Trusting ICT Providers – Can Corporate Cyber Confidence-Building Measures Help?
Publication Type:Journal Article
Source:Connections: The Quarterly Journal, Volume 20, Issue 2, p.21-31 (2021)
Keywords:cyber confidence-building measures, cyber risk, ICT infrastructure, supply chain security, trust
Abstract:Trust in cyberspace is essential for increasing security and even more important when nations rely on private companies to develop, construct, maintain and operate their Information and Communication Technology infrastructures. This article proposes a redesigned form of Cyber Confidence-Building Measures to achieve this goal by including the private sector as a peer actor. Nations can use this method to vet their potential suppliers, so they may reduce their risk perception and establish and maintain a trustful relationship with them.
Nations need to trust or ban a vendor from building their Information and Communication Technology (ICT) infrastructure and services. In a world where private companies almost exclusively wield both the technical expertise and means to develop, operate, and maintain the ICT structure, nations increasingly depend on the private sector. As it is impossible to determine the integrity of supplied software or hardware, trust between customer and supplier is paramount, mirroring the classic trust issues between citizens, government, and corporations. A nation will choose a company it trusts to protect its interests against security-related risks. It will continue to assess the ICT providers on their trustworthiness and transparency. In a situation where a nation may not have trusted options available, it must settle on a company nonetheless. The Prague Proposals of 2019, the results of an international conference on 5G security, acknowledge this as one of the most important policy-related security risks in managing a nation’s IT infrastructure. This task is critical and increasingly complex, especially when one of the most prominent candidates, Huawei, is under suspicion of being controlled by the Chinese Communist Party (CCP).
The focus of this article is to propose a way to build trust by drawing upon the lessons learned from the Huawei challenge. Specifically, this article presents a way forward for distrusted nations and companies alike by proposing an adjusted form of Confidence-Building Measures (CBMs) to promote trust and reduce the risk perception of their potential customers. For customer nations, it could offer assurance in selecting a suitable ICT provider, while for suppliers, it provides the possibility to prove their transparency and independence from other actors. In a post-trust world, this kind of transparent and proactive communication could help rebuild trust and prevent a breakdown of communication between actors from rivaling political systems.
The Case of Huawei
Huawei is a leading ICT company that has grown through substantial state subsidies and preferential treatment for China’s domestic market. Huawei’s status as a “national champion” of a high-profile industry such as ICT  enabled it to become the world’s largest telecom equipment and second-largest smartphone manufacturer.
Huawei claims to be a private company, yet its internal organization differs from the classic understanding of one. Huawei’s prime argument is that the company’s employees are also its owners, with nearly 87,000 shareholders voting for the Representative Commission. This Commission elects the Board of Directors and Supervisory Board, which then elect the Executive Committees.
While true to a degree, the company’s representation leaves out crucial details regarding its ties to the CCP, the most important being that 99 % of the shares are not owned by its founder or the employees but by the Huawei Investment & Holding Trade Union Committee (TUC). Furthermore, the Huawei Investment & Holding TUC is ultimately answerable to the All-China Federation of Trade Unions, whose head sits on the Central Political Bureau of the Chinese Communist Party (CCP). Another factor to consider is the involvement of the CCP in the company, as evidenced by the current Chief Ethics & Compliance Officer being a party secretary.
Chinese state-owned banks also treat Huawei similarly to state-owned companies. For example, the China Development Bank, which is under the control of the Chinese government and the biggest holder of loans worldwide, is the main funder of Huawei. A risk profile from 2018 shows that Huawei also received billions of dollars in funding from several state banks in China. The 2018 arrest of Huawei’s Chief Financial Officer, who was in possession of eight different passports, including a “public affairs” passport usually reserved for state-related officials, casts further doubt on the asseverations of independence.
Adding to the distrust is China’s use of cyber espionage. Critics claim that China is incapable of differentiating between the political-military espionage conducted by every nation and large-scale, economically motivated theft of intellectual property against economic rivals. To make matters worse, the CCP shares the results of its ill-gotten gains with Chinese companies to further provide them with economic advantages besides its generous state subsidies. State support is arguably what made Huawei successful, as it allowed Huawei to expand rapidly and undercut competitors.
Another concern involves China’s ability to compel companies to cooperate with its intelligence services. The 2017 Intelligence Law contains articles interpreted as a way for Chinese intelligence services to either access Huawei ICT itself or force the company to cooperate. In particular, Article 7 gives cause for scrutiny. China has assured that Article 7 is misunderstood and poses no security risk. In response, Huawei tasked a Chinese law firm to confirm this, but critics have pointed out that legal assessments do not adequately address the concerns. At the moment, it is reasonable to assume Huawei’s non-compliance with Article 7 would hurt its standing with the CCP.
In an effort to strengthen confidence in the company, in 2019, Huawei’s chair offered to sign a “no spy agreement” with the United Kingdom, Germany, and India. However, this offer failed to gain other countries’ confidence because Huawei does not behave like a private corporation. For example, Huawei states that it does not intend to go public due to moral reasons. Seely, Varnish, and Hemmings  suspect that the real reason may include “legal requirements to report company structure, auditing data, and financial statements relating to cash flow, equity, and balance sheets to the public, to public shareholders, and to authorities such as the US Securities and Exchange Commission.” Additionally, Seely and colleagues  note that the “absence of cooperation agreements on security, or similar arrangements, such as adequacy decisions, as regards data protection” are signs of risk concerning Chinese technology firms under the given context.
A growing number of nations have banned Huawei equipment in their networks, citing risk concerns with Huawei’s close ties to the CCP and fears of surveillance. Currently, the United States, the United Kingdom, Japan, Taiwan, Australia, New Zealand, Sweden, the Czech Republic, Denmark, Estonia, Guernsey, Jersey, Latvia, Poland, and Romania are among the countries banning Huawei. Developing countries seem to be less wary of the security risks. In most cases, this is related to the simultaneous granting of loans and other forms of assistance offered by Chinese state-owned organizations, helping developing countries to overcome the barriers to technology acquisition.
The Gap: Cyber Confidence-Building Measures
In the absence of universally binding regulations, nations use CBMs, originating from regular arms control norms, to build trust between each other in cyberspace. To date, there are no internationally universally recognized and binding norms of acceptable behavior in this realm. The international community agreed that existing international laws, such as the Charter of the United Nations (UN), apply in cyberspace. However, there is division over the question of how to apply and enforce these laws to specific cyber operations. This is in part because existing laws were not designed with cyber activities in mind. Another reason is the lack of consensus among nations on the terms and definitions necessary to formulate acceptable binding regulations. This is often because of a lack of trust or goodwill to compromise with opposing nations due to the high-risk perception towards trusting actors holding different values than oneself.
CBMs are intended to reduce risks or the perception of risks by building trust and improving the relationship between the participating nations. Cyber CBMs (CCBMs) aim to establish stable international relations and a common understanding of acceptable state behavior in cyberspace. They encompass information exchanges and cooperation between nations to combat illegal cyberattacks of various forms. Due to their origin in classical arms control, international actors can also constitute CCBMs as bilateral or multilateral agreements. They increase the overall feeling of security among nations by demonstrating the good intention of all participants. CCBMs can also facilitate an exchange of respective working methods and practices, as well as mutual expectations concerning behavior. Since norms reflect the standard behavior expected by nations in cyberspace, CCBMs and norms often complement each other.
CCBMs are designed for interactions between state actors; therefore, they are not currently applied to state-to-non-state actor interactions. Most experts agree that CCBMs must also take the multi-stakeholder nature of the cyber domain into account, which includes private corporations, amongst others. However, traditional international and regional organizations, such as the UN and the Organization for Security and Co-operation in Europe (OSCE), which primarily focus on state relations, are the entities mainly developing CCBMs and cyber norms. While this makes sense for CBMs, where states are the sole wielders of military and nuclear power, it falls flat in cyberspace. Here, the power, by design, does not rest with the states alone but also with technology companies, which develop and operate most of the critical infrastructure, such as 5G networks.
Proposal: Evolution of CCBMs to Include Non-state Actors
An article by Hitchens and Gallagher compared the progress achieved by both the UN Group of Governmental Experts (GGE) and OSCE on norm-building and CCBMs in April 2019. It made two points of value for this article. First, the authors emphasized the importance of the relationship between a nation-state and non-state actors, focusing on information sharing and risk assessment. Second, they recommended an increase in participation of stakeholders to include “companies that own or operate key parts of the ICT infrastructure … along with some private-sector cybersecurity service providers,”  paralleling recent statements by the OSCE and UN GGE. Both nation-states and non-state actors, such as private companies, need to take part in developing and applying CCBMs.
The reasons given for the current lack of ICT industry involvement in CCBM development are “lack of government understanding of the cyber-sphere, heavy-handed regulation and the efforts of national security organizations to compromise private sector tools and networks for their own uses.”  Hitchens and Gallagher, in the tradition of classic CCBMs, call for better cooperation to improve the integration of private companies. However, this article proposes a different interpretation of the circumstances described in this quote. It is exactly the lack of government understanding of the cyber-sphere that puts companies in an advantageous position to compromise a state’s attempts to regulate cyberspace. Therefore, nations should be interested in making ICT providers more than just stakeholders in the CCBM process; they should endeavor to make them subjects on equal footing.
The NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) differentiates between two sets of CCBMs. One is a demand-driven model, where norms for acceptable behavior in cyberspace trigger the development of concurrent CCBMs, which result in increasing cyber capacities. The other is a supply-driven model, which sets advancing cyber capacities, often developed and implemented by non-state actors, as the trigger to develop “concrete cooperative CBMs between all stakeholders.”  These CCBMs result in new norms being formulated to guide nations on how to use the new capabilities.
Pawlak intended to use non-state actors to improve inter-state relations, but the distinction between the different models of CCBMs is valuable for this article. This article argues that with the development of groundbreaking technologies in cyberspace, such as 5G, there is a need to develop CCBMs to reduce the risks perceived by stakeholders. As seen in the current debate about Huawei’s inclusion or exclusion in the 5G networks of several countries, these groundbreaking technologies, yet to be fully developed or even understood, are ripe for exploitation.
As described in the 2019 Prague Proposals, a risk assessment needs to cover both potential technical and non-technical threats posed by a supplier. Issues such as the legal environment of its origin nation, the form of governance, and security cooperation all need to be accounted for. The Charter of Trust (CoT)—a consortium of technology companies calling for binding rules and standards—offers an interesting approach to creating trust amongst ICT suppliers. It focuses on supply chain management and has a very important statement for the case in this article: “The CoT partners also believe that no undocumented functionalities or possibilities for remote connection should be part of initial device setup; another aspect that is not yet a general rule today.”  It acknowledges that not only companies but also governments could come into a situation where the inherent risks of ICT require the establishment of rules concerning identity and access management.
There is an emerging trend to include actors beyond nations in regulating the cyberspace, but the inclusion of non-state actors so far is limited to advisory or feedback roles. The idea to make the private sector a counterpart to a nation under the conditions of a CCBM represents a new approach, which was only recently alluded to in a report by the Global Commission on the Stability of Cyberspace (GCSC) in the form of norms for cyberspace for both states and non-state actors.
As outlined in the previous section, a deep lack of trust hinders potential business between Huawei and several nations. Huawei’s Position Paper on Cyber Security shows the company is acutely aware of this, as it dedicates an entire chapter to addressing its “business independence.” The company even declared its willingness to sign a “no spy” agreement and would rather shut down the company than infringe on customer privacy and security. However, this declaration will do little to convince critics as it is a publicity statement and does not actively build trust, which is exceedingly difficult once lost. The supply-driven model mentioned earlier comes into play here. As the new technologies offered by Huawei are perceived as risky, stakeholders like interested nations should develop CCBMs to deal with them.
Next, this article will examine the Huawei Cyber Security Evaluation Center (HCSEC), which tests Huawei’s equipment and discerns risks in software or hardware, as a potential basic model for more advanced measures. The HCSEC was established in 2010 and staffed by Huawei, with the UK’s National Cyber Security Centre (NCSC) acting as a direct counterpart to the company. The HCSEC oversight board is chaired by the CEO of the NCSC and includes a Huawei senior executive, several UK government officials, and experts from the private sector. Since 2014, the oversight board has produced annual reports, including an audit to show its ability to operate independently of Huawei Headquarters. The HCSEC aims to “demonstrate an increase in Huawei’s technical capability” and software engineering. However, it also aims to “continue to provide assurance to the UK Government by ensuring openness, transparency and responsiveness to Government and UK customer security concerns,”  which aligns with the concept of a CCBM. But the review of technical capabilities alone does not address the root of the problem.
In the case of Huawei, the center rather needs to deal with the issues of actual ownership, independence from the influence of the CCP, and the Intelligence Law of 2017. These questions trace back to Huawei’s country of origin, which again corresponds to the risk assessments outlined in the Prague Proposals. While the HCSEC reported having found no evidence of the Chinese state’s involvement with the discovered technical deficiencies, this did not convince critics. If one believes Huawei collaborates with the CCP and Chinese intelligence services, an apparent lack of installed technical backdoors will be insufficient proof. Given the rapidly developing technology, the code could later be tampered with via updates. An undisclosed relationship between Huawei and Chinese intelligence services is a major roadblock to building trust.
This article acknowledges that Huawei would most likely not agree to the CCBMs, despite their claims towards transparency. However, this is not the point this article tries to make. Instead, it proposes to adjust and apply the supply-driven model as a general measure embedded in a country’s selection process for ICT providers. CCBMs hold the promise to build trust between nations and ICT companies and contribute to security in cyberspace by establishing norms of transparency.
Recommendation #1: First, nations should build their own independent Corporate CCBM (C3BM) agencies, staffed and led by government experts in the ICT field. These institutions would have the mission to vet potential suppliers of national key ICTs and assess the risk associated with them. They should subsequently develop adequate C3BMs to counter the risks identified in each company. If interested in doing business with a nation, an ICT company must then abide by the measures to build up the trust to be accepted as a supplier. An added benefit of using a C3BM is that the review results could be shared with other nations, thus reducing the redundancy for ICT companies. Countries that are unable to create their own agency can use the C3BM reports of other nations as a baseline for their ICT contracts. Alternatively, several nations could pool their resources and create a C3BM agency at a regional level. Here, they should synchronize their expected transparency standards and develop unified conditions for business with private companies.
In the case of Huawei, a C3BM agency could identify the risks discussed earlier and develop matching measures to address them. One approach could be the condition for Huawei to implement transparency measures equal to its European competitors Ericsson and Nokia. As illustrated by a recent Strand Report, these competitors outclass Huawei in both financial and technological transparency. This includes transparency for third-party code use, which is an additional security issue of Huawei’s underlying software platform, as it is notoriously hard to verify. Another C3BM could be the concept of establishing a national branch of Huawei as a completely separate entity with shared ownership between Huawei and a domestic private or state-owned company, with the servers based inside the nation.
Recommendation #2: Nations should propose this new and expanded definition of CCBMs to international and regional organizations so that non-state actors are recognized as active partners for nations and subjects to CCBMs. An international organization, such as the UN, could be reluctant to accept the idea of non-state actors becoming equal counterparts to nation-states. However, regional organizations, such as OSCE and the Organization of American States, should be more accepting of non-state actors since many confidence-building mechanisms are established at the regional level.
If such organizations begin accepting this expanded definition of CCBMs, it will lend legitimacy to the concept. This would motivate private companies to adapt to C3BMs and prepare accordingly before approaching nations to conduct business with them. As nations move toward the 4th Industrial revolution, there will be an ever-expanding dependence on the private sector for developments in AI, surveillance, biotechnology, and quantum computing. These emerging technologies will pose other future challenges and risks yet to be defined or conceptualized. Since many of these technologies are dual-use, meaning they have military and civilian applications, there is an even greater need to start building trust between nations and the private companies developing the technologies.
The views expressed are solely those of the author and do not represent official views of the PfP Consortium of Defense Academies and Security Studies Institutes, participating organizations, or the Consortium’s editors.
Connections: The Quarterly Journal, Vol. 20, 2021, is supported by the United States government.
About the Author
Matthias Klaus is an international security and risk analyst. With experience as a squad and platoon leader and instructor in the German Armed Forces, Matthias joined the Master of Arts in International Security Studies (MISS) program, delivered jointly by the George C. Marshall Center and the Universität der Bundeswehr München.