The United Kingdom buys technology products from China, as does everyone else. It is realistic to expect China to try to establish as much intelligence (and military) superiority over the UK and others as possible. It is technically possible for China to use vulnerabilities in products and services originating in China to achieve that goal. Hence, the UK and others face a kind of security dilemma. To be clear, China faces a symmetrical security dilemma with respect to technology originating outside of China. What are the possible policy responses?
One popular policy narrative is that a new China-West “cold war” over technology is inevitable (or even desirable) and that countries like the UK should move fast to “decouple” their supply chains from China. One policy option in that direction could be a ban on infrastructure-grade products and services, e.g., from Huawei. The costs of adopting this direction comprehensively are potentially immense, and not only in terms of giving up the obvious benefits of trade and research exchange. The “decoupling” narrative tends not to take seriously enough the cost of losing the security benefits of mutual economic and research interdependence (in a simplified slogan: war with your trade partners is very costly).
What other solutions are there? The policy that the UK seems to have adopted so far is a superior alternative. From publicly available information, it appears that in the case of Huawei the UK government adopted an evidence-based risk management policy, informed by a unique audit arrangement with Huawei (the Huawei Cyber Security Evaluation Centre). To scale this up for other manufacturers (and perhaps for bigger markets like the EU), the solution could involve making market access conditional on continuous compliance with measurable, realistically achievable security criteria (which should take into account, among other things, the risk mitigation measures that users can implement cost-effectively). This could be implemented using the cybersecurity certification scheme mandated by the new EU Cybersecurity Act.