Huawei has been defending its “trustworthiness” amid comments from Germany’s spy chief, though the country’s government has already drafted new security guidelines allowing the Chinese equipment maker to supply equipment for Germany’s future 5G network.
Bruno Kahl, head of the German Federal Intelligence Agency, claimed that Huawei can’t be fully trusted. In response, Huawei Germany issued a statement repeating that it is independent of China’s Communist Party and has a good track record working with network operators worldwide.
In an ironic twist, German authorities drafted new security guidelines issued on October 15, calling for would-be suppliers to 5G network operators to submit a document self-declaring their trustworthiness, a similar sentiment to Huawei’s statement.
Equipment vendors, such as Huawei and ZTE, would produce the document confirming that they are not obliged to reveal personal data, equipment design, or any other critical information to third parties.
“Certain telecommunications providers and network operators with increased risk potential may only use certain critical system components if they have been purchased from trusted sources,” Michael Reifenberg, a representative for the German regulatory office, the Federal Network Agency (FNA), told TechNode by email.
Reifenberg referred to the trustworthiness document as a “no-spy declaration” for dealings between equipment suppliers, such as Huawei, and network operators, such as Deutsche Telekom. Operators would then submit the declaration to the FNA. The document binds the supplier or manufacturer with the network operator in case of data breaches, meaning that they will bear joint liability in case of a leak.
“It is the weakest link in this entire document,” said Jan-Peter Kleinhans, Project Director of Security and the Internet of Things at Stiftung Neue Verantwortung, a think-tank in Berlin. The certification will be based on technical standards, but the vendors’ declaration of trustworthiness “is not double-checked by [cybersecurity agency] BSI, it is not evaluated. It is not enforced, there are no sanctions,” he said.
“Details of the implementation are not yet specified,” Reifenberg said. When a declaration is breached, the Agency “may give orders, take other measures to secure compliance and may set penalty payments” on an ad hoc basis, he said.
The draft guidelines also provide for the certification of 5G network equipment, which will be issued by Germany’s cybersecurity authority, known as the Federal Office for Information Security.
Regulators have yet to decide whether the certification, based on an upcoming technical guideline, will be a mandatory process for suppliers.
Germany is one of many countries worldwide facing pressure from the US to exclude Chinese firms from the development of 5G networks. Washington claims that Chinese vendors have a close relationship with the government, which may force them to turn over critical information.
Back in May, US Secretary of State Mike Pompeo issued a veiled threat during an official visit to Berlin, saying there is “a risk we will have to change our behavior in light of the fact that we can’t permit data on private citizens or data on national security to go across networks that we don’t have confidence (in).”
“Hostile third countries”
Days before Germany released the guidelines, the EU Commission released a risk assessment on 5G, warning “hostile third countries” against colluding with 5G equipment vendors to conduct cyberattacks on member states. But the German agencies which drafted the security catalog are not trained to account for political risk: “in the eyes of the BSI, the origin of the vendor doesn’t matter,” said Kleinhans.
“In a way, you are asking the wrong question to the wrong person,” he said. “You have two completely technocratic agencies that are very much focused on technical aspects, drafting a technical document, which suddenly the world and some Germans included, expect that will have geopolitical impact.”
This is in line with Angela Merkel’s overall approach to the security of 5G, which has “pushed the debate into the technical realm,” Kleinhans said. Analysts say that Merkel’s government is trying to protect Germany’s industrial prowess, which relies heavily on access to the Chinese market.
The guidelines have caused controversy within the German Parliament, not only because of the content. The draft needn’t be voted on by parliamentarians before it is enacted, since it is not a new law but an updated version of technical guidelines created by the responsible agencies.
“A question of such strategic meaning should not be being decided at the administrative level,” said Norbert Röttgen, a member of Merkel’s party, the Christian Democrats.
The draft will be open for public comment until 13 November 2019.
