Many of Canada’s closest allies have either firmly or softly blocked Huawei and ZTE from selling telecommunications equipment to Internet service providers in their countries over the past several years. After repeated statements from Canadian government officials that a review of Huawei equipment was ongoing, on May 19, 2022 the government announced its own bans on Huawei and ZTE equipment. The government published an accompanying policy statement from Innovation, Science, and Economic Development (ISED) Canada on the same day.
This post begins by summarizing the possible risks that Chinese vendors might pose to Canadian networks. Next, it moves to discuss the current positions of Canada’s closest allies as well as Canada’s actions and statements pertaining to Chinese telecommunications vendors leading up to the May 2022 announcement. It then proceeds to unpack the government’s “Securing Canada’s Telecommunications System” policy statement. Some highlight findings include:
- The government is unclear when it refers to “supply chain breaches”;
- The government may be banning Huawei and ZTE principally on the basis of American export restrictions placed on Chinese vendors and, thus, be following the same model as the United Kingdom which was forced to ban Huawei following American actions; and
- Establishing the security and protection of telecommunications systems as an “overriding objective” of Canadian telecommunications policy could have long-term implications for Canadians’ privacy interests.
The post concludes by discussing the policy and political implications of the policy statement, why any telecommunications security reforms must not be accompanied by broader national security and law enforcement reforms, and why the Canadian government should work with allied and friendly countries to collectively assess telecommunications equipment.
Last week I appeared before the Special Committee on Canada-Chinese Relations to testify about the security challenges posed by Chinese infrastructure vendors and communications intermediaries. . I provided oral comments to the committee which were, substantially, a truncated version of the brief I submitted. If so interested, my oral comments are available to download, and what follows in this post is the actual brief which was submitted.
- I am a senior research associate at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto. My research explores the intersection of law, policy, and technology, and focuses on issues of national security, data security, and data privacy. I submit these comments in a professional capacity representing my views and those of the Citizen Lab.
- Successive international efforts to globalize trade and supply chains have led to many products being designed, developed, manufactured, or shipped through China. This has, in part, meant that Chinese companies are regularly involved in the creation and distribution of products that are used in the daily lives of billions of people around the world, including products that are integrated into Canadians’ personal lives and the critical infrastructures on which they depend. The Chinese government’s increasing assertiveness on the international stage and its belligerent behaviours, in tandem with opaque national security laws, have led to questioning in many Western countries of the extent to which products which come from China can be trusted. In particular, two questions are regularly raised: might supply chains be used as diplomatic or trade leverage or, alternately, will products produced in, transited through, or operated from China be used to facilitate government intelligence, attack, or influence operations?
- For decades there have been constant concerns about managing technology products’ supply chains. In recent years, they have focused on telecommunications equipment, such as that produced by ZTE and Huawei, as well as the ways that social media platforms such as WeChat or TikTok could be surreptitiously used to advance the Chinese government’s interests. As a result of these concerns some of Canada’s allies have formally or informally blocked Chinese telecommunications vendors’ equipment from critical infrastructure. In the United States, military personnel are restricted in which mobile devices they can buy on base and they are advised to not use applications like TikTok, and the Trump administration aggressively sought to modify the terms under which Chinese social media platforms were available in the United States marketplace.
- Legislators and some security professionals have worried that ZTE or Huawei products might be deliberately modified to facilitate Chinese intelligence or attack operations, or be drawn into bilateral negotiations or conflicts that could arise with the Chinese government. Further, social media platforms might be used to facilitate surveillance of international users of the applications, or the platforms’ algorithms could be configured to censor content or to conduct imperceptible influence operations.
- Just as there are generalized concerns about supply chains there are also profound worries about the state of computer (in)security. Serious computer vulnerabilities are exposed and exploited on a daily basis. State operators take advantage of vulnerabilities in hardware and software alike to facilitate computer network discovery, exploitation, and attack operations, with operations often divided between formal national security organs, branches of national militaries, and informal state-adjacent (and often criminal) operators. Criminal organizations, similarly, discover and take advantage of vulnerabilities in digital systems to conduct identity theft, steal intellectual property for clients or to sell on black markets, use and monetize vulnerabilities in ransomware campaigns, and otherwise engage in socially deleterious activities.
- In aggregate, issues of supply chain management and computer insecurity raise baseline questions of trust: how can we trust that equipment or platforms have not been deliberately modified or exploited to the detriment of Canadian interests? And given the state of computer insecurity, how can we rely on technologies with distributed and international development and production teams? In the rest of this submission, I expand on specific trust-related concerns and identify ways to engender trust or, at the very least, make it easier to identify when we should in fact be less trusting of equipment or services which are available to Canadians and Canadian organizations.
I’ve published a report with the Citizen Lab, entitled, “Huawei and 5: Clarifying the Canadian Equities and Charting a Strategic Path Forward.” The report first provides a background to 5G and the Chinese telecommunications vendor, Huawei, as well as the activities that have been undertaken by Canada’s closest allies before delving into issues that have been raised about Huawei, its products, and its links to the Chinese government. At its core, the report argues that Canada doesn’t have a ‘Huawei problem’ per se, so much as a desperate need to develop a principled and integrated set of industrial, cybersecurity, and foreign policy strategies. The report concludes by providing a range of suggestions for some elements of such strategies, along the lines of how Canada might develop and protect its intellectual property, better manage trade issues, and develop stronger cybersecurity postures.