Great Britain has decided to let the People’s Republic of China’s Huawei—which by PRC law must cooperate with the PRC government whenever that government requires it—to play a role in Britain’s development and deployment of its 5G telecommunications network.
Great Britain says Huawei role will be limited, but in a computer network, such limits lie somewhere between chimera and pipe dream.
The Brits say that Huawei, and “high risk vendors” generally, would be excluded from the network “core.”
The Brits say they are
taking steps that would allow it “to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cybercriminals, or state-sponsored attacks.”
high-risk vendors would be subject to a 35% cap on access to even non-sensitive parts of the network.
Thirty-five per cent. That’s a broad penetration of a network’s “non-sensitive parts,” a network’s periphery.
This is foolish.
Mitigating risks is not the same as preventing them. This isn’t a matter of the Internet going down for a bit, and our not being able to post our blog articles or do a Bing search for this or that. It’s not a matter of losing a cable connection so we can’t watch TV for a few minutes or an hour, nor is it a matter of a temporary drop of cell phone access. This is a matter of national security, and the difference between mitigation and prevention is critical.
It takes only a single opening in a network’s outlying accesses to enable a nefarious entity to insert malware into the network. Once inserted, that malware can proliferate on its own, even penetrate the core, and then that malware is positioned to allow the entity to engage in cybercrime, cyberespionage, cyber-triggered sabotage of other infrastructure.
Even were the core adequately protected, malware in the periphery still can render the core impotent by isolating it from the periphery—much as biological damage can isolate a body’s core, its brain, from the body.