Huawei agreement: No structured solution to the dependency problem

Contents

The end of years of discussion: should Germany ban the use of Chinese products in the mobile network? It took the German government one and a half terms in office to finally find an answer to this question. And the answer is now: yes, but please only phase it out quietly. The 5G expansion targets should not be jeopardized under any circumstances and the maximum benefit should be drawn from the technology already available.

The chosen path of public contracts with the providers allows them to continue using at least some of the installed hardware - if the interfaces are opened up. The ball is now in Huawei's court.

An opinion by Falk Steiner

Falk Steiner is a journalist based in Berlin. He works as an author for heise online, daily newspapers, specialist newsletters and magazines and reports on digital policy at federal and EU level, among other things.

Is this a viable option? Yes, it is. Is it a secure solution? No, it's not – because every software update could be dangerous until new control software is available and could lead to exactly what was feared but never proven.

Of course, it is legitimate to weigh up the risk against the cost. And yes, the mobile network – some readers may see it differently – is not yet essential for survival. The real-time applications that have been predicted for years for the 5G era are still in short supply – and are only likely to become a reality with 6G. The path chosen now could therefore also be seen as a clever way of avoiding an overly open confrontation with Beijing.

China's networked products

However, there are virtually no signs that Berlin's decision-makers have learned any lasting lessons from the case. Chinese suppliers play a leading role in the energy transition, and not just in solar panels. A glance at the Federal Network Agency's market master data register shows – and this is only a cursory search – thousands of storage units and solar systems connected to the electricity grid that are obviously supplied by Huawei. The inverter market is also largely dominated by Chinese manufacturers. And whether the software of the collective battery electric vehicle fleet made in China is clean? The total number is still manageable – BYD, for example, registered just 1202 new vehicles in the first half of the year, while MG Roewe, which belongs to SAIC, has already registered around 10,000.

The question must be answered realistically: Who should, who can and who wants to control this? Who prevents a malicious update from being installed? Who controls which Chinese product really communicates with which servers? In the case of mobile networks, it is the operators who have an increased interest in the integrity of their networks. But what about other infrastructure?

While telecommunications providers are comparatively privileged when it comes to IT security issues and can analyze their networks quite precisely and check them for incidents and threats, this does not apply to other networked devices - whether powered or unpowered. And whether the Cyber Resilience Act, which is supposed to make networked end devices secure, can really achieve this remains to be seen.

In fact, the German government's Huawei decision alone can only address the dependency problem to a very limited extent – and the reality of dependency with digital components has shifted even more towards the People's Republic since the Trump-Merkel dispute in 2019.

We don't know how dependent we are

Between all the Sunday speeches about "de-risking", "re-shoring", "friendshoring" and diversification, one thing is missing above all: the honest acknowledgement that it is more expensive to minimize risks. That it is not relevant to be able to act autonomously in every area, but that strategic management of dependencies can also consist of keeping the other side comparably dependent in certain areas. And that the only sensible move is not to play with fire in the first place. However, despite the Huawei decision, the trend is currently clearly moving towards even greater dependence on China.

In recent years, the German government has formulated a large number of strategy documents – a China strategy, a national security strategy, a cyber security strategy. However, it has so far failed to fill these documents with life. There has been a lack of effective instruments: to date, there is still no clear legal basis for excluding Chinese providers from public tenders for critical infrastructure. This means that the economic efficiency principle applies.

There are no effective enforcement mechanisms to seriously check the IT security of many products – the staff at the Federal Office for Information Security (BSI) are not sufficient for this. And a major increase is not to be expected under the current cost-cutting approach, despite growing tasks.

Missed opportunities pave the way

When the cabinet adopts the German implementation of the EU's revised Network and Information Security Directive (NIS2) in the coming days, there will be a lot of new regulations in the field of IT security and problematic countries of origin. This would have been an opportunity to show that the five-year Huawei debate really does not want to be repeated in other segments.

However, the regulations are anything but strict, and they remain narrowly defined. The solution that is now being propagated in the Huawei case does not even really appear in it: An obligation to open up proprietary interfaces, thus enabling the separation of hardware and control software. This would not be a bad idea, even with regard to other players in the world, although it would not be appropriate in all constellations.

After all, turning to Western and therefore also US providers also harbors risks. With 5G and presumably also 6G as the successor, these certainly play a role in control software, unlike with hardware. But with the prospect of an upcoming US presidential election, does this offer more reliability and trustworthiness? This question is also justified, especially in view of the history of some US providers.

But dealing with it in a structured way, deriving political conclusions, regulatory measures and economic decisions: This federal government, like its predecessors, is likely to be hopelessly overwhelmed. And so, the egg dance that is evident in the handling of 5G is likely to continue. Until it comes to electricity storage, inverters, cloud services, cars or AI providers and the wheel can be completely reinvented.

(mma)