Executive Summary
Communications technologies are always bound by politics. The ability to communicate more quickly, decode other parties’ secret communications, interfere with the integrity of communications, or control what communications infrastructures are available can empower governments and corporations alike. The rise of the fifth generation (5G) mobile broadband cellular technology has brought all of these issues into stark relief as governments, telecommunications providers and vendors, security experts, academics, and citizens have increasingly questioned whether next-generation networks can be trusted to provide reliable, secure, and robust service.
Bringing many of these questions into focus has been the gradual loss of North American capabilities to independently conduct domestic research and development, and to produce, full-scale 5G communications systems and infrastructures that are promised to power the next generation of economic growth. In tandem with the rise of the Chinese company Huawei as a leading telecommunications vendor for 5G systems and China’s increasing willingness to forcibly assert its interests internationally, governments in Australia, Canada, New Zealand, the United Kingdom, the United States (the ‘Five Eyes’ security and intelligence alliance), as well their European allies, have publicly worried and debated about the implications of their nations’ telecommunications networks being substantively composed of products manufactured, sold, and maintained by Huawei. Publicly, those concerns have tended to be similar. Some quieter concerns have surrounded whether Huawei has fairly acquired all of the intellectual property it has used to develop its technologies and, more broadly, the business and political influence risks associated with Huawei becoming the world’s predominant telecommunications vendor. Some concerns have been raised more loudly about whether the Chinese government could compel Huawei to modify its technologies to facilitate cyber-espionage or disruption operations that could potentially threaten national economies, undermine military capabilities, or otherwise weaponize Western and Western-allied countries’ communications networks.
The actual evidence that supports many of these concerns tends to be somewhat murky. This is especially the case when it comes to the Canadian debates concerning Huawei and 5G technologies. This report, “Huawei and 5G: Clarifying the Canadian Equities and Charting a Strategic Path Forward,” draws exclusively on open-source reporting to clarify the concerns, assess their seriousness, and outline possible mitigations. But, perhaps most substantially, the report asserts that Canada does not have a ‘Huawei problem’ per se. Instead, Canada has a 5G strategy problem that is linked to the Government of Canada lacking a principle-driven set of integrated industrial, cyber security, and foreign policy strategies that directly and meaningfully address the challenges raised by the current and expected 5G landscape. In essence, the Huawei problem should really be reframed as a problem about the Government of Canada’s ongoing failure to coordinate across and outside of government to develop a cohesive approach to secure communications infrastructures regardless of whether the vendors powering those infrastructures are based in China, Korea, Norway, or Sweden.
The first three parts of this report provide a background on 5G technologies and its prospective deployments in Canada, on the Chinese telecommunications vendor Huawei, and on the stances that Five Eyes countries have taken toward Huawei and other Chinese telecommunications vendors. More specifically, Part 1 of this report provides a brief background to 5G technologies in Canada and emphasizes how early decisions concerning the choice of 5G vendors can make it challenging and expensive for telecommunications providers to switch equipment vendors during mid- and late-stages of 5G deployments. Part 2 outlines key features of Huawei. It recognizes that Huawei has massively invested in research and development, to the effect that the company has accumulated a large volume of key patents that underlie 5G technologies, and it briefly recounts many of the concerns that Western governments have raised concerning the prospect that the Chinese government could influence the company. This part of the report also acknowledges the difficulties in assessing the accuracy of Western governments’ concerns based on their common failure to publicly present reliable evidence that would support their security- and influence-based worries. Part 3 discusses the varied and changing stances that Australia, Canada, New Zealand, the United Kingdom, and the United States have taken toward Huawei. Whereas some of these countries have, as at the time of writing, formally banned Huawei or are in the process of requiring at least some of the company’s networking equipment be removed from national networks (Australia, United Kingdom, United States), New Zealand has adopted an ostensibly vendor-neutral security assessment process, while Canada has delayed making a decision as to whether to permit, ban, or partially ban Huawei from selling 5G technologies to Canadian telecommunications companies.
Parts four through seven tease out a range of concerns that Canadian agencies have raised about Huawei and its products in Canada and by our closest diplomatic and military allies. Part 4 takes up questions about the propriety of Huawei’s intellectual property portfolio, the company’s dominance in the 5G space, and allegations that the company has benefited from state- or corporate-driven corporate espionage. After recognizing that at least some of the allegations appear to be grounded in verifiable fact, a set of mitigation actions are proposed. First, Canada should adopt a comprehensive national approach to address all cases of foreign corporate espionage to guarantee that such illicit activity can be prevented or sanctioned, regardless of the company alleged to have carried it out or to have benefited from such activities. Second, Canada could deliberately increase research and development funding for Huawei’s competitors—such as Ericsson and Nokia—as well as to Canadian universities to conduct basic research related to next-generation telecommunications. Third, defensive security briefings could be provided to Canadian universities, which generate intellectual property pertaining to next-generation technologies. These briefings could help universities develop and implement public policies intended to mitigate any risks that their research partnerships might jeopardize Canadian economic or national security. Finally, the Government of Canada could more prominently engage with standards bodies to, at least in part, guarantee that such standards have security principles baked in and enabled by default; such efforts could include allocating tax relief to corporations, as well as funding to non-governmental organizations or charities, so that Canadians and Canadian interests are more deeply embedded in standards development processes.
Part 5 accounts for some of the monopoly and trade-related concerns linked with Huawei and with the company being domiciled within China. Specifically, Huawei benefits from trade policies fostered by the Chinese government with the effect that the company is able to compete globally in ways that are difficult for their competitors to match. This uneven competitive playing field includes the presence of Chinese trade barriers that inhibit non-Chinese telecommunications vendors from widely selling products into China and the availability of state-backed, low-interest loans for Huawei’s customers. Broadly, these benefits may increase the likelihood that Huawei could become the dominant global telecommunications vendor and, by extension, leave countries such as Canada more likely to be dependent on Huawei in the next stages of 5G development and future 6G deployments. Such dependence would also heighten the security risks posed to Canadian telecommunications companies if these companies predominantly purchase Huawei equipment that possesses either unintentionally or deliberately inserted vulnerabilities. Finally, as China becomes increasingly assertive internationally, it might use any country’s dependence on Chinese telecommunications vendors’ products as a bargaining chip in diplomatic or trade negotiations. At least some of these challenges might be mitigated by the Canadian government working with allies to appeal to the World Trade Organizations about financial benefits Huawei enjoys from the Chinese government’s policies, and to reduce potential risks linked with vendor lock-in by promoting a more vibrant telecommunications vendor community, and thus ensuring that national telecommunications networks can be serviced by a range of companies; these measures could reduce the ability of any country to use their vendors’ products as leverage in either bilateral or multilateral negotiations or disputes.
Part 6 attends to what have been the core set of concerns raised about Huawei’s products: that its technologies might possess incidentally or deliberately inserted vulnerabilities that the Chinese government or parties operating on its behalf could exploit to the detriment of Canadian interests. This part is, almost by necessity, somewhat speculative as relatively little public evidence has been provided by any government to confirm the assertions that the Chinese government has forced vulnerabilities into Huawei products; most of the open-source evidence of security deficiencies in the company’s products, to date, has emerged from the United Kingdom’s Huawei Cyber Security Evaluation Centre. After outlining how such vulnerabilities could prospectively be used to enable either espionage or disruption activities, a set of made-for-Canada mitigations are outlined. These focus on three sets of proposals. First, Canadian information assurance operations could be expanded. Such operations would be used to intensively assess products sold by Huawei—as well as other telecommunications vendors—as a way to reduce the likelihood that they contain accidentally or deliberately injected vulnerabilities that could be used to negatively affect Canadians or their governments. Such information assurance operations might be coordinated with close allies to comprehensively assess the security properties of many vendors’ networking appliances and other critical infrastructures. Second, security and foreign intelligence operations might be conducted by the Canadian Security and Intelligence Service and Communications Security Establishment, perhaps sometimes with the involvement of the Royal Canadian Mounted Police as appropriate, to increase the costs of secretly inserting vulnerabilities into networking appliances as a way of dissuading any government from tampering with Canadian critical infrastructure. Third, the Canadian government could adopt policies that are designed to make it more difficult to leverage vulnerabilities in 5G appliances to the detriment of Canadians. Such policies might include, as an example, forcefully advocating for the development and integration of strong end-to-end encryption into the Internet of Things and end-point software systems so that compromising 5G networking appliances will not necessarily lead to the revelation of the contents of communications or automatically confer the ability to tamper with the content of those communications.
Part 7 takes up the broader issue of the state of China’s rule of law. The Chinese government has sought to improve on its citizens’ legal literacy to legitimize the government’s activities. At the same time, the Chinese Communist Party and key national security organs of the Chinese state remain elevated above the reach of the courts. The effect of this, in tandem with national security legislation that was passed in 2017, is that should Huawei be compelled to modify its products, the company’s ability to resist such pressures in Chinese courts are unlikely to succeed. Consequently, any effort by Canada or its allies to mitigate the risks associated with the Chinese government exercising its domestic powers on Huawei are most likely to take place in international fora where the Chinese government can be pressured into demonstrating robust domestic rule of law, if only so international companies can be assured of the trustworthiness of Chinese products as China seeks to grow its export markets. In a worst case, Canada and its allies may simply need to develop strategies that anticipate Huawei being forced to modify its products and develop robust information assurance programs to shame the company, and Chinese government, while also serving as a way of issuing warnings to any company that has purchased similarly deficient products.
Finally, Part 8 outlines some key elements of a 5G strategy for Canada. It focuses on why such a strategy should not be designed to solve a Huawei problem, but to ensure the resiliency, security, and availability of all 5G technologies regardless of the vendor that produces them. These elements draw from earlier sections of the report and specifically suggest ways of protecting and developing intellectual property expertise in Canada, ways of building processes to foster a more diverse market of 5G vendors to mitigate many of the risks linked with vendor monocultures, and ways of ensuring that Canada develops a diversified security posture. In this last category, the Canadian government should work with its allies to engage in coordinated assessment of vendors’ networking products, similar to the way the United Kingdom’s Huawei Cyber Security Evaluation Centre currently operates. Simultaneously, Canada’s security intelligence and foreign signals intelligence agencies should focus their efforts on protecting next-generation infrastructures while remaining subject to strict review to ensure that Canadians can trust that these agencies’ activities are lawful, proportionate, and necessary; such trust is essential if Canadians are to trust any reviews or public assertions made by Canada’s intelligence and security community. And Canadian companies and other external-to-government stakeholders must be involved in any cybersecurity strategy pertaining to 5G, both so that the government can tap into expertise and knowledge outside of government agencies and because the actual next-generation infrastructures will predominantly be privately run and managed: Canada’s 5G challenges can only be overcome in partnership with parties outside of government itself.
A Canadian 5G strategy will need to be coordinated across government in partnership with non-government stakeholders, and it should be designed to mitigate the risks associated with how foreign governments could try to exploit the technology to the detriment of Canadians. Adversaries already probe and exploit Canada’s existing networking infrastructures on a daily basis, and they will continue to do so into the future regardless of which vendor’s products underpin our telecommunications networks. The solution to Canada’s 5G problems will not be found in policies that principally address one company. Instead, a robust and vendor-neutral approach is required. It is my hope that this report, in its entirety, sufficiently lays bare why an interwoven set of Canadian experts and organizations is necessary to create and execute Canada’s 5G strategy, and why any effort to address issues linked with Huawei products in isolation will almost certainly fail to functionally address the broad collection of political, technological, and security issues linked to 5G technologies.