Squeezed between geopolitics and wary of Chinese espionage threats, the Baltic countries look to Brussels for guidance on what to do with Huawei and their 5G networks. In the second installment of a three-part series, journalists from Re:Baltica, Verslo Žinios and Postimees take a deep dive into the battle unfolding for 5G domination in the Baltics.
In late 2013, an official at the Estonian Ministry of Foreign Affairs opened an intriguing attachment to an email. At that moment, his computer was taken over by what is believed to be a Chinese state-backed hacker group, looking for the specific crypto-keys which Estonian diplomats use to communicate with their European Union (EU) partners.
Estonian authorities detected the incident more than a month later, in early 2014. The official stance is that while the Chinese hackers had successfully penetrated the system, they did not find what they were looking for. Estonians attribute the attack to the Ke3Chang campaign, which targeted European foreign ministries from 2010 but was most active in 2013-2014. The phishing emails promised either naked photos of Carla Bruni, a model and the wife of a former French president, or information on US military plans in Syria.
The security of critical infrastructure, including cyberspace, is mentioned as one of the problematic areas in a policy paper dealing with the EU-China strategic partnership. Baltic diplomatic and security sources confirm that Chinese intelligence activity is increasing in the Baltic countries, and Beijing’s main interests here are EU and NATO affairs.
Hampered by a lack of technological expertise and pressure from key defense ally the United States, the Balts are facing their first big tech decision in the battle of the superpowers: whether to allow the Chinese telecom Huawei to participate in building the next generation (5G) communication networks. The decision seems to be going in the direction of an indirect “no”.
New Opportunities, New Challenges
A 5G network will connect billions of objects and systems and carry much bigger amounts of data at a faster speed. The vulnerability of 5G networks will be especially critical, as the speed and the amount of data in 5G will make the network difficult to defend against “tapping”, or clandestine spying and interference by potentially hostile powers.
“It will not be just the communication. With the Internet of Things, everything will be connected. It could be very easy to cause panic in the society. What if someone takes down all the ATMs and card payment systems? A nation would be on its knees in two days,” says Margus Noormaa, the head of the Estonian Information System Authority.
“Probably the Chinese don’t currently have the capacity to monitor all the traffic that would go through 5G networks. But if you get your technology into the networks when the networks are being built, you will be in there for a very long time.”
Huawei Technologies is the world’s largest maker of telecoms equipment, which has come under fire in recent years following allegations that its equipment may enable spying by the Chinese government. This has, in turn, sparked growing security concerns worldwide, and countries such as the United States and Australia have banned Huawei from access to their 5G networks.
Estonia is set to become the first Baltic country to effectively ban Huawei technology from participating in building its 5G network, three unrelated sources confirmed to Postimees/Re:Baltica.
Tallinn made the principal decision in early July. In September, a task group created to analyse the issue will publish its recommendations, to be followed by the government’s decree. “The decree will probably be very general in wording, and it will not mention China or Huawei,” said a source with knowledge of the matter. Instead, it may demand that the technology to be used in 5G networks be certifiably safe.
“Our main concern is that we don’t have the capability to independently evaluate technology. That means we need to rely on the judgments of the US and other Western allies to say if Huawei is safe or not,” said Noormaa. While Huawei technology is cheaper and often better than that of its main competitors, in his words, “decisions about China are made in Estonia according to what our partners in Europe and America are doing.”
The other Baltic nations – Latvia and Lithuania – are unwilling to take a bold public stance about Huawei access to building 5G networks. “5G is a control system, not only a communications system, and if the systems are incompatible, we would have problems,” Raimundas Karoblis, Lithuanian minister of defence, said in June.
Lithuania’s Ministry of Defence has confirmed that Chinese technology will not be included in militarily sensitive installations. In its 5G network threat assessment, submitted to Brussels, Lithuania suggests that a blacklist of unreliable companies should be compiled. It also advocates for implementation of certification procedures and setting security requirements in auctions for 5G frequency bands.
Huawei Technologies Vilnius did not reply to questions in time for publication.
In Latvia, the Ministry of Transport, which is in charge of telecommunications, told Re:Baltica that so far it hadn’t seen evidence of Huawei having used its technologies in a malicious way, but noted the issue will be discussed at the EU level.
The Latvian solution may end up looking similar to Estonia’s, and others are poised to follow suit. The European Commission is considering amending a 2016 cybersecurity law which requires businesses involved in critical infrastructure to take appropriate security measures. “By amending the definition of critical infrastructure to also include so-called fifth generation mobile networks, the law would effectively prevent EU businesses from using such equipment provided by any country or company suspected of using its equipment for spying or sabotage,” Reuters reported.
Despite saying little in public, Latvian security services have been wary of Chinese technologies for years, and not just because of 5G. In 2010, when Latvian President Valdis Zatlers was visiting China, he was given a Huawei video conference system as a present. “To use it in state institutions would not be the wisest idea,” he recalls the reaction of Latvian secret service which is responsible for counterintelligence. He passed the gift on to two hospitals in Rīga and Liepāja, allowing doctors to consult faster with each other. “Me and Chinese ambassador attended the first call, all was functioning well,” he said.
Huawei may still have some leverage in the Baltics as Bite Latvia, one of Latvia’s mobile operators, has a direct agreement with the Chinese company to cooperate on building 5G. The agreement was concluded in 2016, and Bite reaffirmed it in 2018. Bite insists it has not seen security risks in Huawei production and says it will not terminate the deal.
Recently, it was also announced that Bite would team up with Tele2 to build, own and operate mobile networks, including future build-out of 5G network in Latvia and Lithuania.
To advocate for the safety of Huawei technology, the company’s vice-president of cybersecurity affairs, Mika Lauhde, visited Riga in February 2019. He completed an extensive media tour and, according to a company representative, met with government officials who the company declined to name. Representatives from the ministries of Transport, Defence and Interior, as well as the prime minister’s office, told Re:Baltica they had not met with Lauhde.
To build next-generation mobile communication networks, telecoms need access to 5G frequency bands which are auctioned by the state. So far, only Latvia has held these auctions, where mobile operators LMT and Tele2 bought the necessary bandwidth. Both companies started testing their 5G base stations this summer, while the full rollout of the technology is expected in the next few years.
In Estonia, a public auction of 5G has been stalled for months in a court row over the competition. The verdict regarding how many licenses should be put on auction is expected on Sept. 20, 2019. Only after the court decision will the state be able to proceed with the auction, following which mobile operators will be able to start building the 5G networks.
A similar auction has twice been delayed in Lithuania, and is now expected at the beginning of 2020. That doesn’t mean, though, that things aren’t moving. Telia, one of the three mobile operators in Lithuania, controls the country’s broadband network and is listed as a company important for national security. It has performed test runs for its two 5G cell towers. The company is waiting for the legislative and regulatory framework to be established.
The Chinese state-owned CITIC Telecom CPC bought the Linx Telecommunication in 2017. Along with the Amsterdam-based telecom CITIC also acquired its Estonian subsidiary. This means that the Chinese state owned company now owns some of the undersea internet cables connecting Estonia, Finland and Sweden as well as the routers and switches in the ends of the cables.
Estonia holds tenders for its foreign internet connections every two or three years. In order to diversify reliability and security risks, it always picks two companies to provide the service. Currently, it doesn’t buy the service from the Chinese-owned CITIC. But the Estonian Defence Forces have a separate contract and three quarters of their traffic out of Estonia goes through CITIC cables.
“One really needs to trust the service provider and the producer of the technology on the edges of the cables. They both can do harm,” said Tõnu Tammer, the head of Estonian CERT (Computer Emergency Response Team) at the Estonian Information System Authority.
Tammer pointed to the Chinese negative track-record in this field. “They have the capability to do it. They have history in doing it. And they have the 2017 intelligence law that obliges Chinese companies to cooperate with the state’s intelligence services. These are three ill-sounding preconditions.”
At the same time he acknowledged that if the data moving through the cables is strongly protected, the threat shouldn’t be exaggerated. “The operator of the cable can still make copies of your data and forward it anywhere without your knowledge, but if they don’t know how to read it, there isn’t much they can do with the data.”
Private Sector Targets
“Phishing attempts are an everyday issue for us,” said Taavi Madiberk, co-founder of Skeleton Technologies, an Estonian company which is one of the world’s leading innovators in energy storage. Skeleton has invested a lot into cyber security, but it is not the phishing emails that most concern Madiberk.
“We had an incident at our plant in Germany where a suited-up Chinese delegation demanded access to the factory alleging that they had such an arrangement with the managing board of our company,” said Madiberk. On other occasions, representatives of Chinese companies have followed Skeleton employees in conferences and allegedly even tried to secretly record the employees’ private conversations.
The exact scope of economic espionage in Estonia originating from China is unclear, as companies don’t need to report the incidents. But there have been several.
Arno Kütt, the CEO and founder of Cleveron, a company that creates robotics-based parcel terminals, said that the Chinese Hangzhou Dongcheng Electronic company stole one of their designs and had it patented in China. They even copied the promotion video from Cleveron.
“Our lawyers said we had a 90 percent chance to win in court, but we had to accept a defeat in the first round,” said Kütt. He believed that as Cleveron mostly operates in the US, the reason for the loss was the trade war between US and China. “It’s about politics.”
Kütt said that the Chinese company had offered to grant Cleveron the right to sell their robots in China, but in return Cleveron was asked to hand China the European and American patents. “Of course, we didn’t agree.”
Warnings, but no spies
Both of Estonia’s secret services have recently issued public warnings about Chinese intelligence recruitment attempts ,which are increasingly common. According to counterintelligence agency KAPO, public officials and professionals are approached on the Internet, seeking to attract them with lucrative job offers and paid foreign trips. “KAPO has reason to believe that Chinese special services are behind most such offers, and being paid to compile an apparently innocent summary or analysis may lead to a deeper collaborative relationship involving requests or demands to pass on state secrets or other confidential information.”
However, none of the Baltic countries has yet caught and tried a local Chinese spy.
Estonia’s Foreign Intelligence Service said in its latest threat assessment that China has become more active in influence operations and propaganda, establishing contacts and intensifying communication with politicians and government officials in other countries. It said China is also strengthening social and academic ties and promoting collaborative projects between European and Chinese think tanks. “These developments are evident in Europe, including Estonia. Contacts established through positive engagement may later develop into closer cooperation and ultimately lead to recruitment attempts by special services.”
Chinese intelligence makes overt moves once a target visits China. That’s where all of the recruitment attempts are made. “If the target makes a mistake, he or she is fast approached [by the services]. If you don’t make a mistake, they will invite you there for a second time,” a source described the recruitment methods to Postimees/Re:Baltica.
The rule for Estonia’s top politicians and state officials, when visiting China, is to always have two separate phones, with one phone reserved for personal matters. The communication should only be held over more secure channels, such as Signal app or FaceTime.
Members of delegations are strongly urged not to bring personal phones and laptops that contain access to sensitive data. Last September, when Estonian President Kersti Kaljulaid was on a state visit to China, a member of her delegation ignored that request. In Beijing, his laptop crashed beyond repair. It is still unclear why this happened. China’s embassy in Estonia, which was approached for a comment for these series, did not reply to the questions.
As the Huawei drama between the US and China was unfolding, Lithuanian Prime Minister Saulius Skvernelis met with the US ambassador in March 2019. While the content of the meeting officially remained sealed, Reuters reported that during the meeting the US ambassador called for action against Huawei, “saying the company’s 5G equipment could create a vulnerability for allied troops”.
Lithuania and the other two Baltic countries rely heavily on US military support for their defence.
A week later, Lithuania’s prime minister met with the Chinese ambassador to Lithuania.
“China is undoubtedly our most important trading partner in Asia. Cooperation between Lithuania and China in the field of agriculture is very important, we value this country as one of our priority markets for Lithuanian food industry. We hope that in the near future we can increase Lithuanian exports to China, especially wheat,” Skvernelis said after the meeting.
He admitted that Chinese ambassador raised questions about Huawei, but said the issue belonged at the EU level.
The meeting took place after Lithuanian security services had issued their first public warnings about Chinese espionage. After the publication of the report, the Chinese embassy in Vilnius expressed “shock and surprise” and said China poses no security risk to Lithuania. “The report about the so-called “China intelligence threat” is very unprofessional, not objective and irresponsible,” the statement said.
This is the second installment in a three-part series by the Latvia-based investigative center, Re:Baltica, Verslo Žinios in Lithuania, and Postimees in Estonia.
Part I: The rough face of China’s soft power in the Baltics – Investigation