The Western post-war model of stability and prosperity has been, in realist terms, founded upon the simple tenet that the United States largely underwrote the trans-Atlantic collective security that allowed for trade between the allies to flourish.
By virtue of being part of the largest and most technologically-advanced market in the alliance, American companies were at an advantage in exploiting opportunities. However, all Western nations have come to benefit from the trans-Atlantic partnership. The majority of them managed to reap benefits at a scale immensely disproportionate to their financial contributions to our collective security, and to the threats they face.
The US defence budget was equal to 70% of the Alliance’s combined defence expenditure, and the US was one of only five members to surpass the nominal 2% GDP target for NATO in 2018. Last year, the combined defence spending of NATO’s bottom nine was less than the New York Police Department’s budget. Moreover, the United States, along with Canada, is geographically far more removed from any of the potential sources of conflict NATO was designed to protect against than any of the other members.
That tacit understanding of Pax Americana has faced significant tests before. The recurrent threat of a trade war between the United States and the European Union and its many warning shots are constant reminders of a strained relationship under redefinition. So is the protectionist rhetoric, on both sides. However, a more strenuous issue has been building up, a new frontier of transatlantic tension: 5G infrastructure security.
In an online live briefing last Monday, Deputy Assistant Secretary for Cyber and International Communications and Information Policy, Robert L. Strayer, was unequivocal in underlining the strategic significance of 5G network infrastructure to American security architecture, declaring: “[w]e and our partners recognize that cyber policy issues are critical to not just protecting communications networks, but also to national security, human rights, and economic prosperity around the world. Because of its impact on these vital interests, cyber policy is a foreign policy priority for the United States. The security of information communications technologies, or ICTs, is an essential element of national security.” He urged partners to “adopt a risk-based security framework,” and to conduct a careful assessment of the “supply chain and equipment vendors.”
“In particular, this evaluation should result in the exclusions of equipment vendors that are subject to unchecked or extrajudicial control by a foreign power. These vendors could be ordered to undermine network security, to skim personal information, conduct espionage, distribute cyber-attacks, and disrupt critical infrastructure,” he added.
This repeated warning comes at a time when European governments and regulators struggle to address fears of an increased risk of Chinese interference through equipment that has already been supplied or could be supplied in the development of 5G infrastructure in the European Union.
Although the European Commission has recommended that national infrastructure security assessments be conducted before the end of June this year, the Member States are far from putting together a decisive answer, let alone a common one.
There have recently been revelations about potential security risks in the form of backdoors (security vulnerabilities intentionally or unintentionally built into software or hardware that could permit unauthorised access to data), in particular when it comes to systems supplied by Huawei, a Chinese company. Only last week, UK telecom company Vodafone announced that it had discovered vulnerabilities in systems supplied by Huawei to the telecom operator’s private customers in Italy that date back to 2011.
In March, the British Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board report found hundreds of vulnerabilities in equipment supplied by the same Chinese company. On the other hand, “no major US wireless carrier plans to use Huawei or ZTE equipment in the buildout of its 5G network,” Deputy Assistant Secretary Strayer told journalists.
Although the US official said that it was premature to assess what the impact on intelligence-sharing between the allies would be in case Europeans decide to use technology supplied by “untrustworthy networks,” a reassessment of information-sharing and the current level of interconnection was warranted. Asked about the counterargument provided by Huawei and the Chinese side, which claim that the US has failed to produce any hard evidence to substantiate its claims, Deputy Assistant Secretary Strayer answered that three elements together paint the picture of a loaded gun: intent “to use data in different ways than we would ever want to see used under our views about fundamental human rights” (a reference to, among other things, the use of technology by the Chinese authorities to assign social credit scores to citizens’ conduct); capability, in the form of a set of Chinese laws that provide the government “complete control over their private sector and state-owned companies”; and opportunity (given that the new network will be software-based, the attack surface is exponentially larger). Why would European states want to give “an authoritarian regime with very different values about the uses of data” that loaded gun?
All of us Europeans should ask that question. Why would we want to use equipment supplied by any company based in a country whose government could compel it at any time to act in a way that is detrimental not only to our body of values but also to our critical infrastructure and national security? That could not even be justified under economic interest criteria. Major European and American companies are involved in the 5G network infrastructure and value chain. Ericsson of Sweden and Nokia of Finland are two of the key players.
Further, there is another even more crucial question: assume that in the future there will be a cyber-attack against a European NATO member that has opted to use equipment by Chinese vendors. Given the unprecedented range of applications that 5G technology will have in the near future, affecting every part of modern life, the effect of such an attack could be extensive. So will be the damage sustained, amounting to disruption seen at times of war.
Let’s assume that proof exists that vulnerabilities in the Chinese-supplied infrastructure were employed by the attacker to carry out that attack. What would the reaction of the Alliance be in case the said European member decided to activate Article 5? How would the rest of the members be able to justify to their citizens that human and military capital would have to be sacrificed for an attack that arose out of one’s own fault, about which they had been warned in time? Why would the American military use resources to protect any European country that has consciously decided to use infrastructure for which it had a strong indication of vulnerability or even potential threat? Limitations apply to military procurement (imagine a NATO member employing Chinese military aircraft). Why wouldn’t the same apply to network infrastructure? 5G will have immense implications in our daily lives. That will certainly extend to our defence alliance. Allies had better think twice.