Back
About RSIS
Introduction
Building the Foundations
Welcome Message
Board of Governors
Staff Profiles
Executive Deputy Chairman’s Office
Dean’s Office
Management
Distinguished Fellows
Faculty and Research
Associate Research Fellows, Senior Analysts and Research Analysts
Visiting Fellows
Adjunct Fellows
Administrative Staff
Honours and Awards for RSIS Staff and Students
RSIS Endowment Fund
Endowed Professorships
Career Opportunities
Getting to RSIS
Research
Research Centres
Centre for Multilateralism Studies (CMS)
Centre for Non-Traditional Security Studies (NTS Centre)
Centre of Excellence for National Security (CENS)
Institute of Defence and Strategic Studies (IDSS)
International Centre for Political Violence and Terrorism Research (ICPVTR)
Research Programmes
National Security Studies Programme (NSSP)
Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
Future Issues and Technology Cluster
Research@RSIS Newsletter
Other Research
Science and Technology Studies Programme (STSP) (2017-2020)
Graduate Education
Graduate Programmes Office
Exchange Partners and Programmes
How to Apply
Financial Assistance
Meet the Admissions Team: Information Sessions and other events
RSIS Alumni
Alumni & Networks
Alumni
Asia-Pacific Programme for Senior Military Officers (APPSMO)
Asia-Pacific Programme for Senior National Security Officers (APPSNO)
International Strategy Forum-Asia (ISF-Asia)
SRP Executive Programme
Terrorism Analyst Training Course (TATC)
Publications
RSIS Publications
Annual Reviews
Books
Bulletins and Newsletters
Commentaries
Counter Terrorist Trends and Analyses
Commemorative / Event Reports
IDSS Paper
Interreligious Relations
Monographs
NTS Insight
Policy Reports
Working Papers
RSIS Publications for the Year
Glossary of Abbreviations
External Publications
Authored Books
Journal Articles
Edited Books
Chapters in Edited Books
Policy Reports
Working Papers
Op-Eds
External Publications for the Year
Policy-relevant Articles Given RSIS Award
Media
2024 Indonesia Elections
Great Powers
Sustainable Security
Other Resource Pages
Media Mentions
News Releases
Speeches
Video/Audio Channel
External Podcasts
Events
S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
Nanyang Technological University Nanyang Technological University
  • About RSIS
      IntroductionBuilding the FoundationsWelcome MessageBoard of GovernorsHonours and Awards for RSIS Staff and StudentsRSIS Endowment FundEndowed ProfessorshipsCareer OpportunitiesGetting to RSIS
      Staff ProfilesExecutive Deputy Chairman’s OfficeDean’s OfficeManagementDistinguished FellowsFaculty and ResearchAssociate Research Fellows, Senior Analysts and Research AnalystsVisiting FellowsAdjunct FellowsAdministrative Staff
  • Research
      Research CentresCentre for Multilateralism Studies (CMS)Centre for Non-Traditional Security Studies (NTS Centre)Centre of Excellence for National Security (CENS)Institute of Defence and Strategic Studies (IDSS)International Centre for Political Violence and Terrorism Research (ICPVTR)
      Research ProgrammesNational Security Studies Programme (NSSP)Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      Future Issues and Technology ClusterResearch@RSIS Newsletter
      Other ResearchScience and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      Graduate Programmes OfficeExchange Partners and ProgrammesHow to Apply
      Financial AssistanceMeet the Admissions Team: Information Sessions and other eventsRSIS Alumni
  • Alumni & Networks
      AlumniAsia-Pacific Programme for Senior Military Officers (APPSMO)Asia-Pacific Programme for Senior National Security Officers (APPSNO)
      International Strategy Forum-Asia (ISF-Asia)SRP Executive ProgrammeTerrorism Analyst Training Course (TATC)
  • Publications
      RSIS PublicationsAnnual ReviewsBooksBulletins and NewslettersCommentariesCounter Terrorist Trends and AnalysesCommemorative / Event ReportsIDSS PaperInterreligious RelationsMonographsNTS InsightPolicy ReportsWorking PapersRSIS Publications for the Year
      External PublicationsAuthored BooksJournal ArticlesEdited BooksChapters in Edited BooksPolicy ReportsWorking PapersOp-EdsExternal Publications for the Year
      Glossary of AbbreviationsPolicy-relevant Articles Given RSIS Award
  • Media
      2024 Indonesia ElectionsGreat PowersSustainable SecurityOther Resource PagesMedia Mentions
      News ReleasesSpeechesVideo/Audio ChannelExternal Podcasts
  • Events
    • Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
      rsisvideocast
      school/rsis-ntu
      rsis.sg
      RSIS
      RSS
      Subscribe to RSIS Publications
      Subscribe to RSIS Events

      Getting to RSIS

      Nanyang Technological University
      Block S4, Level B3,
      50 Nanyang Avenue,
      Singapore 639798

      Click here for direction to RSIS

      Get in Touch

    Connect
    Search
    • RSIS
    • Publication
    • RSIS Publications
    • Can Trust Be Verified? Managing 5G Risk in Southeast Asia
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • Commentaries
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • IDSS Paper
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers
    • RSIS Publications for the Year

    CO19092 | Can Trust Be Verified? Managing 5G Risk in Southeast Asia
    Donald K. Emmerson

    09 May 2019

    download pdf
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    Nothing can fully protect a country from secret malfeasance involving the company it hires to provide and maintain its 5th generation wireless system (5G). But certain steps can lessen the risk. One is to learn how secure the firm’s technology is; another is to estimate the chance that the laws and institutions in the firm’s home country will prevent the government there from accessing the firm’s data and algorithms without the user country’s permission.

    COMMENTARY

    Trust but verify. That mantra from nuclear-weapons negotiation discourse during the Cold War is newly relevant today. Versions of the advice are circulating among governments in Southeast Asia and elsewhere as they weigh the security risks of partnering with this or that company to install the fifth-generation telecommunications technology known as 5G.

    It is tempting to believe that a technical solution to the problem of unwanted risk exists — a clever digital tweak that will fully and permanently protect a 5G network’s users. It does not. The best one can hope for is a “good enough” balancing of faith and proof that is — arguably, not assuredly — reassuring and realistic. Characteristics of the network-offering company in its home country and of the network-purchasing government in its own country will shape the 5G seller-buyer bargain and its location. This will occur on an eventual spectrum of arrangements between the unwise and the unworkable: unverified trust at one extreme end, trust-eliminating verification at the other.

    Enter Huawei

    China’s Huawei Technologies is an ostensibly private (https://www.nytimes.com/2019/04/25/technology/who-owns-huawei.html) company founded in China’s mercantilistic state-capitalist economy by a former People’s Liberation Army engineer. Southeast Asian governments are considering whether to rely on Huawei’s technology in an upcoming 5G world.

    If a potential buyer insisted on continuous verification, Huawei would need to agree to the installation and maintenance of hardware and software designed to expunge from the system any present or future “back door” through which China’s Ministry of State Security (MSS) or the Communist Party of China (CPC) could walk.

    But even if Huawei agreed, would its software updates uphold that initial consent? Full prudence would oblige the user state to re-investigate the workings of the system whenever Huawei saw fit to alter the code. But whose investigators, employing what possibly proprietary knowledge, how thoroughly, and at whose and what expense?

    Scheduled updates aside, if and as adaptive machine self-learning becomes increasingly the norm, 5G software will be continually changing itself, potentially opening new vulnerabilities to breaching and manipulation. And even if every new back door is somehow dismantled or prevented, the MSS or the CPC could simply knock on Huawei’s physical front door at the company’s headquarters in Shenzhen to ask for access to the system.

    Fearing the  visitor and obliged to comply with the intrusive prerogatives of the state authorised in China’s National Intelligence Law, Article 7 (https://www.chinalawtranslate.com/%e4%b8%ad%e5%8d%8e%e4%ba%ba%e6%b0%91%e5%85%b1%e5%92%8c%e5%9b%bd%e5%9b%bd%e5%ae%b6%e6%83%85%e6%8a%a5%e6%b3%95/?lang=en), Huawei will open the door.

    Whom To Trust?

    Whom will you trust? And how much? Technical guardrails and patches can reduce but not remove the subjectivity of those necessary questions. In Southeast Asia, differing political and economic contexts will influence the answers. Other things being equal, governments indebted to China may feel less free to turn down Huawei. Lower-income countries may opt for Huawei because it is cheaper to do so. Poorer countries already tilted towards Beijing, such as Cambodia, may hire Huawei on both grounds.

    History will also matter. Vietnam recently observed the 40th anniversary of its 1979 invasion by China and the brief war that followed.

    Unsurprising in that context, Vietnam has granted its first 5G licence to a homegrown firm, Viettel, and is reportedly open to working with two Scandinavia-based multinationals—Nokia in Finland and Ericsson in Sweden (https://www.cio.com/article/3310197/how-is-vietnam-preparing-for-5g.html).

    Huawei, Nokia, and Ericsson are competing neck-and-neck for shares in the global market for the radio access network (RAN) equipment needed to enable 5G transmission. One analyst’s estimate of the three companies’ shares of 5G subscribers worldwide in 2023 who will be using their respective RANs has the distribution as follows: Huawei with 25 percent; Nokia and Ericsson each with 23 percent; and the remaining 30 percent split among other firms (https://www.telecompetitor.com/5g-ran-market-share-research-three-vendors-run-neck-and-neck/).

    Food For Thought About Policy Choices

    Relevant in this context is the devastating review of Huawei in the fifth annual report of the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board (https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019), released in the United Kingdom on 28 March 2019.

    Based on its investigation, the board found persisting “serious and systematic defects in Huawei’s software engineering and cyber security competence” resulting in “extensive vulnerability” and “significantly increased risk” for users.

    Huawei’s products were judged as having “no end-to-end integrity” and the firm’s software management was found “defective”. The board had only “limited confidence” in Huawei’s ability even “to understand the content” of its own products, presumably rendering the company incapable of diagnosing “identified issues” needing remedy.

    Lessons To Be Learned

    In cybersecurity, because perfection is impossible, it should not be made the enemy of the reasonably good. There is an opportunity here for governments and companies to scale up the methods that HCSEC used and the lessons it learned in the course of its experience investigating Huawei.

    Those lessons could contribute to the drafting of a checklist of tests and standards for use by Southeast Asian and other states when choosing between G5 network providers. User states could benefit further by taking into account the trustworthiness not only of a given 5G firm, but of its home government as well.

    Vietnamese officials may not have looked up the World Justice Project’s 2019 Rule of Law Index of Constraints on Government Powers (https://worldjusticeproject.org/sites/default/files/documents/WJP-ROLI-2019-Single%20Page%20View-Reduced.pdf). It ranks 126 countries by the extent to which the government in each one is held accountable within an effective framework of law that limits its power. Finland and Sweden are respectively 3rd and 4th. The UK is 11th. China is 119th.

    This is not an infomercial for Nokia or Ericsson in Scandinavia, nor for HCSEC in the UK. It is just a little food for possible thought about the policy choices that will shape the digital future of Southeast Asia.

    About the Author

    Donald K. Emmerson heads the Southeast Asia Program in the Shorenstein Asia-Pacific Research Center at Stanford University, where he is also affiliated with the Center on Development, Democracy, and the Rule of Law. He contributed this article specially to RSIS Commentary. His edited book, The Deer and the Dragon: Southeast Asia and China in the 21st Century, is forthcoming in 2019.

    Categories: Commentaries / Country and Region Studies / International Political Economy / International Politics and Security / East Asia and Asia Pacific / South Asia / Southeast Asia and ASEAN

    Last updated on 09/05/2019

    comments powered by Disqus
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    Nothing can fully protect a country from secret malfeasance involving the company it hires to provide and maintain its 5th generation wireless system (5G). But certain steps can lessen the risk. One is to learn how secure the firm’s technology is; another is to estimate the chance that the laws and institutions in the firm’s home country will prevent the government there from accessing the firm’s data and algorithms without the user country’s permission.

    COMMENTARY

    Trust but verify. That mantra from nuclear-weapons negotiation discourse during the Cold War is newly relevant today. Versions of the advice are circulating among governments in Southeast Asia and elsewhere as they weigh the security risks of partnering with this or that company to install the fifth-generation telecommunications technology known as 5G.

    It is tempting to believe that a technical solution to the problem of unwanted risk exists — a clever digital tweak that will fully and permanently protect a 5G network’s users. It does not. The best one can hope for is a “good enough” balancing of faith and proof that is — arguably, not assuredly — reassuring and realistic. Characteristics of the network-offering company in its home country and of the network-purchasing government in its own country will shape the 5G seller-buyer bargain and its location. This will occur on an eventual spectrum of arrangements between the unwise and the unworkable: unverified trust at one extreme end, trust-eliminating verification at the other.

    Enter Huawei

    China’s Huawei Technologies is an ostensibly private (https://www.nytimes.com/2019/04/25/technology/who-owns-huawei.html) company founded in China’s mercantilistic state-capitalist economy by a former People’s Liberation Army engineer. Southeast Asian governments are considering whether to rely on Huawei’s technology in an upcoming 5G world.

    If a potential buyer insisted on continuous verification, Huawei would need to agree to the installation and maintenance of hardware and software designed to expunge from the system any present or future “back door” through which China’s Ministry of State Security (MSS) or the Communist Party of China (CPC) could walk.

    But even if Huawei agreed, would its software updates uphold that initial consent? Full prudence would oblige the user state to re-investigate the workings of the system whenever Huawei saw fit to alter the code. But whose investigators, employing what possibly proprietary knowledge, how thoroughly, and at whose and what expense?

    Scheduled updates aside, if and as adaptive machine self-learning becomes increasingly the norm, 5G software will be continually changing itself, potentially opening new vulnerabilities to breaching and manipulation. And even if every new back door is somehow dismantled or prevented, the MSS or the CPC could simply knock on Huawei’s physical front door at the company’s headquarters in Shenzhen to ask for access to the system.

    Fearing the  visitor and obliged to comply with the intrusive prerogatives of the state authorised in China’s National Intelligence Law, Article 7 (https://www.chinalawtranslate.com/%e4%b8%ad%e5%8d%8e%e4%ba%ba%e6%b0%91%e5%85%b1%e5%92%8c%e5%9b%bd%e5%9b%bd%e5%ae%b6%e6%83%85%e6%8a%a5%e6%b3%95/?lang=en), Huawei will open the door.

    Whom To Trust?

    Whom will you trust? And how much? Technical guardrails and patches can reduce but not remove the subjectivity of those necessary questions. In Southeast Asia, differing political and economic contexts will influence the answers. Other things being equal, governments indebted to China may feel less free to turn down Huawei. Lower-income countries may opt for Huawei because it is cheaper to do so. Poorer countries already tilted towards Beijing, such as Cambodia, may hire Huawei on both grounds.

    History will also matter. Vietnam recently observed the 40th anniversary of its 1979 invasion by China and the brief war that followed.

    Unsurprising in that context, Vietnam has granted its first 5G licence to a homegrown firm, Viettel, and is reportedly open to working with two Scandinavia-based multinationals—Nokia in Finland and Ericsson in Sweden (https://www.cio.com/article/3310197/how-is-vietnam-preparing-for-5g.html).

    Huawei, Nokia, and Ericsson are competing neck-and-neck for shares in the global market for the radio access network (RAN) equipment needed to enable 5G transmission. One analyst’s estimate of the three companies’ shares of 5G subscribers worldwide in 2023 who will be using their respective RANs has the distribution as follows: Huawei with 25 percent; Nokia and Ericsson each with 23 percent; and the remaining 30 percent split among other firms (https://www.telecompetitor.com/5g-ran-market-share-research-three-vendors-run-neck-and-neck/).

    Food For Thought About Policy Choices

    Relevant in this context is the devastating review of Huawei in the fifth annual report of the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board (https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019), released in the United Kingdom on 28 March 2019.

    Based on its investigation, the board found persisting “serious and systematic defects in Huawei’s software engineering and cyber security competence” resulting in “extensive vulnerability” and “significantly increased risk” for users.

    Huawei’s products were judged as having “no end-to-end integrity” and the firm’s software management was found “defective”. The board had only “limited confidence” in Huawei’s ability even “to understand the content” of its own products, presumably rendering the company incapable of diagnosing “identified issues” needing remedy.

    Lessons To Be Learned

    In cybersecurity, because perfection is impossible, it should not be made the enemy of the reasonably good. There is an opportunity here for governments and companies to scale up the methods that HCSEC used and the lessons it learned in the course of its experience investigating Huawei.

    Those lessons could contribute to the drafting of a checklist of tests and standards for use by Southeast Asian and other states when choosing between G5 network providers. User states could benefit further by taking into account the trustworthiness not only of a given 5G firm, but of its home government as well.

    Vietnamese officials may not have looked up the World Justice Project’s 2019 Rule of Law Index of Constraints on Government Powers (https://worldjusticeproject.org/sites/default/files/documents/WJP-ROLI-2019-Single%20Page%20View-Reduced.pdf). It ranks 126 countries by the extent to which the government in each one is held accountable within an effective framework of law that limits its power. Finland and Sweden are respectively 3rd and 4th. The UK is 11th. China is 119th.

    This is not an infomercial for Nokia or Ericsson in Scandinavia, nor for HCSEC in the UK. It is just a little food for possible thought about the policy choices that will shape the digital future of Southeast Asia.

    About the Author

    Donald K. Emmerson heads the Southeast Asia Program in the Shorenstein Asia-Pacific Research Center at Stanford University, where he is also affiliated with the Center on Development, Democracy, and the Rule of Law. He contributed this article specially to RSIS Commentary. His edited book, The Deer and the Dragon: Southeast Asia and China in the 21st Century, is forthcoming in 2019.

    Categories: Commentaries / Country and Region Studies / International Political Economy / International Politics and Security

    Last updated on 09/05/2019

    Popular Links

    About RSISResearch ProgrammesGraduate EducationPublicationsEventsAdmissionsCareersVideo/Audio ChannelRSIS Intranet

    Connect with Us

    rsis.ntu
    rsis_ntu
    rsisntu
    rsisvideocast
    school/rsis-ntu
    rsis.sg
    RSIS
    RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    Getting to RSIS

    Nanyang Technological University
    Block S4, Level B3,
    50 Nanyang Avenue,
    Singapore 639798

    Click here for direction to RSIS

    Get in Touch

      Copyright © S. Rajaratnam School of International Studies. All rights reserved.
      Privacy Statement / Terms of Use
      Help us improve

        Rate your experience with this website
        123456
        Not satisfiedVery satisfied
        What did you like?
        0/255 characters
        What can be improved?
        0/255 characters
        Your email
        Please enter a valid email.
        Thank you for your feedback.
        This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
        OK
        Latest Book
        more info