Public-Private Partnerships in Cyber Security: Managing the Risks of 5G

Academic year: 2021

Noah Soekhai S1676636

Master Thesis: MSc Crisis and Security Management

Thesis supervisor: Dr. J. Shires

Second reader: Dr. V. Niculescu-Dinca

20361 Words

January 10, 2020

Abstract: This thesis analyses public-private partnerships in the telecom sector in the United Kingdom and the Netherlands, faced with new security risks introduced by fifth-generation cellular network technology (5G), and the controversial role of Huawei in 5G network construction. It builds upon existing academic resources focused on public-private partnerships, and applies these theories to public-private partnerships in cyber security, in the telecom sector. This work analyses these ‘partnerships’ by performing a comparative case study on the two countries, structured around three main elements important to public-private partnerships in cyber security: common understanding of roles and responsibilities, engagement of the private sector in regulation-shaping, and information sharing based on trust. The case of Huawei presents a crisis to the partnership, where economic interests of the private sector companies do not necessarily align with national security interests, which complicates the cooperation. Based on the analysis, the paper suggests that constant cooperation and continued adaptation to cyber threats is necessary for public-private partnerships in cyber security to be effective, and the one-off responses to Huawei should be translated into structured approaches to dealing with the security risks of new technologies.

Keywords: Cyber Security, Cybersecurity, Public-Private Partnerships, 5G, Huawei, Cybersecurity Governance, Critical National Infrastructure

TABLE OF CONTENTS

LIST OF ABBREVIATIONS

Chapter 1: Introduction

Chapter 2: Literature review

2.1 Risks of 5G as part of critical infrastructure

2.2 Public-Private ‘Partnerships’ in Cyber Security

2.3 The Role of the Private Sector

2.4 Information sharing based on trust

Chapter 3: Case selection

3.1 Why Huawei?

3.2 The Netherlands and the United Kingdom

Chapter 4: Method

4.1 Research method

4.2 Why a comparative case study?

4.3 Data sources

4.4 Limitations

Chapter 5: The United Kingdom

5.1 Cyber security organisation and public-private cooperation overview of the United Kingdom

5.2 Huawei

5.3 Public-Private Partnerships in response to Huawei

5.3.1 Clear definition of roles and responsibilities

5.3.2 The role of the private sector in regulation

5.3.3 Information sharing based on trust

Chapter 6: The Netherlands

6.1 Cyber security organisation and public-private cooperation in the Netherlands

6.2 Huawei

6.3 Public-Private Partnerships in response to Huawei

6.3.1 Clear definition of roles and responsibilities

6.3.2 The role of the private sector in regulation

6.3.3 Information sharing based on trust

Chapter 7: Discussion

Chapter 8: Conclusion

LIST OF ABBREVIATIONS

5G Fifth-Generation cellular networks

AIVD General Intelligence and Security Service (Dutch: Algemene Inlichtingen- en Veiligheidsdienst)

BT British Telecom

CiSP Cyber Security Information Sharing Partnership

CNI Critical National Infrastructure

CPNI Centre for the Protection of National Infrastructure

CSAN Cyber Security Assessment Netherlands

CSC Cyber Security Council

CSP Communications Service Providers

DCMS Department for Digital, Culture, Media and Sport

EU European Union

GCHQ Government Communications Headquarters

HCSEC Huawei Cyber Security Evaluation Centre

IoT Internet of Things

ISACs Information Sharing and Analysis Centres

ISC Intelligence and Security Committee of Parliament

JCNSS Joint Committee on National Security Strategy

NATO CCDCOE NATO Cooperative Cyber Defence Centre of Excellence

NCSC National Cyber Security Centre

NCSS National Cyber Security Strategy

NCTV National Coordinator for Counterterrorism and Security (Dutch: Nationaal Coördinator Terrorismebestrijding en Veiligheid)

PPP Public-Private Partnership

Telecom Telecommunications

TSR Telecoms Security Requirements

Chapter 1: Introduction

Over the past two years, many countries have discussed the controversial role of Chinese telecom company Huawei in the construction of 5G networks, because of suspected espionage (Inkster 2019, 106). Security for these new 5G networks is increasingly important because of the wide variety of expected future applications for the technology in critical services, such as healthcare, self-driving cars and more (Fang et al. 2017, 4580-4851). These increased perceived risks and rumours of Huawei’s possible ties to the Chinese government have motivated different countries to respond accordingly (Inkster 2019, 105). For example, Huawei has been cooperating with the United Kingdom government for the last few years in the examination of Huawei equipment (Inkster 2019, 109). In the Netherlands there has also been an ongoing discussion. On May 16th 2019 one of the bigger newspapers in the Netherlands, “de Volkskrant,” published an article on the topic (Modderkolk 2019). Furthermore, discussions on the topic trace back to earlier in 2019, when the Dutch Prime Minister Mark Rutte made reference to an ongoing NCTV investigation into Huawei during a press conference in January (NOS 2019). In the conference, Rutte noted that the Netherlands should “not be naïve” about the potential dangers of Huawei’s involvement in the 5G network (NOS 2019). Compared to the Netherlands, the United Kingdom had already been investigating non-5G Huawei equipment for similar purposes, which raises the question whether the two countries reacted differently to the controversy of Huawei’s involvement.

The increasingly wide range of applications of mobile networks which 5G technology will enable brings new security responsibilities for telecom companies (Fang et al. 2019). But, as argued by Bures and Carrapico, there is an overall lack of research into the security provision of private companies whose primary function is not security-oriented, despite the increasing role that these private companies play in security provision (Bures and Carrapico 2017, 230). Additionally, as noted by Carr, while the government is often deemed responsible for security of critical infrastructure and national security in general, public-private collaboration is necessary when most of this infrastructure is privately owned (Carr 2016, 54). This creates problems when, as argued by financial director Jan Kees de Jager from Dutch telecom company KPN, Huawei’s 5G technology is the best of its kind, and it “makes a lot of sense” to use their equipment (Pelgrim 2019). Another media article suggests Huawei equipment is also cheaper than its competitors (Kooiman 2019). Meanwhile, the Dutch intelligence agencies AIVD and MIVD advise that the Netherlands “should not become dependent on IT services and equipment from countries that exercise an offensive cyber-programme against the Netherlands” (Modderkolk 2019). This creates an interesting dilemma where interests of the private entity do not necessarily align with the public interest.

This leads to the question this research is focused on: how have Public Private Partnerships in securing critical information infrastructure dealt with new security risks and possible conflicting interests posed by 5G mobile network technologies? To answer this question, this paper analyses public-private partnerships between governments and mobile network providers, confronted with the upcoming fifth-generation (5G) cellular network and the controversial role of Huawei, namely public-private partnerships in cyber security between the governments of the Netherlands and the United Kingdom and major telecom companies preparing for 5G. Answering this question will shed light on the increasingly important role of PPPs in cyber security and help fill in the knowledge gap on security provision by non-security-oriented companies. As technology develops, mobile networks will most likely be important to any aspect of society. As the responsibility for security provision moves increasingly from the government to private companies, the security role of mobile network providers and the public-private cooperation necessary will likely need to intensify. Therefore, research on such matters is necessary, and the case of Huawei provides an example of the challenges 5G and other technologies will pose to private companies and PPPs in the future. In answering this question, depending on the results of the case analysis, this work will argue how countries could best approach these risks. In many ways, as will be discussed later, Huawei is an early example highlighting future risks for when 5G technology is widely integrated in parts of society and critical infrastructure.

Before moving to the literature review section, this paragraph will first present a brief overview of the structure of the thesis. After the introductory chapter, a literature review follows, explaining the main themes and core concepts of the thesis. Before moving on to the methods section, there will be a separate chapter on case selection, discussing the reasons for choosing Huawei and the Netherlands and the United Kingdom. It also aims to elaborate further on the wider context of the Huawei controversy, including some of the relevant geopolitical factors. Then, the methods section follows, which explains and justifies the methodological approach. Then, the two case studies will be analysed, both following the structure explained in the Methods chapter. After the case studies, there will be a chapter that discusses and compares main differences and commonalities of the cases, structured around core points. Finally, there will be some concluding remarks, where the research question will be revisited, and further avenues of research are concisely discussed.

Chapter 2: Literature review

2.1 Risks of 5G as part of critical infrastructure

Future implementation of Fifth Generation wireless mobile networks (5G) presents a leap forward in technology, but as it introduces many new possibilities, 5G also poses an unprecedented variety of possible security threats (Ahmad et al. 2019, 1; Fang et al. 2017, 4850-4851). With significantly higher reliability and lower latency, 5G mobile networks will not only provide mobile phones with better service, but more importantly serve as the foundation for the development of the ‘Internet of Things’ (IoT) (Fang et al. 2017, 4850). The concept of an ‘Internet of Things’ with 5G refers to the idea that nearly everything in society is connected, from mobile phones, home appliances and self-driving cars communicating with each other, to health care and parts of critical infrastructure (Ahmad et al. 2019, 5-6). Ferrag et al. use the example of a ‘smart city’ where people’s “smart wearables,” “car-to-car communication,” “smart parking,” connected houses and so on, which are all connected to the same network, are able to communicate with each other for various purposes (Ferrag et al. 2017, 55-56). This interconnectedness of various mobile and IoT devices does require a high level of security, as vulnerabilities would allow rapid spread of malware or other malicious files (Ferrag et al. 2017, 56). However, it may be difficult to combine zero latency with reliable security and privacy-preservation (Ferrag et al. 2017, 56). These types of connections are often referred to as D2D, or device-to-device communications (Fang et al. 2017, 4864). D2D communication technology applied to 5G wireless networks means that individual devices, or “nodes,” in a network can communicate with each other, instead of only communicating through a central antenna or “base station” (BS) (Fang et al. 2017, 4864). This results in less traffic for the telecom company’s BSs, but is also less secure than routing everything through the base network (Fang et al. 2017, 4864). On privacy, Ahmad et al. discuss that other than security risks, 5G mobile networks also pose an increase of potential threats to privacy (Ahmad et al. 2019, 23). They note that privacy has always been a concern of mobile networks, but that previously, concerns were much more limited in scope (Ahmad et al. 2019, 23-24). With new infrastructure and the wide variety of applications of 5G networks, the scope of privacy concerns also increases drastically (Ahmad et al. 2019, 24). Moreover, 5G usage in health care and other industries introduces more sensitive types of data to mobile networks (Ahmad et al. 2019, 24).

Discussing the risks of the IoT, Abombara and Køien identify a number of security threats (Abombara and Køien 2015). First, there are vulnerabilities in system hardware components or software, which may result in a breach of data, loss of service or other types of exploitation by malicious actors (Abombara and Køien 2015, 71). Causes of IoT system vulnerability are most commonly related to their complexity and human factors, such as lack of resources and knowledge, poor planning and information difficulties (Abombara and Køien 2015, 71-72). Especially in the case of hardware vulnerabilities, they note that even if identified, these vulnerabilities are difficult and costly to fix (Abombara and Køien 2015, 71). Actions to take advantage of these weaknesses of security systems are labelled as ‘threats’ (Abombara and Køien 2015, 72). Other than natural disasters, human threats range from ‘unstructured threats,’ such as individuals without particular expertise using available tools, to ‘structured threats,’ like people who identify and understand security vulnerabilities and can exploit these (Abombara and Køien 2015, 72). Next, they classify these structured threats into different categories. Other than skilled individuals, they make note of organized groups, which can be independent criminal groups, part of (terrorist) organisations, armies or other government-supported units (Abombara and Køien 2015, 79-80). Finally, they note intelligence agencies as significant threats to cyber security, potentially the biggest threat given the large number of resources and sophisticated infrastructure (Abombara and Køien 2015, 80).

In 5G networks, there is generally a distinction made between ‘core’ and ‘edge’ parts of the network. This distinction is relevant for later parts of this work, as various countries consider measures such as a “core ban” for risky suppliers. In 5G, the core is more commonly virtualised, or running in the cloud (Levy 2019). If there are certain suppliers that you consider more risky, the configuration of the virtualised core can be defined to limit the impact of those suppliers (Levy 2019). But it is then important that these risky suppliers do not supply equipment for the ‘core’ parts, or the virtualisation layer, where the configuration or ‘architecture’ of the network is managed (Levy 2019). What this means, without delving further into technological details, is that some equipment used in the 5G network is considered more vulnerable than others, and security risks might not be manageable if risky suppliers are used for core parts (Levy 2019). However, it also means that it is more manageable to use the equipment of riskier suppliers in the ‘edge’ parts of the network, where security risks are more easily contained (Levy 2019). In other words, the ‘core’ of the 5G network is generally more vulnerable than the ‘edge,’ which is relevant when some 5G equipment suppliers are considered less trustworthy than others. Even in this condensed overview, it becomes clear that IoT and 5G in general face a large number of security threats, and a wide variety of potential malicious actors. Especially the organized groups and intelligence agencies pose threats that are difficult and costly to deal with on a private sector level, and much wider cooperation is needed to deal with or at least minimize these issues (Rudner 2013, 469-470). The financial cost of ensuring security for the private actors that maintain critical infrastructures is often significant, and an unwelcome expense (Rudner 2013, 469). In corporate management, Rudner argues, there is often complacency or apathy towards cyber threats, which can lead to ineffective cyber security (Rudner 2013, 469). The problem when it comes to cyber threats to critical infrastructure is that the consequences of inadequate security impact not only the private entities themselves, but also wider parts of society (Rudner 2013, 469). Rudner suggests that a more finely-tuned multi-stakeholder approach would deal with some of these challenges, arguing for an ‘intelligence approach’ to cyber security, focused on information sharing (Rudner 2013, 470). Limba et al. discuss how cyber security in general has already been an important part of critical national infrastructure in recent years (Limba et al. 2017, 559). Now, in the context of IoT especially, the security of 5G mobile networks will be increasingly important for maintaining critical national infrastructure. Moreover, they stress that cyber security has also grown to not strictly be a technical issue, but an issue that warrants much wider attention (Limba et al. 2017, 560). The development of 5G mobile networks is still in the early stages, but at these stages it is vital to consider the variety of security risks. It is better to consider and prevent these risks from being active threats now, than to discover these threats when 5G is an integrated part of critical national infrastructure. It is important to deal with cyber threats in a proactive way, rather than reactive, and intelligence sharing is a key factor in facilitating this proactivity (Shackelford 2016, 459). As multiple authors suggest, a multi-stakeholder approach with effective public-private cooperation is important to effective cyber security of critical infrastructure. This will be the focus of the following section.

2.2 Public-Private ‘Partnerships’ in Cyber Security

Cooperation between the different actors involved in cyber security provision, such as the central government and other public actors and the private sector, is stated to be important to cyber security management (Limba et al. 2017, 570). In the case of 5G, that means cooperation between the public actors and the privately-owned telecom companies is vital to effective cyber security provision. However, as suggested by Wiater, using the term ‘Public Private Partnership’ in policy documents does not mean very much at all if the ‘partnership’ itself is not clearly defined (Wiater 2015, 255). This paper has discussed that effective PPPs are important, and the rest of this section will serve to clarify what public-private partnerships are, why this is the case, and what factors make this ‘partnership’ an effective one.

Mobile networks increasingly becoming a part of critical infrastructure means that the public-private partnership between governments and the telecom companies will become increasingly important as well. However, the interests of a nation do not always align well with those of a private entity, especially when it comes to the pursuit of profit versus the pursuit of security (Carr 2016, 57). Christensen and Petersen, for example, identify a trend in literature about Public-Private Partnerships (PPPs) to mostly refer to “the incompatibility between private market-based interests and public national security interests” when it comes to PPPs in the field of security (Christensen and Petersen 2017, 1452). However, they argue that this ‘partnership’ is a lot more complex, and for a large part dependent on a set of ‘shared moral principles’ and a sense of loyalty rather than just formal procedures (Christensen and Petersen 2017, 1452). It should be noted that there has been some criticism of the notion of Public-Private Partnerships. Dunn-Cavelty and Suter, for example, stress that “Public-Private Partnerships are no silver bullet” (Dunn-Cavelty and Suter 2009, 179). On paper, PPPs might seem to be a ‘miracle cure’ to solve the problem of securing privatized critical infrastructure, but different elements, like the conflict of interests, illustrate that this is often not the case in practice (Dunn-Cavelty and Suter 2009, 181). Additionally, they note that PPPs are not the only type of governance to foster cooperation (Dunn-Cavelty and Suter 2009, 180).

Another criticism is brought forward by Madeline Carr, who shares the concern that while a public-private partnership in cyber security is often mentioned in policies, it is often unclear what exactly this partnership consists of, and where exactly factors like responsibility and authority lie in the partnership (Carr 2016, 61-62). She stresses that currently, an important part of national security relies on a poorly formulated and/or functioning relationship (Carr 2016, 61-62). Rather than stressing that a public-private ‘partnership’ is important, it should be formulated what exactly this entails (Carr 2016, 61-62). One example that could clarify these things is the “National Cyber Security Strategy” of a specific country (Hathaway et al. 2015, 6-7). In describing cyber security strategies, it should also identify roles and responsibilities, and specify the necessary resources needed to achieve clear, feasible goals (Hathaway et al. 2015, 7-8). Similarly, the goal of PPPs should be well-defined and understood alike by all actors involved (Boes and Leukfeldt 2017, 193). The goal should also be realistic to achieve for these actors, and drafted in collaboration rather than in a top-down manner (Boes and Leukfeldt 2017, 193). If possible, actors that are a part of the problem should be involved, as they can be very helpful to solving the issue (Boes and Leukfeldt 2017, 193).

As a practical example of poor definition of this ‘partnership’, similar to Carr’s concerns, Wiater brings forward the case of Germany (Wiater 2015). After 9/11, German politicians started to reconsider security of critical infrastructure (Wiater 2015, 255-256). The then mostly privatised critical infrastructure, as is common in most Western nations, was now largely outside of direct influence, which was seen as a problem for national security (Wiater 2015, 256). To solve this problem, German politicians came up with the notion of a ‘partnership’ with the private critical infrastructure companies in a newly drafted “National Strategy for Critical Infrastructure Protection (CIP Strategy)” (Wiater 2015, 256). However, the description of this notion of ‘partnership’ was vague, and there was a distinct lack of formal definition of roles and responsibilities (Wiater 2015, 256). There was more of a focus on ‘this is what should happen,’ instead of ‘this should be done to make this happen.’ For example, in the German case, the strategy spoke of “shared responsibility,” of providing security for the state and the private companies, without actually legally obligating, or adequately compensating, the companies to do so (Wiater 2015, 257). Finally, the public-private partnership of securing critical infrastructure varies wildly depending on the sector, and an unspecific, vague approach would be ineffective in addressing critical infrastructure protection across all sectors (Wiater 2015, 257-258). As an approach in between regulation and ‘illusionary partnerships,’ Wiater suggests a “regulation by contract” approach, which, instead of using a single approach across all sectors, uses bi- and multilateral contracts tailored to specific companies and sectors (Wiater 2015, 259-260). Specifically, Wiater stresses that a “one size fits all” approach does not work, and tailored approaches towards different private sector companies are needed instead to foster effective cooperation (Wiater 2015). What the German case illustrates in particular is the importance of formulating roles and responsibilities, and actively either encouraging or obligating the private companies to exercise these. In the end it is the state itself that is responsible for providing security of critical infrastructure, and it can’t be assumed that a voluntary ‘partnership’ will be enough to ensure national security. In the case of the United Kingdom, Kristan Stoddart responds to the UK’s announced strategy for dealing with cyber threats in the future, underlining the importance of dealing with cyber security through a multi-stakeholder approach, similar to the aforementioned suggestion of Limba et al. (Limba et al. 2017; Stoddart 2016, 1104-1105). This approach will foster better information sharing and more engagement with private actors, which is necessary for successful resilience building (Stoddart 2016, 1105). Stoddart underlines this approach by stressing that nation states themselves only have limited capability to combat these threats, and arguing that imposing regulation on private actors without proper dialogue would be ineffective (Stoddart 2016, 1104-1105).

2.3 The Role of the Private Sector

Higher attention to security risks since 9/11, and previous privatization of critical infrastructure, are discussed as the main reasons that PPPs for the purpose of security provision have become more significant in recent years (Bures and Carrapico 2017, 233). With regard to where, in the EU, public-private cooperation actually takes place, Bures and Carrapico state that the majority of effective examples concern cooperation in the area of cyber security (Bures and Carrapico 2017, 234). Cyber security as part of critical infrastructure protection is relatively new, and unique compared to other types of critical infrastructures when it comes to which side of the public-private divide has the upper hand (Bures and Carrapico 2017, 234). Compared to other types, in cyber security the public actors have less cultural and symbolic capital, and it is the public side that is more often reliant on the expertise of IT companies to assess threats and countermeasures (Bures and Carrapico 2017, 234). Consequently, the option of ‘top-down regulation’ instead of cooperation is less feasible when looking at it from the public sector. Instead of regulation, many states, as illustrated in their national cyber security strategies, move towards more bottom-up approaches to deal with cyber threats (Shackelford 2016, 460). Shackelford gives the example of the “Framework for Improving Critical Infrastructure Cybersecurity,” published by the United States’ National Institute of Standards and Technology (Shackelford 2016, 460). This framework is flexible in its application, and can be used to better assess cyber threats, and guide operators towards best practices (Shackelford 2016, 460). At the same time, it is also criticized for its limited scope and the problem of how ‘voluntary’ the framework really is and should be, for the private sector clients that apply this framework (Shackelford 2016, 460-461).

A different article by Carrapico, co-authored by Farrand, specifically touches upon security provision by non-security actors, and outlines a number of important developments private actors go through in collaboration with government (Carrapico and Farrand 2017, 260). In an effective collaboration of government and private entities, initially the private sector is an object of regulation, then moves towards the stage of adopter of regulation, and finally becomes a shaper of regulation (Carrapico and Farrand 2017, 260). In this final stage of the collaboration, the private sector therefore takes a much more active and effective role in the PPP (Carrapico and Farrand 2017, 260). These developments are based on their study of the role of internet providers in EU member states, witnessing the development of a more active private sector in regulation (Carrapico and Farrand 2017, 256-257). An active private sector in shaping regulation, they argue, is increasingly vital to combat cyber security threats (Carrapico and Farrand 2017, 257). As argued by Bossong and Wagner, the PPPs in cyber security seem to play out differently than classic public-private partnerships in other sectors (Bossong and Wagner 2017, 277). They take the case of the European Union and ENISA, the European Union Agency for Network and Information Security, and similarly witness a move towards co-regulation by the private sector (Bossong and Wagner 2017, 277). Again, it is underlined that public actors are often the weaker side of the partnership in the case of cyber security provision, and it is important for the public side to motivate or compel the private actors to provide proper security (Bossong and Wagner 2017, 284). When it comes to functions of the PPPs in cyber security, they mainly focus on information sharing, but also make note of ‘active assistance’ (Bossong and Wagner 2017, 280). For example, they mention extremist content online, and public-private cooperation in tracking down individuals and taking down content (Bossong and Wagner 2017, 282). Still, it remains a complicated issue to determine how far PPPs should go in their cooperation (McCarthy 2018, 7). The questions of to what extent states should intervene in private sectors, or how reliable a ‘voluntary’ partnership really is in providing security, remain central to the discussion of PPPs in cyber security (McCarthy 2018, 7). Too much intervention and regulation on the private actors by the state has many negative effects on its own, but too little might mean that security cannot be ensured (McCarthy 2018, 6). In short, it is important to effective cyber security provision that the private sector has an active role in the public-private partnership in shaping regulation and assessing cyber threats. This presents a challenge to the public sector, as they need to find a balance between voluntary participation of the private actors, and ensuring national security. Motivating the private sector to properly engage in PPPs for the purpose of providing cyber security is therefore one of the important tasks of the public side of the partnership. An important part of motivating the private sector to cooperate, and incentivising private entities to engage in PPPs, is trust, which will be discussed next.

2.4 Information sharing based on trust

Effective information sharing is the key component that makes Public-Private Partnerships valuable in dealing with cyber threats, as was mentioned by many of the authors referenced above (Bossong and Wagner 2016; Christensen and Petersen 2017; Bures and Carrapico 2017; Hathaway et al. 2015; Rudner 2013; Shackelford 2016; Stoddart 2016). PPPs require effective information sharing mechanisms, in order to deal with the complexity of threats in cyberspace (Hathaway et al. 2015, 17). Manley argues that an essential element of PPPs in cyber security to facilitate information sharing is “trust” (Manley 2015, 90). Trust, he argues, is a necessary base for information sharing, as actors are more willing to share information if there is trust between the private sector and the government and other stakeholders (Manley 2015, 90). He gives the example of the private sector in the US generally being very reluctant to share information about their customers (Manley 2015, 91). In the US, Manley states, the private actors perceived future PPPs to be more beneficial for the government in gaining access to their consumers’ information, rather than for the private sector in gaining access to information to deal with cyber threats (Manley 2015, 92). A more successful example, Manley argues, is the Netherlands. Early on in the PPPs, he witnesses similar scepticism and privacy concerns (Manley 2015, 91). More recently, however, he found that the Dutch government was able to build more confidence with the private sector, by giving the private companies more say in what information the government was able to access (Manley 2015, 91). He concludes that the Dutch case is more an exception to the rule, however, as trust is one of the components of effective PPPs in cyber security that is generally still lacking (Manley 2015, 91). Similarly, Christensen and Petersen note that “distrust” between private actors and the government is a central issue standing in the way of effective public-private cooperation (Christensen and Petersen 2017, 1451). As a way of dealing with distrust, they suggest that actively challenging the other side, and continuously working towards a consensus on how to deal with cyber threats, should be beneficial to the partnership (Christensen and Petersen 2017, 1451-1452). This consensus-based approach then acts as the ‘glue’ that keeps the PPPs together (Christensen and Petersen 2017, 1452).

Information sharing should go both ways: it should not just concern the private sector sharing information with the government, but also go the other way. Rudner mentions the role intelligence services can play in improving cyber security (Rudner 2013, 470). Intelligence services, depending on the country, play a large role in cyberspace, as was mentioned before (Abombara and Køien 2015, 80). They pose a large potential threat to cyber security, but a
considerable resource as well, if the intelligence services can share information with the private sector (Rudner 2013, 470). Cooperation with the public sector and its intelligence resources can help the private sector to better assess threats, which allows the private sector to better protect their infrastructure against these threats (Rudner 2013, 472). In return, the private actors should then share their assessments with the intelligence services and notify them if security breaches take place (Rudner 2013, 474). This creation of a ‘dialogue’ can help countries to better prepare against cyber threats. It also helps to build a sense of trust: if offering information to the public actors yields more information in return, private actors might feel more inclined to continue sharing information. This is related to another point made by Boes and Leukfeldt, namely that it is important in PPPs for both parties to recognize the added value of cooperating (Boes and Leukfeldt 2017, 193).

Summing up, from the different approaches to analysing public-private partnerships in cyber security, this work identified a number of key elements of effective public-private cooperation. First, a key element in engaging in PPPs is a clear definition of roles and responsibilities of the actors involved. This could take place in the form of bi- and multilateral contractual obligations, as described by Wiater (Wiater 2015, 262). Alternatively, it could take a non-legally binding, more collaborative form, as described by Manley (Manley 2015, 92). Strategies should not just underline the importance of engaging in public-private partnerships, but clearly explain what such partnerships should consist of. Secondly, another key element of effective PPPs in cyber security is an active role of the private sector. More precisely, the private sector should be part of the regulation shaping and decision-making process, rather than only be subject to regulation. The public sector should encourage this, and find ways to motivate private actors to actively cooperate. Finally, effective information sharing, based on trust, should take place in the public-private partnership. In the end, the primary goal of PPPs is to combine forces to deal with a common problem, and information sharing is a vital part of this.

Chapter 3: Case selection

3.1 Why Huawei?

Before moving on to methods and analysis, this section will serve to justify why this work studies Huawei in particular. It is important to clarify what Huawei means to the existing ‘partnerships,’ and what this work aims to gain by studying it in the context of 5G. Additionally, the controversy of Huawei is situated in a wider context, which should be explained as well. Huawei, as mentioned before, is the biggest global player in 5G technology at the moment (Horowitz 2018). They not only develop the most effective 5G equipment technologically, but also offer it at the most affordable price (Horowitz 2018; Kooiman 2019). The investments into research and development at Huawei in 5G technologies are an important part of China’s efforts to become a global leader in technology, and more self-sufficient in the tech-sector (Horowitz 2018). The US in particular has been critical of Huawei, based on the belief that the theft of US technology has been the basis for the success of Huawei in the first place (Inkster 2019, 108). Additionally, there is the suspicion that Huawei 5G equipment might include ‘backdoors’ which allow for further espionage (Inkster 2019, 109). Another example of ‘Huawei scepticism’ is the UK’s “Huawei Cyber Security Evaluation Centre,” which investigates Huawei equipment in cooperation between the UK government and Huawei, in order to mitigate expected security risks (HCSEC Oversight Board 2019).

These suspicions of Huawei and other Chinese telecom companies are not entirely without basis, especially considering that China may have the ability to compel Chinese companies that operate abroad to assist the Chinese government when there is a ‘matter of state security,’ argues Silver after reviewing Chinese security laws (Silver 2015, 397). More recently, a year after this conclusion by Silver, the Chinese state went a step further and implemented a new “Cyber Security Law of the People’s Republic of China” (Parasol 2018, 84). One of the components of this law is that it requires ‘internet company operators’ to assist the Chinese state with criminal investigations, and more importantly: “Companies must give the government investigators full access to their data if national security risks are suspected” (Parasol 2018, 85). Additionally, the law concerns security risks and threats both domestically and from overseas (Parasol 2018, 85). The process for reviewing this data, or recognizing security risks that warrant such an approach is vague, but it is not clear whether this is intentionally unspecified, or unintentionally unclear (Parasol 2018, 85). This vagueness, combined with the discretionary nature of ‘risks to security,’ makes the involvement of a
Chinese telecom company like Huawei in the construction of critical national infrastructure quite uncertain. Note that these concerns do not only apply to Huawei, but also to other Chinese technology-related companies like ZTE, Hytera and Dahua technology (Kaska et al. 2019, 8-9). As for Chinese espionage efforts, one example with proof was the case of “APT 1,” a case in 2013 where a group of hackers who were part of the Chinese military was found guilty of stealing intellectual property from Western nations (Boeke and Broeders 2018, 83). An example involving Huawei is the recent indictment for “theft of trade secrets,” as described by a US Department of Justice report (United States Department of Justice 2019). This particular example concerned the attempted theft and copying of a T-Mobile phone-testing robot (United States Department of Justice 2019). Huawei responded by saying that this was the work of rogue actors within the company, but the investigation revealed that it was instead a company effort (United States Department of Justice 2019).

Another example of ‘Huawei scepticism’ can be found in the United Kingdom, where Huawei has long been under special investigation in order to mitigate perceived security risks. In cooperation with the British government and Huawei, the Huawei Cyber Security Evaluation Centre (HCSEC) performs security evaluations of Huawei equipment to be used in UK telecom networks (HCSEC Oversight Board 2019). Despite the efforts of the UK’s HCSEC, however, its reports note that it cannot verify that the equipment it investigates is exactly the same as all the equipment that will be used in the actual network (HCSEC Oversight Board 2019). Because of this, the HCSEC report can only give “limited assurance” to the integrity and security of Huawei equipment (HCSEC Oversight Board 2019). However, as noted in the NATO CCDCOE report on Huawei, it may not really matter whether clear vulnerabilities have been found so far in Huawei equipment (Kaska et al. 2019, 19). Important to consider is the fact that the construction of a 5G network means dependence on “long-term commitment to a relationship with a supplier” rather than a one-time interaction (Kaska et al. 2019, 19). The ambiguity of state ties to Huawei, instances of ongoing espionage efforts operated by China and differences in legal and political environment compared to Western systems reduce trust in Huawei (Kaska et al. 2019, 19). As argued by Kaska et al., considering these different factors, decisions cannot be made based on technological investigations alone, but should be a strategic choice instead (Kaska et al. 2019, 20).

Important to consider is the wider context of the Huawei controversy. Namely, that the Huawei controversy is not limited to security threats, but that there is a wider context of competitive trade in the context of a US-China trade war. As the US banned Huawei equipment from being used in government agencies, and ‘urged’ private companies to do the same, Huawei criticized the United States for using “national security” to facilitate trade protectionism (Peng 2015, 455). They argue that these bans are not based on hard evidence, and instead give American telecom company “Cisco” an unfair advantage in the US telecommunications market (Peng 2015, 455). More recently, Huawei indicated that they are preparing for a lawsuit against the United States government, as a response to the unfair market restriction (Mascitelli and Chung 2019, 4). As argued by Inkster, the goal of ‘technological dominance’ will continue to play a major role in US-China competition, and ‘The West’-China competition in general (Inkster 2019, 110). Mascitelli and Chung similarly position the technological dominance of Huawei in the wider context of a ‘Rising China,’ and competition between major powers (Mascitelli and Chung 2019, 4). To explain the tensions between western powers and China, they make note of a “mutual distrust of long-term intentions” (Mascitelli and Chung 2019, 4). Other than direct competition, there is also the role of outside pressure. In the case of the UK, for example, there is some extra pressure on the UK as they are a part of the “Five Eyes intelligence alliance” with Australia, Canada and New Zealand (Mascitelli and Chung 2019, 4). If there are security concerns about the involvement of Huawei in the UK mobile networks, other countries might be less inclined to share information, as trust declines (Mascitelli and Chung 2019, 4).

Huawei has made a lot of effort to clear their name, and reassure countries and people that they are trustworthy, without much success (Mascitelli and Chung 2019, 4). An example of such efforts is the UK HCSEC, where Huawei cooperates with the UK government to reassure the security of their equipment (Inkster 2019, 109). However, as mentioned before, these efforts give no complete guarantee that it does not enable China, as a foreign power, to possibly have the power to disrupt critical national infrastructure of the UK in an extreme case (Inkster 2019, 109). But the failure to effectively clear their name might be better understood when viewing the issue as Milton Mueller proposes (Mueller 2019). Namely, that in many ways, Huawei scepticism is not necessarily an attack on Huawei as a company, but instead an attack on the Chinese state (Mueller 2019). Considering that 5G concerns long-term dependency on a supplier, and Western states would not want to be dependent on China in some way when it comes to critical infrastructure in general, this makes sense, but it also means that this might be an issue that Huawei would not be able to effectively address themselves. Mueller does not completely disregard possible risks, but aims to underline that the US in particular really is not acting out of security concerns alone (Mueller 2019).

Considering the ‘battle’ for technological dominance, and US-China trade competition, it is difficult to judge the case of Huawei as a security issue alone. The question whether the controversy of Huawei is really a security issue or an example of anti-competitive behaviour likely warrants a thesis in itself, so this work is unable to satisfyingly answer this. However, based on this chapter, and previously discussed literature, a conclusion can be drawn that the security concerns are significant enough to warrant treating the role of Huawei as a security issue. Huawei is a China-based company, with questionable state ties, and the chance that the Chinese government has the power to compel Huawei to act on their behalf – even if this is only relevant in extreme cases – is likely big enough for many countries to reconsider. Huawei criticizes these claims because there is no clear proof to back them up, but previous decisions by other countries show that proof might not be necessary to make a decision. Additionally, as many Western countries experience that China is one of the major cyber threats when it comes to economic espionage, their involvement in 5G network construction becomes more questionable. On the other hand, Huawei is the clear market leader, providing the ‘best’ 5G equipment for the lowest price. This creates the dilemma that was discussed before. Namely, how do possible security risks, visible especially when looking at it on a state level, weigh up against the decision to use lower quality, more expensive 5G equipment, likely delaying the 5G network roll-out?

Summing up, Huawei provides a clear example which highlights the possible risks of 5G, and the increasing role of mobile network providers in security of critical infrastructure. It is a topic that has gained considerable media attention, political attention and prompted responses from the telecom companies themselves. The focus is not on Huawei itself, nor the question whether Huawei is actually guilty of espionage, but instead on what the introduction of a Chinese telecommunications equipment supplier means to the existing partnership in mobile network security provision. In other words, ‘Huawei’ as a potential ‘crisis’ can help identify faults or benefits of the public-private relations.

3.2 The Netherlands and the United Kingdom

Given that this work will look at public-private partnerships with mobile network companies, in the context of Huawei and state-backed espionage, the thesis will analyse public-private partnerships with mobile network providers in the United Kingdom and the Netherlands. The United Kingdom was chosen primarily because investigation into Huawei equipment for the
implementation in mobile networks (though not 5G) has already taken place previously. For over eight years, in cooperation with the UK government and Huawei, the “Huawei Cyber Security Evaluation Centre” (HCSEC) has provided evaluations of Huawei telecom equipment (HCSEC Oversight Board 2019). Because of this, it is expected that the UK would be more prepared for the issue of Huawei’s 5G involvement, as investigation into Huawei has already been quite institutionalized in the United Kingdom. The Netherlands was chosen primarily for its approach to public-private partnerships. The “Dutch Approach” to cyber security is based on voluntary, bottom-up participation, is largely unstructured and functions through more informal relationships and trust (Clark et al. 2014, 27). Through trial and error, Clark et al. argue, this model of collaboration has gradually developed to strengthen cyber security (Clark et al. 2014, 27). On the one hand there is the UK with more structured investigation into Huawei, and on the other hand we have the Netherlands with a much less structured approach to cyber security. Similarly, the UK has a longer history of dealing with Huawei, and is potentially more prepared for Huawei and 5G, compared to the Netherlands where there is less of a history of dealing with Huawei. These differences in approaches to cyber security, and history with Huawei, should yield some interesting differences in the way they dealt with the new security challenges posed by 5G. The next section will serve to explain and justify the research method in more detail, before moving on to the analysis.

Chapter 4: Method

4.1 Research method

In order to better understand public-private partnerships in the case of security provision by mobile network providers, and fill in the knowledge gap about security provision by non-security oriented private actors, this paper proposes a qualitative method with case study analysis. The case study analysis consists of PPPs with mobile network providers of two different countries confronted with the Huawei controversy: The Netherlands and the United Kingdom. The two cases will be analysed systematically, based on the three core elements identified in the previous chapter. First, each case will feature an overview of the cyber security landscape, and public-private partnership for the purpose of cyber security more generally. Then, the Huawei case will be analysed by first reviewing the reactions to Huawei’s potential involvement in 5G network construction by each country, and then answering three main questions: (1): Are the roles and responsibilities of different actors in the Public-Private Partnership, and the goals of the partnership, clearly defined?; (2): Does the private actor play an active role; are they an active part of the regulation shaping process?; (3): Is effective information sharing, based on trust, taking place? Answering these questions in detail will reveal to what extent the core elements of public-private partnerships in cyber security are present in each case, and what this means for their ability to deal with such threats. This work will seek to answer these questions by analysing, in depth, the data sources listed below. The previously discussed academic literature, as well as cyber security strategy assessments by specialized cyber security assessments, will serve as a guide for this analysis.

4.2 Why a comparative case study?

The reason for choosing qualitative methods is that they allow for a more in-depth analysis of the two cases. The goal is to unpack a complex issue and identify good and bad practices, and to reveal new avenues for future research. Because of the recency of the case, quantitative data is generally not available. By identifying what elements make up effective public-private partnerships, and applying this to the two cases, this work is able to assess how well existing partnerships can deal with the new risks posed by 5G and the role of Huawei. Being an early example of the risks of a highly integrated 5G network, this qualitative study can serve as a basis for future empirical research. Then, there are a number of reasons these countries were chosen for a comparative case study. First, both countries have demonstrated that they will not simply disregard Huawei because of US pressures, and instead investigate security risks and
business opportunities themselves, as mentioned before. Second, both countries are already preparing for the development of a 5G network and telecom companies and public actors are already discussing various risks, which is necessary for availability of sources. Third, as mentioned before, China has an offensive cyber program towards the two countries, which means there is a reason to think twice about using Chinese equipment in critical infrastructure (AIVD 2018; Foreign Affairs Committee 2019). Fourth, both countries have public-private partnerships between the telecom companies and the government (and other public institutions), which is a necessary basis for analysing the effect of 5G and Huawei. Fifth, for practical reasons these countries are relatively open. Documentation is publicly available and both countries publish ‘Cyber Security Strategies’ which are relevant to the study. These factors mean there is a lot of common ground between the cases, which allows expected differences in PPPs to be more clearly visible.

4.3 Data sources

For data sources, the proposed research will firstly focus on primary sources. Examples are government documents focused on cyber security and future directions, such as the Cyber Security Assessment (CSAN) in the Netherlands, or the National Cyber Security Strategy in the United Kingdom (HM Government 2016; NCTV 2018). Additionally, public statements issued by government officials and government agencies or the telecom companies will be analysed. These primary sources in particular should help assess whether roles and responsibilities are clearly formulated, and to what extent the government employs a multi-stakeholder approach. Other than primary sources, the research will employ a variety of secondary sources. Firstly, academic articles and books are used to create the theoretical framework and create a more comprehensive literature review. Additionally, peer-reviewed academic articles that analyse and/or compare different cyber security strategies, and public-private partnerships in cyber security, like Boeke’s article, will be employed (Boeke 2017). For the case studies in particular, this work will make use of various cyber security reports, like the “Cybersecurity Capacity Review of the United Kingdom” published by the Global Cyber Security Capacity Centre, to gain a detailed overview of cyber security structures in the two cases (Bada et al. 2016). Next, many of the media reports are relevant as they often include statements by public or private actors or interviews. Only media articles from well-known sources will be used, and they will be assessed critically, but they can prove to be useful for the case study analysis. Media articles can be useful especially when the author has acquired information that is not publicly available, by their own inquiry or through interviews. One
example would be the online article by Teunis and Smit, which includes a full statement of Dutch telecom company KPN on their stance towards Huawei’s involvement in 5G network construction (Teunis and Smit 2019). These statements should not be considered as primary sources, as there is likely another ‘layer’ of interpretation, but they can still be useful if assessed critically.

4.4 Limitations

One main limitation of the study is the issue of confidentiality. Especially in the case of cyber security and espionage, it is unlikely that the collaboration between public and private entities is completely transparent. Additionally, both cases are similar, which makes differences easier to identify, but also creates a certain bias. In this proposed research, both cases concern European countries with a similar type of government, which might make this research less relevant or reliable for other modes of government, like in some Asian countries where the state might take a more regulatory approach. Moreover, both the United Kingdom and the Netherlands are relatively rich, developed countries, which also likely impacts the way PPPs work. In other words, this study might be most relevant to other similar countries, and less so for wildly different cases. Also, the controversy around Huawei is more complex than this work is able to address. An example is that some people argue that raising the issue of ‘national security’ is used to facilitate trade protectionism instead of fair competition between Huawei and European and/or American telecommunication companies, as discussed before (Peng 2015, 455). This is why it is important to realise that the focus of the research is on the public-private collaboration in the case of such controversies, and not on the controversy of Huawei itself in particular. Finally, the recency which makes this case interesting to research, also makes data collection more difficult. This is one of the reasons that this work will make use of some media sources, despite their possible challenge to reliability, because there might not be alternatives available.

Chapter 5: The United Kingdom

5.1 Cyber security organisation and public-private cooperation overview of the United Kingdom

Before talking about the case of Huawei in particular, this section will first provide a concise overview of the cyber security organisation in the United Kingdom. As this work will do for the Netherlands, it will make use of the NATO CCD COE project publications, providing comprehensive overviews of the cyber security apparatus of various nations, including the two central to this work (Osula 2015, 2-3). Compared to the rest of the nations in Europe, the United Kingdom is considered well-connected, ranking near the top when it comes to percentages of people with internet access, and the amount of people with mobile broadband subscriptions (Osula 2015, 5). While the UK does rank well in connectedness, they perform worse in terms of internet speed compared to other European nations (Osula 2015, 5).

The first cyber security strategy was published in 2009, after recognizing the threat of cyber-attacks in an earlier security strategy (Osula 2015, 6). In 2011, they published a new cyber security strategy, now supported by clear objectives and formulated roles and responsibilities (Osula 2015, 7). Working together with the private sector is one of the main objectives listed in the 2011 strategy (Osula 2015, 8-9). For example, the government aims to “work with the companies that own and manage our critical infrastructure to ensure key data systems continue to be safe and reliant” (Cabinet Office 2011, 9). With regards to critical national infrastructure (CNI), much of which is managed by the private sector, the 2011 strategy states that the Centre for the Protection of National Infrastructure (CPNI) cooperates with private CNI companies to ensure cyber security is maintained (Cabinet Office 2011, 28). It also talks of a “cyber security ‘hub,’” an effort of public-private cooperation to facilitate better information sharing and threat analysis to improve overall cyber security of the private sector (Cabinet Office 2011, 28). Finally, the Government Communications Headquarters (GCHQ) should play a central role in working with the private sector, and sharing expertise on cyber security issues (Cabinet Office 2011, 33). The CCD COE report describes GCHQ as being central to the UK’s cyber security efforts, receiving a major part of the cyber-related funding, and working closely with various security and intelligence agencies (Osula 2015, 11). The CPNI, according to the report: “facilitates public-private partnership efforts in the UK as the central governmental body working directly with the network of key industries and companies that own much of the state’s
critical infrastructure.” (Osula 2015, 18). The aim of the CPNI is to reduce vulnerability of national infrastructure to (cyber) threats, including espionage (Osula 2015, 19).

There have been some relevant recent developments in the UK’s cyber security organisation, however, comparing the CCD COE report to the more recently published cyber security strategy: the “National Cyber Security Strategy 2016-2021” (HM Government 2016). In 2017, the UK Government created the National Cyber Security Centre (NCSC), as part of the GCHQ, which effectively combines the forces of most existing UK cyber security related capabilities, including the CPNI, CERT-UK and the Centre for Cyber Assessment (HM Government 2016, 29). With regards to cyber security, the CPNI refers to the UK NCSC as “the single point of contact for the public and private sector” (CPNI 2019). Regarding private sector cooperation, the NCSC aims to provide (expert) advice and share information (HM Government 2016, 29). Additionally, the strategy underlines the importance of working with “Communications Service Providers” (CSPs), including measures to secure the UK telecommunications infrastructure (HM Government 2016, 34). An example of this cooperation is illustrated by the NCSC, in their “Annual Review 2019” report (NCSC UK 2019)¹. Namely, the NCSC regularly hosts CEOs
and CISOs from the major telecom providers at NCSC to discuss the public-private partnership, and ways to improve cyber security in the telecom sector (NCSC UK 2019, 37). Additionally, the report talks of recent efforts by NCSC to evaluate cyber security risks in the supply chain of UK telecom companies as requested by the Department for Digital, Culture, Media and Sport (DCMS) (NCSC UK 2019, 37). For the purpose of supporting the DCMS’ “Telecoms Supply Chain Review” with technical expertise, the NCSC talked to the major telecom operators to identify risks and discuss existing security arrangements (NCSC UK 2019, 37). This is one of the examples of how the UK approached the Huawei controversy, which will be discussed in more detail in the next section.

5.2 Huawei

In the United Kingdom, ‘Huawei Scepticism’ goes back over a decade, as Huawei entered the British telecommunications market in cooperation with British Telecom (BT) in 2005 (ISC 2013, 8). In 2008, the UK Security Service had informed the Intelligence and Security Committee of Parliament (ISC) of the possibility that the Chinese State could exploit vulnerabilities in Huawei equipment, providing espionage opportunities (ISC 2013, 11). Moreover, the ISC notes that despite the confidence the GCHQ had in the capabilities of BT to mitigate these vulnerabilities, it would be impossible to completely mitigate security risks in telecommunications equipment (ISC 2013, 12). Looking back at Huawei’s market entry in 2005, the ISC underlines that consideration for national security issues regarding foreign investment in Critical National Infrastructure was not sufficient then, but also states that the Committee is not convinced this has changed since then (ISC 2013, 10). As other telecom service providers engaged with Huawei as well, the government started to work directly with Huawei UK, as they set up the Huawei Cyber Security Evaluation Centre (HCSEC) (ISC 2013, 13-14). The centre is funded and operated by Huawei in cooperation with the UK Government, and has been running since it was opened in 2010 (ISC 2013, 15; HCSEC Oversight Board 2019). It is important to note that the conclusions and recommendations by the HCSEC Oversight Board are not necessarily focused on 5G equipment; instead, the relevance of the Centre is that it is based on similar concerns. These conclusions and recommendations have played a part in an ongoing review of 5G equipment security risks carried out by the DCMS mentioned earlier, but are only a piece of the puzzle (HCSEC Oversight Board 2019). The conclusions of the HCSEC report state that despite their efforts, the Board can only give limited assurance about the security of Huawei equipment (HCSEC Oversight Board 2019). Regarding this ‘assurance,’ the ISC report states concerns about a “Huawei-run” centre carrying the responsibility of providing assurance, and states that the GCHQ and the Government should have a bigger role, to better provide assurance and confidence in the Centre (ISC 2013, 17).

¹ To clarify: as both the United Kingdom and the Netherlands have their own “National Cyber Security Centre,”

A more recent report published by the Joint Committee on National Security Strategy (JCNSS), called “Cyber Security of the UK’s Critical National Infrastructure,” addresses a number of the concerns and cyber risks the case of Huawei poses to UK cyber security (JCNSS 2018). For example, the risk of a possible conflict of interests between private and public actors is discussed (JCNSS 2018, 38). The committee suggests that the government should give more attention to “non-regulatory incentives and interventions” to motivate CNI operators to continually improve their cyber security (JCNSS 2018, 38). It underlines that this is especially important for sectors where private sector interests may not necessarily align with security demands, which is relevant for the telecom sector and the case of Huawei (JCNSS 2018, 38). Additionally, the report talks about the NCSC’s efforts of public-private cooperation with CNI operators (JCNSS 2018, 43-46). Overall, its efforts over the two years previous to the report, since the NCSC became operational, were assessed positively (JCNSS 2018, 46). However,
there were some tensions regarding its ties to the GCHQ, its geographical reach beyond London, and speed and extent of information sharing (JCNSS 2018, 43-44). With regards to 5G mobile internet in particular, the report noted the difficulty of acquiring sector-specific expertise, which might difficult effective public-private cooperation with the telecom sector when it comes to 5G technology (JCNSS 2018, 45).

Cyber security concerns about Huawei as a Chinese company in particular were discussed by the UK Foreign Affairs Committee, in an extensive report on China published in early 2019 (Foreign Affairs Committee 2019, 40-42). One of these concerns was the Chinese Cyber Security law discussed earlier, which was suspected to enable the Chinese state to compel Chinese companies operating overseas to share data and enable espionage (Foreign Affairs Committee 2019, 41). In response, Huawei UK was contacted, whose representative denied the law had any extraterritorial effect for a company like Huawei (Foreign Affairs Committee 2019, 41). Additionally, the report makes note of the ongoing large-scale cyber espionage campaign carried out on behalf of the Chinese state, targeted at the UK and other nations, questioning China’s long-term intentions (Foreign Affairs Committee 2019, 42). Finally, it talks about the earlier decision by BT to remove Huawei equipment from the “core” of their existing mobile networks, and their commitment to not use Huawei for their ‘5G core’ either (Foreign Affairs Committee 2019, 40-41). The report states that a ‘core ban’ might not be enough, referring to the Australian rationale for a complete ban on Huawei, who argued that it is difficult to distinguish between ‘core’ and ‘edge’ in 5G networks, stating that any threats in the system will be a cyber security risk to the entire 5G network (Foreign Affairs Committee 2019, 42). The report concludes by saying they witness “considerable grounds for concern about Huawei’s involvement in the UK’s 5G infrastructure” (Foreign Affairs Committee 2019, 42).

As of the time of writing this thesis, the UK government has not made a final decision regarding a ban on Huawei. The main reason for the delayed decision is the December 2019 General Election and its necessary preparation, related to the political issues surrounding Brexit (Morgan 2019). The (long-term) significance of the decision, coupled with time pressure, motivated the government to postpone this decision until after the election process (Morgan 2019). Note that the lack of a central decision does not necessarily damage the value of this case study, and may actually shine more light on the decision-making process. Moreover, while a central decision has not been made, there are some indicators towards the contours of the decision based on recent publications, such as the outcomes of the Telecoms Supply Chain Review (DCMS 2019). Discussing the risks posed by ‘vendors,’ the DCMS report does not mention a ban on Huawei as a solution moving forward (DCMS 2019). Instead, it is focused on ways in which the UK can manage the security risks suppliers pose, and how the additional requirements for suppliers – which are yet to be formulated – can effectively be managed by telecom companies (DCMS 2019). The new security requirements for telecom operators, appropriately named the “Telecoms Security Requirements” (TSR), will be formulated in collaboration between the UK Government, telecom security regulator “Ofcom” and the telecom industry (DCMS 2019). Moreover, Ofcom will play a central role in overseeing the implementation of the TSR, gaining additional regulatory power to better ensure proper security risk management by telecom providers (DCMS 2019). Other than that, there is focus on avoiding dependence on a small number of 5G equipment suppliers, making efforts to generate market diversity and competitiveness (DCMS 2019). The issue of overdependence also plays a role in why Huawei is not outright banned over security concerns, states the ISC (ISC 2019, 2). With only Nokia, Ericsson and Huawei available as potential 5G suppliers at the moment, banning one would likely result in overdependence on the other two, reducing competition as well (ISC 2019, 2). On a related note, there are some local authorities in the UK that have decided to halt 5G roll-out in their areas, but the reasons for this are health concerns about 5G masts, and are not security- or Huawei-related (Jones 2019).

The great delay for the security requirements might be problematic in the coming months, as multiple telecom companies have already started 5G roll-out in major UK cities, some using Huawei equipment (Hall 2019a; Sandle 2019; Sheng 2019). There are some differences between the telecom companies. O2, for example, opted not to use any Huawei equipment in their networks (Hall 2019a). Vodafone did decide to use Huawei equipment, but only in non-core parts of their 5G network (Sheng 2019). EE on the other hand, which is owned by BT, has decided to stick with Huawei equipment for their 5G roll-out, including in their core (Sandle 2019). The Chief Executive of EE, Marc Allera, tells Reuters it is important that the UK becomes one of the leading nations for 5G, noting that there are currently no instructions from the government for them to do otherwise (Sandle 2019). EE is planning to remove Huawei equipment from their core in the future, but decided to launch 5G before this; in doing so, EE became the first telecom operator in the UK to launch their 5G network (Sandle 2019). In other words, while the government decisions are repeatedly being delayed, multiple UK telecom operators are eagerly rolling out 5G networks, both with and without Huawei equipment.
