On December 8, 2020, the Citizen Lab published a report that investigates Huawei, 5G technologies, and Canadian telecommunications issues. Drawing exclusively on open-source reporting, it finds that Canada does not have a Huawei problem, per se; it has a 5G strategy problem that is linked to the Government of Canada lacking a principle-driven set of integrated industrial, cyber security, and foreign policy strategies that directly and meaningfully address the challenges raised by the current and expected 5G landscape. This document provides a summary of the research findings and questions and answers from the research team.
What is 5G?
5G refers to the fifth generation technology standard for broadband cellular networks. This generation of cellular connectivity will be deployed in two phases in Canada, with the first generally focused on increasing mobile broadband speeds, and the second generally enabling next-generation technologies such as the Internet of Things as a result of distributing sensors and actuators around the world that are tied into 5G networks. As a result, and as examples, homes might become better attuned to consumer preferences with the effect of reducing energy consumption; factories might be easier to reconfigure with the effect of enhancing productivity; and health care might be better offered across long distances with the effect of reducing government health budgets. If realized, 5G communications technologies could usher in significant social and industrial changes in the coming decades. But for any of these long-term potentials to be realized, 5G technologies must be available, installed, and trusted.
Why has so much talk of 5G adoption centred on Huawei?
Communications technologies are always political and 5G technologies are no exception. Much of the discussion about 5G has centred on Huawei because, first, the company has massively invested in research and development pertaining to 5G and, second, there are fears that the company might be forced to modify its products at the behest the Chinese government, which possesses technically sophisticated agencies that could take advantage of any compelled vulnerabilities.
Of note, and unlike when earlier mobile broadband networks were being deployed, there is no current equivalent to Huawei which means that western governments must grapple with the case that companies like Nokia or Ericsson cannot supply components for national networks as quickly or comprehensively as Huawei theoretically could. As a result, countries that block Huawei products may have to wait longer to have comprehensively national 5G infrastructures, to the effect that such countries may be placed at a competitive disadvantage against countries that do adopt the currently-available Huawei 5G equipment.
What are the perceived risks of Huawei?
The most widely raised risks linked with Huawei pertain to the company’s technical security. Specifically, the United Kingdom has documented that Huawei’s equipment is routinely rife with glaring security vulnerabilities that, if left unchecked, could leave UK networks vulnerable to hackers. All of the vulnerabilities found by the UK to date, however, are incidental—they are unintended coding errors by Huawei employees as opposed to vulnerabilities which were deliberately inserted as a result of compulsion by the Chinese government. In addition to these glaring incidental vulnerabilities, a variety of western government officials have warned that the Chinese government could compel Huawei to insert vulnerabilities into the company’s equipment so that the government, or parties operating in coordination with it, could use the vulnerabilities for espionage, disruption, or attack operations.
Beyond the technical concerns linked with Huawei’s networking equipment, there are also worries that the company’s growing international dominance could stifle its competitors’ abilities to produce equivalent products and, as a result, create situations where the Chinese government could leverage dependencies on Huawei equipment to force countries to adopt China-friendly policies. Further concerns are linked to the creation of technical monocultures, or situations where a single vendor’s products compose the entirety or majority of a country’s telecommunications infrastructure. In monoculture situations, a vulnerability in one router or radio would exist in all infrastructures across a country, to the effect that operators could use a common exploit to intrude into, or disrupt, all of the affected products in a country.
Has Canada undertaken a security assessment of Huawei?
Huawei products have been assessed in Canada since 2013, though the results of most of these reports are kept highly confidential. Specifically, Huawei products have been subjected to a Security Review Program that is overseen by the Communications Security Establishment, which is Canada’s equivalent to the NSA. This program has excluded designated equipment from sensitive areas of Canadian networks, imposed mandatory assurance testing on products before they are used in less sensitive areas of Canadian networks, and restricted some of Huawei’s services across Government of Canada networks and other critical Canadian networks
In addition to the Security Review Program, equipment manufactured by Huawei and other vendors is also assessed using the Common Criteria for Information Technology Security Evaluation (“Common Criteria”). The Common Criteria is intended to assess the security of a range of information technology products used in Government of Canada networks and that are involved with the transmission, storage, or processing of sensitive information. Common Criteria testing is performed by independent labs that are accredited by the Government of Canada in tandem with testing performed by other countries and laboratories around the world. Some of Huawei’s products have been assessed under the Common Criteria. Of note, the Common Criteria assesses whether a product does what it says it will do and meets the claimed security functionality, but does not go so far as to assure that companies have properly implemented claimed functionalities. It is only with higher-level evaluations that systems’ computer code is evaluated or assessments conducted to reveal how products actually work in practice.
If perceived risks are largely unfounded, what are some of the legitimate security concerns of Huawei?
To date, there has been no open-source evidence to clearly demonstrate that Huawei has inserted vulnerabilities into its products at the behest of the Chinese government, or any other government for that matter. Instead, there have been a number of allegations, including that the company’s products can be used to conduct illicit wiretaps without telecommunications providers knowing that a wiretap has been initiated, that Huawei was involved in ‘bugging’ the African Union headquarters in Addis Ababa, Ethiopia, and that Huawei has taken direction from the Chinese military, amongst other allegations.
While no evidence has been presented to strongly support these allegations to date, there remain a number of technical security concerns associated with Huawei’s equipment. First, there are the risks associated with incidental vulnerabilities in the company’s equipment, or vulnerabilities that are the result of unintentional coding errors by Huawei employees. Second, there are risks that Huawei might be compelled to modify some of its products in the future at the behest of the Chinese government. In either of these cases, the broader worry is that vulnerabilities in Huawei equipment might be exploited to enable espionage, disruption, or attack operations.
In addition to technical security risks, there are also concerns that Huawei’s dominance might impede the abilities of its competitors to produce equipment that is technically equivalent to Huawei’s, with the effect that Huawei may squeeze out competitors such as Nokia, Ericson, or even Samsung. Should this occur, then as Huawei products become even more widely used the Chinese government might use countries’ dependence on Huawei’s products as leverage when it comes to trade or diplomatic negotiations: countries that decline to adopt China-friendly policies might find it harder to import Huawei equipment, receive service updates, or companies could find it becomes more expensive to acquire Huawei equipment in the future, all to the detriment of a country’s ability to enjoy a secure digital communications infrastructure that can grow the digital economy.
How does Canada’s stance on 5G and Huawei compare to the other members of Five Eyes?
Canada, unlike its closest intelligence and military allies, Australia, New Zealand, the United Kingdom, and United States of America (i.e., countries that collectively comprise the ‘Five Eyes’), has yet to make a firm decision about whether Huawei’s 5G products will be permitted, partially permitted, or fully banned from Canadian telecommunications providers’ networks. In the absence of a decision, all major Canadian telecommunications providers have focused on predominantly purchasing 5G equipment from Ericson and Nokia. In November 2020, the Canadian parliament passed a non-binding resolution that called on the Government of Canada to come to a decision about whether to ban or permit Huawei equipment in private companies’ networks, with a decision expected in December or January.
In investigating Huawei, what did you discover about Canadian infrastructure as a whole?
Broadly speaking, what became apparent is that Canada does not need to solve a ‘Huawei problem’ per se but, instead, needs to develop a comprehensive strategy to address 5G issues as well as those linked to industrial policy and foreign relations with China. State-affiliated and criminal parties alike conduct espionage operations on a daily basis in Canada and they do not exclusively discriminate towards companies that use Huawei equipment: vulnerabilities exist in all vendors’ products, including those sold by Huawei’s competitors. Consequently, Canada needs to adopt a security strategy that includes assessing all companies’ networking equipment rather than focusing on any single company.
Part of the reason why Huawei has become such a concern in some circles is because their chief competitors—Ericson and Nokia—are perceived as being behind the 5G curve, leaving companies to either acquire Huawei equipment now or wait for Ericsson and Nokia to catch up. In the past, Canadian companies such as Nortel or American companies like Cisco might have also been competitors to Huawei but, due to Canadian and American industrial policy, this isn’t the case today. As a result, the Government of Canada needs to develop a strategy intended to enable Canadian companies to better participate in the telecommunications sector or, failing that, at least better enable Canadian companies and non-governmental organizations to participate in standards processes to shape how telecommunications technologies will be developed.
Finally, the core concerns that are regularly raised about Huawei tend to, really, be concerns pertaining to the Chinese government’s capability to potentially interfere with Chinese companies to advance the government’s aims, or to otherwise behave belligerently to try and compel changes in how governments like Canada’s treat China. The Chinese government’s unconscionable detention of Michael Kovrig and Michael Spavor, as well as repeated sentencing of Canadians to death in China, alongside the China’s aggressive trade and propaganda activities all speak to the need for the Canadian government to develop a strategy that can be clearly communicated to Canadians, to our allies and friends, and to competitors that lays out the terms of engaging with the Chinese government. Any such strategy will need to be developed in Canada, but with the intent of working with our allies and friends to implement it and, also, support similar strategies which are developed in coordination with those same allies and friends.
If the issues outlined speak to structural issues in Canadian policy, what can be done?
At the end of the day, Canada doesn’t have a ‘Huawei-problem’ per se, so much as a need to develop a principle-driven set of integrated industrial, cybersecurity, and foreign policy strategies. These strategies must be operationalized at the policy level so as to mitigate (in this case) the risks linked with all vendors’ 5G networking appliances, and they must broadly seek to address risks, threats, and opportunities facing Canada as it moves to further digitize its economy.
Elements of these strategies might, at a high level, include working to protect and develop intellectual property expertise in Canada by actively providing funding to non-Huawei vendors or to universities to engage in basic research and standards-setting that will become the basis for 5G technologies. These strategies may also entail actively working to foster a more diverse telecommunications market, by mandating vendor diversity in telecommunications providers’ networks to prevent any vendors’ products from being weaponized by the country they are headquartered from. And, finally, they may entail diversified security processes that include robust assessments of all vendors’ 5G products—perhaps in coordination with our closest friends and allies—while working to ensure that auditors of products are held to account for their findings, as well as ensuring that private businesses are also held to account for protecting their networks as best as possible.