4 April 2019 | By Dinah Spritzer
Public procurement
Banning China’s Huawei?
EU countries are divided on whether or not to allow the Chinese telecommunications giant to build 5G network infrastructure
It might be a small, rather sedate country whose policies are not expected to trigger international trade wars, but the Czech Republic’s warning against Huawei was a cyber-security shot heard around the world. And the legal reverberations are still coming.
When the Czech cybersecurity agency warned in December that both the software and hardware of China’s Huawei and ZTE telecoms posed a threat to state security, European lawmakers took notice. The watchdog cited a 2017 Chinese law that requires any domestic organization to “support, cooperate with, and collaborate in national intelligence work.”
A geopolitical storm followed. Huawei threatened legal retaliation, and Czech Prime Minister Andrej Babis visited the White House as an alleged reward for backing US efforts to globally ban Huawei. The firm is accused of acting as China’s spymaster.
On 12 March 2019, the European Parliament passed a resolution expressing “deep concern” over the use of Chinese technology in building Europe’s 5G network, the circuitry to be rolled out soon to increase internet speed and connectivity over the next decade.
European lawmakers sought to highlight “recent allegations that 5G equipment may have embedded backdoors that would allow Chinese manufacturers and authorities to have unauthorized access to private and personal data and telecommunications in the EU.”
Along with the non-binding resolution, the European Parliament passed the Cybersecurity Act to upgrade the security vetting of all products sold in the EU. The European Commission, following in the steps of the Parliament, announced on March 26 that it wants a united front on cybersecurity, requiring member states to create an assessment and prevention plan for 5G by the end of 2019.
The Commission’s vice-president in charge of digital affairs, Andrus Ansip, acknowledged concerns over Huawei and China’s 2017 intelligence law. “I think we have to be worried about this,” Ansip said.
However, in its recommendations to member states, the Commission rejected calls to ban the Chinese tech company from taking part in the European roll-out of the 5G network. Huawei, a $7.3 billion company and the world’s second-biggest smartphone maker, denies that it is controlled by China’s ruling Communist Party and insists it does not deploy equipment to aid spying.
The Czech debate sheds light on the transatlantic battle over what to do about the firm, especially given that it is best-suited to build the 5G network in terms of technology, price and know-how, according to experts.
Europe’s evolving response to the potential risks Huawei poses has long-term legal consequences for competition and national security.
No united European position
Many public and leaked pronouncements regarding Huawei are inconsistent and, some might say, murky.
In December 2018, following non-stop prodding from the United States, Germany’s Deutsche Telekom, which uses Huawei components in its network, said it would review its procurement strategy. It added it took “the global discussion about the security of network elements from Chinese manufacturers very seriously.”
Yet behind the scenes, analysts were not sure what that meant.
The same question arose after one of Britain’s most senior intelligence officials noted that his country needed to evaluate Chinese ownership of telecoms technologies more closely. Enter the French, who are underwhelmed by Huawei phobia.
Alluding to the US campaign against the firm, Stéphane Richard, the CEO of the leading French telecoms company Orange, told ‘Reuters’ that concerns over Huawei were based on politics: “We’re in the realm of fantasy: ‘They’re Chinese. They have links to the Chinese army, thus there are spies, thus we can’t let them touch our telecom equipment’.”
The US has already banned Huawei from doing any work with the US government, and thanks to American efforts, there are wide-ranging bans on Huawei network technology in place in Japan and Australia. Such a country-by-country approach might allow Huawei to cite unfair competition and a lack of spy proof, as its leaders have been doing across Europe in a publicity campaign.
However, the pressure from the US has been relentless. Washington went so far as to warn Germany that it may limit information sharing if Germany uses “untrusted vendors” in its 5G telecom infrastructure.
Ulrich Kelber, Germany’s data protection commissioner, was not amused, pointedly telling ‘Handelsblatt’ newspaper that he found it “very interesting that of all people, the Americans are now warning against Huawei”, given that they had put similar legal provisions in place.
However, Reinhard Bütikofer, a German member of the European Parliament and co-chair of the European Green Party, is in favour of stricter EU-wide rules, following the example of Australia. “Practically, that would mean to exclude all firms from participating in rolling out the digital backbone infrastructure which in their countries of origin are obliged by law, and without oversight by an independent judiciary, to transmit information to their national intelligence agencies,” he wrote in the newspaper ‘Die Welt’.
National security vs. unfair competition
But how could Huawei be banned? “They already are involved in nearly every EU country’s infrastructure,” noted Radim Polcak, a Czech law professor at Masaryk University in Brno who specializes in cybersecurity.
And there is nothing in the new Cybersecurity Act that mentions an American-style ban. The new law requires the European Commission to “provide guidance on how to tackle cyber threats and vulnerabilities when procuring 5G equipment, for example by diversifying equipment from different vendors, introducing multi-phase procurement processes and establishing a strategy to reduce Europe’s dependence on foreign cyber security technology.”
There is already a European Union guideline that could help countries deal with Huawei, explained Polcak. The 2016 Directive on Security of Network and Information Systems (NIS) was the first Europe-wide attempt to deal with cybersecurity. The law is aimed at forcing countries to step up their protection of digital networks in essential services – energy, transport, water, banking, financial market infrastructures and healthcare. Responsibilities in different countries might fall on intelligence agencies, ministries or separate bodies.
With the new act, there will be pan-European testing centres where equipment can be proven safe. So does this take the pressure off countries to stand alone against Huawei? “I am optimistic that these labs will be effective,” said Polcak, a former adviser on data security and artificial intelligence. “This gives member states a tool to use in public procurement procedures.”
Another option the Cybersecurity Act offers is for countries to require a diverse distribution of companies whose products are used in networks, thus ensuring that no single company dominates. “We don’t know whether this will work. We have the tools, now we need the leadership,” he said.
For Polcak, the European Commission is in a better position to implement the Cybersecurity Act than most member states. He said the telecoms ownership structures and security rules among states were too varied. A country like Malta, with low regulation – for instance in the arena of online gambling – might be more generally open for investments from companies with security issues.
Will technical measures suffice?
So can any country limit procurement proceedings based on so-called national security interests? “EU member states have the right to decide whether to exclude companies from their markets for national security reasons, if they do not comply with the country’s standards and legal framework,” said Nathalie Vandystadt, spokeswoman for the European Commission.
Germany’s cybersecurity agency BSI is convinced the risk of using a Chinese supplier is manageable. Stricter vetting and a certification process for all hardware and software updates could help to contain the threat of spying, BSI believes. However, Reinhard Bütikofer remains sceptical: “In the end, no matter how many technical fixes and no-spy deals the government dreams up, there are no weaselly ways to resolve this,” he told the ‘Berlin Policy Journal’.
The question of exclusion has come up repeatedly in the case of Russian gas. And the outcome of a WTO ruling might give some hints regarding Huawei.
Russia launched the dispute in 2014, claiming that the EU’s “Third Energy Package” and the EU’s energy policy overall unfairly restricted and discriminated against Russia’s gas export monopoly Gazprom. The WTO ruled mostly in favour of the EU, although the ruling is under appeal.
As for the fate of the Czech Republic and a possible legal tangle, Polcak noted that the Cybersecurity Agency’s warning was not a ban. Hence, Huawei’s legal threats are unlikely to evolve. He also denounced the European complaint, heard in many quarters, that the US was hitting out against Huawei for pure competitive reasons and the desire to protect its own tech companies.
“I understand the American approach, they have a certain presence in Europe, and they are concerned. They do consider Huawei a serious threat, and there are very good indications that it is a threat.”
However, critics of the US argue that it is pointing the finger at China while the US itself is accused of using an American company’s systems to carry out spying operations. “Yes, we have to be fair to the US concerns and to the Chinese concerns. But the big difference is that the US is our ally,” Polcak noted.
INFOBOX
Certifying cybersecurity
As the European Union tightens its cybersecurity rules, there are a few points that are crucial for companies hoping to sell technology-related products across the bloc.
Spearheading the effort to ensure technology is “safe” is ENISA, the European Union Agency for Network and Information Security. This new body, based in Heraklion, Greece, will now work more closely with member states to establish more streamlined, common and effective procedures for evaluating cybersecurity.
The Cybersecurity Act gave ENISA greater resources and greater influence. It also establishes the first framework for European cybersecurity certificates for products, processes and services that will be valid throughout the EU. However, these certificates are still in development.
Companies that produce information and communications technology (ICT) products will see much stricter certification rules by 2020 as the EU tries to come up with a single testing and security approach. Testing centres will be established to evaluate products, and those involved in telecommunications in particular will face greater scrutiny.
The European Commission wants to end the system whereby a product that one country deems unsafe is considered an acceptable risk by another country.
Although ENISA is dedicated to supporting the fight against cybercrime, such as the dramatic increase in ransomware attacks, the agency is now gearing up to address the concern that telecoms technology can be used to spy on major population swathes. Through ENISA, the EU plans to issue clear and consistent guidelines about how to comply with certification rules. Once a product is certified in one country, it will be considered safe to use in all member states.
The Commission states that an EU-wide certificate will eliminate market-entry barriers for SMEs and new businesses, such as cost. For instance, the British Standards Institution “Smart Meter Gateway” certificate costs more than €1 million (highest level of test and assurance, concerns not only one product but the whole infrastructure around it as well), while the cost for smart-meter certification in the UK and France is about €150,000.
Companies can expect that within the next few years, having an EU certification will be part of all member states’ public procurement rules in the area of ICT.
Perhaps the most important recommendation from the European Commission affecting ICT companies emerged in March 2019: “Member states should make certification in this area mandatory through national technical regulations.” In other words, the Commission guidelines would then become part of national legislation. And countries will be required to make sure the telecoms companies that operate on their territory will use the same certification rules as national governments.