In its often fractious dealings with western governments, Chinese tech giant Huawei has been repeatedly accused of being a proxy for government espionage and other practices unbecoming of a global corporation.
Now National Security Adviser Kim Darroch has called for the company to submit to an unusually high degree of intervention from the UK government.
As a condition of doing business in the UK, Darroch said, Huawei should be closely monitored by intelligence agency GCHQ. This raises new questions about the nature of cybersecurity, public-private partnerships in business and the role of the state in both. We have found ourselves monitoring a Chinese company in a way that might make us decidedly uncomfortable if the roles were reversed.
The current debate centres around the Huawei Cyber Security Evaluation Centre in Oxfordshire. This was set up in 2010 to assess the security vulnerabilities and possible exploitation of the Huawei equipment and software that has been embedded in dozens of UK critical national infrastructure systems, from power grids to telecommunications.
The centre is known as “The Cell” and is funded and staffed by Huawei, albeit under the remit and oversight of government, which decides what to examine and how this is done. This is a considerable imposition on any company, even one well used to having to prove itself. Huawei has to toe the line more than most corporations, given long-standing western perceptions that it is a front for Chinese state and commercial espionage.
Fox in the henhouse
Huawei employees at The Cell are tasked with granting Huawei systems clean bills of health so that the company can continue to access British markets, so it is unsurprising that Whitehall and the information security industry have grumbled about foxes and henhouses.
A report by the influential Intelligence and Security Committee, published in June, recommended that existing levels of GCHQ involvement with The Cell be increased.
In his review of the situation, Darroch notes Huawei staff have been “exemplary” in cooperating with the UK government. But he concurs that GCHQ – the UK’s most technically adept foreign intelligence-gathering agency and guardian of the networks – needs to exert more control over this particular fox.
Darroch rejects the ISC’s suggestion that all HCSEC employees be GCHQ staff but suggests that GCHQ should take control of all senior hiring and firing. He also suggests the agency should chair an oversight board which should set and evaluate all annual HCSEC objectives. This board should have a deputy from Huawei but include other Whitehall mandarins as well as the chair. The aim of all this is to further HCSEC’s “continuing independence from Huawei headquarters” which, of course, are in Shenzhen, one of the fast-growing hi-tech hubs in southern China. Darroch may of course also be making a subtle allusion to Beijing.
The public-private quandary
Darroch acknowledges that HCSEC is a “model for government collaboration with the private sector”. Since the 1990s, governments have been looking to collaborate with industry over information security and critical infrastructure issues that require information-sharing in pursuit of national security objectives.
These public-private partnerships have arisen because in most countries the private sector operates upwards of 85% of the infrastructure on which national and economic security rely.
But social values and market values do not necessarily correspond. Governments are unwilling to share classified information and businesses are wary of acknowledging vulnerabilities that might undercut their bottom line. States do not wish to confer strategic advantage on another party in much the same way as a company would not wish to confer competitive advantage on another by, for example, coming clean about the insecurity of its consumer data protection processes.
The HCSEC is only one model for information-sharing but unresolved dilemmas remain. Is Huawei’s willingness to assent to more GCHQ infiltration of its corporate structure a justifiable cost of doing business in the UK? Does this deal represent a prototype public-private partnership set-up that could be used in the future when the government wants to keep tabs on other corporations that are deemed to be less than whiter than white?
Or is Huawei an exception, a victim of what the company has previously identified as “politically-inspired and racist corporate defamation”? Can the UK government sustain a narrative of independence from Huawei, while ignoring the fact that Huawei does not appear to be independent of GCHQ? It’s not as if GCHQ will reach the end of 2013 without its own reputation, post-Edward Snowden, being somewhat less polished than it was at the beginning of the year.
Public-private partnerships like the one between GCHQ and Huawei are an important component of the UK’s national cybersecurity policy so these issues will continue to rear their heads.
The Huawei situation is doubtless a curious one because so few companies have received such a high level of attention from western security agencies and so few companies have bent over backwards as much as it has to prove their innocence. We don’t know if other businesses will need to engage with government in the same way or, indeed, if they would be willing to if asked. Such arrangements are not unprecedented – Google and Yahoo have famously played down their links with the Chinese state in the past – but were the Chinese to implement such formal arrangements for British businesses seeking access to Chinese markets, how would the British respond?