Reading one of Canada’s biggest newspapers, you might get the impression our electronic spy agency doesn’t see a need to forbid this country’s telecom carriers from buying equipment from China’s Huawei Technologies for their next-generation 5G cellular networks.
“No need to ban Huawei, Ottawa says,” a Globe and Mail headline said last month after Scott Jones, the assistant deputy minister for IT security and the new head of the Canadian Centre for Cyber Security, testified before a parliamentary committee. And then last week, after Jones gave the keynote at the annual SecTor conference in Toronto, the headline was “Ottawa’s top cybersecurity official: Canada has ‘layers’ to protect against Huawei threat.”
However, in an interview with ITWC the day before that keynote Jones raised the possibility Canada may follow Australia and the U.S. — two of its partners in the Five Eyes intelligence partnership — from turning thumbs down on Huawei for the impending new networks.
Jones made a distinction he didn’t make in his testimony: There’s a difference between Ottawa’s strategy for current 4G/LTE networks, where carriers use some Huawei equipment — but not, reportedly, in their network core — and the faster upcoming 5G networks, which some analysts believe will create a great leap in capabilities.
“In the 5G context [Public Saftey] Minister [Ralph] Goodale has been clear we are doing a security review of how cyber security – amongst other elements — needs to be brought into the question of 5G security,” he said. “What I was really talking about [before the parliamentary committee] was today’s environment – 4G or LTE – …. and the program that we have in place that has a robust layer of cyber security elements in it.
“5G is a fundamental technology shift. But we don’t want to presuppose what the outcome [of the review] is going to be. We want to look through and make security decisions based on the broader understanding as standards are being set (of) how to we put security into that. Because really, we’re talking about the security of the system, not the security of the product here. We need to take a very sophisticated approach to this, beyond something that’s product based – how do we make a system that is able to be cyber secure, that can take into account what’s secure today might not be secure tomorrow because of vulnerabilities? We need to make sure that we’re resilient.”
To put this in context, a little background: For several years there have worries the Chinese government uses Huawei and other Chinese telecom equipment makers to infiltrate carrier, government and private-sector networks. This in part is because of the sometimes opaque nature of the government of China, because a number of serious Canadian and U.S. government data breaches have been blamed on China — regardless of what’s on the network — and, because, as the Globe points out, Chinese companies are mandated to help with that country’s national intelligence work.
Meanwhile, Huawei has developed close relationships with wireless researchers in universities around the world, including here, as well as the province of Ontario.
It’s also known that almost eight years ago Huwaei and the U.K. government — which is also a Five Eyes member — jointly run a cyber security evaluation centre to find and mitigate any perceived risks arising from Huawei gear in parts of Britain’s critical national infrastructure. What hasn’t been known until a recent Globe story is there’s a similar unit here doing the same thing.
Finally, in August Australia told its carriers they couldn’t put gear from Huawei and China’s ZTE in their 5G networks, following a U.S. decision.
Which led to the Jones’ Sept. 20 testimony before the Commons public safety and national security committee. Conservative Party member Glen Motz asked him why Canada hasn’t followed moves by other Five Eyes countries who “have come out against Huawei.” Here’s how Jones answered:
“As we look at our telecom networks, we take the approach that we want to look at this as an entire system, and defend against all forms of cyber risk. So we look at it from a number of different areas: Number one, how do we make sure we increase resilience regardless of product’s origin? We want to build in security measures no matter what [product]. So, how do you make sure the supply chain is adequately protected, for example. Make sure that as you bring in products that have good built-in security practices. How do you use the technology in a way that’s secure? So, you could take a very secure product, for example, but if you open it up to the world you can unsecure our technology very quickly. We have a well-established relationship with all telecommunications providers in Canada to work on raising that resiliency bar regardless of the vendor, regardless of where equipment comes from… it’s really about trying to protect against all risks and not just one specific one.”
‘Deals with risks’
Asked later if Canada’s position now is creating division within the Five Eyes group, Jones replied that the other countries are aware of its strategy, which is “very comprehensive in terms of dealing with the full risks across the telecommunications spectrum, [and they know] the really productive relationship with have with all of the telecommunication providers in terms of sharing information, sharing risks. Collaboratively building solutions to cyber security challenges is something not all countries enjoy. That’s something that is a good Canadian strength …”
“It’s important we look at risk across all vendors and also all products in terms of how do we layer cyber security in and make sure it’s being addressed as a systemic issue … We’re looking at the next generation of telecom networks, making sure we’re able to evolve that program, looking at ways to innovate in cyber security, but also to increase the base cyber security in every product that’s purchased regardless of where it comes from. That’s one of the biggest challenges — it’s not about one piece, it’s about how do we make the whole system resilient.”
U.S. cyber experts reportedly laughed
Ten days after that testimony the Globe ran a story quoting a Conservative MP who was at a meeting of U.S. cyber experts dismissing Jone’s testimony. “I asked the question [about Huawei] and gave the example of Scott Jones and they started to laugh when Canada says we can manage this company. They just started to laugh and said ‘no we can’t,’” the Globe quoted Pierre Paul-Hus in an interview. Paul-Hus was quoted as saying the Americans believe the Canadian and British approach to test Huawei equipment rather than ban it is inadequate to uncover potential backdoors in the Chinese firm’s gear. The Globe wasn’t at the meeting.
Asked by ITWC to comment on that news story, Jones replied, “I don’t comment on the state of other nations’ cyber security. If they chose to comment on Canada, that’s their choice. The fact is our program is something we’ve been working on. It is very robust and has multi-layers of security. We’re very confident in the context of 4G with the work we’ve done. It is not simply just about one lab — that’s just one element of a very broad program and I think the fact is, for those who know about our program we believe that we have really addressed the broader cyber security risk to Canada in the current context of 4G.
“But as we look to the future at the technology that underpins 5G, it’s part of a broader cyber security review that the government is undertaking right now.”
In an ITWC interview in August, Huawei Canada vice-president of corporate affairs Scott Bradley vigorously defended his company. “We only go by what we are told by the government of Canada,” he said – which so far hasn’t banned carriers from using Huawei equipment. “We hope that the fact that we operate in Canada suggests we are doing everything we need to do to meet the requirements of the government in the security front. If there were security issues we would not be operating in Canada.”