EVENT TRANSCRIPT: The Geopolitics of 5G Supply Chain Security
DATE: 2:00 – 3:00 pm, 19 June 2019
VENUE: Committee Room 9, House of Commons, Westminster, SW1A 0AA
SPEAKERS: Ambassador Robert L Strayer & Dr. John Hemmings
EVENT CHAIR: Bob Seely, MP
BS: Hello everyone, my name is Bob Seely and I’m a Member of Parliament for the Isle of Wight – the huge privilege of being MP for the Isle of Wight – and with a bit of luck, if we deliver Brexit, I may continue to be MP for the Isle of Wight. I’m also on the Foreign Affairs Select Committee and I have an interest in, my background as somebody who is interested in Russia and more generally interested in authoritarian states and how free societies interact with authoritarian states. That has led me to do some reasonable specific research and work in the last two years as a Member of Parliament, both on defining Russian warfare and recently a ‘defending our data’ report into Huawei and how we deal with high-tech.
Thank you all for being here whether you’re a journalist, Members of Parliament, and from various embassies great to see you all here. I’ve got two brilliant speakers today; one is John Hemmings who is very well known to many of you, Asia Studies Director at the Henry Jackson Society and was one of the co-authors of our four nation report into Huawei and Five Eyes that I’ve just mentioned. Our guest speaker today I’m very proud to have Ambassador Robert Strayer here who is a lawyer by background, a telecommunications lawyer by training, from Ohio – very different from the Isle of Wight clearly. His title, Deputy Assistance Secretary for Cyber, International Communications, and Information Policy, putting it bluntly, is one of the most interesting jobs in global politics right now. The reason for that is that information and information flow is shaping humanity and our lives and societies as well. That runs from the strategic to the tactical levels. So when I was serving in my modest role against ISIS, or in the Libya campaign, or in Iraq 2, or in the Afghan campaign, information for me was not only about propaganda and the influence of propaganda on minds, but also about information flow; how information gets to people and shapes perception and shapes your ability to communicate. For societies and states that is going to become even more important in the 21st century, especially with the growth of 5G. There was one story this weekend that I thought was fascinating and it was put out by Deborah Haynes, former Times defence correspondent who now works as Foreign Editor at Sky. She was looking at how a British company, based near Tewkesbury, was making circuit boards for the F35. Those circuit boards controlled lots of bits of the F35. It was a British company, doing high tech work for an advanced fifth-generation aircraft. A few years ago that company was bought by a Chinese firm with a very close relationship to Huawei. It might be that that was an entirely innocent sale and that company was looked at on purely commercial grounds, purely because it turns a profit, purely because it was doing some intelligent and creative work. Or it might’ve been because different states now take very different approaches to freedom, and to power, and to how to increase power influence to Western states. So for example BAE in the United States is entirely cut off from BAE in the UK. But was the same relationship, and we still don’t know the answer, this firm which was bought by a Chinese company and is still producing very advanced circuit boards for the F35 – what is the relationship with the Chinese firm that owns that, the Chinese state that was behind it, and that British company now. This is especially considering a recent Chinese law, I think it was 2017, which requires all Chinese companies, at home or abroad, to co-operate with Chinese intelligence services. It just makes me think about these things. Ambassador Strayer is here to talk about 5G and how we roll out 5G in a way that increases our economic and political progress and also which ensures as great a deal of security and transparency in our systems as possible. We already have Huawei in our 5G network, or its beginning to be in our 5G network because it was in our 3G network and it was in our 4G network. Effectively we’ve stumbled in to having Huawei in our 5G networks. I’m not saying that’s a bad thing per se but there’s a much bigger problem here and that is how free societies like Great Britain and Northern Ireland, like the United States, like France and Germany interact with states that have a different approach to human freedom and a different approach to power than others. That is not a question of looking for enemies or looking for adversaries, because I want a good relationship with everybody. But it is also a question about how we protect our freedom and how we promote, respectfully, to others our view of free human societies, open societies, and how the rule of law should operate in the 21st Century. Here to talk about that, I’m delighted that we have Ambassador Strayer, Ambassador over to you and thank you for being here Sir.
RS: Thank you Mr Seely. It’s a true very high honour for me to be introduced by a Member of Parliament especially one that’s as deep in these issues as you are. The way you’ve framed this is exactly how I’ve thought about a lot of these issues over the last few years, it’s also a privilege to be here with the two authors of this great report that I thought was very enlightening and well researched and well written. As you mentioned, we in the US look at these full range of digital economy and cybersecurity issues, including related to 5G, as ones that are going to be critical to our national interests, including national security, human rights, and economic prosperity in the future.
It’s a privilege to be here in the Palace of Westminster – this institution has made incredible contributions to the world, through the role that it has played in the development of our liberal democracies and the rule of law. Democratic institutions like Parliament and the US Congress have played a vital role in creating a legal framework that recognises human rights and fundamental freedoms, and ensures individual liberty is protected. The bedrock values of democracy, human rights, and limits on government authority underpin the special US/UK relationship and the broader transatlantic relationships. Independent judiciary is essential to the protection of these values because it ensures the rule of law has meaning, allowing citizens to appeal to the courts to check the mandates of government and preserve their individual liberties. Our shared democratic values have played an important role in enabling the growth of the digital economy. Private online communications are protected by prohibitions on government access with very narrow, tailored exceptions subject to judicial review. Digital platforms allow for robust debate and exchange of ideas to take place without government limits on individual freedom of expression. Finally, consumers trust that they will use protect their privacy and that companies they do business with are not subject to extra-judicial mandates from the state. Privacy protections and limits on data access by government are key enablers of cross-border data flows in our digital economy. To be sure, people around the world have enjoyed tremendous economic prosperity and improved quality of life from an internet that operates based on the foundation of these shared values. Unfortunately, these shared values are increasingly under threat from authoritarian regimes, such as China, that see technology not as a means to lift people up and enable them to reach their full potential, but as a tool for repression, mass surveillance, and as a means to take advantage of our open democracies. The US is concerned about the potential for technology to serve as a conduit for espionage but also the exploitation of intellectual property and private information, and the export of authoritarian values, creating serious security concerns for us all. These security concerns are particularly salient with regard to the fifth generation of wireless technology: 5G.
5G will be transformative, providing consumers and businesses with up to 100x faster connections and very low latency (the time that it takes for devices to connect). This will enable tens of billions of new devices to be connected through the internet in just a few years. These connections will empower a vast array of new critical services, from autonomous vehicles to transportation systems to telemedicine to automated manufacturing. This is in addition to the critical infrastructure of today; the delivery of electricity and water. The massive amounts of data transmitted by the internet of things devices on 5G networks will also advance artificial intelligence. With all these services relying on 5G networks the potential vulnerabilities and stakes for safeguarding these critical networks could not be higher. As countries around the world upgrade their communications systems to 5G technology we’re urging them to adopt a risk-based security framework. An important element of this risk-based security approach is a careful evaluation of hardware and software equipment vendors and their supply chains. This evaluation should result in the exclusion of vendors that are subject to control by a foreign government with no meaningful checks and balances on its power to compel co-operation of those vendors with intelligence and security agencies. For example, because of the essential role that vendors play in networks and their maintenance they could be ordered to undermine network security, steal personal information or intellectual property, conduct espionage, disrupt critical services, or conduct cyber-attacks.
BS: Ambassador could I ask you a quick question there? I forgot to say that occasionally I might ask a quick question to make sure that we’ve understood, because that seems like a critical point. You want people to conduct their own risk-based approach – do you think enough countries are conducting a risk-based approach? Do you think that approach is forensic enough? Could you also repeat the critical element of what that risk-based approach involves?
RS: So a risk-based approach needs to include both a threat and a vulnerability. There has been a lot of public debate so far about the vulnerabilities of 5G networks – basically we’re increasing what is known at the ‘attack surface area’ because there is so much software running on these networks, so many more devices connected to them, performing so many more critical services that I just outlined. So the attack surface increases and that has led the telecom operators and the vendors to think a lot more about how they’re going to secure these networks from a cybersecurity perspective to implement the right policies in terms of cybersecurity. That gets at the technical cybersecurity vulnerability side of it. But risk is both a threat and vulnerability. So the threat, we have to look at the potential for a government to basically be able to require a company to provide the entire architecture of the network as well as access to all the software. That is the perfect opportunity for someone that wants to exploit a network, both from a network or espionage perspective.
BS: I’m gonna be super dumb for a moment – so basically if I want to keep my 5G network secure it’s a bit like I have a house and I’ve got the keys to the house and I don’t give my key to a known burglar. If I leave my windows open or it’s really easy to copy my keys, then you can break in through cyberattacks. Do I make myself any safer by not giving my keys to a known burglar? Does that make sense?
RS: I would just add, to expand that metaphor a little bit, really we’re talking about who built your house and they’re not just handing you a set of keys – they kept a set of keys. They know all the potential faults and vulnerabilities of that house structure.
BS: And they can turn my heating up at will?
RS: Yeah. You would need to be concerned about that whole enterprise. One of the key differences with 5G will be that we have such reduced latency that enables that quick communication that is going to be necessary for things like autonomous vehicles. Right now we’re mostly focussed on a 4G network where we’re connecting to the internet to get our apps to work or to make phone calls or to send texts. In the future we’re going to see devices communicating directly with one another, vehicles communicating with other vehicles or vehicles communicating with the network. They’re going to need to have low latency and computing power very close to the edge of the network. That means that in essence we’re moving from types of networks where we have a core and an edge; a core where the smart computing power is and an edge that is relatively ‘dumb’, to one where smart functions and components are spread throughout the network. There is no differentiation between a critical and non-critical part of the 5G network.
BS: I’m going to ask you quite a political question now because the government, which I support, has said that they’re going to get Huawei in to do periphery stuff because there is still a difference between core and periphery. By what you have just said, you are saying that is not the case as you understand it and actually the difference between core and periphery now is really not what it was before.
RS: Right. I would also like to say that our understanding as the US government is that the UK government has not made a decision on this matter. There are a number of commentators who have discussed this idea of a core and a non-core and that you could have untrusted vendors in the edge or non-core areas.
BS: Apparently we may or may not have agreed this on the basis that Huawei is a private company, which I think is a very dubious claim, that there is no difference between core and periphery, which I think is a very dubious claim. Is there anything else? That they said they’re not going to spy on us. Over to you.
RS: That sort of advances some of the other points that I was going to add in this section. That is our conclusion, from our security experts, that it is a significant vulnerability to have untrusted vendors in any part of a 5G network. Especially given that industry is still developing the architecture for many of the use cases, like autonomous vehicles and others, it is really hard to understand how those commentators can be so confident that they can just banish untrusted vendors to some mythical edge of the future. That seems to be an overstatement of prognostication about the evolution of 5G technology, given we’re just on the front edge of what 5G will be in the future. Right now we’re seeing a lot of the telecom operators rolling out additional cell sites, what they call small cells for additional transmission of data. The whole architecture of both the core and the former core, the computing power is going to change as we develop use cases for it as well so it’s a little early to say ‘we think core/non-core will protect us into the future’. I should mention that there have been a lot of concerns raised by the telecom carriers here in the UK, and others, that there will be substantial delay or sort of loss of the best types of technology if those carriers do not go with Huawei. The four largest telecom carriers in the US, that serve the vast vast majority of people in the US are all committed to using three vendors which are Nokia, Ericcson, and Samsung – none of which by the way is an American company. So for anyone that asserts this is some kind of trade dispute or some way to advantage American companies, that’s just false. We’re benefitting Swedish, Finnish, and a South Korean company in that regard.
BS: And Qualcomm is not part of that?
RS: Qualcomm is selling everybody all kind of things.
BS: But they’re not part of the 5G infrastructure?
BS: OK, so that’s three; Nokia, Ericcson, and Samsung.
RS: They’re what they call the radio access network. They’re the vendors that provide and integrate a radio solution. Qualcomm of course makes chipsets for both phones and the networking devices. Even the GSMA which is the trade association for the wireless industry says that even based on the forecast we have today, from what they know of US plans, we will have by 2025 half of the connections in North America will be 5G and only 17% of the connections in Asia will be 5G. It’s clear that with the standard that has been adopted in the US, that we will not use these two Chinese vendors, that we are not being set back by refusing to use them.
BS: OK so you think the claims made by mobile vendors in the UK are inaccurate?
RS: Yes. They’re at the least exaggerated and I would point out that there is a huge financial incentive to make that kind of statement in their estimations because they have a lot of embedded technology, as you alluded to, at the front end If they have 70% of one company’s technology they might well exaggerate the cost of having to swap it out and move to others. In fact, we’ve learned that there are dozens of swaps between the major vendors that I’ve named every year. They are swapped out by operators for, usually, economic reasons but those swaps do occur. Swaps meaning from a Huawei to an Ericcson or an Ericcson to a Huawei. The Danish company, the largest telecom provider in Denmark, TDC announced that they are swapping out an entire Huawei system for Ericcson earlier this year.
BS: OK so that’s an option for us?
BS: Wow, that’s interesting.
RS: UK is bigger than Denmark and you can think about these things – technology, there’s something that applies to computing power called Moore’s Law which is that roughly every two years we see the doubling of computing power on a microchip of the same size. A similar thing happens in the telecom market which is that, whatever it is aside from 4G and 5G; the switching, the routing, the networking, the different components get better over time. Companies are apt to replace their technology on two year cycles or at most five year cycles. So there is a way to migrate away from an untrusted vendor to trusted vendors over a period of years.
BS: So my suggestion that we should be building tech from one party states out of 5G networks is entirely feasible and when the mobile operators say ‘you can’t possible do that’, that is wrong.
RS: Right. There’s always a way. So let me turn to China for a minute and explain why we’re particularly concerned about the threat posed by Chinese equipment vendors. Despite Chinese claims, our concerns are purely security related about our data, our markets, and our intellectual property. We believe countries must make decisions about 5G security in a broader context that takes account of China’s efforts to build powers in ways that allow them to foster dependencies and coerce others. As made clear by the Chinese law that Mr Seely noted, the national intelligence law from 2017, Chinese citizens are required to cooperate with Chinese intelligence and security services. In addition, Chinese government does not have any meaningful checks or balances on its powers to compel those firms to facilitate access to their networks and equipment. As Chinese President Xi Jinping told security officials in January, China does not walk the Western road of constitutionalism, separation of powers, or judicial independence. Therefore, we are concerned that China could compel network vendors to act against the interests of US citizens and citizens in countries around the world.
BS: I have never heard that quote before and I have to say that I find it really enlightening as well.
RS: It was something he said in Chinese to internal officials but it’s one that we have now translated. It’s a different model of government than what we have in our democracies.
BS: And you are confident that this different model of government translates into a different model of how Chinese companies, especially those close to the Chinese state and especially large companies that export influence abroad such as Huawei, you are confident that that influence is how they operate?
RS: Yes, absolutely. The ability of the CCP to, in the end, influence companies is tremendous for a number of reasons. First of all, if you look at Mr Ren, he has pledged loyalty to the CCP. There is no independent set of directors on the outside, there are no shareholders. In the US you can sue a board and say ‘you’re not being loyal to the shareholders’. It is also important to recognise the financial obligations that are in play here – the Chinese market is basically locked down for Chinese companies. The three largest telecom operators are state owned, so what do they buy from? They buy probably 90% or more of their technology from Chinese companies like Huawei and ZTE. Furthermore, the reason that Huawei has been so successful around the world, especially the developing world, is that they offer financing. While the cost of their product might be a little bit cheaper, the financing they’re offering 0% interest for 20 years to countries. So if you look at the actual cost of deploying this capital equipment, there are tremendous savings to those companies and telecom operators from having those low interest loans. They are usually done in deals that aren’t transparent to the public, the public in those countries or internationally, and they’re in no way commercially reasonable. There is financing tools that are used in other areas but they have some tether to economic reality.
BS: Are they effectively bribes and is that relevant to the UK market?
RS: We’re very concerned. We’ve added Huawei to what we call the Restricted Entities List in the US because of the sales of telecom equipment to Iran and a deceitful practice over years to commit wire fraud in order to enable that. But that gets to the corporate culture question. If you’re thinking about a trusted vendor, a vendor you can trust to abide by the terms of the contract and not be pressured or coerced by another entity like the CCP, you need to look at the culture of the whole company. There are rampant stories around the world of corruption and bribes from Huawei and ZTE. Those are well known and there has been a long history of intellectual property theft, we’re currently indicting Huawei relative to the theft of T-Mobile intellectual property and there is history going back to 2004 of Cisco complaining about intellectual property theft. To us that is an objective factor that should be considered – whether you trust the company from its corporate culture perspective.
BS: One other question on that, you were talking about Huawei’s relationship with the Chinese state. Do you believe that this is a mercantilist operation whereby Huawei is a private company which is embedded or is it, to all intents and purposes, part of the Chinese state?
RS: Well, unlike some companies it is not state owned, so it does have that separation. But the fact that in China there are these intelligence law, and other laws, that compel activity to be fully directed by the leadership and the fact that there is no independent judiciary – we think that is so important – you can’t go to court and object. American companies have objected to taking action in the US and those play out in court and there is rule of law that you can see being applied through the rule of law exchange that we have in our democracies. That is a fundamental difference. While there could be a legal separation, the way that the interaction happens we need to think about how these things play out in practice not just under terms of statute. That gets to most of our concerns about the company. The other thing that I wanted to highlight is that we’re talking about the shared respect that our democracies have for human rights. Is the way that Huawei works with an ecosystem of other companies in China to develop surveillance technologies to surveil people – I think we’ve all talked about the Uighur population in Xinjiang province, they’re including CCTV cameras to identify people and cross match that to profiles of people they already know about ad then geo-locate Muslim populations in Xinjiang. This is being used, of course, to undermine fundamentals of people’s free speech and freedom of association – that’s how they end up in these re-education camps.
BS: And Huawei is complicit in that?
RS: Huawei provides the underlying connectivity for these sensors and Huawei, if you read their material, talks about providing end to end solutions for a number of things and all these added on computing powers. Added on computing power can be used for a number of purposes, but the way that technology development occurs in China means they are well aware of the used their technology is being put to. They may not produce a surveillance camera but they work together on that ecosystem.
BS: So at the very least it is a passive acceptance of what is happening if not something more.
RS: Yep, exactly. The way we also see it is also in leaving China. There have been a lot of efforts at ‘smart-cities’, which is digitising cities doing the things that 5G will power. There is also an effort to create ‘safe-cities’. Safe-cities in a non-democracy can quickly become an authoritarian state, where it is going after people for all kinds of reasons. Huawei’s technology is key to enabling those safe-cities out there, so we do know that that is a way of exporting those set of values which are quire contrary to the ones that we hold dear. I would just note one other recent example of this use of censorship. We all know about the Great Chinese Firewall, well the 30th Anniversary of Tiananmen Square saw VPNs blocked again, we say WeChat users unable to update their statuses, and we saw video sharing services ‘down for maintenance’ that day. So there is a continuing effort by the government to restrict the use of technology and to insert itself into the private sector’s actions in China when it comes to surveillance and limitations on freedom of speech.
I just wanted to start wrapping up here. In closing, we just want to emphasise that this isn’t just about technology security, it’s also about our values and what kind of internet we want to see and what kind of world we want to see in the future. The US wants to continue working with the UK, we want to solve this 5G security concern that we have, but also work on the generational challenges related to the digital ecosystem of the future emerging technologies. There are many things beyond 5G that we need to work on, given out shared values and the values of many other countries that are in the same direction. We need to articulate our vision for what is acceptable and not acceptable and what is legitimate and not legitimate uses of technology. One of things we did is that we worked with the Czech government to have a conference in early May in Prague where the product of that was a set of roughly 20 principles of 5G security across the board. Some of the focussed more on supply chain but others on resiliency, how to manage any vulnerabilities in the system, and of financing. We think there are a country agnostic set of principles that can be applied to 5G security and we want to work with countries on implementing those. Note too that the EU Commission had a framework of security assessment that they developed and that assessment specifically notes the risk of a third country affecting a vendor, giving direction to a vendor. So we think that’s a very important criteria that all governments should be thinking about on the threat side, not just on the technical vulnerabilities. We really want to be building an ecosystem that will ensure we have a safe, vibrant future for all of our digital lives. Just as importantly we want to work with the UK and other like-minded partners to push back against the use of 5G and other emerging technologies by authoritarian regimes. We can’t allow that technology to be used to suppress dissent, censor freedom of expression, monitor populations, and restrict access to information. We must also not allow those regimes to unfairly support their digital companies at the expense of foreign competitors, or to conduct damaging cyberattacks or economic espionage on their rivals for commercial gain. We need to work together to defend our shared values and the liberal democratic order we have created against a rising tide of digitally enabled authoritarianism. I look forward to standing shoulder to shoulder with the UK in responding to these challenges posed by authoritarian states in cyberspace. Thank you for the opportunity to speak today – I really appreciate the questions and the dialogue and thank you all for attending. I look forward to having a vigorous debate after this.
BS: Fantastic, thank you very much indeed. John do you want to make a few points? I’m just going to hand over to John Hemmings for a few minutes and then we can have a Q&A.
JH: I’ll be very quick, I’m not the reason we’re all here. If I may, Ambassador Strayer, thank you so much for your remarks. It was very useful because I think all of us, I think if you’re learning about the issue if you’re in journalism or media or even in government, this is bringing cyber, bringing Chinese defence security policy, and also bringing in telecoms policy into a new thing which no one has ever heard of. So we’re all having to learn very quickly why this is important, why we disagree about these things so much. Trying to understand the assumptions is a lot of work. Dealing with people who are sometimes inside industry, who are the real experts on it, is difficult because they have their own internal incentives – I won’t say agendas because that sounds malicious, and I don’t think that is what I mean. Trying to find out what is the case of stuff is very difficult and having you here and knowing your telecoms background it is an opportunity for people like Bob and I who struggled around, like Plato’s cave trying to figure out if it’s an elephant or a wastebasket. The things that we’ve struggled with here are the antennas issue – to what extent is restricting a provider to the antennas a proper risk mitigation strategy. The second question or discussion point would be that there is pushback on the edge/periphery thing from people in government – I won’t say who but I have discussed this point directly with people and they pushback on that – so what do you say when they say that pudding is being over-egged. Can you say something about that? Finally, in terms of something I’ve heard from telecoms firms on the other side of the Atlantic, but also some in Asia, is this idea of open-architecture, an open-network system where you have lots of providers with much lower restrictions to market entry, versus a closed system. What do those things mean to you – I think I understand them – but it would be amazing if you clarified for us what they are?
RS: Great question. I think, to sort of get at the core/edge discussion a lot of people think is going to vanish over time, really people imagine the amount of investment in a 5G network being about 80% in the radio access area and 20% in the former core. The gain is at the edge, the smart edge where smarter computing components are coming into it. It might sound a lot like Star Trek but one of the most evolutionary technologies we’re going to see in the antenna specifically will be ‘beam-forming’. This is where antennas can very directly put a spectrum going at a particular user. Those components are getting smarter, they’re not the antennas of today which are omni-directional. We’re going to fundamentally see a lot of changes in what they call just the radio and antenna part of it. Beyond that we’re going to see more and more computing happening right at the base station, because that will be where we need to have that low latency, more and more activity occurring closer to the user and closer to those use cases.
First of all, we need to de-mystify what 5G is. It is a somewhat technical electronic equipment that if you’re not an electronic engineer you’re not going to have an easy familiarity with. But these are things that are already around today in different parts – we know that there are switchers and routers, you can break it down into different components, there is computer power, there is storage, and these are used for many things other than telecom. There’s going to be a lot more cloud computing involved in this and we’re already seeing that happen with the 4G core that is using cloud computing technology today. We’re going to see that kind of evolution happen more at the edge, what they call virtualisation, of the network. There will be less importance to the hardware and increasing importance to the software which is running on top of the hardware. So that’s why it’s really important that efforts like this open-network, which seeks to break up the proprietary types of architecture which the, roughly, five major vendors of this have now that will allow open interfaces, so you can put an antenna with someone else’s base station or you can put a different radio in there. You can start plugging and playing with different components and, as those become more virtualised, what they call software defined radios, you’ll see more of the software being the important part of this. But, for that to happen and to be successful and to be able to do it in an easier fashion than swapping out entire sets of towers and base stations, you’ll need to have open standards that you can write to and know that there will be an open interface with another piece of equipment and it will always work together rather than having to replace the whole thing. That’s generally what’s happening today because while there are general standards, there’s enough play in that interpretation that we end up with proprietary solutions for a lot of what we call the radio access network. There’s a lot of promise in this idea of working through open standards to end up with more of a virtualised edge that is more software driven. It’ll be better technology, it’ll be more adaptable as instead of changing out hardware you can just change the software and get better performance that way.
BS: Fantastic, thank you very much indeed. Right, we are going to get through as many questions as we can in the next 15-20 minutes when we get kicked out of this room. Can we just make sure mobile phones are turned off please. For the questions can you please state your name, where you are from, and please can we have questions not statements that ramble on with ‘what do you think?’ at the end of them. Nice punchy questions.
QUESTION: Ericcson, Nokia, and Samsung, particularly Ericcson and Nokia in Europe – what are the US or the EU member states, NATO, or the EC doing to coordinate and protect these companies given their core key capabilities?
RS: I don’t want to say that we don’t care about their future – we want there to be a diverse ecosystem, a lot of trusted suppliers, but we aren’t doing anything to help them directly. We want to talk about our security concerns, we know there will be sovereign decisions made and we hope to influence those in an outcome which will be helpful for our shared values and advantageous to the future development of those. As you may know that if they continue to see a loss of market share then they will have less money for R&D and we won’t have them. There’s solutions, like this idea of more open architecture that could develop which would be alternatives to the present. The idea of open architecture which has the ability to plug and play with different components would open the ecosystem up to a wider range of suppliers. There’s technological solutions that could evolve but we’re not doing anything directly to help those companies – we’re thinking about countries that might need assistance. We’re helping in Indo-Pacific we have a Digital Connectivity and Cybersecurity Partnership where we’re seeking to help countries do technical analyses to choose trusted suppliers.
QUESTION: You have spoken, and there’s a lot of talk about the core vs periphery, some technically minded UK officials say that’s not the right paradigm, that this is about sensitive and non-sensitive functions. You’ve spoken about the importance of protecting all citizen’s privacy, just focussing on the sensitivity of government data do you accept that it is possible for sensitive functions to be protected or would you reject that?
RS: I do. The way I would frame it slightly differently, I’ve agreed that you want to protect all sensitive, but I would consider the cell phone tower sitting out there or all over London, if they were all run by Huawei to be a point of concern. In the sense that all of our phone calls could be surveilled. Because of lawful intercept requirements at the base stations of all those towers, the data is unencrypted at that point. My understanding is that many people consider that to be non-sensitive today, but to us that is fundamentally sensitive.
QUESTION: With the new Prime Minister, whoever that may be, will Huawei be one of the first things on the agenda?
RS: So it’s currently on our agenda with the UK government among political and non-political levels, so we’re going to keep this active engagement going and having really frank discussions. We have this very long joint security relationship and that’s not going to…
QUESTION: Do you expect it to come up in the first meeting?
RS: I’m not able to decide what’s on the agenda.
BS: I really hope it’s going to be on the agenda – I have talked to some of the candidates about it and I will be talking to other candidates about it as well. Having good relationships with China and all the nations of the world is important. But looking after our Five Eyes relationships is absolutely critical and building a fifth generation wireless network in the UK, which is safe and secure, is really important. So it should be on the horizon and I, and others, are going to try to put it on the horizon.
QUESTION: Could you please tell us what you’ve said to the candidates so far and who they are?
BS: No, I would rather not at the moment but I’m happy to talk to you later about it. I’ve had a couple of conversations and I will be having others.
QUESTION: UK government ministers have said they want a cost-effective solution to 5G, do you have concerns that that could lead to what you mentioned earlier, that Huawei are offering them a deal that’s too good to be true?
RS: I’ll leave that to law enforcement and others who would enforce that. On the cost perspective I think the things that I didn’t mention is that you can have the migration away over a period of time, you’re going to see technology change out anyway. But it’s also very important to think about the cost to society of huge intellectual property theft and what is the cost to society of having data exfiltrated to an authoritarian regime. I know that both of our countries care tremendously about privacy, I know that sometimes we get a bad rap because we don’t have a GDPR regulation of the same sort, but this could be a mechanism to exfiltrate massive amounts of data.
BS: I will be careful what I say. I’m concerned about a couple of things on this. I believe that Huawei has a very extensive lobbying operation, I think it has got some drinks do somewhere grand. I’m tempted to go there just to see what would happen but I may not. My need for alcohol is not quite that bad. So there is an extensive lobbying effort which is the first point. Secondly, there are an uncomfortable number of people ending up on their board of directors who are people who have had influence. I think the same could be said of the Chinese state, Edward Heath was one example and there are others. I am also concerned, and I don’t think we’ve had straight answers from mobile UK as to the financial offer or whether there is a financial inducement, and I mean that in a very legal way, a financial attraction to having Huawei and whether that comes in to Chinese state development, the Chinese Development Bank – massive funding line for Huawei which is…
JH: 100 billion in dollars and 70 billion in pounds, those are numbers that are unconfirmed…
BS: Huawei has a great ability to offer remarkably good value for money service and you define ‘value for money’ in that context as you would like.
QUESTION: Do you think the UK carriers and the oversight board are thinking about their bottom line and potentially overstating the security they can assure?
RS: I’ve heard of some estimates that I think could be well exaggerated and I’ve seen some of the analyses of those costs that include countries that many of us wouldn’t even consider as part of Europe, that use analyses that just assume you can’t use Ericcson or Nokia. That have assumptions that I don’t think are fair. I take it that they’ve got cost concerns but there is a way to get there over time.
BS: I really worry that the bottom line seems to be everything for them and that they are not taking a broader view of what is in the national interest. And actually the long term interests of their customers and our economy. Because there are suppliers in the West and we should be working with those folks, Nokia and Ericcson, and also Samsung as well. I am worried that they are over-egging their arguments in favour of the status quo and using high tech from one party states, i.e. Huawei and China at the moment, and I wish they would reconsider.
QUESTION: Now they have started building and its largely Huawei equipment that they are using to build, especially BT, so does that make this more urgent? Have you had discussions with them since those networks launched?
RS: I haven’t. The one thing that I think is important for everyone in the room to really recognise is that there is a difference between trials and true commercial large deployments. The other question I would have is do they seem to be rushing out to do these but there is not going to be the technology for Huawei in the future. We have an export ban on US technology going to Huawei, there’s not going to be a future – this is not something that is going to be a question. That export ban will stop that technology flow. It seems to be a business decision that is rather risky at this point in time when you don’t have the future flow, just as a number of them decided not to go with Huawei phones because they felt the supply chains were in jeopardy, the supply chains for the networking is also in jeopardy.
BS: I get the worry that we are, as a society, being bounced in to this decision. I think that really concerns me because we’re being bounced into it for the wrong reasons.
QUESTION: We are studying the export of conflict minerals from the Democratic Republic of Congo, my question is would the increased demand of minerals following 5G introduction will the supply chain security increase the regulation of mining exports from the DRC?
RS: I really don’t have a deep enough understanding of the conflict minerals requirements, I would just say that generally speaking all companies should live by the highest standards of corporate practice and be careful about how they’re sourcing and treating employees, and the knock-on effect of commercial activities.
BS: Thank you for your question, sorry that we’re not expert enough to answer that specific bit.
QUESTION: You’re having conversations with large amounts of countries and as far as I’m aware there are very few countries that have implemented the ban that you’re looking for, what is it that you present to them that others are pushing back on and where are those lines of differentiation?
RS: So I would say that there has been a lot of success in roughly the last nine months since we’ve known what the standards are going to be for 5G and that it’s going to empower all this critical infrastructure. We’ve gotten people to say we’re not just concerned about cybersecurity and that there is a supply chain issue of itself too. I think there is almost no one in the developed world and in developing countries that we’ve talked to that does not want to ban Chinese technology from the core of their networks. That begs the question that if you’re so concerned about them in the core why would you let them in the edge, and you must have some serious discount as to the vulnerability of the edge. But that’s why we’re really here to help educate about what the edge will become; it may not be that today or in June of 2019 but it will soon become a much more sophisticated and technologically empowered edge that we need to protect as well.
BS: Thank you very much for all being here and our speakers for a fascinating talk.