In the end, the prospect of eye-watering costs and delays to the rollout of critical technology proved more daunting for the British government than American threats.
On Tuesday, the U.S. lost its long battle to persuade the U.K. to ban China’s Huawei Technologies Co. from fifth-generation wireless networks. The decision to let Huawei build the periphery of the 5G system showed the awkward position of U.S. allies asked to choose between Washington and Beijing. It also reflects waning U.S. leverage in Europe — including post-Brexit U.K. — at a time when the transatlantic alliance is strained.
President Trump’s administration has been clear about what it sees as the problem: a potential Chinese breach of allied national security. It’s been less clear on a viable solution for countries desperate not to fall behind in the race for the infrastructure that will underpin such advances as driverless cars and automated factories.
With few alternative companies able to supply the 5G market, the U.S. couldn’t counter the significant added costs and delays involved in banning Huawei outright. Secretary of State Michael R. Pompeo arrives in London on Wednesday and it’s now up to the U.S. to decide whether to raise the temperature in a public dispute between close allies.
The threats so far have included cuts to intelligence sharing, although that would come at significant cost to the U.S. itself and British officials don’t believe it would follow through. GCHQ, the British equivalent of the U.S. National Security Agency, operates a hub for the “Five Eyes” members — Australia, Britain, Canada, New Zealand and the U.S.
But as Britain leaves the European Union on Friday, there’s much more in play. The response to the Huawei decision has potential to bleed across to trade negotiations, British plans for a digital tax on tech giants and the broader post-Brexit relationship, including a budding political friendship between Trump and Prime Minister Boris Johnson.
“It’s in the U.S. gift to accept that even if we disagree in the details, we agree on the fundamentals and move on to the much more important issue of developing western vendors” for 5G telecommunication networks, said Malcolm Chalmers, a former U.K. diplomat and now deputy director of the Royal United Services Institute, or RUSI, in a briefing.
The EU is expected to announce on Wednesday guidelines for member states to use in deciding 5G issues, including rules that would permit, but not require, governments to restrict or ban the use of Huawei equipment.
Going forward, said Chalmers, countries will need to redress the market failure at the root of the Huawei dispute: The tiny number of vendors — none of them American — that are able to build 5G networks at scale. Not only does that force an over-reliance on Chinese suppliers, it also reduces options to build backups into networks — a key cybersecurity tool — so that if one manufacturer’s antenna stops working, another’s will continue.
Britain’s reliance on just three suppliers, including Huawei, is “crazy,” according to Ian Levy, technical director at Britain’s National Cyber Security Centre. He made the comment in a blog post published Tuesday to explain how U.K. security agencies plan to protect its 5G network.
Samsung Electronics Co. Ltd. said last year it aimed to boost its share of the global telecommunications equipment market to 20% gear from less than 7%. But the hurdles to new entrants Levy checked off in his post — including low margins, high research and development costs, patent license fees and scale— are considerable.
This month, Thomas Donahue, a former senior director for cyber operations on the U.S. National Security Council, wrote that the federal government had three options: invest heavily in Huawei’s European alternatives, Ericsson AB and Nokia Oyj, buy one of them, or massively fund the development of a U.S. competitor.
The U.S. Defense Science Board recommended in June that the federal government should provide seed funding for “western industrial base alternatives” to Huawei.
When it comes to an immediate Huawei ban, though, the U.S. has struggled to persuade European countries to follow the lead it has set with Australia, a Pacific nation that faces a more immediate security threat from China.
The argument centers on whether, in the new world of 5G, risks posed by a potentially hostile equipment supplier can be managed. Britain’s electronic intelligence agencies appear to have rejected U.S. claims that in 5G networks the core has become “virtual” and so widely distributed that the distinction at the heart of Tuesday’s decision — between a sensitive core and dumb periphery — no longer exists.
The edge of a network will still face the consumer and, if hacked, give access almost exclusively to metadata, not the sensitive materials in the core, said James Sullivan, RUSI’s head of cyber research. “5G networks are not revolutionary,” said Sullivan, who just completed a nine-month study on the issue. “They are evolutionary.”
Huawei has been building mobile network infrastructure in the U.K. for more than 15 years. British officials were concerned enough about the security risks involved that in 2010 they set up an inspection center to reverse-engineer the company’s equipment and assess it for security risks.
The center’s annual reports have been damning. Last year’s concluded that “it will be difficult to appropriately risk-manage future products in the context of U.K. deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.”
It was because of the center’s work “that we know more about Huawei, and the risks it poses, than any other country in the world,” U.K. Foreign Secretary Dominic Raab told Parliament on Tuesday. He also pledged to attract more 5G vendors.
But if it shares U.S. concerns about Huawei, the U.K. is also in a very different starting position. To ban Huawei it would need to first rip out existing Huawei 4G hardware, causing significant costs and delays. That’s in addition to forgoing the steep price discount the company offers over competitors. In the U.S., the Chinese company has sold equipment only to some smaller rural networks.
That cost raises questions about how much more secure it would be to use non-Chinese hardware, another gray area. Equipment supplied by Western companies is shot through with Chinese components, while some of the most prolific hacking is done by Russia, which does not produce any of the hardware it hacks.
“The initial argument — why would you allow a Chinese provider, a frenemy, right into the core of your network — does sound crazy,” said Emily Taylor, chief executive of Oxford Information Labs, a cyber consultancy. “But when you look at it, no piece of equipment will ever be 100% secure.”