18 February: The Financial Times (FT) is reporting that the National Cyber Security Centre (NCSC) has already formed a view about the risk posed by Huawei to British and European communications networks. You can read the report on their website: http://www.ft.com (if it has moved, sites such as the BBC News are also carrying the story.) The Ministry for Culture and Sport is leading a major government review into this problem and is due to report in April. It says that any report that suggests that the government review has already reached is “inaccurate”. The NCSC has made no official announcement.
The British government’s attitude to the Chinese cyber threat has been questioned for some time. The threat is a long-standing one. Intelligence professionals have been warning for almost ten years about the cyber threat posed by China, in particular the threat posed by Chinese technology and component firms. Huawei, the subject of the review, has been active in the UK since 2005. The general problem was first detected in imports such as motherboards for traffic light control systems and water treatment plants. Chip sets were found which seemed to have no obvious purpose and when challenged, Chinese companies claimed commercial confidentiality. Concern soon spread to the possibility of “back doors” in software coding.
The threat seemed to be clear, yet the British government prevaricated. Following the international financial crash of 2008, the UK wanted to encourage inward Chinese investment and also to utilise cheap Chinese technology in British products. So rather than stop using Chinese components, the UK government adopted what it called “a balanced approach” to the problem. It continued to use Chinese components and expertise, but at the same time increased security monitoring. For instance, there is a well-known cyber-security evaluation facility in Banbury, Oxfordshire known as “The Cell”. The Cell was set up in 2011 at Huawei’s expense. It is supervised by the NCSC and it is where the security profile of Huawei’s components is tested. The government claimed that this was sufficient. Privately, some figures in China expressed the view that they “couldn’t believe they had gotten away with it.”
And so it proved. These protections clearly weren’t sufficient. In June 2013, the Intelligence and Security Committee (ISC) studied the problem, criticised the government and called for an urgent review of the problem. The government set up a review led by then National Security Adviser Sir Kim Darroch and procedures were then tightened further. Yet there have been further cyber attacks. The current government security review is simply the latest in a long line.
Intelligence professionals have continued to warn of the threat. As recently as 3 December 2018, Alex Younger, head of MI6, made the cyber threat posed by China the central point of his speech to students at St Andrews University. And other countries have not followed the UK’s lead. The US, Australia and New Zealand have already banned Chinese technology from their new 5G networks. They see the risk posed by Chinese cyber attacks as simply too great. The UK insists that the risks can be managed. Why the difference?
There is an argument by some intelligence professionals that the economic consequences of Brexit may now be playing a part. The UK government must sign international trade deals to counter-balance losses that may be caused in European markets. It hopes to maintain friendship with China at a time when other nations are imposing technology bans. That way it hopes to secure an economic advantage over its rivals. But this approach brings the UK into conflict with its allies, in particular the US which is trying to rally its allies around a unified position.
The government’s latest review is set to respond just after the economic settlement with the European Union becomes clear. If it continues the trend set before, post-Brexit economic realities seem almost certain to mean that the needs of the UK economy will trump UK security yet again.
There is of course one obvious mitigation to interception in the core network, a risk not solely associated with Chinese equipment, and that is the use of end to end encryption. However intelligence agencies and police are vehemently opposed to this technology.