Some thinking and advocacy on an idea that should be relegated to the dustbin of history
Announced in August 2020 by Secretary of State Mike Pompeo, the so-called Clean Networks Initiative seeks to decouple the United States from all Chinese telecommunications equipment and mobile communications technology, including mobile apps. It also extends to data servers and transmission network infrastructure like undersea cables, writes Simon Lacey.
On its face, the initiative might appear to be a comprehensive approach to network security that seeks to leave no part of the digital economy untouched. Yet although it claims to be based on “internationally accepted digital trust standards”, this claim has never been substantiated since the initiative was announced.
If the initiative were, in fact, based on international standards, it could not discriminate so blatantly against equipment and technology from one country: China. Any internationally accepted digital trust standard would have to be based on some degree of consensus, and the global consensus among cybersecurity experts is that measures based on a simple “flag of origin” approach do nothing to improve network security. As one expert, Maria Farrell, explained, “[the Initiative’s] specifics don’t add up terribly well [and] don’t speak to a good understanding of how networks function”.
The Administration’s approach also seems at odds with that of America’s own technology sector. In 2011, the Information Technology Industry Council (ITI), a trade group that unites US hardware and software companies, released its Cybersecurity Principles for Industry and Government. This document articulates 12 principles that “seek to provide a useful and important lens through which any efforts to improve cybersecurity should be viewed”.
Principle No. 2 says that “[efforts] to improve cybersecurity must properly reflect the borderless, interconnected, and global nature of today’s cyber environment”. ITI goes on to explain that policies that comply with this principle will improve interoperability of digital infrastructure by making it easier to align security practices and technologies across borders, while also facilitating international trade in cybersecurity products and services across multiple markets.
Interestingly, the ITI also refers to the World Trade Organization’s Agreement on Technical Barriers to Trade, which it notes “calls for non-discrimination in the preparation, adoption, and application of technical regulations, standards, [and] avoiding unnecessary obstacles to trade”. The Clean Network initiative as currently formulated is the exact antithesis of these principles.
The initiative also stands in marked contrast to the approach of the European Union, a major US trading partner and geopolitical ally. In early 2020, the EU announced a “5G toolbox” to guide regulators on how to secure 5G communications networks as they are being launched. By adopting the 5G toolbox, EU Member States have committed to “move forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures.”
The EU’s 5G toolbox calls on member states to strengthen security requirements for mobile networks, assess the risk profile of suppliers based solely on security grounds and objective criteria, and to ensure that the 5G ecosystem consists of a healthy plurality of competing suppliers by requiring operators to have an appropriate multi-vendor strategy (i.e. that they source equipment and technologies from at least two and ideally three or more vendors).
The EU’s concerns about 5G network security are based on the critical role that communications networks and data play in modern economies. Nowhere do the EU specifications call for the arbitrary and discriminatory singling out and banning of equipment vendors based in China.
A better approach to securing 5G networks and equipment is one developed by the global industry itself. The Network Equipment Security Assurance Scheme (NESAS) was created by GSMA, an industry organisation representing more than 750 mobile network operators worldwide; and by 3GPP, an umbrella organization of seven standards-setting organizations, which develop protocols for mobile telecommunications.
NESAS articulates many of the internationally accepted security requirements that network equipment vendors must comply with, and it lays out a blueprint for independently verifying compliance with ISO requirements. Nowhere is there any provision for excluding a product simply because the company that manufactured it happened to be headquartered in a country that has fallen out of favour with the United States executive branch, or with certain members of Congress.
The Clean Network initiative actually makes it less likely that the United States will adopt any of the demonstrably effective steps it could take to improve network security. These steps require a multi-stakeholder approach and the active participation of all ecosystem players – including equipment vendors, operators, regulators, businesses, and even individual users.
As commentator David Morris has also pointed out, the current unilateral approach being pursued by the Trump administration risks undermining international cooperation and abandoning the rules-based system of international trade cooperation that the United States has traditionally championed. This is a bad idea, best relegated to the trash heap of history and replaced with more collaborative, more effective approaches that will actually enhance the security of the world’s communications networks.
About the author
The author is Senior Lecturer in International Trade at the University of Adelaide and previously served as Vice-President Trade Facilitation and Market Access at Huawei Technologies in China.
Originally published as an opinion piece in EUREPORTER on 16 October 2020.