After a year of open debate on 5G risks, a lot of it centered on the case of China’s Huawei, explicit policies are coming out. France had been first with a new law - a certification system of "prior authorizations" that broadly empowers the administration and therefore leaves it much leeway on final choices. The UK, faced with strong demands by the US, has come out with its "new plans to safeguard the country’s telecoms network and pave way for fast, reliable and secure connectivity". It stops short of banning Huawei, and this is contested among security agencies and in Parliament. Germany is in the midst of polemics that leave Mrs. Merkel exposed to criticism from all parties except the Christian Social Union in Bavaria (CSU) for also refusing to name high-risk vendors. And the European Commission has finally published, with a delay of 45 days, its "toolbox of risk mitigation measures" with recommendations to Member States. Some of these have moved specifically on the issue of Huawei: Poland and Italy are pulling back from their earlier embrace of the Chinese supplier. The Danish carrier TDC, whose 4G was powered by Huawei, has announced the choice of Ericsson for its 5G infrastructure, on commercial terms.
Convergent threat analyses
On key points that cover technical and political issues, there are convergences in the published risk management announcements. 5G and its reach into many more activities through the Internet of Things (IoT) create new vulnerabilities. Sabotage or denial of supply (including from crucial subcontractors, for any reason) are even more ominous risks than spying. These threats are of a political and strategic nature. They are related to China’s leverage over Europe, and to the capacity of the Chinese state to conduct hostile actions in times of political tensions. The country of origin of the supplier may have laws that compel its cooperation with weak or inexistent democratic checks and balances: this is an obvious reference to China’s National Intelligence Law in the European risk assessment paper. In that case, how to protect targets in Europe from hostile intelligence action, since the capacity to seek legal redress is almost or entirely non-existent? To this list, the British framework for security threat analysis adds "network prepositioning", the ability to gain a presence for future exploitation.
Finally, were US sanctions on Chinese suppliers to intensify, these suppliers might simply be unable to provide some of their services to customers. So far, the US has listed Huawei on the entity list only to immediately create a regime of exemptions through temporary general licenses. But a new wave of attacks against the Chinese equipment provider is in preparation in Washington.