
The Future of Huawei in Europe

A ChinaFile Conversation

On October 9, the European Commission and the European Agency for Cybersecurity released their long-awaited risk assessment of the region’s 5G network. Written with input from all 28 European Union members, the report warned about a 5G supplier from a “hostile” country, or a country “where there are no legislative or democratic checks and balances in place.” But notably, the report does not explicitly warn against China.

American officials have been urging their European counterparts to take a stronger stance against Huawei, the Chinese firm that is the world’s largest producer of telecommunications equipment. The White House is considering financially supporting European makers of 5G technology, like Nokia and Ericsson (there are no major U.S. competitors to Huawei). At U.S. urging, Italy—which less than a year ago became the first major European economy to join China’s Belt and Road Initiative—broadened its powers to scrutinize Chinese equipment. The U.S. and Poland agreed to align their approaches to 5G. But in a setback to U.S. efforts, on October 15 Germany decided not to ban Huawei from helping to build its 5G network.

What does this risk assessment mean for Europe? What impact do the relations of individual member states with China and the United States have on their positions on 5G? And should European countries restrict Huawei from their 5G networks? —Michael Laha

Comments

The Trump administration did not anticipate the pushback it would face across the Atlantic in its campaign to convince European governments to ban Huawei. The divergence between the United States and Europe is not driven by different technical interpretations, but instead comes from fundamentally distinct views about the threat posed by the Chinese Communist Party (C.C.P.).

There are three approaches that governments around the world have taken with regards to Huawei in 5G networks. The first is an outright ban like in Australia and, as of May, in the United States. The second is what is known as “risk mitigation.” The United Kingdom has used that approach for 15 years; it is not clear if it will stick with it, but it seems likely to do so. According to U.K. officials, they’ve always been fully aware that working with Huawei risks Chinese cyberattacks, and that the C.C.P. sometimes calls upon Chinese companies to support intelligence operations. U.K. officials designed a system to account for these risks by keeping Huawei out of critical networks, while setting up a comprehensive evaluation center to test Huawei equipment. The third option is to ignore the risk altogether.

In the biggest setback to the Trump administration’s Huawei campaign, this week Germany announced it would not ban Huawei, but would subject all vendors to technical evaluations. The announcement came within days of the EU cyber risk assessment, underscoring the room for maneuver left to individual member states, even as some of the language in the report pays homage to U.S. messaging. Reportedly coming from Chancellor Angela Merkel herself, Germany’s decision came despite reported threats by the U.S. government not to share intelligence information with Germany if the country keeps Huawei in its network.

How to explain that cybersecurity experts around the world look at the same information (both public and classified), but come to such different conclusions about how to respond to the risk? Bill Evanina, a senior official in the Office of the Director of National Intelligence, captured the U.S. government view when he said, “Huawei, to me, in my position, is not the problem; it’s the Communist Party of China.”

This argument has not translated well to Europe. Perhaps the memory of Edward Snowden’s revelations—including the alleged tapping of Merkel’s phone—still looms large, or perhaps chances of confrontation with Beijing appear slim. When factored in with the economic downside of reducing trade with China and the cost of ripping out as much as 50 percent of existing networks, the threat of the C.C.P. is just one among a set of factors for which many governments may have concluded that technical mitigation measures address the issue.

The European Commission’s report signals a convergence of 5G network security risk assessment between the EU and the U.S. Without explicitly naming Huawei or the Chinese government, the report addresses both the intention and capacity of “threat actors.” This lays the groundwork for a broad spectrum of risk-prevention measures which could go well beyond strict technical standards for 5G equipment. The report’s nod to managing risks in information and communications technology (ICT) supply chains and boosting indigenous industrial capacity in areas such as software development and equipment manufacturing largely parallels network security discussions within the U.S. administration and the U.S. Congress.

Despite these steps to formulate a more coherent 5G strategy, the lack of EU competence on the issue allows member states to continue setting their own national security and law enforcement requirements. EU member states are also divided over their security assessments of Huawei telecommunications equipment, reflecting their respective bilateral ties and diplomatic stances toward China. Hungary, which under President Viktor Orbán has aggressively courted Chinese investment, declared that it has seen no evidence of security threats from Huawei equipment, and plans rapid 5G rollout in the country. And Germany, with its extensive trade ties to and large amounts of corporate investment in China, proposed this week that instead of banning Huawei from the country’s 5G networks, the German government would adopt a certify-and-monitor approach.

The EU is unlikely to follow the U.S. 5G strategy, which increasingly focuses on purging Huawei equipment from domestic telecoms networks, securing ICT supply chains, and boosting indigenous industrial capacity. The cost factor will continue to impede small service providers and EU member states in the highly fragmented and heavily regulated European telecoms market from resisting cheaper Huawei equipment. To expand European alternatives for key ICT components and scale up home-grown Huawei competitors, namely Nokia and Ericsson, the EU would need to revise its market competition rules.

The lack of a U.S. alternative to Huawei has spurred U.S. government officials to call for funding European companies like Nokia and Ericsson. While this presents an opportunity for transatlantic cooperation, its potentially large scope of market intervention, together with other hawkish U.S. policies such as technology export controls, could push the EU further from its comfort zone. Although multiple EU member states are parties to the Prague proposals, it’s hard to imagine most of these countries wanting a de facto tech decoupling from China.

As the EU seeks to preserve the rule-based international trading system, Brussels will be keen to ensure that its rhetoric about greater regulatory scrutiny of network security doesn’t translate into protectionism. Furthermore, the EU’s 5G hardware alternatives are no guarantee for transatlantic cooperation. To mitigate its disadvantage in hardware, the U.S. government could push for the implementation of American network software on a wide range of 5G hardware platforms. This could cause friction with the EU if Brussels attempts to lead global standard-setting on 5G software, like it did with its 2018 General Data Protection Regulation (GDPR) for privacy standards.

On October 15, just after the EU’s risk assessment, Berlin published its draft 5G security catalogue, which opens the door for high-risk providers such as Huawei to build Germany’s 5G critical infrastructure. All Huawei and ZTE need to do now is sign a declaration of trustworthiness vis-à-vis the network operators. Chinese high-risk providers will certainly all too happily furnish their signatures. In return, if operators so choose, Germany could soon have 5G networks that rely 100 percent on Chinese companies. The vendor diversity requirement limits the share of any single provider to two-thirds. But that allows for networks that rely, for example, two-thirds on Huawei and one-third on ZTE.

Chancellor Angela Merkel herself pushed for this decision, which means Berlin is foregoing a political risk assessment of technology providers. This flies in the face of draft EU Council conclusions that assessment of 5G risks should consider both technical and non-technical factors. It also runs counter to the Prague Declaration Germany signed, which pledged security and risk assessments taking into account “specific political, economic or other behaviour of malicious actors which seek to exploit our dependency on communication technologies.” And it undermines EU technological sovereignty. With Nokia and Ericsson, Europe has its own trustworthy technology providers for 5G. Instead of strengthening them in an unfair competition with authoritarian state capitalist champions such as Huawei, Germany is deciding to allow in high-risk providers.

Why did Merkel push through a decision that weakens EU unity, antagonizes both sides of the aisle in the U.S., and makes Germany appear weak vis-à-vis the Chinese Communist Party (C.C.P.)? The chancellor’s primary motive is fear of retribution by the Party-state against German business. Major German companies like Volkswagen, Daimler, and Siemens heavily depend on the Chinese market. To push through her pro-Huawei stance, Merkel sidelined parliament, the German intelligence services, and the Foreign and Interior Ministry, all of which have warned about the security risks of relying on Huawei and ZTE. She delegated drafting the 5G security guidelines to the German national cyber security agency BSI, which has close ties with Huawei. The head of BSI has argued that “it does not matter if components come from China, South Korea, or Sweden,” and that he doesn’t see any qualitative difference between the legal environment of Chinese and other companies. It’s only logical that BSI recommended allowing Chinese high-risk providers into critical infrastructure.

Will Merkel get away with outsourcing critical decisions on national security and industrial policy to a minor government agency? The draft guidelines have infuriated senior lawmakers from all major parties. Norbert Röttgen, chairman of the Foreign Affairs committee and a member of Merkel’s CDU, stated that the question “was not whether we trust Huawei but whether we trust the Chinese Communist Party to which Huawei is clearly beholden.”

It’s still not too late for the German parliament to assert itself by passing a law that takes security and technological sovereignty on 5G critical infrastructure seriously. Parliamentarians need to urgently take matters into their own hands.

Europe is finally getting tough on China—that is the story one hears again and again in Brussels, Berlin, Paris, and other concerned European capitals. The European Commission’s coordinated risk assessment on 5G, published last week, fits nicely into this narrative. It doesn’t mention China by name. But if you read between the lines, it is an ear-piercing alarm bell with flashing red lights, warning EU member states to think twice before allowing China’s Huawei to build their next-generation mobile networks. Because it amalgamates submissions from individual member states, it gives a powerful, if diffuse, glimpse of how European countries assess the Huawei threat. Put simply, they have grave concerns.

And yet, it would be wrong to read too much into this non-binding paper. In the end, EU member states will have to decide for themselves whether to allow Huawei a role in 5G. And here they may not end up looking so tough or unified. There are many reasons for this. But at the top of the list is Germany, the European country with the closest economic ties to China and the most to lose from alienating Beijing. Other member states are looking to Berlin to chart a European path forward on 5G. But Chancellor Angela Merkel and her government seem paralyzed about making a strategic decision with profound implications for Germany’s security, economic prosperity, and place in a world of escalating competition between the United States and China. Against this high-stakes backdrop, Berlin has shown an alarming willingness to outsource decisions about its 5G suppliers to obscure government agencies and telecommunications providers. Its recently published 5G security catalogue is a watered-down document that could pave the way for Huawei to play a substantial role in Germany’s mobile network for decades to come.

Perhaps concerned members of the Bundestag, led by Norbert Röttgen, a senior parliamentarian from Merkel’s own party, can mount an eleventh-hour challenge to the government’s China-friendly approach. But that seems like wishful thinking. The bigger risk now is that Germany’s soft stance shatters the fragile European front on China. France, which introduced a new law this summer that gives the government free rein to intervene on 5G for national security purposes, is watching Berlin closely and nervously. And it is not alone.

Certainly, President Donald Trump and overzealous U.S. officials deserve some blame for their clumsy messaging on 5G. As a U.S. election approaches, European countries are right to be concerned about Trump using Huawei as a bargaining chip in his trade talks with Beijing. But ultimately, the Huawei decision is about Europe’s own strategic interests, not about bowing to Trump’s whims—or refusing to do so. It is the first real test of whether Europe’s tough new approach on China is more than just empty rhetoric. And it is the first real test of whether Germany is willing to look beyond the narrow, short-term interests of some of its biggest companies, think more strategically, and ultimately, pay a price for European unity.

Brussels was late to respond to the China/5G question. But the process demonstrates the EU’s strength in collecting the necessary information and providing a frame of reference for its member states to decide about the role of high-risk vendors in their networks. The report’s timing is crucial. Member states are at different stages of awarding spectrum licenses to operators, while large-scale commercial roll-out of 5G is not likely until later in 2020. It is not too late to set the parameters for the future security of European mobile networks—but it is imperative to get the analysis right. The EU has found clearer words than most of its members could.

Member states submitted standardized reports on their security assessment in July, which the European Commission has compiled and synthesized. The report subtly challenges Chinese suppliers of telecommunications equipment: although it never names China, the wording could hardly more directly criticize its potential for interference.

The key stakeholders for upholding security are mobile-network operators and telecom equipment manufacturers, who provide the hardware and software for 5G networks. The report alludes that the corporate governance, ownership structure, and level of transparency of the Chinese suppliers Huawei and ZTE differ markedly from those of their European rivals Ericsson and Nokia—and that this matters.

While confidentiality and privacy remain key aspects in cybersecurity, the integrity and availability of the system are more important, as core functions of Europe’s societies will depend on 5G technology. The report underlines that vulnerabilities are abundant throughout the network, especially as functionalities are increasingly software-based. This requires close coordination with vendors for updates and security patches.

The real strength of the EU’s assessment lies in pointing to the non-technical aspects of providing cybersecurity under complex conditions: A supplier’s trustworthiness depends largely on where it is based and whether it is subject to interference from a non-EU country, especially one “where there are no legislative or democratic checks and balances in place.” The only country to which this applies is China. Trust needs to be earned.

If Europe wants to achieve some degree of technological autonomy, it needs competitive companies in this sector. A Huawei/ZTE-dominated European mobile-network infrastructure would be problematic because European vendors could be priced out of business. The report stresses the need for healthy competition, as ecosystems with a high dependency on a single supplier will likely be less secure. The survival of European companies is thus an economic as well as a security question.

The report presents another step in an ongoing EU process. While Brussels can only provide a non-binding framework at this stage, its assessment allows for member states to align their approach and share information. Recent developments in Berlin underline the need to pool cybersecurity competency at the EU level. EU efforts can help pressure member states, first and foremost Germany, which currently puts its immediate national economic interests ahead of security in Europe because its major industries depend on China.

In other words, don’t underestimate Brussels—but beware of Berlin.

Like the September Poland-U.S. declaration, the new European assessment underlines a key risk factor identified by the 32-nation Prague Proposals in May: a supplier “subject to interference from a non-EU country” with a “strong link” to its government, and a government's ability to pressure that country’s “legislation, especially where there are no legislative or democratic checks and balances in place.” On this point, which implies a recognition of vulnerabilities arising from Huawei’s involvement in 5G networks, EU and U.S. attitudes converge.

However, implementation at the national level will determine whether nations properly address this risk. Compared to the U.S. government, the European Commission has limited authority over its member states.

Attitudes toward Huawei vary by country, and correlate more with whether the country perceives the People’s Republic of China (P.R.C.) as a potential adversary than with how much the U.S. influences the country’s political decision-making process. Consider the Czech Republic. For years, Czech public intelligence reports have included warnings about the P.R.C.’s political influence, intelligence, and hacking activities (which has encouraged other European intelligence agencies to speak out). Their National Cyber and Information Security Agency (NÚKIB) issued a warning in December about Chinese equipment in critical infrastructure, triggering a strong reaction from the Chinese Party-state. It remains unique in Europe, and recently led to rejecting a bid by Huawei and ZTE for a public tender at the Václav Havel Airport in Prague. In private conversations, NÚKIB representatives have stressed, however, that they studied Australia’s example rather than the United States’.

The assessment’s stress on the risks of suppliers linked to the P.R.C.’s totalitarian government shows an emerging consensus between European and American decision-makers that could prove decisive to the presence of Huawei and other companies in 5G networks and other critical infrastructure. A growing body of European, Australian, and American research posits that Huawei is indeed strongly linked to the P.R.C. Party-state, which has already deployed political interference activities to exert pressure in the company’s favor. The researcher Alex Joske has identified Huawei’s efforts to conceal the importance of Party work within the company. Sinopsis research has shown that Chinese Communist Party-sponsored publications stress the central role of Party members in Huawei in Europe, while state-backed propaganda, political influence, and lawfare misrepresent the company’s relationship to the Party-state.

Indeed, P.R.C. propaganda organs and their local “friends” frame governments’ measures to tackle these risks as effects of American influence, and link them to the trade war. But as the scholar Łukasz Sarek points out, “to look at the recent developments in Poland only or mainly through the lens of the US-China technological competition misses the important issues of Polish national security and the scope of China’s influence in Poland.” The same applies to any EU country.

The risk assessment’s stress on suppliers’ state links presents new challenges to P.R.C. efforts to exploit transatlantic disagreements.

The EU’s 5G risk assessment report provides a great overview of the myriad challenges of building and maintaining trustworthy and resilient 5G mobile networks. Sadly, most media reports just skimmed over it to see whether the EU will ban Chinese vendors. The EU’s risk assessment and the U.K.’s July telecommunication supply chain review report show a good understanding of the threat landscape in mobile networks, and both reports point out that IT security is a shared responsibility between vendors, operators, and governments. The EU report warns of problems like a lack of trained security personnel, insufficient risk management practices, inadequate maintenance procedures, poor policies for remote access to network components, and a lack of security requirements during the procurement process. The U.K. report simply states that, “the telecoms market is not working in a way that incentivises good cyber security.” The media and policy community’s focus on Chinese vendors is ill-advised since the task ahead of securing mobile infrastructure is a true regulatory challenge.

Of course, to Europeans, the Chinese 5G vendors have a different risk profile than their Western competitors. Not because of inferior technology, but because of the Chinese Communist Party’s (C.C.P.’s) ability to pressure both Huawei and ZTE into surrendering data or granting access to foreign networks for malicious actions like network sabotage or industrial espionage. The C.C.P. could always exploit the vendor’s legitimate access to an operator’s network; technical measures cannot meaningfully reduce this risk. Yes, this is just one of many attack vectors, but this particular one differentiates Chinese from Western vendors.

Whether the C.C.P. will coerce its domestic vendors to infiltrate a foreign government’s network that uses Chinese equipment depends on geopolitics: Russia fully embraces Chinese 5G technology, while Japan effectively banned Chinese vendors. This is not the outcome of differing technical risk assessments: Russia is geopolitically much more aligned with China than Japan is and has thus little reason to worry about China disrupting Russia’s mobile network by coercing Chinese vendors. This geopolitical dimension makes it highly unlikely for the EU to end up with a common approach to Huawei and ZTE: EU member states have different geopolitical agendas and different foreign and trade relations with China. The “Huawei question” cannot be answered with technical measures by cybersecurity agencies, but needs a political answer, after assessing risks in trade, foreign relations, national security, and economy.

Even though IT and national security concerns drove the 5G debate, especially on the U.S. side, there are other legitimate concerns for Europe. In 2013, the Commission cited Huawei and ZTE for violating anti-dumping and anti-subsidy guidelines, and wanted to launch a formal investigation but did not. Since then, little has changed for those two companies with regards to state subsidies and price dumping. Europe should assess the risk of continued market access for Chinese 5G vendors from an economic and trade perspective to complement the technical risk assessment. To even have 5G vendors in the game in 10-15 years, Europe needs far better industrial policies.

The European Commission’s 5G recommendations will likely differ greatly from the Commerce Department’s anticipated regulations for information and communications technology security, primarily regarding how explicit the language is on China and Chinese companies. The EU continues to walk a fine line between calling China out and focusing on security threats to 5G broadly, as its member countries disagree on a common approach. The United States, on the other hand, will continue to have few qualms over naming names—even with a phase one trade agreement with China in the works—and sees the EU’s document as impeding its global anti-Huawei push.

EU countries considering a 5G rollout in the next few years will likely heed the EC recommendations, and the toolbox of risk mitigation measures that will follow. The recommendations cite not only technical concerns, like the dangers of relying more on software than hardware for 5G, but also political ones. One section looks at the risks of a strong link between the supplier and the government of a third country, the third country’s non-democratic legislation, and the ability of the third country to exercise pressure. Given that the preceding section states that Huawei (China), Ericsson (Sweden), Nokia (Finland), ZTE (China), Samsung (South Korea), and Cisco (U.S.) make up the majority of the 5G telecom market, it is not difficult to read between the lines.

Why, then, does it matter that Europe didn’t directly call China a threat? Because the commission’s inability to do so speaks to larger difficulties in aligning member countries on China. American pressure on European countries has also not been enough to align the commission’s messaging with Washington’s, even though the United States remains more important to the EU’s economy than to China’s. (Although China has been gaining ground, especially in smaller EU countries.)

As EU countries move forward with their 5G decisions, many countries will likely drift toward the central recommendation of the document to reduce dependency on a single supplier, rather than toward banning Huawei’s involvement in 5G like the United States has.

While the Donald Trump administration is likely frustrated by the commission’s wishy-washy approach to China’s involvement in 5G, it may be more frustrated by the impact this document will have outside the EU. Many non-Western countries are looking ahead to their own 5G rollouts and may follow these recommendations when weighing their own security concerns. While Huawei might not appreciate if countries turn to different companies for different components of 5G infrastructure, it would likely rather be partially included in, say, Brazil’s or India’s 5G networks, than be excluded altogether. This latest document, therefore, is not only a setback for Washington’s goal to exclude China from 5G in the EU, but also globally.