For several years the Canadian telecommunications sector has been caught in what some call the “Huawei problem,” a set of controversies over whether Ottawa should allow telcos to buy 5G wireless equipment from the Chinese manufacturer amid allegations that it owes allegiance to Beijing.
While it is being squeezed by the United States to ban Huawei gear the Trudeau government’s decision is also complicated by China’s detention of two Canadians in apparent retaliation for our agreement to extradite Huawei’s chief financial officer to face charges in the U.S.
But a new report from a research group says the real issue is not communications security but Canada’s failure to have a cohesive approach to a secure telecommunications infrastructure regardless of the manufacturer’s country of origin.
The report issued Tuesday by Citizen Lab, a research unit of the University of Toronto’s Munk School of Global Affairs, says some allegations that the company has benefited from state- or corporate-driven corporate espionage appear to be true.
But, it adds, any 5G strategy shouldn’t be designed to solve a Huawei problem. Rather, it says, the strategy should “ensure the resiliency, security and availability of all 5G technologies regardless of the vendor that produces them.”
“Adversaries already probe and exploit Canada’s existing networking infrastructures on a daily basis,” writes author Christopher Parsons, a Citizen Lab senior research associate, “and they will continue to do so into the future regardless of which vendor’s products underpin our telecommunications networks. The solution to Canada’s 5G problems will not be found in policies that principally address one company. Instead, a robust and vendor-neutral approach is required.”
A mix of mitigations will be needed to reduce the 5G security risks, says the report. “Making a decision to ban Huawei from selling 5G equipment to Canadian telecommunications providers, as an example, will not solve the issue of foreign operators conducting espionage, disruption, or attack operations against the Government of Canada, private companies, or private persons who
rely on non-Huawei equipment.
Nor would a ban clearly address intellectual property or trading concerns linked with Huawei and China more broadly. Rather than trying to solve a Huawei problem, the Government of Canada should develop an integrated set of industrial, cybersecurity, and foreign policy strategies that are operationalized so as to mitigate the risks linked with all vendors’ 5G networking appliances and that broadly seeks to address risks, threats, and opportunities that face Canada as it moves to further digitize its economy.”
In some ways the report may be moot: Bell and Telus, whose 3G and 4G networks have lots of Huawei equipment, have decided not to wait until Ottawa makes a decision. Instead they have started their 5G network rollouts with gear from Nokia and Ericsson. Rogers is sticking with traditional equipment supplier Ericsson.
The Globe and Mail quotes industry sources expecting that not only will Ottawa eventually refuse to allow them to buy Huawei 5G network equipment, it will also follow the U.K. lead and require telcos to remove Huawei 3G and 4G equipment as well over several years.
A member of the Five Eyes intelligence co-operative with the U.S., the United Kingdom, Australia and New Zealand, Canada is the only country that either has not banned or restricted Huawei from 5G networks.
Huawei has rocketed to success among telco buyers largely due to the price of its gear. But the U.S., the U.K. and Canada have been concerned about the closeness of Huawei to the Chinese government for over a decade. In 2012, Parsons notes, Ottawa said it would invoke a national security protocol if Huawei tried to bid on supplying gear for the government’s telecommunications and email network.
Suspicion of Huawei and other Chinese network equipment makers only increased after China passed a law in 2017 obliging all companies based in that country to co-operate with its security agencies.
For several years Ottawa and the U.K. have forced Huawei gear to be independently tested for vulnerabilities in independent labs in their respective countries.
To some degree Canada has tempered the alleged risks of Huawei gear by reportedly insisting telcos here keep Chinese manufactured equipment out of their wireless network cores. Huawei routers are restricted to the access network on cell towers and buildings.
But the nature of 5G networks which reduce if not eliminate the network core has diminished that strategy. At the same time the ability of 5G networks to dramatically increase the amount of data they can carry — particularly possibly sensitive personal and national security data — has raised worries by security agencies and politicians, especially because 5G promises to hugely increase the number of data-gathering sensors in consumer and industrial devices.
Among the report’s suggestions to mitigate questions raised about Huawei:
- Canada should adopt a comprehensive national approach to address all cases of foreign corporate espionage to guarantee that such illicit activity can be prevented or sanctioned, regardless of the company alleged to have carried it out or to have benefited from such activities.
- Canada could deliberately increase research and development funding for Huawei’s competitors—such as Ericsson and Nokia—as well as to Canadian universities to conduct basic research related to next-generation telecommunications.
- Defensive security briefings could be provided to Canadian universities, which generate intellectual property around next-generation technologies. These briefings could help universities develop and implement public policies intended to mitigate any risks that their research partnerships might jeopardize Canadian economic or national security.
- Canada could more prominently engage with standards bodies to, at least in part, guarantee that such standards have security principles baked in and enabled by default. This could include allocating tax relief to corporations, as well as funding to non-governmental organizations or charities, so Canadian interests are more deeply embedded in standards development processes;
- To deal with allegations of deliberate vulnerabilities in Huawei gear the report suggests Canada beef up its security network equipment testing for all vendors; use intelligence agencies and the RCMP “to increase the costs of secretly inserting vulnerabilities into networking appliances as a way of dissuading any government from tampering with Canadian critical infrastructure; and possibly to Canadian government could adopt policies that are designed to make it more difficult to leverage vulnerabilities in 5G appliances. One might be to “forcefully” advocate integrating strong end-to-end encryption into the Internet of Things and end-point software systems to protect data.
- As for worries that Chinese-based companies have to co-operate with that country’s intelligence agencies, the report suggests the best ways to mitigate that may be in international groups where China can be pressured to prove it won’t ask firms to break the law. “In a worst-case, Canada and its allies may simply need to develop strategies that anticipate Huawei being forced to modify its products and develop robust information assurance programs to shame the company, and the Chinese government, while also serving as a way of issuing warnings to any company that has purchased similarly deficient products.”