July 16, 2019

Article at Keep Calm Talk Law


Cybersecurity, Huawei, and the Race to 5G


Dena Anee (Regular Writer)

How many others have access to [our] data and what decisions are being made with this data? No one really knows. We just don’t know.
Rebecca Herold

In 2016, around two-thirds of UK businesses reported cybersecurity breaches and attacks. As a result, there has been a concerted effort by the UK government to implement stringent regulations and measures to deter cyber-attacks and to protect businesses from suffering financial losses and intellectual property thefts. In the same year, the UK government announced a five-year £1.9 billion cybersecurity strategy to combat a number of cyber-attack threats and to help ‘make the UK the best protected country in cyberspace’. The government further highlighted its commitments by establishing the National Cyber Security Centre (NCSC) in October 2016. However, despite these measures, the industry continued to struggle: in 2018, 43% of UK businesses and one in five charities had fallen victim to cyber-attacks.

But concerns about online security, perhaps highlighted by the number of cyber-attacks in recent years, point to demand for more effective reforms. The introduction of the General Data Protection Regulation (GDPR) in 2018 was a reasonable legislative step which demonstrated more considerable efforts to tackle various areas of policy in need of reform. The first of these policies is data security; the GDPR imposes stringent rules and measures with respect to data breaches, and businesses that fail to comply face consequences: stiff fines and reputational damage.

However, while the introduction of such legislation is a step in the right direction, in today's digitally connected world, mitigating the risks – against malware, crypto-jacking, identity theft, and data breaches – is not an easy task. At first blush, affirmative steps ought to be taken to ensure our national infrastructure is less susceptible to cyber-attacks. Indeed, adding further components and equipment could create opportunities for higher risks and disruption to the UK's national infrastructure.

It is no surprise, therefore, that the UK's recent decision to use Huawei Technologies Co. Ltd (Huawei) to help build part of the UK's 5th generation (5G) network has received a relentless barrage of criticism and condemnation from some of Britain's close allies. The UK's plans for rolling out 5G – one area targeted for special attention in its 2017 Digital strategy – are set to deliver a beneficial economic role in fulfilling Britain's aims in developing a ‘world-leading digital economy’. However, the implications of using Huawei to enforce these plans could not be more profound.

In light of the above, this article will examine the concerns and risks that could be faced by the UK's infrastructure from the use of Huawei components for its 5G deployment. It will also ultimately consider whether the use of Huawei could pose a significant existential threat to the long-term security of Britain, and the implications that such issues could have for the legal industry.

Huawei and the race to 5G

In 2018, the Chinese President, Xi Jinping, announced his plans to turn China into a ‘cyber superpower’. The strategy would enable China to lead in emerging technologies such as artificial intelligence (AI) and 5G. However, for China the road to achieving these plans, so far, has been strewn with obstacles.

In 2018, the US commenced a trade war with China by imposing hefty tariffs on Chinese products being imported into the US, causing China to also retaliate by increasing its own tariffs on US goods. In the same year, the US placed the Chinese hardware firm ZTE on a blacklist to prevent the company from using American intellectual property (the impact of which can be seen in the 39% decline in the value of ZTE shares). In May 2019, the US imposed a ban on the Chinese telecommunications giant Huawei, restricting the company from purchasing American components without first obtaining a licence from the US government.

The US’s intention behind these critical decisions goes beyond attempting to mitigate the risks of cyber-espionage or to protect America's infrastructure: it is about the US using economic pressure to limit China’s ambitious plans. It seems clear that the US views Huawei as a potential linchpin, helping China to achieve its plans of becoming a 'cyber-superpower'. Indeed, the fact that Huawei is a leading 5G provider rests at the core of the current Huawei cybersecurity problem.

Huawei, founded in China in 1987, is the world's leading telecommunications equipment provider for the 5G networks. 5G – which is set to be the next generation of wireless mobile technology – will be built upon the ‘Internet of Things’ (IoT). The IoT – an infrastructure which interconnects physical and digital entities – is set to deliver greater network speeds, reduce delays between the transfer of data (latency), and help the development of 'smart cities' (an initiative that uses technology to help enhance the quality of living for citizens).

The most salient motivation for concern is the fact that the IoT will enable Huawei to embed its components in networks, thereby giving Huawei access to an unimaginable amount of data and information. Vodafone Group Plc (Vodafone), Europe's largest phone company provider, identified vulnerabilities in the use of Huawei equipment, such as the potential existence of ‘hidden backdoors’ in Huawei devices. These 'backdoors' could lead to cyber intrusion by Huawei, which would allow Huawei to bypass security controls and gain unauthorised access to computer systems or encrypted data.

These concerns were further reinforced in a report produced by the Oversight Board of the UK's Huawei Cyber Security Evaluation Centre (HCSEC). This critical report revealed that:

significant technical issues have been identified in Huawei's engineering processes, leading to new risks in the UK telecommunications networks.

However, the installation of Huawei's equipment is not the only reason to perturb regulators concerned about security risks. There remains another reason for attention: Huawei's proximity to the Chinese government. This, in part, has been at the crux of the debate for some members of the 'Five Eyes' intelligence alliance, such as Australia and the US, who fear that using Huawei to build their 5G infrastructure could expose their networks to espionage and data tracking. However, Britain remains optimistic that it has a plausible cybersecurity model which could ‘mitigate these risks’. Huawei has also signalled its willingness to sign a ‘no-spy agreement’ with Britain to dispel any concerns.

However, there is also a further underlying issue regarding this. Every manufacturer that enters into a contract and purchases Huawei components or equipment will need to consider the long-term risks to their customers. Indeed, mobile operators, EE and Vodafone, have already taken a firm stance against using Huawei until further assurances are in place. If nothing else, this illustrates that Huawei still has some way to go to demonstrate that it can be trusted.

The challenges to law firms and companies

For now, the issue is not solely whether Huawei should be allowed to build part of Britain's 5G infrastructure; rather, it is the increased potential of organisations being marred by cyber-attacks as a result of the ubiquity of IoT devices.

The burgeoning risk of cybercrimes arising from new telecommunications equipment will be of critical concern for many law firms. International law firms should be most concerned due to the vast amount of client information (such as details about potential mergers and acquisitions) and intellectual property they hold and operate with on behalf of clients, which cybercrime hackers and groups would steal to generate business ventures. In 2017, DLA Piper was one of the many organisations attacked by the ransomware ‘Petya’, which cost the firm nearly $2.25 million in IT fees to recover. But it's not just the financial losses law firms are concerned about; there is also the risk of reputational damage. In 2016, Mossack Fonseca, a Panama-based law firm, decided to permanently close its doors following a global cyber-attack on the firm which led to the leak of a trove of information about its clients to media organisations, otherwise known as the ‘Panama Papers’.

For companies, the protection of their data from unauthorised access is of paramount importance to themselves and their employees. The provisions imposed by the GDPR are one facet which aims to mitigate the risk of a data breach arising from emerging technologies, such as IoT and AI. As such, the foundations of the GDPR should remain consistently embedded in organisations to ensure clients and their employees are aware of the grave consequences in the event of a data breach.

Commercial Interests

Despite the apprehensions mentioned above, there remains a positive avenue for consideration: the commercial benefits Huawei could offer to Britain's economy. A study commissioned by The Oxford Economics revealed that Huawei supported 26,000 jobs and contributed £1.7 billion to Britain's GDP. But it is not just these rosy statistics that could impact Britain's economy. If Britain wants to deliver on its 2017 Digital strategy and fulfil its aims of a 5G rollout, restricting the use of Huawei's telecommunications equipment could cost the UK economy an estimated £6.8 billion.

Moreover, the long-term delays of 5G rollout play an equally significant role. Faster is always better and the deployment of 5G will be critical in improving connectivity across various industries. The UK has yet to decide whether to formally ban Huawei from helping build its 5G network. Such action will nonetheless come with costs for all.

Protecting our data

The challenges ushered in by cybersecurity are not entirely novel, but today's digitally connected age presents new complexities to the UK's infrastructure. The government will play a vital role in continuing to ensure that our infrastructure is resilient to cyber threats and attacks. Whilst the rollout of 5G will offer several benefits to the UK's digital economy, the magnitude of future cyber risks could potentially outweigh these benefits.

It is necessary to assume stable management against any potential telecommunications threats. While the concerns regarding Huawei offer enough motivation for stricter cyber-security rules, some may question whether there remains more to be done to ensure strategic measures are in place to alleviate any potential vulnerabilities. For now, it remains unclear whether using Huawei to build the UK's 5G infrastructure could create security risks for Britain in the long term. Only time will tell.
