Written by Gurshabad Grover
The Trump administration has not only passed orders restricting the US government and its departments from procuring networking equipment from Chinese companies, but is exerting considerable pressure on other countries to follow suit. The fear that Huawei and ZTE will aid Chinese espionage and surveillance operations has become common even though there has been no compelling evidence to suggest that Huawei’s equipment is substantively different from its competitors.
These events have also sparked a larger debate about the security of India’s communications infrastructure, an industry powered by foreign imports. Commentators have not shied away from suggesting that India ban the import of network equipment. C Raja Mohan, in ‘The tech wars are here’ (IE, December 11, 2018), expressed these concerns and asked whether Chinese telecom equipment manufacturers should be allowed to operate in India. A larger point was made by D S Hooda in his piece, ‘At digital war’ (IE, October 25, 2018). He pointed out threats that arise from using untrusted software and hardware all over the stack: From Chinese networking middleboxes to American operating systems and media platforms. As a method to establish trust in ICT infrastructure, Hooda recommends “indigenis[ing] our cyber space”.
The path towards indigenised manufacturing of networking equipment is an expensive, elaborate process. Restricting certain foreign companies from operating in the country without evidence would be a knee-jerk reaction solely based on cues from US policy, and would undermine India’s strategic autonomy.
At the heart of threats from untrusted software or hardware, lies an information asymmetry between the buyer and seller. It is not always possible to audit the functioning of every product that you purchase. Open technical standards, developed by various standards development organisations (SDOs), govern the behaviour of networking software, and remove this information asymmetry: They allow buyers to glean or implicitly trust operational and security aspects of the equipment.
It is clear that various governments including India have repeatedly failed to advance privacy and security in the 5G standards, which are developed at the 3rd Generation Partnership Project (3GPP) — the organisation developing standards for telephony. Government and industry dominance at the 3GPP has ensured that telecom technologies include security vulnerabilities that are euphemistically termed as “lawful interception”. From an architectural perspective, 5G does not contain any significant vulnerabilities that were absent in older telecom standards. Unfortunately, these vulnerabilities are indifferent to those who exploit them: A security exception for law enforcement is tantamount to a security vulnerability for malicious actors. As the report from UK’s Huawei Cyber Security Evaluation Centre Oversight Board confirmed, there is perhaps no technical way to mitigate the security risks that 5G poses now. But there is still no evidence to suggest that Huawei is operating differently from say Ericsson or Nokia.
India needs to establish that Huawei is aiding the Chinese government through their products (5G or otherwise) before reacting. That Chinese companies are rarely insulated from Beijing’s influence is indisputable. However, the legal requirements placed on Chinese companies by Beijing are equivalent to de facto practices of countries like the US, which has a history of intercepting equipment from American companies to introduce vulnerabilities, or directly compelling them to aid intelligence operations. Such influence should be fought back by pushing for international norms that prevent states from acquiring data from companies en masse, and domestic data protection legislation.
In the long term, the Indian government and its defence wings would benefit from understanding the argument Lawrence Lessig has made since the 1990s: Decisions of technical architecture have far-reaching regulatory effects. A long-term strategy that focuses on advancing security at technical SDOs will prove more effective in ensuring the security of India’s critical infrastructure than the economically expensive push for indigenisation.