A US official has repeated his country’s threats against its allies over Huawei – stating that the US’s goal is a process that leads “inevitably to the banning” of the Chinese company’s products.
“We have encouraged countries to adopt risk-based security frameworks,” said Robert Strayer, speaking on a call with the world’s press on Wednesday, expressing the hope that such frameworks would “lead inevitably” to bans on Huawei.
Strayer, who is the American foreign ministry’s deputy assistant secretary for Cyber and International Communications and Information Policy, told journalists that his country may withdraw some co-operations with its allies on security matters if they install Huawei equipment on internet and phone networks.
Below is a full rush transcript of the press conference by Ambassador Robert L. Strayer, Deputy Assistant Secretary for Cyber and International Communications and Information Policy , BUREAU OF ECONOMIC AND BUSINESS AFFAIRS.
MR STRAYER: The United States wants to maintain a secure cyberspace for future generations. We and our partners recognize that cyber policy issues are critical to not just protecting communications networks, but also to national security, human rights, and economic prosperity around the world. Because of its impact on these vital interests, cyber policy is a foreign policy priority for the United States. The security of information communications technologies, or ICTs, is an essential element of national security. These networks and services play a crucial role in the safety, security, and prosperity of each nation. The fifth generation of wireless technology, or 5G, will be transformative by providing consumers and businesses with up to 100 times faster connections than 4G networks provide, and with low latency, which is the time devices need to communicate with one another. Billions of new devices will become connected to the internet, enabling the internet of things. And these connections will empower a vast array of new critical services, from artificial intelligence to autonomous vehicles to telemedicine and automated manufacturing.
Since 5G networks will begin to touch every aspect of our lives, the stakes could not be higher for its security. As countries around the world expand and update their ICT infrastructure, we are urging them to adopt a risk-based security framework. An important element of this is a careful evaluation of the supply chain and equipment vendors. In particular, this evaluation should result in the exclusions of equipment vendors that are subject to unchecked or extrajudicial control by a foreign power. These vendors could be ordered to undermine network security, to skim personal information, conduct espionage, distribute cyber attacks, and disrupt critical infrastructure.
A significant cause for concern are a number of Chinese laws that compel their companies to cooperate with intelligence and security services without independent judicial controls. Responding to this risk, the United States enacted the National Defense Authorization Act last year, which prohibits the U.S. Government from using equipment or services from certain high-risk companies that are associated with, owned, or controlled by China. And no major U.S. wireless carrier plans to use Huawei or ZTE equipment in the buildout of its 5G network.
The good news is that many other countries are also acknowledging this supply chain risk and strengthening their ITC security. And last month, the European Union Commission released a set of recommendations to improve the cyber security of 5G networks, noting that evaluations of equipment suppliers should include the risk of influence by a third country, notably in relation to its model of governance. These criteria must be rigorously applied.
Moving forward in early May, the Czech Republic is hosting an important conference on 5G security that is attracting scores of countries. The United States welcomes their leadership and supports this initiative to create nonbinding principles on 5G network security that will drive global conversations on this issue. At the same time, many countries are not yet focused on 5G, but it’s not premature for countries primarily using 2G and 3G networks to consider their strategies for ensuring future network security now. Decisions about who builds and how you secure 4G infrastructure are crucial because they will affect the security of future 5G networks.
With that, I would be happy to answer your questions.
Question: What are the risks and opportunities for cyber security in the 5G era? What is the speed and timeline of 5G expansion? What is the role of new technologies like pseudo-satellite, e.g. Softbank and Loon?
MR STRAYER: So a number of new technologies will be built upon the 5G infrastructure. They will be empowered by the internet of things, they will be empowered by the very low latency and very high – up to 100 times what is current throughput on the networks. So we’re going to see all kinds of not just new communications, but the ability for all kinds of critical infrastructure to ride over that infrastructure itself. So there’s tremendous amount of economic growth that will occur in all the applications that ride on top of the actual infrastructure itself. So unlike the 4G networks of today, where they’re relied on primarily for communications and the use of our smart devices, handheld smartphones, new types of direct machine communications will occur.
Question: How does the U.S. view the UK’s reported decision to allow Huawei to build parts of its 5G network? And what do you want to achieve at the 5G conference in Prague?
MR STRAYER: Well, first I would note that the United Kingdom has not announced a final decision. Like all of us, they’re on a path of having continued conversations about security of 5G networks. I’d also point out that the United Kingdom, through their Huawei oversight board report, noted there were hundreds of vulnerabilities, including systemic engineering problems with Huawei technologies. So we’re looking forward to continuing the conversations with them, and with a number of other countries at the Czech Republic-hosted conference that will occur later this week in Prague that will help define some nonbinding principles that all of us can apply to improving the security of our 5G networks, including with respect to the supply chain of the vendors.
Question: Recently, you indicated that use of Huawei anywhere in a nation’s 5G infrastructure would harm cooperation between that nation and the U.S. Britain will use Huawei equipment in parts of its 5G infrastructure. Will cooperation between the U.S. and the UK be hindered?
MR STRAYER: It’s premature to address that exact part of the question, but I will say this: As our economies become more interconnected, including our digital economies, more data transmits between the United States and Europe than any other part of the world, which of course includes the United Kingdom, we know that a disruption to services or a disruption to the ability to store or access information that transmits between those routes across the Atlantic will impact all of us. So indeed, it’s not just about the sharing of intelligence or the cooperation on information sharing, it’s about all the services that we’re providing across the Atlantic today that could be disrupted. And it’s not just the disruption, but as well as the intrusion of – insertion of cyber vulnerabilities or the use of the networks for espionage.
Question: What is the government’s planned course of action for the now likely case that European allies such as Germany allow Huawei to build their 5G networks, in some detail if possible?
MR STRAYER: Well, it’s premature to assess that. I mean, we have said that if the risk to – if other countries insert and allow untrusted vendors to build out and become the vendors for their 5G networks, we will have to reassess the ability for us to share information and be interconnected with them in the ways that we are today. Exactly how that will be done will depend on the risk of the equipment that’s put into the new networks.
Question: Can you please give us a sense, what is the strategy in alerting nations in Southeast Asia and Africa where Huawei is very popular?
MR STRAYER: All right. So a year ago nobody was talking about the supply chain risks related to 5G networks, and there was a limited discussion related to 4G and 3G networks on the importance of supply chain security. So we’ve continued to have discussions with governments around the globe about supply chain security and its importance for all types of telecommunications networks, both the current generations of telecom networks as well as future generations. So we’re going to continue to engage with those governments. We’re going to share our views and our understandings about what are the avenues, and what is really going to be an enhanced attack surface in 5G because of the ability for much more software that will drive the networks and build a – for a potential adversary to compromise that software in any part of the networks.
Furthermore, we’re talking to countries about the shared values that we have, our shared values related to fundamental human rights and civil liberties. We want to talk about the importance of enabling the sharing of data in ways that are not going to be compromised that could result in authoritarian governments getting access to data and potentially compromising peoples’ ability to have free expression, to peacefully assemble, or to exercise freedom of religion. We have, of course, seen that in China in recent years and we’re very concerned about the ability of a government to compel telecommunications providers to provide that type of data to a government that has that track record.
Question: Do you believe that allowing Huawei to help build Britain’s or any country’s 5G telecoms network will risk national security even if it only applies to non-core parts of the network?
MR STRAYER: It’s the United States position that putting Huawei or other untrustworthy vendors in any part of the 5G telecommunications network is a risk. We are concerned that even at the edge of that network, where we’re going to see increasingly what they’re calling software-defined networks and the virtualization, the software virtualization of activities as part of the network that are done more today by hardware than software, but as they’re increasingly done by software there’s that increased attack surface. Having potentially compromised equipment and software provided by vendors in any part of that network is an unacceptable risk.
Question: Do you consider the distinction between core and radio networks a sensible approach to managing 5G security?
MR STRAYER: It is our position in the United States that there is no way that we can effectively mitigate the risk to having an untrustworthy vendor in the edge of the network.
Question: Is there anything that the U.S. Government and/or its allies could do to help Huawei’s rivals in America and Europe to become more competitive, or to shield them from potential retributions on the Chinese market?
MR STRAYER: I need to be clear here. The effort that we’re undertaking around the world, our global diplomatic effort, has nothing to do with trade. It’s 100 percent about national security interests. The conversations we’re having are about national security. That said, it’s also important to point out that there is no U.S. provider for the wireless radio networks, so we’re not advancing a U.S. interest here. The primary competition to the Chinese are a Finnish company, a Swedish company, and a South Korean company.
Question: How will the U.S. approach to the military cooperation and intelligence sharing with nations which use Huawei in some aspects of their 5G networks – for example, allies like the Philippines and Thailand – within the U.S.’s historically conducted military exercises, how will that change if those are both going ahead with Huawei 5G tests?
MR STRAYER: Well, certainly we want to have the opportunity to continue to have engagement with those governments about the future buildout of the 5G networks. They’re in 4G – have 4G networks they – like all of us do – that are – they’re now just starting to build out 5G networks. So we hope to convince them that in their 5G networks they should not have untrustworthy vendors in the network. That said, if there is an insertion of an untrustworthy vendor into a network, we’re going to have to evaluate our ability to share information and how we would share that information.
Question: Despite U.S. pressure, Germany refuses to exclude Huawei’s 5G technology. How is this step seen by you? And is there a risk that Germany will lose access to intelligence sharing?
MR STRAYER: So on the positive note, Germany has released a set of security standards related to 5G, which include looking at the ability for another country to undermine the data security laws in Germany and in the European Union. Acknowledging that general standard, though, the actual implementation that would occur down the road is very important. It’s crucial that that be – that particular element related to the supply chain and the ability of a third country to compel its vendors to act in the interests of that – of an authoritarian country be considered. If that is actually applied in a rigorous way, then it should lead to the prohibition of Huawei and ZTE from networks in Germany and around the world.
Question: Do Ericsson and Nokia have enough capacity to build the U.S. 5G network?
MR STRAYER: Well, in our wireless carriers’ view – I’m here representing the U.S. Government, of course. I cannot comment exactly on their internal supply chain issues. But my understanding is that our carriers have no concern about the ability for Ericsson, Nokia, and Samsung to supply their networks. Of course, they have said that they’re not going to use Huawei or ZTE technology in their 5G networks.
I think it’s also important to recognize that when we talk about 5G, there’s an entire ecosystem of component parts that will go into that well beyond just the wireless radio interface. There will be all kinds of networking and rallying that go on. There are American companies and companies around the world that supply that, including Cisco and Juniper. There’s also going to be a very big importance too as we see more and more of the network virtualized – that is, software taking over the role that was previously performed by hardware. There’ll be more data storage in effectively what is the cloud, a cloud environment. So there’s many companies providing cloud infrastructure for that 5G ecosystem.
Question: Can you elaborate on how the U.S. is defining, quote-unquote, ‘sensitive networks’ for 5G infrastructure? And is that definition different from the UK’s current definition?
MR STRAYER: Well, I don’t really want to get into how we would define what are more sensitive networks and less sensitive networks. I would just revert back to the point I was making earlier, which is that in our view, because of the interconnectedness and the dramatic changes we’re going to see in what 5G enables, that underlying infrastructure affecting the entire value stack of applications above it, that there are truly critical services that will be provided that we cannot see undermined in any part of a 5G network. We should be concerned about all parts of the 5G network going forward. And so therefore, no part of a 5G network should have parts or software coming from a vendor that could be under the control of an authoritarian government.
Question: Huawei and the Chinese Government have repeatedly denied U.S. allegations that Huawei equipment poses a security risk, claiming that the U.S. has not offered any concrete evidence. What is your strategy in countering those claims?
MR STRAYER: Well, I think it’s important to recognize that there’s been a number of allegations that Huawei and ZTE over the years have been involved in intellectual property theft. In fact, there’s currently an indictment against Huawei in the United States for the theft of intellectual property from T-Mobile, and that indictment notes that there was a campaign within the company to provide bonuses to employees who stole intellectual property.
It’s also important to recognize that it’s not just the intellectual property theft. It’s the ability for the government under their national intelligence law to compel that company to act in any way that is in the interests of the Chinese Communist Party. So in the future, they could be asked to do things they’re not asked to do today. The way we look at it is there is a combination of intent, capabilities, and opportunity. With regard to intent, we’ve seen that China has a history of intellectual property theft that has occurred over the years that resulted in a statement in the Rose Garden in 2015 with President Obama that it was not lived up to.
We noted last December, on December 20th, that China was behind the global hacking of what are called managed service providers, including global cloud providers around the world. And what China did is they used that data that it stole from some of the biggest companies around the world to provide to its own companies for their economic benefit. So we know there’s a history of intellectual property theft.
We also know there’s a use of data in China that’s contrary to the values that we have in the West. We’ve seen data used to assign social credit scores to then conduct surveillance against citizens, and then to use that information to put more than a million Uighurs into re-education camps. So those uses of data are completely contrary to the West’s view, so we know there’s an intent to use data in different ways than we would ever want to see used under our views about fundamental human rights.
Secondly, we come to the capabilities. With regard to capabilities, we know there’s the national intelligence law in China, the counterterrorism law, and then a number of other laws that come together to provide the Chinese Government complete control over their private sector and state-owned companies.
And then lastly, opportunity. As I mentioned before, the attack surface in a 5G network is greatly expanded. Some have asked, “Where is the smoking gun?” Well, it’s hardly appropriate to ask for the smoking gun evidence when we don’t even have 5G networks built out yet, we don’t have a history of 5G, and the – especially as U.S. cases get built out to provide massive amounts of new data, the temptation will be there to come after that data and use it for illicit purposes.
So that all combined – the intent, the capabilities, and the opportunity – what we really have here is a loaded gun, is something that Western democracies who value human rights should think very carefully about if they want to give that to an authoritarian regime with very different values about the uses of data.
Question: Was the EU commission’s decision to ask member-states to carry out a risk assessment of the security risks posed by 5G technology rather than to ban Huawei sufficient from a U.S. point of view? And what should Ireland, which is currently undertaking such an assessment, consider as part of that exercise?
MR STRAYER: We think that the European Commission’s recommendation to conduct assessments by the end of June and then come up with a European-wide policy is a positive first step. Of course, it’s very important that this analysis, this evaluation, be done in a very rigorous way, particularly as it relates to the supply chain. As I mentioned earlier, the European Union’s recommendation is set to consider the governance of third countries where vendors are located. So it’s very important to look at the laws in that country, the legal regime, the ability for companies there to seek independent judicial redress, to object if they are compelled to do something by the government. That, of course, does not exist in China. There is not an independent judiciary and there is an inability for companies to say that they do not want to comply with Chinese Communist Party direction. So with that in mind, we are hopeful that countries in Europe apply that type of framework and evaluation as they think about what kind of vendors they want in their 5G networks.
So as I said, the European Commission’s recommendations highlighting security related to 5G and including the fact that supply chain security is important is a positive first step, but it’s going to be – the truth, the sort of – it will be borne out in how the – those standards and those evaluations are done in the months ahead. So we’re in a very critical time for discussions with the European Union in the next few months.
Question: Can operators maintain a multi-vendor policy to manage their cyber security risks without having access to Chinese vendors?
MR STRAYER: Certainly. I think that question probably refers to who’s managing the networks themselves. There’s a number – a wide number of Western companies providing cybersecurity threat intelligence and cybersecurity management tools. If you just go to the RSA cyber conference, there’s tens of thousands of companies that are there. There’s no reason that one would have to necessarily turn to a Chinese company.
Question: Has the U.S. approach to 5G shifted away from Huawei and towards calling for increased security standards across the board? If so, why the shift?
MR STRAYER: There has not been a shift. Our entire diplomatic effort has always started with the premise that we need a risk-based security framework that includes looking very carefully at the supply chain. We think that an evaluation of the supply chain for a risk-based approach – that includes looking at the insertion of intentional vulnerabilities – must require – requires someone to look at the countries where those vendors are located and the laws of those countries, particularly as it relates to authoritarian regimes, their ability to compel companies to act in that country’s interest.
So we’ve started from that general framework and we look at the laws that are in place and then the vendors that are subject to those laws are the ones that we say should be excluded from providing 5G infrastructure. So we’re not targeting a particular country. I know there’s been a number of questions about different countries, companies within countries. We’ve answered those questions, in our view, about those companies’ activities and some concerns about them, but the overall framework that we’re applying here is a security framework that does – that has been applied to a particular country and particular vendors.
Question: Zimbabwe was doing deals with China. What are the next steps that would ensure emerging markets with U.S. 5G technology infrastructure? Is the U.S. open to establishing a working group with the diaspora?
MR STRAYER: Well, I will say more generally, the Chinese One Belt, One Road program has been offering countries in Africa and around the world what are basically loan terms that you would never find in any type of Western development bank, but what we have the countries thinking about is the strings that are attached to that. These are essentially predatory loans. They often ask for collateral to be attached to those loans. As we see in some cases, it’s required countries to give up the ownership of their ports when they weren’t able to make payments. They’ve also done these deals in many cases in non-transparent ways. It’s very hard for the public and others to have knowledge of what kind of deals are being struck in these deals. They’re not in – done in the best practices that we would consider in the West to be ways that countries and companies should be doing business.
So we would like to have a very close dialogue with countries like Zimbabwe about how we can potentially assist them in financing their infrastructure. There’s a number of development banks around the world who are able to invest in that type of infrastructure. So whether it’s all sorts of important infrastructure, including telecommunications infrastructure, we seek to be very engaged with them and look for opportunities to make that economic prosperity come about in ways that are transparent and will lead to the long-term prosperity of citizens in those countries.
Question: Have you been satisfied with the draft Prague principles that you’ve seen so far? What elements do you consider key for these non-binding principles to work?
MR STRAYER: Well, I will say that I am very satisfied with our engagement with the Czech Republic and their very diligent work on these principles. I don’t want to get ahead of them and the announcement of the principles that they are going to have at their conference. I look forward to having discussions with them. We really appreciate their leadership on this important issue and their drafting of the principles.
MR STRAYER: Thank you. Thank you very much for having me, and I appreciate everyone who’s been on in the online world, participating and asking all these great questions. This really comes to a fundamental question about values, about entrusting in your data with countries, and those that share values with you. And in important ways, we’ve seen the compromise of those values and the violation of fundamental human rights and civil liberties with regards to the freedom of expression, freedom of assembly, and the freedom to practice religion as one chooses. So we urge countries to think very carefully as they implement requirements related to 5G infrastructure, including related to the supply chain, and think very carefully about the values of the companies and the countries that they are being asked to do business with and receive offers from countries that have a track record that is checkered at best.