TechNationalism: Cybersecurity at the Intersection of Geopolitics
Security concerns have become a key driver behind government decisions to ban foreign technologies or vendors, impose severe and costly technical requirements, and limit foreign investments in sensitive technologies. Under the banner of TechNationalism, the security of information and communications technology (ICT) and global supply chains has become an issue of high politics among national policymakers. Reverberating from these geopolitical tensions, as well as technical security concerns, restrictive domestic policies have complicated global supply chains and enhanced discussions about ICT trustworthiness and dependence on foreign suppliers. The COVID-19 pandemic has exacerbated governments' protectionist tendencies regarding supply chains, resulting in similar policy discussions in adjacent sectors such as the pharmaceutical industry.
Against the backdrop of several years of worsening U.S.-China relations, the discussion has centered mostly around 5G technologies sold globally by Huawei, a China-based telecom equipment manufacturer. Offering 5G technology at a fraction of the price of its few remaining competitors, Huawei has been accused of receiving extensive support from the Chinese government and allegedly benefiting from theft of technology from competitors.
The broader picture, however, is more complicated. In addition to 5G, technologies such as semiconductors, Internet-of-Things (IoT), cloud computing and artificial intelligence are key to a state’s economic well-being and military power. Globalization has created complex, global supply chains with components manufactured and assembled by hundreds of suppliers across continents and countries. Ensuring trustworthiness in this web of contractors and subcontractors has become a defining challenge in securing ICT—including software, hardware, components, devices, services and data—and its supply chains.
The EastWest Institute’s report, Weathering TechNationalism: A Security and Trustworthiness Framework to Manage Cyber Supply Chain Risk, outlines a framework to address ICT trustworthiness while enabling trade, competition and innovation by using objective, risk-informed measures to address security concerns on three levels: individual buyers, the ICT industry and the wider ecosystem. Taking a risk mitigation approach, the framework serves as a basis for much-needed discussions to ease current tensions among major powers on emerging technology issues and to steer away from current policy developments that run the risk of fragmenting cyberspace and decoupling global ICT supply chains. Siloed ICT ecosystems would not only undermine trade and innovation, but likely have adverse effects on global security.
Following the report’s release in English and Chinese, the EastWest Institute organized two virtual roundtables in May and June with 50 experts, including current and former government officials, corporate executives, industry experts and academics from Canada, China, Germany, India, Japan, Malaysia, Turkey, the UK and the U.S., to discuss the current state of TechNationalism and a way forward. The paragraphs below summarize key arguments made by speakers and participants during the roundtable discussion.
5G Drives TechNationalism
Rollouts of next-generation communications infrastructure—viewed by many as the most significant build-out of critical infrastructure since the Internet—are the main driver behind current policy controversies. While there is a shared emphasis on 5G security, the approaches that countries and operators have taken to mitigate threats from these emerging technologies vary in significant ways.
The U.S. government has extensively studied how an adversary might undermine U.S. national security by exploiting 5G technology and has thus decided to tie 5G security to trade to approach national security in a holistic manner. While the U.S. government in principle takes a risk-informed approach to manage 5G security, reservations remain regarding the verification and management of trust in complex, global supply chains. To address long-standing complaints regarding foreign companies’ unfair advantages, the U.S. will continue to use policy levers to manage foreign threats to support its interests and keep vendors that are deemed a threat from doing business in the United States and with U.S. entities. Similarly, India’s largest telecom network operates without Chinese equipment due to national security concerns.
Putting clear, risk-informed criteria front and center, Germany’s government is in the process of drafting the IT Security Act 2.0, legislation that will outline requirements for 5G technology deployments. Germany wants to avoid political discussions over banning vendors and focus on setting forth objective, transparent technical criteria with stipulations for vendor diversity in critical infrastructure sectors. Diversity of vendors is critical to maintaining market competition; a potential ban would have the opposite effect and increase the dependence on a small number of ICT suppliers. One participant noted that a leading Asian telecom carrier is successfully deploying a mix of equipment in their networks to maintain vendor diversity and address operational pressures created by geopolitical tensions over 5G.
Focusing on application, Malaysia’s government—in close cooperation with industry partners, local telcos, airports and hospitals—established a test-bed on the island of Langkawi to study the application and security of 5G technology. This effort is accompanied by a government working group preparing technical deployment guidelines and a government-run 5G security test lab with a revised 5G rollout set for 2022 to account for changes in the nation’s spectrum allocation.
Markets Fail to Produce Security
The roundtable’s experts agreed that supply chain security and dependency on foreign suppliers are broader than 5G. States should not rely on a few suppliers for strategic ICT deployed as critical infrastructure, which the U.S. is forced to do after erroneously relying too much on global markets to produce secure ICT. To compensate for these shortcomings, like-minded states need to jointly draft technical standards and interoperable solutions, and U.S. industrial policy should ensure markets produce competitive solutions. Several experts noted the need for greater industry-level transparency to ensure ICT trustworthiness. Others pointed out that trust centers, as operated by Microsoft, Huawei and Kaspersky, can open corporate doors for buyers and independent evaluators to assess a vendor’s security practices and trustworthiness.
While many experts welcomed the report’s practical framework and its overall recommendations, several noted the significant challenges and efforts in implementing the measures in the industry. One expert argued that current incentives are pulling the industry in the opposite direction of good security practices and hence, new incentive structures are needed for ICT firms to take security seriously.
Countries Caught in the Middle
Several experts suggested that many countries, from Singapore to Canada to India, find themselves caught in the middle of U.S.-Chinese tensions over 5G. Making important investments in their country’s digital future is riddled with geopolitical obstacles and increasing pressures from great powers to pick sides or potentially face withdrawal of support or cooperation, such as the sharing of intelligence.
Great powers should be careful with attempts to force smaller nations to choose, as they may be surprised by the outcome. While two Singaporean telecom consortiums recently decided not to use Huawei as their 5G network equipment supplier, it would be false to conclude that the Chinese ICT giant was given the boot. In fact, Huawei remains a key technology provider for Singapore’s Smart Nation initiative. With the exception of Vietnam, which has been working on an indigenous 5G solution, most ASEAN countries are caught in the middle and are trying to balance the geopolitical disparity.
Misperception as a Major Barrier to Trust
Trust as a precondition to get security right has been a recurring theme throughout the roundtables and the topic was linked strongly to current misperceptions between China and the U.S. From the Chinese perspective, the ongoing controversy around Huawei is seen as unreasonable. In the West, Huawei, a privately-held international company that follows local laws, is vilified as a Chinese threat. Standards and operational procedures to ensure technical security in systems, as well as laws and norms to regulate the behavior of corporations and states, provide additional pillars for trust and security. Trust between countries and multinational tech firms must be strengthened, but perception is critical to assess risk accurately and take mitigation measures.
Agreement Among Fierce Competitors Will Clear Path for Trade and Security
The issues of trust and security are not new to international trade, but the implementation of TechNationalism measures is a concerning path as it accelerates these issues and hampers trade. While countries are trying to find multiple ways to maintain their sovereignty in the digital age, many have engaged in misguided efforts that have created significant trade barriers. From an international trade perspective, such barriers must be minimized so that companies can deploy their technologies of choice, while governments address legitimate national security concerns with targeted, narrow measures. The Digital Economy Partnership Agreement, signed by Singapore, New Zealand and Chile, is exemplary for addressing digital trade issues with a modular approach. Some participants noted the Chinese position that trade policies should be non-discriminatory and all products treated equally as long as companies abide by the local laws of the countries in which they are operating. Others countered that China’s long-standing trade policy restricts market access of U.S. tech companies in China. Despite the ongoing geopolitical tensions, there is still a path for competitors to reach balanced trade agreements, while also accounting for security.
Several participants noted that the current geopolitical tensions created by markets are worrisome, yet technology-driven controversies are not new, but rather reflect the strategic nature of ICT. Solving the challenges that arise from TechNationalism in a way that ensures ICT and supply chain security while allowing for innovation and trade will benefit the entire globe through shared technological innovation, global trade and better digital infrastructure upon which to build the new digital environment.