When the Czech cyber security agency issued an unprecedented warning against China’s telecoms giant, politicians clashed over national security. But was it anything more than political theatre?
Tech is the lifeblood of the Czech city of Brno, where IT startups rub shoulders with global names like Motorola and IBM as well as home-gown giants such as Avast and Kiwi.com.
Nestled between two rivers, the southeastern castle town is also home to the highest concentrations of tech universities in Central Europe. No wonder it is a hub for budding entrepreneurs.
But for IT geeks who prefer the public sector, one employer in the Czech Republic’s second-largest city stands out — the National Cyber and Information Security Agency (NCISA), the government’s cyber security watchdog.
Established in Brno in 2017, the agency attracts some of the country’s top talent — even if the work is rarely as glamorous as the Hollywood version of cyber intelligence might suggest.
“It’s routine, administrative, even clerical work that we do here,” NCISA spokesman Radek Holy told BIRN.
Even so, every once in a while the atmosphere at the Brno office gets heated. And possibly the “hottest” day in the agency’s history was December 17, 2018.
That is when the NCISA issued an official — and unprecedented — warning that “the use of technical or program tools of Huawei Technologies and ZTE Corporation poses a cyber security threat”.
Suspicion towards the Chinese telecom giants had been swirling since August 2018 when US President Donald Trump first branded the companies a security risk.
But in the winter of 2018, no European country had joined Trump in his crusade against the firms amid fears their hardware could be used to spy for the Chinese government.
The Czech Republic broke that silence.
Panic and confusion ensued. Czechs were desperate to know if it was safe to keep using gear made by Huawei, the world’s largest producer of telecoms equipment. ZTE was less of a concern since its presence in Czech Republic was far smaller.
Quickest on his feet was Czech Prime Minister Andrej Babis, who ordered his office to stop using Huawei equipment — only to find out later the warning only applied to entities deemed critical to the country’s information infrastructure.
As a major supplier of data centre equipment and IT infrastructure to the Czech state, Huawei was in pole position to help roll out the country’s next-generation 5G cellular network promising super-fast connectivity.
What followed was political theatre as the Czech Republic’s two most powerful men — the prime minister and the president — tried to turn the alleged security threat to their advantage.
Analysts say the “Huawei affair” quickly morphed into a hullabaloo that said as much about the country’s east-west political divide as anything to do with national security — with millions of euros of business at stake.
A year after the NCISA sounded the alarm, public tender records show that Huawei continues to win contracts to supply hardware for vital Czech infrastructure.
If the warning was meant to keep the company’s tech out of the 5G network, it has hardly made a dent.
The NCISA alert thrust the Czech Republic into a geopolitical tug-of-war between the Washington and Beijing.
Ever since Trump signed an executive order in May adding Huawei to the US Department of Commerce’s sanctions list, Washington had pressured its European allies to blacklist the firm, warning of possible security risks for the whole transatlantic alliance.
Arguing that vulnerabilities in Huawei’s equipment could allow snooping and sabotage by malign actors, the US government was particularly concerned about Huawei’s participation in 5G networks set to revolutionise the way data flows.
“We’ve been clear: our task is that our allies and our partners and our friends don’t do anything that would endanger our shared security interests or restrict our ability to share sensitive information,” US Secretary of State Mike Pompeo said in a speech in The Hague in June.
Our task is that our allies and our partners and our friends don’t do anything that would endanger our shared security interests or restrict our ability to share sensitive information.
– US Secretary of State Mike Pompeo
5G, the fifth generation of cellular network technology, promises speeds a hundred times faster than current broadband technology allows.
This will make possible the so-called internet of things, in which everyday objects like clothes or vehicles are always connected to the web. Many see 5G’s blistering speed and super-broad bandwidth as a game changer in everything from entertainment to healthcare.
They dream of real-time medical diagnostics, immersive virtual reality and self-driving cars.
But where some see promise, others see pitfalls.
Given the importance of 5G networks in future communications infrastructure, the US government and other critics of Huawei are calling for a blanket ban on the Chinese vendor’s participation in building 5G networks in Europe and elsewhere.
Some US allies have been quick to oblige.
Australia was the first country to introduce a broad ban on Huawei technology in 5G networks. New Zealand soon followed with a similar ban. Another US ally in the region, Japan, excluded Huawei from public procurement.
Much to Washington’s dismay, the Europeans did not follow suit.
According to Emir Halilovic, head of the global telecom technology and software team at British data analytics firm GlobalData, countries near China geographically tend to be much more cautious about their powerful neighbour.
“The dominant position of China in the Asia-Pacific region is undisputed,” Halilovic told BIRN. “It’s only natural that countries from that region are much more careful about Huawei. For them, the risk is much more tangible.”
Despite the fact that many European countries share US concerns about allowing a Chinese company to participate in the development of such sensitive technology as 5G, no country in Europe has yet sided with Washington and imposed an outright ban on Huawei.
Instead, most European states favour an evidence-based approach.
This requires them to first present clear evidence that Huawei gives Beijing access to personal data from EU users or installs in its devices so-called backdoors that could expose EU critical infrastructure to foul play.
“So far, there is no, at least publicly available, information that such things have been happening,” Halilovic said. “Looking at the issue from this perspective, one can think that the whole campaign against Huawei has been a bit exaggerated.”
Also important is Huawei’s already dominant position on the European telecommunications market, Halilovic said.
“Huawei is extremely strong in Europe. There is very little that can be done about it now. It is impossible to just get rid of Huawei equipment overnight. Moreover, it would be an absolute disaster for everyone.”
Concerns about ZTE were less of an issue, he added, since government tenders affected by the warning mainly concern equipment for data centres and other IT infrastructure.
“ZTE doesn’t really make those so they don’t really play a major role in this.”
Cold, hard cash
Huawei Technologies (Czech) s.r.o., Huawei’s Czech branch, did not respond to an interview request.
However, in September, Huawei’s vice-president of Central Europe and the Nordics, Radoslaw Kedzia, told Reuters that Czech security concerns over their equipment had not had a significant impact.
“It is pretty much business as usual with a little bit more attention to show that we are transparent, open and inclusive and we have nothing to hide,” Kedzia said.
Huawei’s rising profit numbers
|Year||Revenue (EUR)||Profit (EUR)||Number of|
Source: https://or.justice.cz/ias/ui/rejstrik | Source for exchange rate: Infor Euro
Crucially, the NCISA’s warning only applied to “administrators and operators of the critical information infrastructure communications systems” that are subject to the Cyber Security Act. That amounts to 160 state institutions and companies.
Those entities are obliged to carry out extra risk assessments and steps to manage any risks before introducing Huawei and ZTE technologies to their systems.
That is a far cry from a ban on the Chinese vendors’ hardware. The measure merely asks state institutions to do some extra homework before granting contracts to Huawei or ZTE.
As of late September, Huawei’s partner companies have won more than two dozen contracts from state institutions in 2019, worth over 1.5 million euros (40 million Czech crowns), according to tender records.
|Huawei partner company||Number of state contracts in 2019||Value of contracts (EUR)|
|Atos IT Solutions and Services, s.r.o.||1||8,823|
|M Computers s.r.o.||1||119,960|
|S&T CZ s. r. o.||1||9,558|
Like many other large IT companies, Huawei does not compete for state procurements directly. Instead, it relies on a network of partner companies that offer Huawei’s equipment and technical solutions to the state.
“The partner companies are typically much smaller firms that are better positioned to respond flexibly to the needs of their end customers,” Martin Vitek, a board member of one such partner company, Huatech a.s., told BIRN.
“This is a very common practice in the sector.”
Jan Sedlak, a Czech tech analyst and a China expert, said the reason why Huawei’s market position has not been badly hit by the warning has to do with cold, hard cash.
“Nearly all public procurements have price as the only criteria; whichever provider offers the lowest price for its services gets the contract,” he said. “This is something that Huawei is quite good at.”
Nearly all public procurements have price as the only criteria; whichever provider offers the lowest price for its services gets the contract.
– Tech analyst Jan Sedlak
Since the warning, there have been only three instances of Huawei not being allowed to bid for a state contract. In two of these, the tenders were eventually canceled altogether, to avoid legal disputes with Huawei.
Vitek from Huatech said such obstructions wasted time, hindered technological progress and resulted in a lack of transparency.
“There are some people who don’t like China/Huawei, and those people currently have the upper hand,” he said. “They use the NCISA’s warning to further their own interests.”
Not that Huatech — known as Huawei’s “gold partner” in the Czech Republic — has reason to complain about contracts this year.
According to an official registry of public procurements, Huatech had won 20 contracts in 2019 as of late September. Clients included the Czech police and Czech National TV.
“It’s hard to say whether this number is high or low compared to last year,” Vitek said. “It’s impossible to estimate how many contracts we would’ve got in the absence of the warning.”
Risks versus evidence
Whatever the impact on Huawei’s sales, tech expert Sedlak said the NCISA’s warning last December immediately boosted the Czech Republic’s political clout in the United States.
“It was because of the warning that Prime Minister Andrej Babis eventually received an invitation to the CIA and the White House,” Sedlak told BIRN.
However, the Czech cyber security watchdog denies any political motivations behind its decision.
“Our work is strictly apolitical,” the NCISA’s Holy said. “We are concerned with security matters only. Over a certain period of time, we have been systematically gathering pieces of the puzzle. Once it all came together, we issued the warning.”
Asked if the NCISA actually had hard evidence that Huawei is conducting espionage on behalf of the Chinese state, Holy shed light on the way the agency operates.
“In general, we’re not concerned primarily with evidence,” he said. “We focus on risks. Once we have enough information leading us to the conclusion that there are risks associated with certain technology, we are legally obliged to take certain steps.”
He added: “In this particular case, there was so much information coming to us that we had to issue the warning. We might or might not have evidence. This is something that, for a multitude of reasons, we don’t specify.”
Once we have enough information leading us to the conclusion that there are risks associated with certain technology, we are legally obliged to take certain steps.
– NCISA spokesman Radek Holy
This risk-based approach contrasts with the evidence-based approach favoured by other European countries including Germany and France.
The Czech cyber watchdog appears to have adopted a similar methodology for evaluating risks allegedly posed by Chinese tech companies as the United States, Australia or New Zealand.
Sedlak said that the NCISA was well plugged into the intelligence communities of the United States, Britain and Israel.
“The Czech Republic has three cyber attachés: in Tel Aviv, Washington and Brussels,” he said. “The country has a lot of useful connections in those cities and a good reputation.”
An anonymous source familiar with the decision-making processes behind Czech foreign policy said that the country tends to follow the US lead on key security matters.
But NCISA director Dusan Navratil rebuffs any suggestion that the agency is swayed by other actors. He says it always acts independently.
“Our job is not to just sit and wait for orders from elsewhere,” he said in an interview (in Czech) with online daily Novinky in February. “Neither the Kremlin nor Brussels can tell us what to do. Our job is to act in a sovereign manner to defend the Czech Republic in cyberspace.”
Navratil conceded that the NCISA’s approach to Huawei had made NATO and EU allies sit up and listen.
“While other states are looking for backdoors in Huawei equipment — something nearly impossible to prove — we chose a different approach,” he said.
“We defined what a threat in this context means. This made an impression on our allies; I think we have developed some sort of a blueprint for dealing with this problem.”
Whatever the motivation behind the agency’s warning, it created a buzz — and Prime Minister Babis, known for his populist instincts, was quick to capitalise on it.
Sniffing growing anti-Chinese sentiment in the country, he immediately threw his weight behind the NCISA.
Ordering his office to stop using Huawei mobile phones, Babis told the media he took warnings about the two Chinese companies “very seriously”.
A few days later, Babis met China’s ambassador in Prague, Zhang Jianmin. After the meeting, the Chinese embassy announced on Facebook that the prime minister had said the warnings did not represent the position of the Czech government.
In a reaction to the Facebook post, Babis told Czech Radio, a national public broadcaster, that he was “rather surprised” by the Chinese ambassador’s interpretation of events.
“I do not know what the ambassador is talking about,” he said. “His communication is … very unusual.”
After the Czech position on Huawei opened the doors for Babis to visit the White House, and made him the first Czech Prime Minister to ever receive an invitation to the CIA, in March this year, he continued promoting the Czech cyber security approach.
In May, Babis opened the Prague 5G Security Conference, inviting experts from around the world to develop common plans for 5G network security.
Although the conference did not produce any binding agreements, it temporarily put Babis and the Czech Republic at the center of the 5G debate in Europe.
The reaction to the warning at Prague Castle, where the Czech president has his office, could not be more different.
President Milos Zeman said it could cause China to retaliate, potentially putting Czech business in China in danger.
In 2018, China was the Czech Republic’s 17th-largest export partner, with Czech exports to the country valued at 2.2 billion euros, according to Trading Economics.
During an official visit to China in April, Zeman also said the West’s allegations of espionage against Huawei were not supported by evidence.
Zeman, who has called for referendums on Czech membership of the EU and NATO, has long been a supporter of Chinese investment in the Czech Republic.
“A few years ago, Zeman came up with the idea of making the Czech Republic a sort of an entrance point for China to Europe,” China expert Sedlak told BIRN.
“He was convinced that they would bring a lot of money here, which never really happened. This is the reason why he defends Huawei.”
While Zeman’s protestations may or may not have helped Huawei’s fortunes in the Czech Republic, affiliates of the firm say the fug of controversy has created an unwarranted stigma.
“Even if Huawei didn’t lose any market share for state contracts, the warning certainly widened the barrier between Huawei and its customers,” Vitek from Huatech said.
“There are many people who just don’t want to get embroiled in this whole controversy. They would rather avoid talking to Huawei to safeguard their reputations.”