• Home
  • About RSIS
    • Introduction
    • Building the Foundations
    • Welcome Message
    • Board of Governors
    • Staff Profiles
      • Executive Deputy Chairman’s Office
      • Dean’s Office
      • Management
      • Distinguished Fellows
      • Faculty and Research
      • Associate Research Fellows, Senior Analysts and Research Analysts
      • Visiting Fellows
      • Adjunct Fellows
      • Administrative Staff
    • Honours and Awards for RSIS Staff and Students
    • RSIS Endowment Fund
    • Endowed Professorships
    • Career Opportunities
    • Getting to RSIS
  • Research
    • Research Centres
      • Centre for Multilateralism Studies (CMS)
      • Centre for Non-Traditional Security Studies (NTS Centre)
      • Centre of Excellence for National Security (CENS)
      • Institute of Defence and Strategic Studies (IDSS)
      • International Centre for Political Violence and Terrorism Research (ICPVTR)
    • Research Programmes
      • National Security Studies Programme (NSSP)
      • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
    • Future Issues and Technology Cluster
    • [email protected] Newsletter
    • Other Research
      • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
    • Graduate Programmes Office
    • Overview
    • MSc (Asian Studies)
    • MSc (International Political Economy)
    • MSc (International Relations)
    • MSc (Strategic Studies)
    • NTU-Warwick Double Masters Programme
    • PhD Programme
    • Exchange Partners and Programmes
    • How to Apply
    • Financial Assistance
    • Meet the Admissions Team: Information Sessions and other events
    • RSIS Alumni
  • Alumni & Networks
    • Alumni
    • Asia-Pacific Programme for Senior Military Officers (APPSMO)
    • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
    • International Strategy Forum-Asia (ISF-Asia)
    • SRP Executive Programme
    • Terrorism Analyst Training Course (TATC)
  • Publications
    • RSIS Publications
      • Annual Reviews
      • Books
      • Bulletins and Newsletters
      • Commentaries
      • Counter Terrorist Trends and Analyses
      • Commemorative / Event Reports
      • IDSS Paper
      • Interreligious Relations
      • Monographs
      • NTS Insight
      • Policy Reports
      • Working Papers
      • RSIS Publications for the Year
    • Glossary of Abbreviations
    • External Publications
      • Authored Books
      • Journal Articles
      • Edited Books
      • Chapters in Edited Books
      • Policy Reports
      • Working Papers
      • Op-Eds
      • External Publications for the Year
    • Policy-relevant Articles Given RSIS Award
  • Media
    • Great Powers
    • Sustainable Security
    • Other Resource Pages
    • Media Highlights
    • News Releases
    • Speeches
    • Vidcast Channel
    • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
Facebook
Twitter
YouTube
RSISVideoCast RSISVideoCast rsis.sg
Linkedin
instagram instagram rsis.sg
RSS
  • Home
  • About RSIS
      • Introduction
      • Building the Foundations
      • Welcome Message
      • Board of Governors
      • Staff Profiles
        • Executive Deputy Chairman’s Office
        • Dean’s Office
        • Management
        • Distinguished Fellows
        • Faculty and Research
        • Associate Research Fellows, Senior Analysts and Research Analysts
        • Visiting Fellows
        • Adjunct Fellows
        • Administrative Staff
      • Honours and Awards for RSIS Staff and Students
      • RSIS Endowment Fund
      • Endowed Professorships
      • Career Opportunities
      • Getting to RSIS
  • Research
      • Research Centres
        • Centre for Multilateralism Studies (CMS)
        • Centre for Non-Traditional Security Studies (NTS Centre)
        • Centre of Excellence for National Security (CENS)
        • Institute of Defence and Strategic Studies (IDSS)
        • International Centre for Political Violence and Terrorism Research (ICPVTR)
      • Research Programmes
        • National Security Studies Programme (NSSP)
        • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      • Future Issues and Technology Cluster
      • [email protected] Newsletter
      • Other Research
        • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      • Graduate Programmes Office
      • Overview
      • MSc (Asian Studies)
      • MSc (International Political Economy)
      • MSc (International Relations)
      • MSc (Strategic Studies)
      • NTU-Warwick Double Masters Programme
      • PhD Programme
      • Exchange Partners and Programmes
      • How to Apply
      • Financial Assistance
      • Meet the Admissions Team: Information Sessions and other events
      • RSIS Alumni
  • Alumni & Networks
      • Alumni
      • Asia-Pacific Programme for Senior Military Officers (APPSMO)
      • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
      • International Strategy Forum-Asia (ISF-Asia)
      • SRP Executive Programme
      • Terrorism Analyst Training Course (TATC)
  • Publications
      • RSIS Publications
        • Annual Reviews
        • Books
        • Bulletins and Newsletters
        • Commentaries
        • Counter Terrorist Trends and Analyses
        • Commemorative / Event Reports
        • IDSS Paper
        • Interreligious Relations
        • Monographs
        • NTS Insight
        • Policy Reports
        • Working Papers
        • RSIS Publications for the Year
      • Glossary of Abbreviations
      • External Publications
        • Authored Books
        • Journal Articles
        • Edited Books
        • Chapters in Edited Books
        • Policy Reports
        • Working Papers
        • Op-Eds
        • External Publications for the Year
      • Policy-relevant Articles Given RSIS Award
  • Media
      • Great Powers
      • Sustainable Security
      • Other Resource Pages
      • Media Highlights
      • News Releases
      • Speeches
      • Vidcast Channel
      • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
  • instagram instagram rsis.sg
Connect

Getting to RSIS

Map

Address

Nanyang Technological University
Block S4, Level B3,
50 Nanyang Avenue,
Singapore 639798

View location on Google maps Click here for directions to RSIS

Get in Touch

    Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
    RSISVideoCast RSISVideoCast rsisvideocast
      school/rsis-ntu
    instagram instagram rsis.sg
      RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    RSIS Intranet

    S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
    Nanyang Technological University Nanyang Technological University

    Skip to content

     
    • RSIS
    • Publication
    • RSIS Publications
    • Can Trust Be Verified? Managing 5G Risk in Southeast Asia
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • Commentaries
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • IDSS Paper
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers
    • RSIS Publications for the Year

    CO19092 | Can Trust Be Verified? Managing 5G Risk in Southeast Asia
    Donald K. Emmerson

    09 May 2019

    download pdf
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    Nothing can fully protect a country from secret malfeasance involving the company it hires to provide and maintain its 5th generation wireless system (5G). But certain steps can lessen the risk. One is to learn how secure the firm’s technology is; another is to estimate the chance that the laws and institutions in the firm’s home country will prevent the government there from accessing the firm’s data and algorithms without the user country’s permission.

    COMMENTARY

    Trust but verify. That mantra from nuclear-weapons negotiation discourse during the Cold War is newly relevant today. Versions of the advice are circulating among governments in Southeast Asia and elsewhere as they weigh the security risks of partnering with this or that company to install the fifth-generation telecommunications technology known as 5G.

    It is tempting to believe that a technical solution to the problem of unwanted risk exists — a clever digital tweak that will fully and permanently protect a 5G network’s users. It does not. The best one can hope for is a “good enough” balancing of faith and proof that is — arguably, not assuredly — reassuring and realistic. Characteristics of the network-offering company in its home country and of the network-purchasing government in its own country will shape the 5G seller-buyer bargain and its location. This will occur on an eventual spectrum of arrangements between the unwise and the unworkable: unverified trust at one extreme end, trust-eliminating verification at the other.

    Enter Huawei

    China’s Huawei Technologies is an ostensibly private (https://www.nytimes.com/2019/04/25/technology/who-owns-huawei.html) company founded in China’s mercantilistic state-capitalist economy by a former People’s Liberation Army engineer. Southeast Asian governments are considering whether to rely on Huawei’s technology in an upcoming 5G world.

    If a potential buyer insisted on continuous verification, Huawei would need to agree to the installation and maintenance of hardware and software designed to expunge from the system any present or future “back door” through which China’s Ministry of State Security (MSS) or the Communist Party of China (CPC) could walk.

    But even if Huawei agreed, would its software updates uphold that initial consent? Full prudence would oblige the user state to re-investigate the workings of the system whenever Huawei saw fit to alter the code. But whose investigators, employing what possibly proprietary knowledge, how thoroughly, and at whose and what expense?

    Scheduled updates aside, if and as adaptive machine self-learning becomes increasingly the norm, 5G software will be continually changing itself, potentially opening new vulnerabilities to breaching and manipulation. And even if every new back door is somehow dismantled or prevented, the MSS or the CPC could simply knock on Huawei’s physical front door at the company’s headquarters in Shenzhen to ask for access to the system.

    Fearing the  visitor and obliged to comply with the intrusive prerogatives of the state authorised in China’s National Intelligence Law, Article 7 (https://www.chinalawtranslate.com/%e4%b8%ad%e5%8d%8e%e4%ba%ba%e6%b0%91%e5%85%b1%e5%92%8c%e5%9b%bd%e5%9b%bd%e5%ae%b6%e6%83%85%e6%8a%a5%e6%b3%95/?lang=en), Huawei will open the door.

    Whom To Trust?

    Whom will you trust? And how much? Technical guardrails and patches can reduce but not remove the subjectivity of those necessary questions. In Southeast Asia, differing political and economic contexts will influence the answers. Other things being equal, governments indebted to China may feel less free to turn down Huawei. Lower-income countries may opt for Huawei because it is cheaper to do so. Poorer countries already tilted towards Beijing, such as Cambodia, may hire Huawei on both grounds.

    History will also matter. Vietnam recently observed the 40th anniversary of its 1979 invasion by China and the brief war that followed.

    Unsurprising in that context, Vietnam has granted its first 5G licence to a homegrown firm, Viettel, and is reportedly open to working with two Scandinavia-based multinationals—Nokia in Finland and Ericsson in Sweden (https://www.cio.com/article/3310197/how-is-vietnam-preparing-for-5g.html).

    Huawei, Nokia, and Ericsson are competing neck-and-neck for shares in the global market for the radio access network (RAN) equipment needed to enable 5G transmission. One analyst’s estimate of the three companies’ shares of 5G subscribers worldwide in 2023 who will be using their respective RANs has the distribution as follows: Huawei with 25 percent; Nokia and Ericsson each with 23 percent; and the remaining 30 percent split among other firms (https://www.telecompetitor.com/5g-ran-market-share-research-three-vendors-run-neck-and-neck/).

    Food For Thought About Policy Choices

    Relevant in this context is the devastating review of Huawei in the fifth annual report of the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board (https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019), released in the United Kingdom on 28 March 2019.

    Based on its investigation, the board found persisting “serious and systematic defects in Huawei’s software engineering and cyber security competence” resulting in “extensive vulnerability” and “significantly increased risk” for users.

    Huawei’s products were judged as having “no end-to-end integrity” and the firm’s software management was found “defective”. The board had only “limited confidence” in Huawei’s ability even “to understand the content” of its own products, presumably rendering the company incapable of diagnosing “identified issues” needing remedy.

    Lessons To Be Learned

    In cybersecurity, because perfection is impossible, it should not be made the enemy of the reasonably good. There is an opportunity here for governments and companies to scale up the methods that HCSEC used and the lessons it learned in the course of its experience investigating Huawei.

    Those lessons could contribute to the drafting of a checklist of tests and standards for use by Southeast Asian and other states when choosing between G5 network providers. User states could benefit further by taking into account the trustworthiness not only of a given 5G firm, but of its home government as well.

    Vietnamese officials may not have looked up the World Justice Project’s 2019 Rule of Law Index of Constraints on Government Powers (https://worldjusticeproject.org/sites/default/files/documents/WJP-ROLI-2019-Single%20Page%20View-Reduced.pdf). It ranks 126 countries by the extent to which the government in each one is held accountable within an effective framework of law that limits its power. Finland and Sweden are respectively 3rd and 4th. The UK is 11th. China is 119th.

    This is not an infomercial for Nokia or Ericsson in Scandinavia, nor for HCSEC in the UK. It is just a little food for possible thought about the policy choices that will shape the digital future of Southeast Asia.

    About the Author

    Donald K. Emmerson heads the Southeast Asia Program in the Shorenstein Asia-Pacific Research Center at Stanford University, where he is also affiliated with the Center on Development, Democracy, and the Rule of Law. He contributed this article specially to RSIS Commentary. His edited book, The Deer and the Dragon: Southeast Asia and China in the 21st Century, is forthcoming in 2019.

    Categories: Commentaries / Country and Region Studies / International Political Economy / International Politics and Security / East Asia and Asia Pacific / South Asia / Southeast Asia and ASEAN

    Last updated on 09/05/2019

    comments powered by Disqus
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    Nothing can fully protect a country from secret malfeasance involving the company it hires to provide and maintain its 5th generation wireless system (5G). But certain steps can lessen the risk. One is to learn how secure the firm’s technology is; another is to estimate the chance that the laws and institutions in the firm’s home country will prevent the government there from accessing the firm’s data and algorithms without the user country’s permission.

    COMMENTARY

    Trust but verify. That mantra from nuclear-weapons negotiation discourse during the Cold War is newly relevant today. Versions of the advice are circulating among governments in Southeast Asia and elsewhere as they weigh the security risks of partnering with this or that company to install the fifth-generation telecommunications technology known as 5G.

    It is tempting to believe that a technical solution to the problem of unwanted risk exists — a clever digital tweak that will fully and permanently protect a 5G network’s users. It does not. The best one can hope for is a “good enough” balancing of faith and proof that is — arguably, not assuredly — reassuring and realistic. Characteristics of the network-offering company in its home country and of the network-purchasing government in its own country will shape the 5G seller-buyer bargain and its location. This will occur on an eventual spectrum of arrangements between the unwise and the unworkable: unverified trust at one extreme end, trust-eliminating verification at the other.

    Enter Huawei

    China’s Huawei Technologies is an ostensibly private (https://www.nytimes.com/2019/04/25/technology/who-owns-huawei.html) company founded in China’s mercantilistic state-capitalist economy by a former People’s Liberation Army engineer. Southeast Asian governments are considering whether to rely on Huawei’s technology in an upcoming 5G world.

    If a potential buyer insisted on continuous verification, Huawei would need to agree to the installation and maintenance of hardware and software designed to expunge from the system any present or future “back door” through which China’s Ministry of State Security (MSS) or the Communist Party of China (CPC) could walk.

    But even if Huawei agreed, would its software updates uphold that initial consent? Full prudence would oblige the user state to re-investigate the workings of the system whenever Huawei saw fit to alter the code. But whose investigators, employing what possibly proprietary knowledge, how thoroughly, and at whose and what expense?

    Scheduled updates aside, if and as adaptive machine self-learning becomes increasingly the norm, 5G software will be continually changing itself, potentially opening new vulnerabilities to breaching and manipulation. And even if every new back door is somehow dismantled or prevented, the MSS or the CPC could simply knock on Huawei’s physical front door at the company’s headquarters in Shenzhen to ask for access to the system.

    Fearing the  visitor and obliged to comply with the intrusive prerogatives of the state authorised in China’s National Intelligence Law, Article 7 (https://www.chinalawtranslate.com/%e4%b8%ad%e5%8d%8e%e4%ba%ba%e6%b0%91%e5%85%b1%e5%92%8c%e5%9b%bd%e5%9b%bd%e5%ae%b6%e6%83%85%e6%8a%a5%e6%b3%95/?lang=en), Huawei will open the door.

    Whom To Trust?

    Whom will you trust? And how much? Technical guardrails and patches can reduce but not remove the subjectivity of those necessary questions. In Southeast Asia, differing political and economic contexts will influence the answers. Other things being equal, governments indebted to China may feel less free to turn down Huawei. Lower-income countries may opt for Huawei because it is cheaper to do so. Poorer countries already tilted towards Beijing, such as Cambodia, may hire Huawei on both grounds.

    History will also matter. Vietnam recently observed the 40th anniversary of its 1979 invasion by China and the brief war that followed.

    Unsurprising in that context, Vietnam has granted its first 5G licence to a homegrown firm, Viettel, and is reportedly open to working with two Scandinavia-based multinationals—Nokia in Finland and Ericsson in Sweden (https://www.cio.com/article/3310197/how-is-vietnam-preparing-for-5g.html).

    Huawei, Nokia, and Ericsson are competing neck-and-neck for shares in the global market for the radio access network (RAN) equipment needed to enable 5G transmission. One analyst’s estimate of the three companies’ shares of 5G subscribers worldwide in 2023 who will be using their respective RANs has the distribution as follows: Huawei with 25 percent; Nokia and Ericsson each with 23 percent; and the remaining 30 percent split among other firms (https://www.telecompetitor.com/5g-ran-market-share-research-three-vendors-run-neck-and-neck/).

    Food For Thought About Policy Choices

    Relevant in this context is the devastating review of Huawei in the fifth annual report of the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board (https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019), released in the United Kingdom on 28 March 2019.

    Based on its investigation, the board found persisting “serious and systematic defects in Huawei’s software engineering and cyber security competence” resulting in “extensive vulnerability” and “significantly increased risk” for users.

    Huawei’s products were judged as having “no end-to-end integrity” and the firm’s software management was found “defective”. The board had only “limited confidence” in Huawei’s ability even “to understand the content” of its own products, presumably rendering the company incapable of diagnosing “identified issues” needing remedy.

    Lessons To Be Learned

    In cybersecurity, because perfection is impossible, it should not be made the enemy of the reasonably good. There is an opportunity here for governments and companies to scale up the methods that HCSEC used and the lessons it learned in the course of its experience investigating Huawei.

    Those lessons could contribute to the drafting of a checklist of tests and standards for use by Southeast Asian and other states when choosing between G5 network providers. User states could benefit further by taking into account the trustworthiness not only of a given 5G firm, but of its home government as well.

    Vietnamese officials may not have looked up the World Justice Project’s 2019 Rule of Law Index of Constraints on Government Powers (https://worldjusticeproject.org/sites/default/files/documents/WJP-ROLI-2019-Single%20Page%20View-Reduced.pdf). It ranks 126 countries by the extent to which the government in each one is held accountable within an effective framework of law that limits its power. Finland and Sweden are respectively 3rd and 4th. The UK is 11th. China is 119th.

    This is not an infomercial for Nokia or Ericsson in Scandinavia, nor for HCSEC in the UK. It is just a little food for possible thought about the policy choices that will shape the digital future of Southeast Asia.

    About the Author

    Donald K. Emmerson heads the Southeast Asia Program in the Shorenstein Asia-Pacific Research Center at Stanford University, where he is also affiliated with the Center on Development, Democracy, and the Rule of Law. He contributed this article specially to RSIS Commentary. His edited book, The Deer and the Dragon: Southeast Asia and China in the 21st Century, is forthcoming in 2019.

    Categories: Commentaries / Country and Region Studies / International Political Economy / International Politics and Security

    Last updated on 09/05/2019

    Back to top

    Terms of Use | Privacy Statement
    Copyright © S. Rajaratnam School of International Studies. All rights reserved.
    This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
    OK
    Latest Book
    Can Trust Be Verified? Managing 5G Risk in Southeast Asia

    SYNOPSIS

    Nothing can fully protect a country from secret malfeasance involving the company it hire ...
    more info