Spain Just Outsourced Its Wiretap Servers To Huawei. Do TPRM Metrics Need To Change?

Corporate Risk Leaders
Blog
06 Aug, 2025

In early July, Huawei – the Chinese technology giant – won a €12.5-million contract to store data retrieved by wiretap technology used by Spain’s judiciary and intelligence services. In a statement, the Spanish government quickly claimed that no risks – cyber or otherwise – would result from the agreement. Leaving aside the question of whether Huawei’s presence in Spain is problematic in itself, the deal has forced Madrid to confront the EU’s own third-party risk metrics head-on: having been referred to as a ‘high-risk’ supplier in 2020, the bloc’s image of Huawei exposes the fundamental dichotomy between two schools of risk thought. Ultimately, the issue is forcing both sides to grapple with the question of whether a mega-third party can move beyond the pre-defined metrics for TPRM – and the extent to which this can be reconciled with wider risk management ecosystems.

The cornerstone of Brussels’ risk assessment concerns whether Huawei remains bound by China’s 2017 national intelligence legislation, which would theoretically compel the firm to share data with the Chinese Communist Party (CCP) upon request. The likelihood of this prospect can be debated at length. Nevertheless, Huawei embodies an alternative, post-modern type of organization – one that is intimately aligned with and embedded within the party state throughout its anatomy. Faced with the intricacies of such state entanglement, current TPRM metrics tend to spit out a myriad of uncharacteristically non-critical red flags, offering little substance beyond a wall of ‘high risk’. This structural inability to properly analyse an entity such as Huawei is neither helpful nor sustainable. Extrapolated beyond 2050, the implications of continuing to black-box threats from foreign hybrid giants will be dire.

As the geopolitical fault lines that give rise to state-aligned firms deepen, third-party assessments that fail or refuse to critically engage with the growing number of hybrid organizations will fall into obsolescence. Moreover, fragmentation between the use of old risk structures and qualitative assessments of entanglement will plague TPRM systems. To properly interrogate distinct emerging forms of corporate governance, third-party risk metrics must expand by:

  • Acknowledging dual logic: TPRM frameworks must embed increased geopolitical literacy into their models by performing deeper analysis of the dual logic through which organizations such as Huawei or ZTE operate. This dual logic, it appears, entails the simultaneous pursuit of commercial and state imperatives; rather than relying solely on indicators such as ownership or location, metrics must also assess the range of implicit dependencies stemming from an opaque governance culture.
  • Enhancing spectrum-based risk classifications: tiered, spectrum-based risk scales that can display and compare varying levels of state alignment and operational autonomy provide a better grounding for mitigation strategies that are both targeted and adaptable.
  • Integrating behavioural and relational indicators: by factoring in indicators such as patterns of cooperation, historical compliance trends and corporate-state policy synchronizations, the behaviour of state-aligned organizations can be analysed rather than presumed. In terms of cross-regional operations, this allows for the identification of behavioural divergences quickly and efficiently.

Hybrid giants are not going away. In fact, they are likely to grow as states explore alternative systems of corporate governance in a rapidly changing world. When it comes to TPRM, expansion of the metrics of analysis does not relinquish control. Rather, control will be surrendered through the shutting out of these entities.


About The Author

Tom Murphy

Analyst