The world must "understand the opportunities and threats from China's technological offer", GCHQ director Jeremy Fleming said today as he observed that there are "no clear norms or behaviours" for state-on-state cyber-squabbling.
Speaking at an International Institute for Strategic Studies event in Singapore, Fleming called for the world's "cyber powers" to "converge on agreed definitions, on regulatory frameworks, industry standards and norms of ethical behaviour" (PDF).
He also commented on Britain's oversight of Chinese mobile network equipment company Huawei and its cybersecurity practices, saying: "Experience shows that any company in an excessively dominant market position will not be incentivised to take cybersecurity seriously. So we need a diversified market, competing on quality and security, as well as price."
Fleming also directly challenged China, Iran, Russia and North Korea over online hacking attacks, vowing that "the UK and its allies will keep calling this out". He highlighted the public attribution of the APT10 hacking group's activities to China in December 2018 as one example.
The location of Fleming's speech, Singapore, is no coincidence. Over the next few years the UK aims to step up its presence in the Far East, including a deployment of a Royal Navy task force to the South China Sea in 2021.
We're doing it Huawei, OK?
Fleming's remarks about China will intensify the pressure on Huawei over allegations that the Chinese state uses the company's presence to insert covert backdoors for spying on western companies and governments. The British government has covertly acknowledged this by admitting last week that it bans Huawei equipment from its own networks, leaving the private sector and general public to take their chances.
No concrete evidence has so far emerged that Huawei equipment contains a backdoor or any other means for China to snoop.
Meanwhile, Nick Read, chief exec of Vodafone, publicly called for America to share its evidence that Huawei mobile network equipment poses a national security threat to countries its kit is installed in.
"People are saying things at the moment that are not grounded. I'm not saying that is the case for the US because I have not met them directly myself so I have not seen what evidence they have, but they clearly need to present that evidence to the right bodies throughout Europe," Read said at Mobile World Congress in Barcelona this morning, as quoted by Reuters.
Huawei has also gone on the PR offensive in recent weeks, with executives speaking publicly, including founder Ren Zhengfei, who gave an unusual public interview to the BBC last month. Such a move is a new one for the company, which, while not shunning the limelight, has until now not tried to take the public initiative. ®
Fleming's speech has also riled up defenders of the internet who have noted his argument that businesses and institutions "must protect the digital homeland."
The "digital homeland" analogy is an apparently clear sign that Fleming views the global telecommunications network as something that can or should have geographic borders: an approach that reflects the mindset of China and Russia rather than the traditional Western view of the web.
Both China and Russia have increasingly adopted the idea that they will have their "own" internet, largely as a result of what they feared was a creeping influence of outside voices into their cultures. China, in effect, operates a national intranet with carefully controlled access points to the broader global internet.
Russia has also repeatedly suggested in recent years that it will cut off its citizens' access to the global network and build its own internal internet. But hearing a Western democracy suggest the model of a national internet is an alarm bell to many that the voices of control in UK society – in this case, the security services – are increasingly viewing the internet as something to be controlled rather than adapted to.