Germany is coming under fire for what critics say is a toothless move on tech regulation that opens it up to Chinese hacking.

The country’s regulators released a new “security catalogue” Tuesday that would require telecom operators to identify critical parts of their networks and demand that suppliers of these parts sign up to a “no-spy clause.”

Tech hawks, though, say that the new regulation lacks teeth and will in effect allow Chinese telecom company Huawei almost unhindered access to its telecom market. They argue it amounts to a huge setback for U.S. and European security services who are concerned about potential Chinese security threats to 5G networks from using the company — a charge it vigorously denies.

The U.S. is already signaling that the move could have serious implications for future intelligence-sharing between Berlin and Washington. “If there is technology that is untrusted is deployed in [German] 5G networks, then we’ll have to reassess how we share information with countries like Germany,” said Rob Strayer, President Donald Trump’s top envoy on cybersecurity, on Tuesday.

U.S. security services fear Huawei’s equipment can be easily misused by the Chinese state to spy on Western allies, and the company’s increasing dominance also poses a strategic threat as it gobbles up competitors in the West.

Lacking teeth

Berlin’s no-spy clause (technically a pledge of “trustworthiness” for suppliers of critical components and services) has attracted criticism for lacking real teeth. The pledge — which would affect Huawei, its smaller Chinese competitor ZTE as well as European competitors Ericsson and Nokia — does not include plans to verify if promises have been kept. Nor does it include enforcement measures against suppliers that fail to respect commitments.

“[It] reads great on paper, it ticks boxes on backdoors and compliance, but there’s not a single word on enforcement and sanctions, not a single word on evaluation,” said Jan-Peter Kleinhans, a researcher at the policy think tank Stiftung Neue Verantwortung that studies 5G security.

The security catalogue — which is still under review — comes as German Chancellor Angela Merkel in past months has walked a narrow line in her policies toward China, drawing criticism from the U.S. and European countries who argue that Berlin should take a tougher line over Hong Kong street protests and 5G security.

One senior Commission official who asked not to be named said that Germany’s 5G security review undermines a recent move by EU officials and national cybersecurity officials to warn the telecom industry about foreign states’ hacking efforts — a warning squarely backed by Germany’s own intelligence service.

“It’s awkward for the new German European Commission President-elect [Ursula von der Leyen],” the senior official added, as Berlin’s position differs from the one carved out by the European Commission in past months.

Von der Leyen’s plans include beefing up Europe’s “technological sovereignty,” including through public support for home-grown technology in strategic sectors like telecom. But the incoming Commission president is struggling to win parliamentary approval for a commissioner in that portfolio, after MEPs shot down French nominee Sylvie Goulard last week.

Likely a self-certification scheme

Germany’s action on Huawei is particularly sensitive because the country has Europe’s largest telecom market, dominated by giants Deutsche Telekom, Vodafone and Telefónica.

It’s also arguably the most strategic market in Europe for Huawei, which is the largest supplier of telecom equipment in Germany and has signed huge 4G contracts with telecom giants in recent years.

In opting for a 5G no-spy clause, Germany is reusing a tool that has served in the past for public procurement acquisitions of technology. The tool was invented as a safeguard against spying in the wake of revelations by U.S. whistleblower Edward Snowden — and in past years already drew criticism for being very hard to enforce.

The original template for this particular no-spy clause, drafted by the country’s Federal Office for Information Security (BSI), said that companies selling technology to the German government for use in “sensitive environments” should ensure that no confidential information is passed on to foreign countries, third parties or foreign services inside Germany.

It also said that suppliers should ensure the firm is “legally and effectively able not to disclose” confidential information to foreign intelligence, and that it uses “only particularly trustworthy employees” to provide services and develop products.

That template inspired the no-spy clause for 5G contracts in Tuesday’s draft document. But regulators dropped key provisions that would have raised the bar for vendors to comply: The 5G no-spy clause does not include a pledge to allow on-site inspections; to release source code or design documentation for products; or to release financial information on shareholders and company accounts.

“Though the document makes a nod to the need for carriers to obtain documentation about the trustworthiness of suppliers, it remains unclear who would determine criteria for vendor trustworthiness,” said Paul Triolo, head of technology policy at Eurasia Group, a think tank on geopolitics. “It would likely be a self-certification scheme.”

Critical parts of Germany’s 5G networks would also have to pass checks by the BSI, which will have a strong role in certifying which kit is deemed safe to use.

This emphasis on certification — a thread running through the draft security catalogue — echoes what leading telecom companies have called for: To set objective European standards on cybersecurity that suppliers have to meet — regardless of their country of origin.

“Unless it is crystal clear that there is some wrongdoing [by suppliers], I don’t think [restrictions] should be handled operator by operator,” Telefónica’s Chairman and Chief Executive Officer José María Álvarez-Pallete told POLITICO in an interview published last week.

According to Kleinhans, “with this approach, even for critical components, Chinese vendors will be in.”

The approach differs from other European governments’ preference to vet specific contracts between operators and vendors based on national security concerns. Italy, France and others have put in place new mechanisms that give prime ministers, ministers a