When the Australian or US governments raise the potential national security risk posed by having Huawei routers at the core of national telecommunications networks, the telecommunications giant gnashes its teeth.
Inevitably company spokespeople bring up Huawei’s role in British Telecom’s network in the United Kingdom, and its long and ongoing cooperation with the UK Government: if it can satisfy the UK, why shouldn’t Australia and the US listen?
But it’s interesting that the company hasn’t trumpeted last month’s findings of the UK Parliament’s bipartisan Intelligence and Security Committee report, which looked specifically at Huawei’s involvement in BT’s systems.
The report damned the lack of proper processes undertaken by BT and the UK government at the time of signing the contract eight years ago, and at various stages since. The report concluded that the UK’s Critical National Infrastructure (CNI) had been potentially threatened as a result.
The report observed that “the handling of the BT/Huawei case highlights a number of weaknesses in the UK’s approach to deployment of equipment within the CNI ... The Government is therefore sometimes put in the position of trying to shut the stable door after the horse has bolted.”
To counter, when and if it finally does, Huawei will offer its poster child for security assurance, the so-called Cyber Security Evaluation Centre, located in Banbury, England. Staffed and funded 100 percent by UK Huawei, the centre is tasked with looking for security holes in Huawei code. A cynic may ask what could possibly go wrong with such an arrangement. So too did the UK Parliamentary Committee. Of the Banbury facility it concluded:
"A self-policing arrangement is highly unlikely either to provide, or to be seen to be providing, the required levels of security assurance. We therefore strongly recommend that the staff in the Cell are GCHQ employees. We believe that such a change is not only in both Huawei’s and Government’s interests, but that it is in the national interest."
In other words, the Committee recommended that government IT security staff should look for security holes in Huawei equipment, not Huawei personnel. But is such an arrangement sustainable or even desirable?
The report concluded that “it is not practicable to seek to constrain CNI companies to UK suppliers, nor would that necessarily provide full protection given the global nature of supply chains.” Instead, it called on the UK to address five issues:
- an effective process by which government is alerted to potential foreign investment in the CNI;
- an established procedure for assessing the risks;
- a process for developing a strategy to manage these risks throughout the lifetime of the contract and beyond;
- clarity as to what powers government has or needs to have; and
- clear lines of responsibility and accountability.
These recommendations are sensible and obvious. And they raise the debate from that of whether Huawei (alone) should or shouldn’t be in networks, to one where there are policies and procedures and responsibilities - for both telcos and government - in place, no matter who the hardware provider is. If adopted, the tone of the debate would therefore be raised from one of accusations of xenophobia and restricted trade, to one of risk management, prudence and common sense.
The UK Committee could have saved itself some ink and instead just said: “do what the Australians are proposing.” In fact, just over two weeks after the UK Intelligence and Security Committee report was tabled, the Australian Parliament’s Joint Parliamentary Committee on Intelligence and Security released its Inquiry into potential reforms of National Security Legislation, which went largely unreported. The reports that did emerge were focused on telecommunications interception and metadata, certainly popular topics right now. Chapter three of the report, however, was most interesting.
In Chapter three, the bipartisan parliamentary committee supported a regime first proposed by the Commonwealth Attorney General’s Department some time ago:
- instituting obligations on the Australian telecommunications industry to protect their networks from unauthorised interference;
- instituting obligations to provide government with information on significant business and procurement decisions and network designs;
- creating targeted powers for government to mitigate and remediate security risks with the costs to be borne by providers; and
- creating appropriate enforcement powers and pecuniary penalties.
The committee noted “warm, if cautious support” shown by the telecommunications industry for these measures.
This debate has never really been about Huawei, despite Huawei and others attempting to make it so; rather, it is a debate about the security of Australia’s telecommunications infrastructure, and through that our national security and society.