Europe may be about to pull the welcome mat out from under Chinese technology giants.
Politicians, pushed by powerful German industrial interests, are looking for ways to address growing security concerns about Chinese-built equipment. It comes at a time when the Trump administration tightens up already restrictive policies, this week using Chinese company ZTE as a bargaining chip in wider negotiations on trade.
Chinas growth as a technological powerhouse adds to existing concerns about trade and its geopolitical ambitions both in Washington and the EU.
It would mark a change in course for Europe, which had been more open to Chinese tech than the U.S., and potentially slow already lagging efforts to keep pace with the U.S. and Asia on 5G. If implemented, it would be a setback as well for Chinese giant Huawei, which has invested billions across the Continent and political capital in Brussels to build up its business.
Among the legislative options German industrial chieftains would like to see are more stringent security requirements for companies building crucial infrastructure, potential restrictions on foreign-owned companies bidding for public procurement contracts, or both.
“Cybersecurity is not something that is an afterthought” — Huawei spokesperson
“As German industry, youre between two camps. You can choose which backdoor you want: A Chinese backdoor or a U.S. backdoor,” said Steffen Zimmermann, the lead expert on industrial security at German industrial lobby organization VDMA that includes Bosch, Siemens and robotmaker Kuka among its members.
“Were not friends of a regulation at all … but when it comes to important things like critical infrastructure risks, there should be some things required through a regulation,” he added.
Huawei reaps Snowden whirlwind
The shift in Europe coincides with global anxiety on the rise since 2013, when former U.S. National Security Agency (NSA) contractor Edward Snowden first revealed the extent of his countrys spying operations.
Snowden claimed at the time that his agency had built vulnerabilities right into the heart of Ciscos network infrastructure, without the company ever being aware that its communications were being tapped. A later leak of NSA hacking tools by the group Shadow Brokers also revealed built-in backdoors for U.S. intelligence services at network equipment-maker Juniper.
German industrys push to shield telecom networks from foreign prying could expose giants like Chinas Huawei to new restrictions
Now, the same fears that Snowden awoke are being trained on Chinese telecoms equipment giants, namely ZTE and Huawei. Both companies are close to Beijing. The latter is the worlds largest company of its type and has zeroed in on Europe, which accounts for 35 percent of its revenue, for future growth.
Industry experts explain that Chinese and American vendors have outperformed Europes Ericsson and Nokia on making the gear to connect industrial applications. According to telecom engineering experts who spoke to POLITICO on condition of anonymity, Huaweis networks are vulnerable to exactly the same type of tampering as Ciscos were and could be funneling communications back to Beijing — perhaps even without Huawei knowing about it.
Huawei rejects such arguments as “baseless.”
“Cybersecurity is not something that is an afterthought. Instead, it is a built-in standard part of the way we do our daily business. Despite baseless allegations coming from the U.S. for many years, in Europe we have been recognized [for high cybersecurity standards],” a Huawei spokesperson said.
Huaweis protests are not getting much attention in the United States. In February, Washington barred Huawei and ZTE from selling phones in U.S. military stores. In January, U.S. President Donald Trump floated the idea of creating a “nationalized” 5G network to handle critical economic and strategic communications, according to leaked memo. And now, Republican lawmakers are vying to keep Huawei and ZTE out of bidding for public procurement contracts. Meanwhile, Trump said Sunday that he would try to help ZTE, after the Chinese company announced it was shutting down its US operations as a result of sanctions.
In the midst of a war over telecom cybersecurity, the U.S. Commerce Department banned U.S. companies from selling to ZTE because the company violated U.S. sanctions on Iran. Trump on Sunday mitigated the clash, saying he would try to help ZTE, after the Chinese company announced it was shutting down its U.S. operations as a result of sanctions.
Its not just the United States scrutinizing foreign firms. In January, Australias government introduced legislation that would allow the government to block commercial decisions by telecom operators based on whether security is at risk.
“If youre not going to produce the technologies, youre not going to understand them. If youre not going to understand them, you dont understand security” — Matthias Machnig
Britains security services have set up a center to monitor products introduced on the U.K. market by Huawei. And the British National Cyber Security Centre last month sent official advice to telecom providers not to procure equipment or services from ZTE, the other Chinese telecom vendor.
Now, as trade tensions run high between the U.S. and the EU, German politicians are piling on.
At the international trade fair Hannover Messe at the end of April, European Budget Commissioner Günther Oettinger, who is German, called on local lawmakers to develop “digital sovereignty” by linking investments to strong cybersecurity and data protection standards.
At the same event, German industrial technology company Siemens launched a Charter of Trust, too, asking companies to sign up to standards designed to increase the security of supply chains. Cisco joined the Charter of Trust. “One principle is also focusing on responsibility throughout the digital supply chain to ensure that there are baseline requirements and trust in the whole supply chain,” a spokesperson for Siemens said.
Matthias Machnig, Germanys former state secretary for economic affairs, also urged Europe to pay more attention to cybersecurity standards.
Matthias Machnig, Germanys former state secretary for economic affairs | John Thys/AFP via Getty Images
“In Europe, it isnt understood that we need an industrial policy strategy on digitization,” Machnig told POLITICO just before leaving office in April. “We are going to be dependent on other players, on the U.S., on China … If youre not going to produce the technologies, youre not going to understand them. If youre not going to understand them, you dont understand security,” he said, adding that the provenance of a provider was one such concern.
Brussels dragging its feet
Brussels has heard the concerns — to an extent. The European Commissions proposed Cybersecurity Act could result in new security requirements for companies selling to Europes industry giants, raising the bar for these Chinese vendors and others. And a recent proposal to start screening foreign direct investment shows the bloc is looking for ways to protect EU industry.
But when it comes to more radical proposals, such as blocking procurement from foreign vendors in private supply chains and business-to-business contracts, European legislators are holding back. Many fear criticism that they are behaving as protectionists.
Two Commission officials who follow questions of network security said there are no plans to stop foreign companies from bidding for public procurement contracts in Europe. Nor are they examining how to shut out foreign vendors to protect European supply chains for sensitive technologies like connected cars, smart cities, energy grids and other critical networks, the officials said.
Part of that reluctance has to do with the EUs structure. All decisions relating to critical security are made by national capitals. And yet, in other areas the Commission shows increasing willingness to wade into gray areas between industrial regulation and security — such as when it introduced a plan to stop foreign investors from taking over firms in “strategic” sectors such as robots and innovation.
“We believe that some countries have asked for the source code when using foreign critical infrastructure providers equipment” — Udo Helmbrecht
No such rules are in the works for telecoms networks. The blocs only cybersecurity law, the Network and Information Systems Directive, only holds telecoms service providers liable for breaches. Network equipment-makers arent directly covered. A recent proposal called the European Cybersecurity Act could lead to cybersecurity certifications for telecoms and 5G, but its years away from becoming reality.
National governments are entitled to bar certain vendors. But for now, the higher EU rules state that such decisions need to be backed up by “non-protectionist” motivations.
“Each member state can take their own views on the risks associated with using various suppliers,” said the EUs cybersecurity agency Director Udo Helmbrecht, a former president of the German Federal Office for Information Security. “We believe that some countries have asked for the source code when using foreign critical infrastructure providers equipment. Others only allow equipment vendors that they trust and work closely with,” Helmbrecht said.
Whats missing? According to Zimmermann, “a European champion on network information infrastructure.”
“In my opinion it would be wiser to choose a partner with the same cultural background,” he said.
Hans von der Burchard contributed reporting.