers), and that the security of these networks relies on cooperation between these private entities and the public sector. Huawei is generally considered to be one of the best as well as one of the most affordable out of the limited number of 5G suppliers prepared for 5G network roll-out at this time. This results in a conflict of economic interests of the private companies versus security interests of the government.
I wrote my thesis on the security risks of 5G, and focused specifically on this cooperation: the public-private partnerships necessary to maintain the 5G network, and the conflict of interests between public and private entities. I used the case of Huawei as a ‘crisis’ to the existing public-private cooperation in the telecom sector, highlighting this conflict of interests, and analysing how various countries dealt with this ‘crisis’.
In my thesis, I looked at the United Kingdom and the Netherlands, and compared the two countries on their performance with regards to three core elements of public-private cooperation in cyber security. These elements are: clear definition and common understanding of roles and responsibilities, an active private sector shaping regulation, and information sharing based on trust.
The introduction of Huawei motivated both governments to redefine responsibilities and expand the role of both sides of the partnership, improving common understanding as a result. Additionally, the private sector was actively involved through cooperation with the National Cyber Security Centres (or NCSCs) in both countries, as well as the collaborative risk analyses into the risks of 5G suppliers and the telecom supply chain. In the Netherlands, this risk analysis was performed by a ‘Taskforce’ lead by the Dutch NCTV, including the telecom companies and representatives from the AIVD, MIVD, the Ministry of Defense and other public institutions. The UK conducted a similar risk analysis, as detailed in the ‘Telecoms Supply Chain Review’.
The third element, information sharing based on trust, was more difficult to research. I approached this by focusing on the ‘trust’ part, arguing that issues like a delayed decision can damage trust. In contrast, actively engaging with the companies themselves, and including private companies in the regulation-shaping process, can be beneficial for effective information sharing.
Don’t treat Huawei as a one-off event
Learning from the way these two countries dealt with Huawei, it is important that Huawei is not viewed as a unique event in the context of dealing with cyber risks. Huawei is special in the sense that it has gained a lot of media attention, and of course other geopolitical factors like the US-China trade rivalry also distort the discussion.
Based on my analysis, constant cooperation between sectors and continued adaptation is vital for cybersecurity, especially in the context of new technologies like 5G. Institutions like the National Cyber Security Centres played a core role in facilitating this cooperation, and the Dutch ‘Taskforce’ risk analysis is a concrete example of public-private cooperation in practice.
Reflecting on their response to Huawei, governments should focus on translating these one-off ‘crisis’ responses to Huawei, like the Taskforce or UK risk analysis, into a more structured approach to dealing with risks of 5G suppliers, closely cooperating with the telecom companies.