“We need to ensure we only have trusted vendors inside the 5G network,” Mr. Strayer said. The key threat is the ability of a vendor to insert malicious code into software updates, he said.
“Looking at the source code cannot ever address this issue. Testing will never get all the potential vulnerabilities in the code. There needs to be an inherent trust relationship,” Mr. Strayer said.
Below is a full rush transcript of the press conference with Robert L. Strayer, Deputy Assistant Secretary for Cyber and International Communications and Information Policy, Bureau of Economic and Business Affairs, U.S. Department of State, USA.
DAS Strayer: I know I’ve spoken to many of you previously. So I want to dive into the substance of what we wanted to talk about, and that is that we are very pleased to see the EU’s coordinated risk assessment report that came out on October 9th.
It recognizes several important characteristics of 5G networks that I just wanted to briefly highlight. The first is that in the 5G networks, because of the expanded role of software and the increased ability of service providers and software vendors to influence the network, there’s really going to be an expanded cyberattack surface area in these networks that we need to protect against.
There’s going to be more and more computing moving from what has been traditionally called the core of the network to the edge, and that movement to the edge is necessary to empower low latency and higher levels of computing related to the massive new quantities of data that will be generated on 5G networks.
The report itself also notes in particular that lawful intercept functions, which are the ability for law enforcement to have access to conversations, are a particular area of potential vulnerability because if they are not properly managed, they could be misused for malicious actions.
That means that at the edge, the very edge where the base stations are, the towers are for cell networks, there – that’s where lawful intercept can happen or does happen in networks. So we really will see in 5G software driving those capabilities at the edge, and a vendor who undertakes malicious software updates or compromises that software could have access to conversations occurring at the edge of the networks.
What’s also very important about this report is it notes that we’re not just talking about the confidentiality or the protection from espionage of users’ communications, but we need to protect for the availability and integrity of the data. And the availability is so important because 5G networks will underpin all sorts of future critical infrastructure, as the report notes, related to healthcare, transportation, as well as the supply of electricity and water.
So one adversary that can undermine the integrity of the network or the availability of the network could well cause those critical infrastructure of the future that relies on 5G to be disrupted and the citizen services that are being supplied by it to be disrupted as well.
The report notes in particular, too, that there’s a major threat from state actors, or state-based actors. It talks about the need to address the ability of a government to – a third government outside the European Union to influence the vendors or service providers. And in particular, it recommends that the analysis of that vulnerability consider the link between the supplier and the government, as well as the third country’s legislation, and whether there are democratic checks and balances in place. It also says that the assessment should look at the ability for the third country to exercise any form of pressure, which, of course, could include the financing mechanisms that the government supplies to its companies.
So with all that in place, the next step, of course, is to have mitigation and security measures. In that regard, we think it’s very important to build off of this baseline that there be security measures that accurately and adequately assess and address the ability of a state actor to compromise a supplier or vendor of 5G technology. And it should address all four of those objective criteria that are mentioned in the report itself.
So it’s very important that the European Union now move forward with security measures that get at those four indicia of – roughly four indicia that show – that would go at the ability of a third government to influence the vendor of technology in a European country or in the United States for that matter. And we think that that’s really a way to talk about trust. Can you – does that security – does that technology vendor have a trust relationship with the telecom operator in the jurisdiction and with the country itself that is allowing the deployment of that technology? It’s really a sovereign decision for that country.
The other thing that’s important to note is that the risk of this 5G technology cannot be assessed solely through testing and evaluation of software or the hardware itself. Those are important steps, but the ability for a vendor to insert malicious code in the software operating the system, or what they call firmware, which is the software that operates components – hardware components – is so important that it be addressed, that it’s not just looking at the source code, which will never fully address those vulnerabilities, but requires that there be a trust relationship so that the vendor cannot be compromised by a foreign government and asked to take steps to undermine that software and firmware.
It’s also important to note that no company by itself can make attestations about whether or not it will be compromised, or use compromised software, or compromise the integrity or availability of a future network. That really requires, as this report notes, looking at the government where that vendor is headquartered. And in that regard, we’ve noted that there’s companies such as Huawei who are proposing that there be forums where they would attest to their ability to not compromise software, their willingness not to in order to gain business.
But that’s really a check that they can’t cash. It’s a false transparency that’s being offered up. It’s really transparency theater. There will be important discussions about the benefits of 5G in such a forum, but really, it’s having to look at whether there is an independent judiciary, whether there’s rule of law, whether there’s a rules-based system in place where that company is headquartered.
If it’s not the case that there is transparency, rule of law and an independent judiciary, then you can’t count on that company to make any of its attestations a reality. They will always be able to be compromised or pressured by the government because they can’t go to the independent judiciary, just as they can in – anywhere in Europe or in the United States. The companies – tech companies can always say that they don’t want to take an action because it’s not consistent with the rule of law. That is a fundamental question that must be answered, and it can’t be answered by the company itself.
Question: “Do you have any comments on the Romanian memorandum signed with the United States regarding 5G technology but that has – which has so far not been implemented, and the government and companies that say that 5G will be implemented in Romania in 2020?”
DAS Strayer: We’re very excited for the potential of working with Romania under the terms of this memorandum of understanding to make sure that Romania telecom operators and Romanian citizens get the full benefits of 5G technology.
There are three important principles related to trusted vendors in that MOU. Importantly, looking at the legal system where the vendor is headquartered, looking at the transparency of ownership, and the past history of practices of the company that’s seeking to be the vendor for 5G technology. So we think that that is the important factors of trust to ensure that the software and firmware does not have compromises injected by a foreign government, and those are – need to be complementary to any other security measures or testing that’s going to be put in place in countries like Romania.
Question: “What is the U.S. position on the risk assessment published by the European Commission on October 9th, which does not single out operators from a specific country and was welcomed by Huawei as an important step towards developing a common approach to cybersecurity and delivering safe networks for the 5G era?”
DAS Strayer: I would just reiterate my comments at the front end, saying we also positively see this report as highlighting a number of the principles that we’ve been highlighting for some time.
It’s very important to recognize that we in no way are asking for countries to adopt a ban against a particular country or against a particular company. And the – alternatively, what we’re asking for is that countries adopt security measures that are adequate to protect them and their citizens. In that regard, of course, as I mentioned a few minutes ago, it’s important not just to have security testing in place, but to actually have principles of trust that will get at the ability of a foreign government to influence the security vendor.
Those understandings of risk need to be carried forward in actual security measures that evaluate whether a particular vendor operates under something like the National Intelligence Law in China, where the company is forced to comply with the mandates of the intelligence and security services, and to do so in secret. And of course, in that case, the really other huge detrimental feature of it is that there is no independent judiciary or rule-of-law system to allow a company to object to that mandate that they have under law.
So we think those features of the risk analysis need to be followed through on and carried out with appropriate and strong security measures. Otherwise, just having some of the other vulnerabilities addressed and not these ones related to a third government, state-backed government, as it points out in the report, will result in there being huge vulnerabilities remaining in 5G security.
Question: I was wondering whether you could comment on the latest reports on the German approach to the 5G technology question, especially that the German Government obviously is trying to weaken its requirements when it comes to trust. The phrase of “trustworthy company” is no longer in its directive. And I was wondering whether you would – whether you could actually explain what would happen if a country like Germany or other European countries have a different approach to this than the U.S.
DAS Strayer: Thank you. Thank you for the question. We think – I’ll take the last part of it first, and that is we want to continue to have important information-sharing and intelligence-sharing relationships with governments like Germany. To do so, we need to ensure that we have only trusted vendors in 5G networks. So if there’s technology that’s untrusted deployed in their 5G networks, then we’ll have to reassess how we share information with countries like Germany.
It’s very important that when we talk about trusted vendors and trusted companies, that we actually get to those criteria that I mentioned earlier – that is, does that company have its headquarters in a country where there is rule of law and an independent judiciary in place? Does it have a transparent ownership structure? And does it have a history of ethical behavior? I would just note, with regard to Germany, that Huawei, for example, is under indictment, criminal indictment, in the United States for the theft of intellectual property from T-Mobile, and T-Mobile is actually a subsidiary of Deutsche Telekom.
So there’s a long track record of intellectual property theft by Huawei and of violations of corruption laws around the world. So I think those are questions that the company would need to answer for the country of Germany to make an assessment about its trustworthiness, and as well as explaining how it would have rule-of-law protections when there is no independent judiciary in place in China.
Question: Thank you for the opportunity for a question session. How does the U.S. evaluate the current state of 5G, especially in Portugal, compared to countries like Australia or something? Are we already at risk?
DAS Strayer: I think I got the question, so if I haven’t answered it, please let us know. We know that each country is going to develop its own set of protections and security mechanisms that have to be adapted to their particular legal systems and institutions. It’s very important that they, of course – the countries – adopt a legal framework that allows them to require that their telecom operators consider and evaluate national security as they’re deploying 5G networks.
We are relatively early in the stages of 5G deployment around the world. We’re seeing a number of trials in small commercial deployments. So there’s still time for a country to put in place appropriate legal mechanisms that will ensure their public and their critical infrastructure is secure.
Question: Basically, Germany published today the guidelines on security issues regarding vendors offering 5G network services, and there’s nothing there that could prevent Huawei from bidding. So I was just wondering about your reaction to that.
DAS Strayer: Yes. I haven’t had the opportunity to review the security measures that I believe were released just a short while ago. But I will say along the lines of what I said in my earlier answer, and that is, it’s important not just to have a number of security measures; those should be part of an initial kind of minimum threshold. But as a part of the entire minimum evaluation of security for vendors of 5G networks, it’s critical that there be a rule of law and independent judiciary in place to protect that company from the country that would seek potentially to use that company for intelligence or other national security purposes that would potentially be requiring that company to disrupt the critical infrastructure in our countries or, as this EU risk assessment report notes, have access to lawful intercept capabilities.
So it’s very important that there be something more than just testing. Testing will never get at all the potential vulnerabilities in the code that – the software that underlies components, which is called firmware, or the software that’s operating the systems. There needs to be inherently a trust relationship between the vendor and the telecom operator in the country in which that network will be deployed.
Question: The first is that could you maybe elaborate a bit more on, let’s say, if Germany did include Huawei in its infrastructure? How will the diminished intelligence-sharing look like? I mean, I remember the U.S. has made similar – I don’t know if the word “threat” is appropriate – to a number of countries. How will it look like?
Secondly, it’s not directly related to 5G, but I think it’s related to cybersecurity. Around one year ago Bloomberg Businessweek published a cover story, “The Big Hack,” which said Chinese companies inserted chips in Apple and Amazon servers. That’s caused a huge discussion, and it’s been a year. I don’t know if your department has any analysis back to that story.
DAS Strayer: Thanks for the question, the two-part question. On the first part, I don’t really have much to offer other than – because I don’t want to speculate on hypotheticals at this point. We are still seeing, I think, a process play out in Germany with regard to their security principles and how they will actually implement them, and we’ll see whether they actually adopt real measures of trust rather than ones that are insufficient. We need to have real ones that look at whether or not there’s an independent judiciary in place and the transparency and ethical practices of companies.
With regard to the Bloomberg story, I don’t want to comment on that specifically. But I will say that the United States and 14 other countries, including many European countries, attributed the largest probably commercial theft of intellectual property in modern history to the Ministry of State Security in China. It was known as the Cloud Hopper attacks. We made that joint attribution less than a year ago, in December, and that was a process where managed service providers and cloud providers were compromised by the government and then in coordination, of course, with a private company in China, and then they had access to major companies’ data in more than 12 countries around the world.
That data was then provided to competitors in China and used for their own commercial gain, which, of course, violated a number of agreements that – and that – that China had signed over the last few years saying that they would not use – not conduct industrial espionage through cyber means.
So we still have a – they have a track record here of the use by the state of private companies and others to compromise networks and get access to data in countries around the world. We don’t want 5G to be yet another vector for that kind of compromise, because China has clearly showed its intent to access data on individuals and to acquire intellectual property. And if they are able to influence vendors like Huawei, they will then have the capability to take advantage of the networks at any time.
Question: You’re talking more about having some safety procedures in place, et cetera, et cetera. And further than that, I’m also hearing you making a reasoned argument, and I think in the past the administration has indicated that it had technical analysis that would substantiate both the blacklisting of Huawei in the U.S. and why it’s urging its allies to do the same.
So has there been a change in tone in this regard? Do you have technical analysis from your experts? Have you shared this with your European partners beyond what you’re saying to us today, which is really political and legal analysis rather than technically substantiated?
DAS Strayer: Our messaging hasn’t changed on this. We’ve always had this point about the National Intelligence Law in China being the manifestation of the ability of the Chinese Communist Party and the government to require a vendor like Huawei to take specific steps. I think, if anything, the only reason that this conversation’s a little bit now is that the European Union has moved so far down the road of doing its risk assessment and of having this network information security cooperation group pull together the assessment and now start to look at specific measures that they will put in place.
We’ve always championed having particular security measures, acknowledging they may not be the ones that we would do, but they need to achieve the same sets of concerns related to the ability for someone to compromise software and firmware. So we’re really not making any different argument than we would – did before.
On how we’re talking with our partners, you know, we’ve had a global campaign for almost a year to start educating and being on the learning path together with the governments about the promise of 5G and also the potential vulnerabilities, many of which are explained in this EU risk assessment. And we, of course, are sharing some technical information about networks and technical information we’re not going to share publicly, but, you know, as we look to the future, we think the real headlines are the ones that we’ve been talking about, which is the ability for a government to assert leverage over a company. The other public things we’ve talked about before were the re-routing of internet traffic through China, and that’s been done over the course of a decade because of China Telecom’s interconnections in the United States, so as well as the numerous intrusions and theft of – rampant theft of intellectual property that’s occurred, which show clear intent to take advantage of technical capabilities when they are presented to the government.
Question: I would just like to press you more on the sincerity of this claim of potentially cutting intelligence service – sharing with the Germans should the country go ahead and implement Huawei into their 5G networks. I would like to know – I mean, because this is by no means a new message. And I would like to know exactly how you would cut these forms of intelligence sharing and whether you have actually had discussions with senior German Government officials about this possibility.
And secondly, just going back to the point about not sharing technical details on the espionage claims with regards to Huawei publicly, how exactly can you justify not sharing these technical details publicly? Because obviously, in light of the heavy campaigning against Huawei, as journalists, we often need a bit more hard data to go on rather than just spin.
DAS Strayer: I will first say that I don’t think anything I’ve said is spin. It’s actually well-thought-out policy analysis by the United States Government. But I take your point that there’s always a need and a desire to see more information. There’s just, unfortunately, a limitation on our ability to share information, but we’ve tried to be as transparent as possible about our thinking along the path of 5G.
And, you know, we know that it’s ultimately the sovereign decisions of the member-states of the European Union, as well as of the European Union Commission, and we’re in there talking to them all the time and sharing what we do know and how we’re thinking about how we’re going to secure our collective future. I really can’t offer anything more on the reassessment that would have to occur if 5G is being supplied by an untrusted vendor. As you may know, in Germany, our ambassador had sent a letter to the German Government many months ago alerting them to this possibility, and those discussions have continued with the Germans.