Trust as the Foundation of the Transatlantic Partnership in the Digital World
Alexander Szanto
Brandenburg Institute for Society and Security (BIGS)
Alexander Szanto is a Research Fellow working in national and EU projects on various economic, societal and security policy related aspects of cybersecurity at the Brandenburg Institute for Society and Security (BIGS).
Alexander studied European Studies at the University of Maastricht and as part of his studies he spent a semester abroad at the Sciences Po in Paris with a focus on International Relations. He subsequently earned a master’s degree in Intelligence and International Security, concentrating in Cybersecurity and Political Developments in the Middle East post-1945 in the War Studies Department of King’s College in London.
Prior to joining BIGS, Alexander Szanto worked in the State Parliament of North Rhine-Westphalia in Düsseldorf, where he provided research and advice on digital politics and domestic security policy.
Tim Stuchtey
Brandenburg Institute for Society and Security
Dr. Tim H. Stuchtey is a Geoeconomics Non-Resident Senior Fellow at AICGS. He is the executive director of the Brandenburgisches Institut für Gesellschaft und Sicherheit (BIGS), a homeland security think-tank based in Potsdam, Germany. He is also a Non-Resident Fellow at AICGS and has served as Director of the Business & Economics Program. He works on various issues concerning economic policy, the economy of security, the classic German ‘Ordnungspolitik,’ and the economics of higher education.
Dr. Stuchtey studied economics with a major in international trade and international management and graduated in 1995 from the Westfälische Wilhelms-Universität in Münster. In 2001 he earned a Ph.D. from the Technische Universität Berlin in economics, which he obtained for his work in public finance and higher education policy. He worked as an economist for the German Employers Association and as a university administrator both at Technische and Humboldt-Universität Berlin. He was also the managing director for the Humboldt Institution on Transatlantic Issues, a Berlin-based think tank affiliated with Humboldt-Universität.
He has published a number of articles, working papers, and books on the security industry, homeland and cybersecurity issues, higher education governance and finance and on other questions of the so-called ‘Ordnungspolitik.’
Ultra-fast 5G broadband cellular connectivity will advance a host of the technologies of the future, including Industry 4.0, autonomous vehicles, virtual reality, drones, and telemedicine, to name just a few. These technical innovations, use cases and business opportunities are, however, accompanied by security concerns that are the subject of heated debates in the United States and Europe.
Central to ongoing discussions on 5G are not only the economic opportunities offered by this new mobile communications standard and the potential leaps forward in productivity, but also potential dependencies and vulnerabilities from new networks built with proprietary technologies from potentially untrustworthy vendors.
Countries expect a high degree of trustworthiness from 5G technology vendors involved in constructing a supercritical infrastructure of the future. In addition to the requisite technological skills, the criteria for trustworthiness include an untarnished reputation and an unwavering commitment to respecting local laws and regulations.
The relevance of the trustworthiness of technologies for domestic and international security and the economy is highlighted, not least, by the recent establishment of the EU-U.S. Trade and Technology Council (TTC) to lead a values-based global digital transformation. This forum aims to coordinate approaches to key global technology and economic issues based on shared democratic values.
Since 2015, the German parliament has been developing dedicated and far-reaching legislation to ensure IT security in Germany. The IT Security Act 2.0 requires providers to self-declare their trustworthiness, which must also be confirmed by several ministries and security authorities.
The Federal Office for Information Security (Bundesamt für IT-Sicherheit – BSI) will check the technical components, the Federal Office for Intelligence (Bundesnachrichtendienst – BND) will add their assessment, and the Foreign Office (Auswärtiges Amt) together with the Ministry of Economics (BMWi) and the Ministry of the Interior (BMI) will make the final decision. With regard to 5G, both telecommunication and critical infrastructure operators are required to report critical IT components to public authorities (in particular to the BSI). Vendors of critical components must sign a guarantee declaration and untrustworthy vendors can be banned if they fail to pass the government’s assessment.
All in all, the IT-Security Act 2.0 is seen as raising barriers for Chinese vendors to participate in the building of 5G networks in Germany. While the Act’s language directs the Ministry of Interior to seek agreement with other relevant ministries when prohibition of manufacturers’ critical components is necessary, eventual approval of trustworthiness likely also requires unanimous consent among the various government agencies involved in the certification process.
At a recent online event, Andreas Könen, Head of the Cyber and IT Security Department at the German Federal Ministry of the Interior, stated that trustworthiness is in the end a political question. Whereas technical requirements guide the certification of components, the classification of trustworthiness is also based on intelligence about vendors’ relationship with customers and governments. Stephen C. Anderson, Acting Deputy Assistant Secretary for International Communications and Information Policy in the U.S. State Department, emphasized during the same webinar that the United States and Germany have shared concerns regarding the security of critical technologies and need to work together to find a common way to ensure resilient supply chains through trustworthy vendors.
It is not a question of defining a European and an American way of dealing with untrustworthy vendors in parallel, but rather a common transatlantic approach that is based on an appropriate risk assessment broad enough to consider features such as the social and legal framework, accountability, and respect for the rule of law. This approach should be designed to build more resilient supply chains that reduce the risk of disruption and dependencies.
Strategic competition with China overlays all discussions with European leaders, as reflected in communiqués outlining technology’s growing importance at the core of global competition. In this context, the EU and the United States need to consider and assess technical, economic, and political interdependencies, taking a holistic approach rather than considering individual elements. This includes identifying vulnerabilities in supply chains, evaluating the lifetime costs of technologies (including political and social costs), as well as exploring ways to diversify the range of vendors and reduce critical (technical, economic, and political) dependencies. In the end, this applies not just to 5G, but also to other critical technologies.
On this premise, the EU has launched a robust and comprehensive set of measures for a coordinated approach to securing 5G networks. Secure and reliable 5G networks are a crucial strategic priority for the EU, and to achieve this the EU Commission is recommending several measures to member states that are primarily aimed at strengthening network security. These include, in particular, security requirements for network operators such as Deutsche Telekom, Vodafone, or O2, restrictions for high-risk suppliers of 5G network technology in security-relevant areas, and the establishment of redundant and diversified 5G networks in order to avoid dependencies and bolster security.
Moreover, the Commission recommends trade, industrial, and innovation policy measures to ensure secure and reliable 5G networks at the strategic level in order to strengthen the digital sovereignty of the individual EU countries as well as the bloc as a whole in the mid-term.
In theory this presents a clear set of measures, but their implementation has not been smooth. The European Commission’s July 2020 progress report on the implementation of the so-called EU Toolbox called on Member States to make urgent progress in mitigating risks to 5G telecommunications networks posed by certain high-risk vendors.
For its part, the U.S. government has approached the 5G network security issue with a combination of technological capacity building at home and cooperation with allies. Within the United States, serious efforts are being taken to strengthen 5G supply chain resilience and position U.S. 5G network technologies as high-quality, secure, and cost-effective alternatives to Chinese offerings in the international market. The National Telecommunications and Information Administration (NITA) and the Federal Communications Commission (FCC) support and promote the development and deployment of 5G Open Radio Access Networks (Open RAN). Serious government funding for 5G development is also on the way. After the U.S. House of Representatives approved a bill that would provide $750 million to support a domestic 5G equipment market and Open Ran development, the U.S. Senate passed the U.S. Innovation and Competition Act, which would create a $1.5 billion Public Wireless Innovation Fund and give $500 million for a joint semiconductor and Open RAN multilateral program.
Already during the Trump administration, the U.S. government had encouraged European governments to move away from using technologies from potentially risky vendors in their national 5G network infrastructure. The newly launched EU-U.S. Trade and Technology Council could provide a necessary and fit-for-purpose platform for transatlantic consultation on 5G standards, supply chain issues, and strategic implications with regard to China. The U.S. government is also mindful of the need to engage a diverse group of partners throughout the world and is taking steps to complement bilateral discussions on 5G network infrastructure security with plurilateral and multilateral efforts to boost infrastructure availability. The OECD’s recent launch of a multi-stakeholder design process for the Blue Dot Network certification framework, an initiative proposed by the United States, Japan, and Australia to foster quality infrastructure investment, is an encouraging development.
The competition with authoritarian states should focus on promoting innovative ideas and good governance instead of further escalating the conflict and widening divides between the East and the West. Strengthening democratic values and advancing technology governance practices based on the rule of law, transparency, citizen participation and individual freedom, should be done without slowing down technological innovation and adoption. To make this work, all parties will have to cooperate more closely in the future, and the transatlantic partnership in particular will have to be enhanced at all levels.