Germany Is Soft on Chinese Spying
Last week, New Zealand decided to exclude the Chinese technology company Huawei from providing equipment to operate its 5G high-speed mobile network due to “significant national security risks.” The country follows Australia and the United States, which have also excluded Chinese companies from supplying 5G infrastructure.
In Germany, meanwhile, security has so far hardly played any role in the debate over the fifth generation of cellular technology. In the terms of reference published last week by the German Federal Network Agency for its 5G auction, security was not even included in the conditions for awarding the contract. In October, the government announced: “A concrete legal basis for the complete or partial exclusion of particular suppliers of 5G infrastructure in Germany does not exist and is not planned.”
That is dangerously misguided. As Australia’s intelligence chief has pointed out: “5G is not just fast data, it is also high-density connection of devices — human to human, human to machine and machine to machine.” 5G will carry communications we “rely on every day, from our health systems … to self-driving cars and through to the operation of our power and water supply.” 5G will be the backbone of our industries and societies. “Critical infrastructure” hardly gets more critical. And the security risks are accordingly high. Wherever Chinese technology companies supply 5G infrastructure, they will have access to huge volumes of sensitive data and industrial secrets — and there’s reason to think they would eventually be forced to spy on behalf of Beijing. The Chinese government could also use these companies to disrupt other countries’ infrastructure in a future conflict.
Given the massive cybersecurity and national security risks, the only responsible decision is for Berlin to follow the Australian, New Zealand, and U.S. lead and ban Chinese providers from the German 5G network. In doing so, Europe’s strongest economy would send a crucial signal to the rest of the European Union members that are grappling with the same decision.
Contrary to Huawei’s claims, the decisions by Australia, New Zealand, and the United States were not motivated by crude protectionism. In none of these three countries will domestic suppliers be the primary beneficiaries. The anomaly of the 5G market is that there is no leading U.S.-based supplier covering the full technological spectrum. The companies profiting from a ban on Huawei and ZTE are mainly two European companies: Nokia and Ericsson.
Still, those calling for banning Huawei face an uphill battle across Europe. Huawei has strong supporters (not least due to its very professional lobbying operation and deep ties within the political scene). It markets itself as a private company, which is organized as a cooperative and is in no way under the control of the Chinese state. Network operators such as Deutsche Telekom are among Huawei’s cheerleaders. Deutsche Telekom warns against excluding “high-performance suppliers” such as Huawei if the country wanted to build its 5G network quickly and at cost. Huawei already supplies much of the existing German 3G and 4G infrastructure.
For Deutsche Telekom and other network operators, the situation is clear: Huawei offers innovative and reliable products at highly competitive prices. Legally, Deutsche Telekom does not bear any liability for the security risks associated with Huawei technology. And the company does not care about the fact that Huawei’s price advantage is the result of a highly skewed playing field in China. In the world’s largest market, domestic providers control 75 percent of the market, giving them unbeatable economies of scale.
Remarkably, Huawei’s defenders also include the Federal Office for Information Security (BSI), Germany’s cybersecurity agency. Its president, Arne Schönbohm, believes the agency has the capabilities to check on whether suppliers meet security requirements, providing “technically substantiated statements of trust.” Huawei, for its part, describes itself as “the most audited company in the world.” The company offers to put its equipment through any inspection in testing centers jointly run with governments. Last month, they put one such center into operation in Bonn in cooperation with the BSI. Schönbohm was enthusiastic: “We welcome the opening of this laboratory, which enables a further and deeper technical exchange between Huawei and the BSI.”
His ebullience is misguided. The Bonn center follows the British model, where the Huawei Cyber Security Evaluation Centre has existed since 2010 controlled by the British intelligence service GCHQ, among others. Yet just this year, the British inspection report could give “only limited assurance” that Huawei products do not pose any risks to national security. This prompted the government to warn network operators that current rules could be changed and that certain suppliers (i.e., Huawei) could be excluded. Speaking about building Britain’s 5G network, just this week MI6 chief Alex Younger said the UK needs to take decision on “the extent to which we are going to be comfortable with Chinese ownership of these technologies.”
The final British decision is still pending, but the conclusion for Germany should be clear. If the British GCHQ, which is technically far superior to the German BSI, cannot issue a clean bill of health for Huawei, we don’t have to wait for the BSI’s own efforts. In the future, the testing centers will be in an even worse position. Checking for possible hardware backdoors will only be a small part of the job. Virtualization (and related software) will play a central role for 5G. And with weekly software updates, infrastructure operators will have a front door to compromise systems. No testing center would be able to check weekly software updates in advance.
For good reasons, the German intelligence services, unlike the BSI, take a far more critical view of the Huawei risk. They share the Australian intelligence community’s negative assessment, which, according to anonymously sourced reports in November, is based on at least one case of Chinese intelligence agents using Huawei employees to obtain access codes for a foreign network.
Such subterfuge would be in line with the Chinese National Intelligence Law of 2017. This law stipulates that “all organizations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work, and guard the secrecy of national intelligence work they are aware of.” This reflects the logic of the Chinese party-state. Companies may be nominally private, but this does not protect them from absolute claim to power of the Chinese communist party, which can direct Huawei to cooperate in espionage operations and efforts to manipulate or shut down vital 5G infrastructure. In light of this party-state logic, positive “statements of trust” for the use of Chinese technology in critical infrastructure, as promised by BSI boss Schönbohm, are irresponsible.
For this reason, Germany should ban high-risk Chinese suppliers. The legal argumentation should be inspired by last year’s new investment law, which blocks investments that “endanger the public order or security of the Federal Republic of Germany or essential security interests of the Federal Republic of Germany.” This decision is bound to increase costs for network operators such as Deutsche Telekom in the short term and could also lead to delays in network expansion. But these costs are well worth bearing given the incalculable risks to its critical infrastructure that Germany would otherwise incur.
The faster the decision to exclude high-risk providers such as Huawei is taken, the sooner the network operators can adjust to this new reality. A quick decision would also send an important signal to the rest of Europe. In particular, the countries integrated into the German industrial value chain are looking to Germany, thinking: If Germany as Europe’s strongest economy that has the most to lose is not concerned about the security of its 5G infrastructure, then why should we be worried? These countries would likely follow suit if Germany decided to ban Chinese suppliers.
A decisive approach on 5G critical infrastructure risks would be a sign that Germany takes seriously the debate about the challenges of technological sovereignty — that is the ability to autonomously master crucial technologies domestically. More difficult decisions will soon be in store. The United States is pushing not only for a ban on Chinese 5G, but also for a larger decoupling between itself and China when it comes to cutting-edge technology. They have proposed a “trusted market” among allies. This would mean a full exclusion of China from supply chains. Right now, European 5G suppliers such as Nokia and Ericsson still rely in part on Chinese components.
This also necessarily raises the more vexing question for Europe as to whether it can and should rely on U.S. technology. Having put an ugly face on U.S. hegemony, President Donald Trump is forcing Europeans to confront their own vulnerabilities. With 5G, Europe is spared having to choose between subservience to China or dependence on the United States, since with Ericsson and Nokia it can rely on two leading European technology providers. In most other areas — for example in many artificial intelligence applications, high-performance computing, or advanced battery cells—that is not the case.
There is no point in talking about technological sovereignty, as Europe often does, if you don’t have the necessary technological base. It’s high time for Europe to invest in catching up.
…
This commentary was originally published by Foreign Policy on December 9, 2018.