The decision to remove Huawei has been signposted for weeks, and comes as international scrutiny of their equipment continues. In this post we explore why the UK has changed its stance on Huawei and the cyber security challenges the decision highlights.
The sanctions placed on Huawei will impact how products are designed and where their internal components come from, in turn leading to probable security and reliability issues as these changes are made.
In May the United States sanctioned Huawei, restricting their ability to use US technology or software by placing them on what is known as the ‘entity list’.
Subsequent changes in the US export control rules meant that no-one, anywhere in the world can produce Huawei’s own designed components to Huawei if US technology was used in the design and manufacture process of those components.
This sanction essentially aims to cripple Huawei and forces Huawei to seek non-US components and technology to use in its products and manufacturing processes. This will lead to major changes in how Huawei products are designed and manufactured, as well as where the internal components come from, in turn likely leading to more security and reliability issues. The UK has therefore taken the decision to remove Huawei from UK telecoms networks.
Critics of the US decision feel that Huawei has fallen victim to anti-globalization policies from the US and is a casualty of the ongoing American trade war with China.
Security and reliability issues
The level of change required in Huawei products should not be underestimated. Widespread technology design changes are likely to create security vulnerabilities, even if well tested.
All commercial engineering efforts contain defects, even in safety critical sectors such as aviation where every effort is made to remove them.
There is also the need to ensure that the design and manufacture of Huawei equipment does not contain malicious functionality, or other security issues. If this ban were not in place the UK would need to assure itself that these changes do not undermine national security, which is both an expensive and time consuming exercise.
The UK 5G networks are likely to become prevalent and vital in many sectors, including the critical national infrastructure. The reliability and continued availability of Huawei equipment in these networks therefore becomes more critical. If the 5G network, or other telecommunications that relied on Huawei could be disrupted by China this poses a risk to national security.
The circumstances in which this would happen are hard to imagine. Highly offensive cyber attacks are only currently plausible under warlike geopolitical conditions or during international crisis.
If Huawei does have the capability and were to carry out such an action it would likely only happen once. Once detected, the evidence of such an issue would force major changes and removal of the offending equipment.
The only counterpoint to this is if Huawei were the sole provider of a nation’s entire infrastructure and could not be replaced. This may reduce the perceived risk from carrying out such an attack.
The broad risks associated with these types of equipment should not be ignored. Vulnerabilities in the supply chain of network hardware and software has been, and will continue to be a threat to the security of telecoms organisations and national networks.
Removal of Huawei Equipment
The Government has been sensible in giving the telecommunications sector until 2027 to remove Huawei equipment. Huawei equipment is widespread throughout UK telecoms networks and will take considerable effort to remove.
This period allows service providers to replace Huawei piece by piece, and removes the need for an immediate change. A different US administration could lead to this change being reversed, and the UK telecoms sector may not want to rush to replace this equipment.
Even if Huawei finds a way around US sanctions, it will take considerable effort to gain confidence in their new designs and components.
The impact for technology businesses
Global technology businesses should take note of the Huawei decision. As a business if you are on the wrong side of US sanctions, it will now have wider implications. It is becoming difficult to separate the country of origin from a business, for example Nokia is held up as a poster child for Finland.
Businesses who may end up in these situations now need to consider two strategies. Firstly transparency initiatives, to remove criticisms of opaque business practices and to create assurance in customer countries. Whilst costly, this strategy is likely to help sales into government, defence and critical infrastructure sectors.
Secondly it is wise to plan for how products can be designed and manufactured outside of the US, and how all US technology can be removed from the design and manufacture processes. This is likely to be a costly and difficult exercise, but may be worth considering as a direction of travel.
The US sees no downside to reducing competition at the same time as increasing national security. Only time will tell, but taking a competitor out of the market could lead to US companies becoming complacent, which would mean US innovation and development could be slowed.
Global technology providers should take heed of the impact of a product being placed on the US entity list, and how that effects their supply chain, as well as the macro economic impacts of being on the wrong side of US policy.
The future for Huawei
The response from China is likely to be muted in the short term. Huawei already designs its own components, and is now likely to accelerate this. It is also likely that Huawei will look to develop internal versions of any US technology involved in the design and manufacturing process, or that the Chinese government will encourage innovation efforts in this area.
Huawei has embraced transparency and assurance activities, such as those they managed with the UK National Cyber Security Centre. A change of administration in the US, coupled with a relaxing of sanctions may lead to these activities resuming and a limited role being found for Huawei in the UK.