net.wars

We rarely talk about it this way, but sometimes what makes a computer secure is a matter of perspective. Two weeks ago, at the CPDP-adjacent Privacy Camp, a group of Russians explained seriously why they trust Gmail, WhatsApp, and Facebook.

"If you remove these tools, journalism in Crimea would not exist," said one. Google's transparency reports show that the company has never given information on demand to the Russian authorities.

That is, they trust Google not because they *trust* Google but because using it probably won't land them in prison, whereas their indigenous providers are stoolies in real time. Similarly, journalists operating in high-risk locations may prefer WhatsApp, despite its Facebookiness, because they can't risk losing their new source by demanding a shift to unfamiliar technology, and the list of shared friends helps establish the journalist's trustworthiness. The decision is based on a complex set of context and consequences, not on a narrow technological assessment.

So, now. Imagine you lead a moderately-sized island country that is about to abandon its old partnerships, and you must choose whether to allow your telcos to buy equipment from a large Chinese company, which may or may not be under government orders to build in surveillance-readiness. Do you trust the Chinese company? If not, who *do* you trust?

In the European Parliament, during Wednesday's pro forma debate on the UK's Withdrawal Agreement and emotional farewell, Guy Verhofstadt, the parliament's Brexit coordinator, asked: "What is in fact threatening Britain's sovereignty most - the rules of our single market or the fact that tomorrow they may be planting Chinese 5G masts in the British islands?"

He asked because back in London Boris Johnson was announcing he would allow Huawei to supply "non-core" equipment for up to 35% (measured how?) of the UK's upcoming 5G mobile network. The US, in the form of a Newt Gingrich, seemed miffed. Yet last year Brian Fung noted at the Washington Post ($) the absence of US companies among the only available alternatives: ZTE (China), Nokia (Finland), and Ericsson (Sweden). The failure of companies like Motorola and Lucent to understand, circa 2000, the importance of common standards to wireless communications - a failure Europe did not share - cost them their early lead. Besides, Fung adds, people don't trust the US like they used to, given Snowden's 2013 revelations and the unpredictable behavior of the US's current president. So, the question may be less "Do you want spies with that?" and more, "Which spy would you prefer?"

A key factor is cost. Huawei is both cheaper *and* the technology leader, partly, Alex Hern writes at the Guardian, because its government grants it subsidies that are illegal elsewhere. Hern calls the whole discussion largely irrelevant, because *actually* Huawei equipment is already embedded. Telcos - or rather, we - would have to pay to rip it out. A day later, BT proves he's right: it forecasts bringing the Huawei percentage down will cost £500 million.

All of this discussion has been geopolitical: Johnson's fellow Conservatives are unhappy; US secretary of state Mike Pompeo doesn't want American secrets traveling through Huawei equipment.

Technical expertise takes a different view. Bruce Schneier, for example, says: yes, Huawei is not trusted, and yes, the risks are real, but barring Huawei doesn't make the network secure. The US doesn't even want a secure network, if that means a network it can't spy into.

In a letter to The Times, Martyn Thomas, a fellow at the Royal Academy of Engineering, argues that no matter who supplies it the network will be "too complex to be made fully secure against an expert cyberattack". 5G's software-defined networks will require vastly more cells and, crucially, vastly more heterogeneity and complexity. You have to presume a "dirty network", Sue Gordon, then (US) Principal Deputy Director of National Intelligence, warned in April 2019. Even if Huawei is barred from Britain, the EU, and the US, it will still have a huge presence in Africa, which it's been building for years, and probably Latin America.

There was a time when a computer was a wholly-owned system built by a single company that also wrote and maintained its software; if it was networked it used that company's proprietary protocols. Then came PCs, and third-party software, and the famously insecure Internet. 5G, however, goes deeper: a network in which we trust nothing and no one, not just software but chips, wires, supply chains, and antennas, which Thomas explains "will have to contain a lot of computer components and software to process the signals and interact with other parts of the network". It's impossible to control every piece of all that; trying would send us into frequent panics over this or that component or supplier (see for example Super Micro). The discussion Thomas would like us to have is, "How secure do we need the networks to be, and how do we intend to meet those needs, irrespective of who the suppliers are?"

In other words, the essential question is: how do you build trusted communications on an untrusted network? The Internet's last 25 years have taught us a key piece of the solution: encrypt, encrypt, encrypt. Johnson, perhaps unintentionally, has just made the case for spreading strong, uncrackable encryption as widely as possible. To which we can only say: it's about time.

Illustrations: The European Court of Justice, to mark the fact that on this day the UK exits the European Union.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.