Amid the steady deterioration of the US–China relationship in recent years, China has become the focus of a new narrative on cyber risks, with one company targeted in particular, China’s champion of 5G technology, Huawei.
Australia was the first country to ban Huawei from a 5G rollout, in 2018. At the time, the intelligence advice was that Australia lacked capabilities to mitigate the elevated risks of 5G connectivity. To be sure, new tech connecting smart devices and networks at high speed will generate many more points of vulnerability to cyberattacks.
Might there be better ways to manage the complex risks of an interconnected digital future?
Following the Australian decision, the United States not only banned Huawei on (as yet unproven) claims of espionage, but embarked on a campaign to block supplies of advanced semiconductors to many Chinese firms and is advocating wholesale decoupling from Chinese tech.
But is simply branding China a risk, and campaigning to block its technological rise, sustainable in the long run? Or might there be better ways to manage the complex risks of an interconnected digital future?
The usually unspoken irony about the espionage fears in relation to Huawei is that the United States and its Five Eyes partners do exactly what they are accusing China of doing.
There is nothing new about espionage, it’s often referred to as the second-oldest profession. The primary argument against Huawei, that the Chinese state could direct the firm to do its bidding, appears on the face of it a reasonable fear, as indeed it might equally be a reasonable fear in relation to the United States and other countries. The difference, of course, is that China may be unlikely to produce an Edward Snowden to reveal its secrets anytime soon.
Yet, state-sponsored cyberattacks are not usually conducted in collaboration with telecommunications carriers, but more commonly by third parties hacking in without invitation. That underlines why top-to-bottom cybersecurity ought to be supplier-blind. After all, cyberattacks could come at any time from any direction, including states, criminal organisations and dedicated hackers.
Huawei has fought back, including with legal actions and by opening up its equipment and source codes for scrutiny in testing centres around the world.
So we shouldn’t pat ourselves on the backs too fast that all is solved by banning this or that company or blaming this or that superpower. It is understandable that, in the absence of strong cyber defences, Australia and a number of others have chosen simply to avoid the hypothetical risk posed by China in banning its leading supplier of 5G equipment and services. But the Huawei debate, wrapped up in the current geopolitical contest, could be a distraction from the need to mount comprehensive cyber defences and prevent authorities from taking a pragmatic, sustainable approach to a global problem.
Notably, Huawei has fought back, including with legal actions and by opening up its equipment and source codes for scrutiny in testing centres around the world, in countries such as Belgium, Canada, Germany and the United Kingdom. It offered a testing centre to Australia, but was rebuffed. This month it opened, in Dongguan, China, its “largest global cyber security and privacy protection transparency centre”, which claims to offer scrutiny of how Huawei prevents backdoors, malware and malicious behaviour.
But this attempt to answer Huawei’s critics is providing an engineering answer to a geopolitical problem. The real issue is plummeting trust in China. Yet whether China engages in cyberattacks is not the real question; it surely does, just like the United States, Russia and many others. In cybersecurity, zero-trust in all actors is the more appropriate strategy. “Zero-trust” is how the experts interviewed in my research on cyber risks have characterised a robust approach; to defend against threats, no matter their source.
Governments, firms and individuals everywhere need to invest much more in cybersecurity. Unfortunately, there may never be 100 per cent cybersecurity (just as in any other form of security), but in the 21st century all nations arguably need a “Cybersecurity Force” as an integral part of national defence.
A Cybersecurity Force should have the capacity to activate firewalls with lightning speed and to protect national data without snooping on it. That is why it should not be housed within national intelligence agencies, who play cyber offence, but as a part of national defence. It should have the power to demand inspection of all equipment and source codes at all times, and the capacity to take over a network if the supplier firm refuses to cooperate with a cybersecurity baseline.
At the international level, rigorous and enforceable rules are needed, along with norms and standards for cybersecurity.
A Cybersecurity Force should ceaselessly scan for malicious actors based on zero-trust and proportionate risk assessment. It would need to be nimble, deploying up-to-date technical capabilities to block cyberattacks, not only on critical public infrastructure but also working with the private sector to protect against major attacks that could cripple the economy. If an adversary engages in cyber confrontation or attack, a Cybersecurity Force may need to threaten or mount a counter-attack, but it should be as transparent as a military deployment and subject to the same scrutiny, calling out bad actors with evidence rather than just assumptions. It would be about the state stepping up, with capabilities equal to the challenge, regulating where necessary, deterring and defending always.
However, even strengthened national cyber defence is not enough. Global solutions are needed to make the globally connected technologies of the future as safe as possible. At the international level, rigorous and enforceable rules are needed, along with norms and standards for cybersecurity. Reliable and secure governance will be essential for the cross-border interdependence implicit in the Internet of Things (IoT).
As difficult as this is to swallow for some, developing global rules will mean pragmatically working with China, given its likely continued central role in global value chains. The great lost opportunity of the post-Cold War era was the failure of the single remaining superpower to invest in strengthening the United Nations system. But it’s time to consider a new multilateral framework to tackle the security and other challenges of new tech.
A change of administration in the United States could be the opportunity to bring them back to the table on practical rule-making at the multilateral level. Just as the Biden administration is engaging with China on climate change and other key global challenges, it’s time to grapple with a less ideological and more pragmatic approach to cyber risks.
It’s time to consider a “World Cybersecurity Organisation” to manage and enforce rules for a safe digital economy. Such an organisation, strengthening and coordinating the currently dispersed and disjointed attempts to build rules, could be empowered to relentlessly develop and enforce proportionate security standards. It would need to be blind to the country of origin of tech firms. It could oversee testing centres, bringing an equal measure of scrutiny to all firms in all countries to ensure compliance. If the two competing superpowers would agree to that, it would be a major step forward. Without their commitment, of course, it cannot happen.
A world of weaponised tech and anarchic law of the cyber jungle is unthinkable.
That there is no serious discussion about global rules for cybersecurity, at a time when digital transformation is about to connect us all in unprecedented ways, is extraordinary to say the least.
It may seem unrealistic to propose a new multilateral approach at this time. Rule-making and enforcement also seemed unrealistic in the early years of the US–Soviet geopolitical competition, but the International Atomic Energy Agency and a slew of arms control agreements became essential in building trust and preventing disaster, as well as ultimately playing a role in ending the Cold War. As Ronald Reagan used to say, “trust, but verify”.
A zero-trust approach to cybersecurity — pragmatic and defensive rather than ideological — together with effective global rules for new tech, could yet demonstrate that, as in previous eras, it is possible to coexist, verify and enforce minimum standards to protect citizens from harmful actors. The alternative — a world of weaponised tech and anarchic law of the cyber jungle — is unthinkable, but through a lack of thought we are drifting in that direction.