Huawei promotes a new phone at an event in Paris in 2014. Photo: Reuters
Opinion
Mathieu Duchatel

While weighing 5G security risks, France predicts it can manage Huawei without banning it

  • Mathieu Duchâtel writes that the French government is creating a regulatory environment that helps reduce its vulnerability to foreign intelligence collection

Many in China mistakenly think that states place security restrictions on Huawei as a courtesy to the United States.

France provides an interesting case of a Western country outside the Five Eyes intelligence-sharing arrangement that takes network security seriously and has for years taken steps to reduce its vulnerabilities to foreign intelligence collection and the risk of sabotage. It is also an example of seeking a balance between refusing a Huawei ban and working to create a regulatory environment to manage risks.

France has a security “deep state”, which conducts independent assessment of the domestic threat environment, prioritising foreign espionage and terrorist risks. The security of information systems is a government priority.

In that sense, the current 5G debate is in perfect continuity with earlier discussions that had received little public attention. Restrictions were already placed on Huawei when constructing 4G networks. Huawei did not build the core networks; it only provided antennas on the edge. Its presence in the network infrastructure in the Paris region was also restricted.

5G infrastructure poses more complex problems. The distinction between core and edge is no longer as relevant, as many software operations will operate in the cloud.

The security challenge is not purely about the protection of private data; it is also about managing sabotage risks. 5G will be the basic infrastructure for a range of industrial applications and a new wave of modernisation of public services, and no state wants to create vulnerabilities that could be exploited during international tensions.

The French assumption is that Huawei can be managed without a ban. This is the aim of legislation that was just passed by the French Parliament, creating a system of prior authorisation for 5G equipment with the aim of addressing the “risk of interference by a foreign state”.

In practice, the prime minister is given the authority to authorise equipment in telecommunication networks through ANSSI, the agency in charge of information systems’ security. A list of equipment that requires authorisation is established and the mobile network carriers are responsible for obtaining official approval when building the network infrastructure. The legislation only applies to 5G networks and covers hardware and software equipment.

The logo of the French national cybersecurity agency ANSSI. Photo: AFP

The legislation also creates a toolbox for the government. Authorisations can be issued with specific conditions. Five-year jail terms and fines up to €300,000 can be imposed for the exploitation of non-authorised equipment or for the violation of their conditions of use.

Importantly, the prime minister’s office reserves the right not to explain decisions to refuse specific equipment when the disclosure of such information could undermine national security. There is a provision to increase public transparency and oversight, as the government has to produce an annual report to the Parliament from July 2020 that evaluates the impact of the legislation on the deployment of 5G infrastructure on French territory.

Critics, especially among the network carriers, argue that the legislation will slow innovation and the deployment of the infrastructure. What if an important software update takes weeks before it receives “prior authorisation”? This becomes a question of administrative efficiency.

What matters for equipment providers is that executive power over the telecommunication networks is reinforced for the sake of national security. Of course, this does not entirely solve the security problem as infrastructure equipment is far from being the only entry point for an intruder to attack a network. And the balance of power between the executive branch that seeks to constantly update equipment authorisation lists and the creativity of potential attackers will never be stable.

The French approach is not unique, even though France’s early sensitivity to 4G risks is quite distinctive in Europe. The no-ban/regulatory road is also the choice of Japan and Germany, two countries also outside the Five Eyes alliance.

Overall, this is part of a current European emphasis on building the necessary tools to manage the risks of interacting with China in Xi Jinping’s “new era” and adjust to the reality of China as both a security state and an innovative scientific power.

5G infrastructure poses more complex problems than that of previous wireless communication networks. Photo: Reuters

This approach also protects a country like France from the uncertainties and the twists in the Huawei policy of the Trump administration. For how long will Huawei stay on the entity list? Will there be waivers? The response to these two questions will determine Huawei’s ability to maintain its 5G offer at the same price and at the same technical level.

As no one is able to predict this outcome, moving ahead with security legislation is a rational choice.

Mathieu Duchâtel is director of the Asia programme at Institut Montaigne

This article appeared in the South China Morning Post print edition as: Reducing vulnerability to foreign intelligence collection