Witness: Professor Andrew Martin, Oxford University.
Q33 The Chairman of the Defence Committee (Dr Julian Lewis): Could I just ask you if I would be right to summarise the situation with self-driving cars, for example, as follows? Is it basically the case that we are building new systems that are more and more dependent on a technology that cannot really be safeguarded? Would it be anyone’s role in society to ensure that, if we were involved in some sort of conflict with an adversary that was able to exploit those vulnerabilities and close down those systems, we would have some sort of fall-back so that, if we did not have self-driving cars, we could still drive cars ourselves?
Professor Martin: Guided by the previous comment, I think we should be careful about using cars as an example. Indeed, my colleagues who work on autonomous cars say that they certainly need to design the safety so that the car is actually autonomous and not reliant on the network. But to the general point, yes, we are building a society that is more and more dependent on network functions. If we were ever in a situation of conflict, we might discover that all sorts of unexpected things stopped working.
Q34 Dr Julian Lewis: Whose responsibility is it to plan for that?
Professor Martin: I think it falls on a lot of people, but ultimately is it a matter of critical national infrastructure, I suppose, and for those who take responsibility for such things.
Q35 Dr Julian Lewis: I would have thought it was a Government responsibility rather than one of private companies. Talking of private companies, if we were in a conflict with an adversary, would there be any greater danger arising from our dealing with a firm like Huawei, for example, than from our dealing with a firm from another country with which we were in a less adversarial relationship? Or would the vulnerabilities be the same irrespective?
Professor Martin: That has a very complex set of answers, because we are talking about global supply chains. We may be dealing with one vendor, but they may get their components from another place. Indeed, the vulnerabilities within any particular piece of equipment may not be under the control of the management of the vendor in question anyway; there may be some other party who wants to sell them to a third party. It is going to be a very complex picture behind the scenes.
Q36 Dr Julian Lewis: Let me give one final example. We have just been talking about backdoors dressed up to look like vulnerabilities. Would there be a greater chance of an adversary knowing where these backdoors or exploitable vulnerabilities were if they had been involved in constructing the system than if they had not?
Professor Martin: The designer and constructor of a system is always in a much better position, yes.
* * *
Witness: Mr John Suffolk, Global Cyber Security and Privacy Officer, Huawei.
Q61 The Chairman of the Science and Technology Committee (Sir Norman Lamb): You will be aware of the Australian Strategic Policy Institute report, which suggested that Huawei’s products have often been deployed in countries with poor records of political stability, rule of law and corruption. It also stated that in some countries, public security technologies have
“created a range of political and capacity problems, including alleged corruption; missing money and opaque deals; operational and ongoing maintenance problems; and alleged national security concerns.”
Do you accept that?
John Suffolk: No. Our point on this is really quite simple. Our starting point in the 170 countries in which we operate is: what is the law, and what does the law define as acceptable and unacceptable? I think it is right for Governments to determine, in essence, their objectives and enshrine that in law.
Q62 Sir Norman Lamb: So if it is a dodgy regime, you will go with it?
John Suffolk: I don’t think it matters whether it is a dodgy regime; it matters what is in the law. We do not create any moral judgments on what we think is right or wrong. That is for lawmakers to do. We execute within the law in 170 countries.
[ ... ]
Q66 Sir Norman Lamb: I understand, but I am interested in your involvement in Xinjiang at the moment. The Australian Strategic Policy Institute report alleged that Huawei supplies and assists the Public Security Bureau in Xinjiang, which has, in turn, been accused of surveillance and of human rights abuses, including, according to the report,
“an estimated 1.5 million Chinese citizens and foreign citizens”
being detained. How do you respond to those allegations?
John Suffolk: As I said, our job is to provide technology and services to partners. In this instance, that is what we have done. The –
Q67 Sir Norman Lamb: Do you have no concern about being, in a sense, complicit with such outrageous human rights abuses?
John Suffolk: I do not think it is for us to make such judgments. Our judgment is: is it legal within the countries in which we operate? That is our criterion. It is for others – predominantly the Government – to make judgments about whether they think it is right or wrong.
Q68 Sir Norman Lamb: But we are faced with a situation in which Huawei is involved in the provision of technology and services that has led to significant human rights abuses. Is that not something that concerns you?
John Suffolk: I do not know the specifics of whether they have or they have not, based on one report but –
Q69 Sir Norman Lamb: Do you condemn those human rights abuses?
John Suffolk: We always condemn human rights abuse in any country in which it occurs.
Q70 Sir Norman Lamb: Even where it involves your equipment and services.
John Suffolk: In any country in which it occurs. We believe, in essence, that our objective is to understand the law in the 170 countries in which we operate, and to operate within the law as defined by those Governments.
Q71 Sir Norman Lamb: If Huawei co-operates with the Chinese Government on state surveillance in China, particularly in Xinjiang province, to what extent can it resist pressure from the Chinese Government to enable surveillance abroad? You have demonstrated a willingness to work with the Chinese Government in a province where there are, allegedly, gross human rights abuses, and that suggests a close working relationship with the Chinese Government. Should that cause us concern in terms of your work here?
John Suffolk: I would not accept that characterisation. I would say that, in essence, we understand the law. It is the Government’s role to set the law, whether in the East or the West, and it is our job as a supplier to work within that law. It does not matter to us what the name of the country is; it is whether it is lawful. Coming back to your question about whether we could be put under influence, we are quite clear, and it is quite proven, that we are an independent company. No one can put us under pressure. We have made it very clear that, regardless of the country, if we were to be put under any pressure by any country that we felt was wrong, we would prefer to close the business.
Q72 Sir Norman Lamb: Should we do business with a company that is complicit in human rights abuses?
John Suffolk: I think you should do business with all companies that stick to the law.
Q73 Dr Lewis: There is a lot of law in China, isn’t there? Just like there was a lot of law in Nazi Germany. Some laws are good laws and some laws are bad. Some countries are totalitarian, repressive one-party states, and that includes communist China, doesn’t it?
John Suffolk: We do not make judgments about whether laws are right or wrong. It is for others to make those judgments.
Q74 Dr Lewis: Do you have a view as to whether China is a one-party state?
John Suffolk: China is a one-party state, yes.
Q75 Dr Lewis: Do you have a view as to whether that Chinese one-party state is repressive of human rights?
John Suffolk: I don’t have a view on that, no.
Q76 Dr Lewis: You don’t have a personal view on that.
John Suffolk: I don’t have a personal view on that.
Q77 Dr Lewis: You are a moral vacuum.
John Suffolk: I don’t believe so, no.
Q78 Dr Lewis: Is there any country in the world with a repressive Government that you would be unwilling to take a job from if you were offered it?
John Suffolk: I have never given that any thought, so I cannot answer that question.
Q79 Dr Lewis: Well, here’s an opportunity – give it some thought. Is there any regime in the world that you would not be prepared to work for, as long as your work involved observing the laws in that country?
John Suffolk: As I said, I have not given that any thought. If you want me to answer the question with some thought, I cannot do that now.
Sir Norman Lamb: That is a remarkable position you have stated.
Q80 Darren Jones: Mr Suffolk, you agree that there is a difference between ethics and law, correct?
John Suffolk: Yes I do.
Q81 Darren Jones: Does Huawei have any ethics regarding who it supplies to?
John Suffolk: Our starting point is always, in essence, that the law defines the ethics as far as we are concerned, because it is for Governments to define what is right and wrong, just as the UK defines what is right and wrong or what it will and will not allow. That is enshrined in law. That is our starting point.
Q82 Darren Jones: Companies are an entity in their own right, aren’t they, Mr Suffolk? They can make decisions about whether they want to do business with certain customers. Following on from Dr Lewis, have there ever been any customers that you have chosen not to supply to?
John Suffolk: I don’t think we do it on customers; we do it on products. We stay in the commercial space, for example. We don’t –
Q83 Darren Jones: But you do have customers.
John Suffolk: We have customers, but the customers –
Q84 Darren Jones: Can you answer my question, Mr Suffolk? Have you ever declined to supply to a certain customer?
John Suffolk: I am not in the sales, so I couldn’t answer that.
Q85 Darren Jones: If you could write to us with that answer that would be great.
John Suffolk: I am very happy to do that.
[ ... ]
Q115 Damien Moore: In a previous answer, you said that Huawei did not have any links with the Chinese state. Has there been an opportunity when it has failed to comply with a request from the Chinese Government?
John Suffolk: We have never had a request from the Chinese Government to do anything untoward.
Q116 Damien Moore: Anything at all.
John Suffolk: Anything. Let me be honest here. We have to pay our taxes, so I want to be clear. They never speak to us, but in terms of the purpose of this Committee, we have never been asked by the Chinese Government, or any other Government, I might add, to do anything that would weaken security.
Q117 Damien Moore: Would there be anything for any other Committee that might give a different answer to that question?
John Suffolk: Our answer would be the same. Are we asked to do things or build things into our products? Our answer would be: we have never been asked to do those things.
Q118 Damien Moore: Liang Hua, Huawei’s chairman, has reportedly said that Huawei
“are willing to sign no-spy agreements with governments, including the UK government, to commit ourselves to making our equipment meet the no-spy, no-backdoors standard”.
What is that standard, and how would such an agreement work?
John Suffolk: There isn’t an international standard on this. It’s a request we received from one mainland European Government: would we consider signing a no-spy deal? It is fair to say that different Governments have different approaches to how they want to deal with security. If it is relevant for a Government to sign a no-spy deal, then we are happy to do that, but at the moment you would need to craft a deal. Our view would be that, to make it worthwhile, you would need to link it to the contract of the operators that you are serving.
Q119 Damien Moore: To the best of your knowledge, do you know of any other provider that has had to commit to doing this?
John Suffolk: I am not aware of any, no.
Q120 Dr Lewis: You said the Chinese Government has never asked you to put any weaknesses in the system. Does that mean that you are saying that the Chinese intelligence and security agencies couldn’t get into your systems if they wanted to?
John Suffolk: If we remember Edward Snowden a few years ago, he amply demonstrated that Governments of capability can break into most things, including Huawei servers, so you can never say that a Government, whoever they are, if they have the capability, cannot break into systems. That is what Governments do.
Q121 Dr Lewis: But surely there is a law in China that requires Chinese companies to co-operate actively with the intelligence services, and surely that applies to Huawei in China, doesn’t it?
John Suffolk: Well, all laws in China apply to all companies in China, not just Huawei. That is point No. 1. Secondly –
Q122 Dr Lewis: Yes, but Huawei is the company we are considering. Why don’t you just admit the fact that Huawei is obligated to co-operate with the Chinese intelligence services in China?
John Suffolk: There are no laws in China that obligate us to work with the Chinese Government on anything whatsoever. We have looked at all of the Chinese laws. We have taken on board professors in Chinese law and we have had their views validated via Clifford Chance in London, and there is no requirement on us or any other company to undertake what you are suggesting.
Q123 Dr Lewis: So the law of 2017 doesn’t exist.
John Suffolk: No, the laws do exist, but it is the scope and context of what those laws enable you to do.
Q124 Dr Lewis: That law states very clearly that Chinese organisations and individuals are required to co-operate with the Chinese intelligence services, and you are saying that Huawei isn’t required to do that.
John Suffolk: I am saying our legal advice is that is not the case. That is not their interpretation, and it is not our interpretation.
Q125 Sir Norman Lamb: When your company wrote to me, you focused on the fact that it didn’t have extraterritorial effect. Julian is asking about inside China. China’s national intelligence law appears to be very clear on its requirement on individuals and organisations.
John Suffolk: I think it is fair to say, Chairman, that many countries produce laws that are unclear, and we have had to go through a period of clarification with the Chinese Government, who have come out and made it quite clear that that is not the requirement on any company. We have had that validated by our lawyers and revalidated again by Clifford Chance. I believe there is no such obligation.
Q126 Dr Lewis: So you are saying that Article 14 of China’s national intelligence law, passed in June 2017, empowering the agencies of the Chinese state to
“request the relevant organs, organisations and civilians to provide necessary support, assistance and co-operation”
to those intelligence agencies does not apply to Huawei.
John Suffolk: I am saying that what that means, according to our legal advice, is that it does not require Huawei to undertake anything that weakens Huawei’s position in terms of security.
Q127 Dr Lewis: And I am saying that that is entirely unbelievable. Can you tell us whether firms like Nokia and Ericsson are given the sort of access to Chinese critical national infrastructure that Huawei would like to have in the West?
John Suffolk: They follow me, but I will give my view and you can clarify with my friends. The telecommunications market in China is a very vibrant market, and Ericsson and Nokia have very good market share, and they compete with us head on in terms of China, so to answer your question, yes they do.
Q128 Dr Lewis: Finally, on 4 June it was the 30th anniversary of the Tiananmen Square massacre. How would you feel about equipment supplied by your firm enabling a similar exercise in suppression by a future Chinese Government?
John Suffolk: I am sorry. I didn’t quite understand the question.
Dr Lewis: How would you feel about equipment supplied by your firm enabling the Chinese Government, which is the direct descendant of, and absolutely continuously linked, in a linear fashion, with, the regime that killed thousands of people 30 years ago on 4 June in Tiananmen Square – how do you feel about being complicit in repressive actions of that sort?
John Suffolk: I do not think we are complicit in anything. I believe that our objective is to understand the law and comply with the law. It is for others to make judgments.
Q129 Dr Lewis: Like the people who manufactured the gas chambers, no doubt, in Nazi Germany.
John Suffolk: We comply with the law.
Dr Lewis: And so did they.
Q130 Graham Stringer: I was going to ask a similar question, actually. I listened carefully to your answers about following the laws. Do you think that when we come to write our report, it would be fair to compare your company with IG Farben, who manufactured Zyklon B and sold it to the German Government during the Second World War?
John Suffolk: I would paint a different picture. If you are asking us, “Should we ignore the law?”, I am sure you would say, “No, you must not ignore the law.”
Q131 Sir Norman Lamb: Basically, what you are saying is, “As long as we comply with the law, that is fine. We are amoral; we have no interest in what is happening”, like the one and a half million Chinese people who have been incarcerated in Xinjiang, for goodness’ sake. You do not care.
John Suffolk: It is not that we care or do not care; that is not our starting or end position.
Q132 Sir Norman Lamb: Yes, but you continue to provide equipment and supplies to facilitate that surveillance state.
John Suffolk: I think it is for Governments to determine what is right and wrong. That is their sovereign duty.
Q133 Sir Norman Lamb: But you will make money out of it.
John Suffolk: We are a commercial organisation.
Sir Norman Lamb: Right, you would. Okay.
Q134 Graham Stringer: Can I have an answer to my question?
John Suffolk: My answer to the question is still the same as it was earlier: that, in essence –
Graham Stringer: Is it fair to compare you to IG Farben?
John Suffolk: I do not know the circumstances around that.