The Trilateral Cyber Security Commission was formed to make recommendations to the governments of the United States, Japan, and like-minded European countries individually and collectively to improve the security of their information networks. Some of the most critical challenges to all these countries are the economic and security risks of future 5G networks. These rapidly developing networks will become a new and dominant form of critical infrastructure. Unless the free market democratic countries can develop polices and take actions in the near term, China is poised to dominate this emerging market and could use its position to undermine the national security of its adversaries.
To develop effective policies for the long term, it is necessary to differentiate between the systemic information security threat of integrating foreign-made gear into 5G networks, on the one hand, and the economic dangers of China’s government-orchestrated unfair trade practices and intellectual property theft, on the other. In the midst of a trade dispute driven by China’s massive trade imbalance with the West, there is an understandable temptation to handle all three related challenges—information security, mercantilism and trade deficits—with a single approach. However, a sustained successful response requires that they be treated separately. The following observations summarize the major points supporting this conclusion and ultimately, drive the Commission’s recommendations on 5G:
• 5G networks will be a critical part of the world’s cellular and digital infrastructure in the near future, hosting new forms of automated and device communications and creating a new USD $250 billion market.
• Like current cellular networks, 5G networks are at risk if they are built with hardware and software from foreign companies subject to unfriendly government pressure or that are not engineered to high security standards.
• China is engaged in an orchestrated effort to use both legal and illicit means to dominate the world’s 5G markets using control of its domestic market, subsidies to IT national champions such as Huawei and ZTE, and acquisition of Western technology through coercion and espionage. Without concerted counters by the free market democratic countries, China may well achieve its ambitious goal.
• Beyond the economic consequences, Chinese domination of the international 5G market poses national security risks. Huawei and ZTE have a track record of supporting Beijing’s foreign policy goals by engaging in activities such as evasion of international sanctions. There is every reason to believe they would support Chinese government requests for network access.
• Economic and national security risks are related, but some risk factors reflect China’s state-sponsored economic strategy and others reflect systemic risks inherent in 5G evolving into a critical infrastructure.
• The United States and most of its allies lag behind in developing complete 5G systems that can be sold at scale in their own countries and compete in international markets.
• Private companies in free-market democracies cannot defend themselves alone against the coordinated threat of Chinese national champions and the Chinese government working together.
• The policies and actions of the United States, Japan, and like-minded European countries have enjoyed some success in countering China’s mercantilist policies in the 5G industry but must be improved to pace this threat.
Informed by these insights, the Commission recommends the United States, Japan, and likeminded governments in Europe and elsewhere take a series of domestic and coordinated multilateral actions. The objectives are not only to protect their 5G networks, but also to support Western firms in competing fairly to deliver 5G solutions around the world.
1. Establish a two-prong domestic review mechanism to review 5G network procurement from foreign suppliers to ensure that telecom carriers purchase equipment (1) not at high risk of compromise through pressure on the supplier by an unfriendly government and (2) built with sufficient security features to minimize the risk for opportunistic hackers to compromise the gear.
2. Strengthen domestic policies and actions to penalize foreign firms supplying 5G equipment that benefit from illegal subsidies from their home governments or that conduct illegal activities such as IP theft.
A. Establish a process for rapid government decisions and imposition of penalties by experienced officials, shifting the burden of proof from the domestic victim to the foreign supplier.
B. Tailor penalties for specific companies to the scale of economic damage.
3. Promote the development of a robust, open domestic 5G sector in the free market democracies capable of building alternative 5G solutions.
A. Support open protocols to enable 5G gear to intercommunicate with 3G and 4G networks in order to reduce “vendor lock-in” and the resulting the barrier to entry for new 5G firms.
B. Support an open and modular architecture for 5G networks that permits carriers to integrate equipment from various sources without significant integration costs.
C. Create investment incentives designed to encourage domestic companies and overseas firms from trusted nations to invest in 5G technologies and networks.
D. Encourage industry cooperation in forming 5G system suppliers by the selective use of waivers to federal and state antitrust law as was done in the United States with the Cybersecurity Information Sharing Act of 2016.
E. Incentivize participation in domestic 5G system ventures to qualified foreign firms from trusted allies.
4. Fund basic research in critical 5G technology not taking place in the private sector such as:
A. Improved technology for spectrum sharing in the prime 5G frequency bands.
B. Secure communications over untrusted networks.
C. Identification and segregation of “high risk” components in 5G networks for which foreign components carrying high political risk should never be used, and “lower risk” components subject to lower security requirements.
5. Establish a “5G International Security Council (5G ISC)” as the primary mechanism for international coordination of 5G security and trade policies of the member states. The council would include government officials with national security, economic, and digital infrastructure regulation responsibilities, as well as representatives from major 5G providers and vendors. The 5G ISC would have the following responsibilities:
A. Coordination of the criteria to be used for each member country’s review of the political risk of foreign 5G equipment suppliers, along with comparison and potential coordination of specific results of reviews.
B. Coordination of technical standards used to assess the security risk of 5G vendor hardware and software, along with comparison and potential coordination of specific results of reviews.
C. Continuous sharing of threat and risk assessments among the council members.
D. Coordination on spectrum allocation issues.
E. Developing and coordinating opportunities for partnerships among member nation’s companies to facilitate development of robust, price-competitive alternatives to Huawei and ZTE while ensuring any antitrust or trade treaty concerns are preemptively addressed.
F. Coordination of research into new technologies for spectrum sharing, open protocols, and secure end-to-end communications over future 5G networks for specific organizations.
G. Comparison of technical reviews and agreement on “high” vs. “low” risk components of 5G networks.