To Huawei or not to Huawei - EU’s 5G future

The upgrade to 5G will steer the next wave of digital economy, making it not merely a technological issue, but a matter of strategic importance for the entire European bloc. To ensure a free and safe cyberspace, the EU must define its supply chain for 5G through a united response and a clear, rules-based certification system. And it has to do so fast, as both China and the US are trying to influence individual member states on this issue.

5G has the potential to offer up to 20-times faster download and upload speeds, along with lower latency. This will pave the way for disruptive business models and enable a wider deployment of solutions powered by artificial intelligence (AI) and ‘Internet of Things’ (IoT) products. However, the greater reliance on software components that this entails will make networks more vulnerable. Moreover, the deployment of 5G-powered AI and IoT products will dramatically increase the amount of sensitive data put online.

The supply chain for 5G has only recently begun to form through interaction between manufacturers, operators and regulators. The immense hardware and software upgrades will translate into lucrative contracts with a handful of key manufacturers – Ericsson (Sweden), Huawei (China), Nokia (Finland), Samsung (South Korea) and ZTE (China). Realistically however, Europe’s choice is between Ericsson, Nokia and Huawei, as Samsung’s and ZTE’s 5G offerings are primarily focused on Asian markets. Furthermore, while Huawei’s offer is cheaper, it has already prompted several security concerns.

Because of the complexity of the system and the software-heavy nature of 5G, there is no way to ensure full safety. Indeed, even thorough screenings cannot guarantee that malicious code will not be added later during software updates.

It is therefore crucial that centres responsible for constant monitoring be established. But according to the Cooperative Cyber Defence Centre of Excellence (CCDCOE) – the NATO-accredited cybersecurity hub – only about one-third of EU countries have the necessary resources to do so, and even then full protection is not guaranteed. Consequently, operators need to trust the manufacturers and their ability to defend the privacy of the network.

In Huawei’s case that very trust is being questioned. China’s recent ‘National Intelligence Law’ forces companies to cooperate with national intelligence agencies. Huawei’s alleged close relationship with the government is also said to be earning the company special credit lines. In addition to this, the company’s ownership structure remains unclear. Thus, trusting Huawei may also mean trusting Beijing. The situation has been further complicated as 5G has become part of the Sino-American tech and trade war. Both sides now seek to influence European countries via warnings of limited security and economic cooperation respectively.

Still, an unconditional ban on Chinese companies like Huawei and ZTE could decrease Europe’s position within the innovation supply chain. It would significantly limit competition among 5G manufacturers and, according to an unpublished report by the Groupe Speciale Mobile Association (GSMA), the cost of radio-access network would increase by 40%. Moreover, it could slow the development of 5G in Europe, as Ericsson and Nokia would struggle to double their output to compensate for the banned Chinese manufacturers. This would delay deployment of innovative products and business models within the EU and give other actors a head start.

There are four ways the EU can prepare itself for the coming 5G revolution.

First, the EU should design a ‘standard-based response’. This would minimise the security risks without ignoring the economic rationale and could be communicated to international partners outside of the ‘with us or against us’ dichotomy.

The EU’s strategy should be based on the interests and realities of the entire EU-bloc. The EU-wide consultation plan unveiled by the European Commission in March 2019 is a step in the right direction. It will help to form the much-needed consensus. However, the deadline for developing a toolbox of 5G risk management measures – 31 December 2019 – should not be missed as the EU-wide 5G deployment will really commence in 2020.

Moreover, European member states still need to develop a unified stance on Huawei. Over time, they have taken divergent stances regarding the company. For example, Germany favours a regulatory solution that still leaves room for Chinese companies to participate in development of its 5G networks, and Poland has signed a 5G-focused security agreement with the US that indirectly targets the company. Italy and Hungary, on the other hand, stand ready to embrace Huawei. Although not decisive, those diverging stances add to the confusion among European operators, many of which have already inked contracts with Huawei.

Still, the EU-wide coordinated risk assessment report released in October 2019 (in accordance with the timeline suggested by the European Commission) seems to provide some – albeit limited – space for consensus. While the primary challenge is clearly focused on state actors, the authors do not advocate an outright ban on any specific companies giving room for the EU to develop a more nuanced response.

Secondly, the common response should take a neutral regulatory form. The EU Cybersecurity Act from June 2019 empowered the European Union Agency for Cybersecurity (ENISA) to set up and maintain the European cybersecurity certification framework. This should involve setting up standards for 5G manufacturers and operators irrespective of their country of origin. These standards and regulations should focus on minimising cyber risks and involve stipulations such as diversifying equipment providers, setting limitations on operators implementing lawful interception capabilities, and regulating and monitoring software updates.

Thirdly, new watchdog institutions monitoring cybersecurity should be established on either European or regional bases, given the insufficient resources of two-thirds of the member states. Regardless of whether the telecommunication infrastructure will be built with or without Huawei, 5G networks will be more vulnerable and the lives of European citizens and businesses will be increasingly digital. In this regard, it may be useful to analyse the operation of the UK’s Huawei Cyber Security Evaluation Centre (HCSEC).

Finally, the EU needs to strive for greater strategic digital autonomy. As the Fourth Industrial Revolution approaches, the European economy cannot afford to take the recipient’s role in the innovation supply chain. It is, therefore, essential to boost innovation and – importantly – business implementation of European innovations via the Digital Single Market and Horizon Europe initiatives. 5G is one of the many tech-related strategic choices that the EU has to brace itself for.