At a glance.
- US expresses satisfaction at the EU's decision on 5G security.
- The significance of the UK's decision to allow Huawei into its networks will be determined by the details of the decision's implementation.
- Former head of Shin Bet advocates preemptive cyber strikes.
The US finds some positives in the EU's decision on 5G security.
The US has welcomed the EU’s decision on 5G network security, seeing it as amounting to European acknowledgement of the unacceptable risks untrusted suppliers bring. “We call on our European allies and partners to implement the EU recommendations by adopting strong, risk-based security measures that exclude high-risk suppliers from all parts of their 5G networks,” Secretary Pompeo said in his statement.
The statement twice mentions what makes a supplier high-risk: they are, “e.g., companies based in third countries that lack democratic checks and balances,” and the EU has recommended that such suppliers should face restrictions that other vendors don’t. The Secretary of State also notes with gratification that the European Union’s “toolbox” calls upon “EU member states to exclude high risk suppliers from critical and sensitive parts of their 5G networks, which includes the Radio Access Network.”
How to use the tools in the EU’s 5G security toolbox is up to the member states. German security officials have expressed unease over evidence the US has provided that supports the contention that Huawei is engaged in espionage, but Guillaume Poupard, who directs France’s cybersecurity agency ANSSI, told Bloomberg that as far as he was concerned he hadn’t seen any "smoking guns." “Maybe elsewhere, but not in Europe,” he said. Still, French authorities have taken good care to keep Huawei away from Airbus headquarters in Toulouse.
Italy’s Industry Undersecretary, Mirella Liuzzi, said this week that Italy wouldn’t prevent Huawei or ZTE from trying to play a role in Italy’s 5G networks, that it wouldn’t keep them from the doorstep, but that they would exercise due caution in where they allowed any suspect vendor to participate.
On vetting Huawei.
Britain’s confidence in its ability to exercise its own version of due caution rests on the work of the Huawei Cyber Security Evaluation Centre (the HCSEC), a forty-person unit in Banbury, vetted by GCHQ, that’s charged with checking Huawei equipment for security issues before permitting it into the country’s networks. The HCSEC has been in operation for almost six years. Its Oxfordshire facility is a Huawei facility overseen by an NCSC-chaired board whose members are drawn from other elements of the British Government. The vice-chair is a Huawei executive appointed by the company.
The board's last annual report, rendered in March of 2019, found that the HCSEC was for the most part able to operate independently of Huawei, but some of its other conclusions were less encouraging, such as this final one: “Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.” It will be worth watching for the next report to see what progress if any has been made. Quite apart from Huawei's participation in its own vetting, skeptics point to the disparity of resources: HCSEC has forty members; Huawei has nearly two-hundred-thousand other employees.
Computing reports that Secretary of State Pompeo has expressed confidence that the US and UK will reach a mutually satisfactory understanding over Huawei. The British policy announced this week will exclude Huawei from “core” elements of the 5G network, which would presumably include the critical networks the Huawei oversight board alluded to in its last annual report. It will also cap the company’s participation in the remainder at 35%. It will also be interesting to see how much of the 5G infrastructure winds up in the "core."
The former head of Israel's Shin Bet security service advocated, at the Cybertech conference in Tel Aviv yesterday, that preemption become a more widely used strategy against cyberattacks. The Jerusalem Post reported that Yuval Diskin argued that it was now possible to develop indicators and warnings of an impending attack with sufficient confidence to make preemptive cyber strikes a realistic possibility.