Having previously tried to play hardball with Germany over 5G security, the US now says its allies should follow Germany's example. The US wants foreign governments to follow Germany in adopting stricter security standards for next-generation 5G telecoms networks, a US cyber-security official said on Wednesday, adding that doing so would effectively rule out the use of Chinese equipment vendors.
This sudden change of heart was expressed by Robert Strayer, Deputy Assistant Secretary for Cyber, International Communications and Information Policy at the U.S. State Department, in an interview with Journalist. But it’s even less substantial than it seems, as the only reason the US has warmed to Germany’s approach is that it thinks it will result in the Huawei ban it has been seeking all along.
“We have encouraged countries to adopt risk-based security frameworks,” said Strayer. “And we think that a rigorous application of those frameworks will lead inevitably to the banning of Huawei. At this point we’re looking for governments to adopt security standards like we’re seeing in Germany. We think it was a very positive step forward in the German standards.”
Surely all security frameworks are largely risk-based. What is a security framework if not an attempt to mitigate risk? Apparently Germany is asking its operators to only work with ‘trustworthy’ vendors, which once more seems somewhat redundant as that was presumably already a priority. As ever the critical matter seems to concern Chinese law, which apparently compels Chinese companies to cooperate with the government, thus rendering them intrinsically untrustworthy.
Ultimately this seems to be a totally cosmetic concession by the US. Germany had previously made it clear that the US was overstepping the mark when it came to direct pressure over 5G security so now it’s saying Germany can do what it wants… so long as that results in Huawei getting banned. This leaves us where we’ve been for months – the US thinks everything Chinese is dodgy and expects its allies to publicly agree.
Below is a full rush transcript of the press conference by Deputy Assistant Secretary Robert Strayer, Cyber and International Affairs and Information Policy, Bureau of Economic and Business Affairs.
DAS Strayer: I’m part of the team at the State Department that leads our international engagements on 5G security issues.
Starting at the high end, 5G will be truly transformational relative to what we have in our 4G networks. It will empower all the internet of things devices. Everything from telemedicine to autonomous transportation networks which would include autonomous vehicles to automated manufacturing. It will be able to do this because we’re going to see in many cases throughput speeds of more than 100 times what we see currently in 4G networks. We’re also going to see very low latency or very low delay, down to one millisecond, which is critical for things like autonomous vehicles. So 5G will really start touching all parts of our lives because it will be the underlying infrastructure for so much of the critical services that are provided to the public. So if a 5G network fails, there would be significant ramifications for all parts of society.
We are urging countries around the world to carefully consider how they adopt a risk-based framework for security relative to the construction of 5G networks. That includes looking at the supply chain of the vendors that would be part of their 5G infrastructure.
In particular, we think it’s very important that countries deploying 5G networks consider the relationship between a foreign government where a vendor is headquartered and the companies themselves in that country.
When we look at the Chinese laws relative to intelligence and national security, those allow the Chinese government to direct the actions of companies for their national interests of China, as well as require the companies to then maintain secrecy about the actions they’ve taken at the direction of the Chinese Communist Party.
It’s very important to distinguish how Western democracies operate relative to their private sector companies and vendors and how the Chinese government operates with its companies. They don’t have the ability to go to court. They’re basically under direction, what we would call extrajudicial command of the Communist Party of China from the Executive to take actions when requested by the government. There’s not the same rule of law that we consider a part of our daily lives in all of our business dealings in Western democracies. That leads us to significant concerns about a Chinese-based vendor being the lead integrator for 5G networks.
We also think one should carefully consider arguments about the pricing. There’s the assertion that Chinese technology is cheaper. We think in the long run, because of the very significant number of vulnerabilities that have been exposed, for example in the United Kingdom, the Huawei Oversight Report which found hundreds of point vulnerabilities in Huawei networks, that the long term cost to have to patch those vulnerabilities and address what they consider in the UK to be very weak engineering practices, sort of even up the cost in some ways.
Furthermore, there’s been much assertion about the cost, but it’s actually a lot about the financing of it. The Chinese government through state-owned banks and other sources have provided in some cases zero interest, 20-year loan offers which are not commercially reasonable. That kind of unfair playing field is not one that Western technologists should have to compete with. It should be a level playing field for technology vendors.
Lastly, there’s a cross subsidization that’s probably occurring in the Chinese market. They can get large profits on what they sell to the Chinese market, which they largely have under their control through the government, and then use those subsidies to then offer lower prices in our markets in the West.
Media: There’s been reports in recent days that U.S. officials are now happy with Germany’s approach to Huawei of setting strict 5G standards but not banning Huawei. The U.S. end game had been, at least previously, to encourage countries to ban Huawei. Are the reports about U.S. approval of the German approach accurate? And just more generally, has there been a change in the U.S. stance on Huawei and 5G?
DAS Strayer: Our international engagement has been very consistent. We have encouraged countries to adopt risk-based security frameworks. And we think that a rigorous application of those frameworks, because if they include supply chain security risk and the consideration of the relationship between a 5G vendor and their government will lead inevitably to the banning of Huawei and ZTE. But at this point we’re looking for governments to adopt security standards like we’re seeing in Germany. We think it was a very positive step forward in the German standards, which I’d note are still out for comment from what I understand. They’re not finalized. But in particular they say that they will review for secrecy of telecommunications and for data protection. So we think when you look at that necessity, when it’s lined up with the Chinese intelligence laws, it’s hard to see how Chinese technology would meet that standard for protection of data.
Media: The UK Oversight Board, although it was quite stringent in its review of Huawei’s progress and all the lack thereof that they were claiming in the security side of things, it did not recommend banning Huawei from critical infrastructure in the UK. Is that the aim of the U.S. at the moment? Because Huawei has been claiming that they’ve been unfairly targeted as a company by the U.S. authorities. What do you say to that?
DAS Strayer: I would go back to the point that we’re making about, we don’t think that, based on risk-based security standards that Huawei or ZTE meet the standard of trust, being a trusted enough vendor that countries should put their equipment into their 5G networks because of all that will critically ride, including critical infrastructure services, on 5G networks.
With the UK in particular, we’re close partners with the United Kingdom, of course, and there’s an ongoing dialogue about the policy implications of what was identified in that report regarding the vulnerabilities and the very weak engineering practices which I’ve seen in numerous sort of public statements.
It’s very important to note that the oversight report cannot be a policy document in itself because Huawei is on the board that approves the report. So that would be very odd, that can’t be the government’s policy document on this matter.
Media: It seems like American allies are moving forward with 5G networks and in particular you see Thailand and South Korea moving forward. And you see American intelligence officials making statements about getting ready for a 5G world in which Huawei’s a part of these networks, and trying to work with [dirty] networks.
Is the risk-based approach that you’re talking about here, is that your response to a world in which Huawei is inevitably going to be a part of this network, these kinds of networks?
DAS Strayer: When I’m using the term risk-based I’m really referring to the way that we should assess even on the front end of the risk, not importing risk from untrusted vendors.
To address the point about folks have been talking about how one could engage with, if you will, a less safe network, that’s a separate ongoing process that would have to occur.
We know that it would be very difficult for us to share information the way that we have in the past if there are unsecured networks that we’re having to rely upon, and unsecure equipment in those networks. But we haven’t made any policy decisions yet about actually how we would move forward. We just know it would be very difficult and it might interfere with our ability to collaborate in ways that we have in the past.
I will say just to your point, kind of separate from what was kind of implied in your question. I think when you see some of these announcements about memorandums of understanding, many of those are just intents to cooperate or intents to do research and development. They’re not actual contracts to do the full build-out of a network yet, or of networks.
5G is going to evolve over a period of years based on the use cases. There will be some cases of handsets, more like the 4G network. But the really transformational things would be all these other applications that are going to occur perhaps first on a college campus or in a hospital or a manufacturing facility.
So we shouldn’t put too much weight on just raw numbers or people sort of throwing out oh, this contract, this terms of agreement was signed. It’s important one, of course, for one to look at the terms of the agreement itself.
Media: Will there be consequences for the exchange of intelligence between Italy and the U.S. if Huawei and other Chinese companies are not kept out of the 5G development in the country? Do you consider Italy’s response to this issue to be satisfactory after U.S. alarms?
DAS Strayer: Thanks for that. We’re continuing to talk to all of our partners in Europe as well as our NATO allies. We still are engaging in discussions with Italy and others. We think, as I said before, it could affect our ability to share intelligence information and it would, if the actual policies that would have to be put in place to address the security risks are ones that would still have to be developed, but we’re hopeful that we can talk to Italy among other countries about not putting unsecure equipment into their 5G network.
Media: I would like to ask a follow-up question to the previous one. You say the use of insecure Huawei components might affect the ability to share intelligence information.
Now are we talking here of black and white? Of yes and no? I’m asking this because there are models being discussed in Germany where they say let us distinguish between the core elements and more marginal elements and exclude certain vendors for security reasons from the core elements, but admit them to the more marginal ones.
So are these thoughts something that you could make a statement on? Would this influence your decision whether to share intelligence with such countries?
DAS Strayer: I will say that our overall concern is beyond intelligence. Of course it’s about all the critical cooperation we have in the economic sphere, our very interconnected economies. More data flows between the United States and Europe than anywhere in the world, so we need to make sure that we’re able to interoperate and provide all that critical infrastructure that facilitates our economy and our general public.
We also have so much more cooperation beyond intelligence, of course, on the front of military, of all kinds of other national security interests beyond intelligence.
So it will no doubt, if there are untrusted vendors in another country’s network, harm our ability to cooperate in those overall, in a number of aspects. As it relates to intelligence, that’s why I used the word might. It depends. But our concern is quite significant about the deployment of untrusted vendors in networks.
We view there to be no relevant distinction between the core and the edge of a 5G network. That distinction had existed in 4G networks because you basically had, you’d say, a smart core where the intelligence and the software were at, and the edge was dumb, they sort of called it, because it was just for the transmission of data to the core.
In a 5G network much of the smart computing capacity that needs to be done because of the need to have very low latency and sort of immediate response, immediate computing, will move to the edge. So we need to be sure the infrastructure that undergirds that as well is just as secure as the core. So we don’t think there’s a meaningful distinction between the core and the edge.
I’ve also heard some propose that there be source code reviews. There’s hundreds of millions of lines of source code in current 4G networks, in their operating system. It only takes one line of code with a vulnerability to potentially disrupt the operations of a system. So there’s not really a practical way for human beings, and even with the assistance of automated tools, to review all those lines of source code. We think, especially as we move to 5G which will have even more software embedded into it, it will dramatically increase an adversary’s potential to attack a service area where they can take advantage of the software. We think it’s even more important to have trust in the vendor and not have to rely on source code reviews.
Media: I was just wondering what’s the kind of motivation for this press call today? Because as far as I can tell there’s nothing sort of new that you’re announcing or giving us. Is it just sort of the ongoing, if you like, public lobbying? Is that what this is about?
DAS Strayer: I think that’s a fair statement that we’ve been, I’ve personally done dozens of meetings with foreign counterparts and we’re keeping up our campaign to explain ourselves and our points of view. We know that countries in Europe will make their own sovereign decisions, both in a national basis and through maybe a harmonized EU framework, so we keep wanting to share our views and our concerns about these security matters. We know it’s going to be a period of not just months but probably years that we’ll be discussing 5G security because, as I mentioned before, these use cases for 5G are going to take some time to actually roll out into the field.
Media: I wonder if you can help us understand where things stand with China. Has the U.S. had any conversations with Chinese officials about Huawei and 5G?
DAS Strayer: I can say that we’ve still raised concerns separately from Huawei and 5G I guess, generally that we are still concerned about Chinese theft of intellectual property through cyber means. We still consider that to be a very significant issue. But I can’t talk about other particular issues related to those trade discussions.
Media: I had a question concerning sort of the higher international level, G7 and G20. This issue is on the agenda for the G7 mid-May and I think on the follow-up meeting for G20 countries. So my question is at what extent are you confident that there will be consensus on this at the G7 meeting mid-May? And then how can you sort of bring this forward through G20, the broad group of G20 countries?
DAS Strayer: The G7 countries, many in the G7 and the G20 are some of our closest allies. Each of these G7, G20 formats have their own kind of idiosyncrasies or particularities that we’re obviously talking about 5G with those countries, but I don’t know if it will end up being in the actual statement document or something like that.
I will say that we’re going to continue to work very closely with those countries. There’s a number of ways that we could see common statements about the uses of data that we consider to be in line with our views and consistent with our values that are in opposition to what China has done with data and the theft of intellectual property. Exactly 15 countries, the U.S. and 14 others, joined together on December 20th to say that we know it was China through their APT10 Group that compromised globally cloud infrastructure in what they called managed service providers to steal intellectual property from more than a dozen countries including France, Germany, the United States, United Kingdom. Stole that information and then used it to give to their own companies so they had a competitive advantage.
So there are statements like that that occur that I think are showing our cohesiveness on the issues. So I don’t know that we’ll necessarily see something 5G related in the G7 or G20 final statements, but it’s certainly something that the countries that participate in those forums are well aware of.
Media: Did you present any evidence to any of the governments or any national cyber security agencies or any other stakeholders in these countries?
Also, up until now it seems clear that no European government is following the U.S. position on this. So my question is what will the State Department do in the near future in terms of this lobbying campaign that it has been going on?
And lastly, tech supply has been an open market up until now, and what U.S. is asking for is to close these open markets for two companies specifically.
My question is, wouldn’t it be more appropriate and in the interest of all consumers and all companies to address the security fears that the United States has directly with the companies involved?
DAS Strayer: First, the evidence question. This sort of goes back to, we’ve been asked that a number of times. I think it’s important to distinguish what we’re talking about here. We’re not talking about 4G networks, we’re talking about a 5G network that’s not yet built. So it’s somewhat speculative to say what’s the evidence the Chinese will take advantage of 5G with all these new services, potentially during a time of escalatory conflict to cause that system to be disruptive.
The concerns that we have are related to not just espionage, which is sort of the back door argument, it is about the potential to disrupt or to alter the quality of the service that’s being provided over these networks.
We’ve seen of course that large number of vulnerabilities in the Huawei equipment that the United States has been studying as part of their 4G. They have the same number of vulnerabilities. That combined with the Chinese government’s, the Communist Party’s willingness to steal intellectual property data in the commercial sense, and the way that they treat their own citizens relative to personal data. That is the use of DNA, the acquisition of DNA data, the use of facial recognition technology to track people, to identify them by religion, and then to send some of them to reeducation camps, I think that should give us in the West tremendous pause about how a government that can command its companies to follow its orders would act in the future if they are providing the underlying infrastructure for our critical services.
On the point about following the United States, we actually think that we are where we need to be at this point in Europe. That is with the German standard that came out on March 7th, with the considerations of a new law in France, with the European Union’s first Parliament resolution saying you need to look very closely at 5G supply chain security. And then that was, of course, followed by the Council decision and then the Commission recommendations on March 27th. We think that is exactly the kind of risk-based framework that needs to be put in place. Even the Commission recommendation noted that analysis needed to be done of the third party country’s laws and legal system that is in place.
So we think that is exactly where things should be at this point.
On the point about banning technology. We’re not for banning technology. We’re for employing this risk-based framework where we see the lack of rule of law, the ability of a government to assert control over its own companies in the way that China does. The way to sort of change this would be for China to adopt a rule of law system that we have in our Western countries.
To your point before: We have sanctioned, and so has I believe Europe, companies that we’ve determined to be acting in ways that are not consistent with our values or our concerns about following the law. We sanctioned individuals that were part of that APT10 hack of managed service providers. We sanctioned their companies as well. So this would not be — I don’t really want to put the two on equivalent grounds because what we’re asking is not for them to be sanctioned or anything like that. We’re asking for the national security decision to be made. But it’s definitely been true in the past that companies that have been bad actors have been scrutinized and either charged criminally or sanctioned.
And of course as you probably know, we have charges against Huawei for a long term campaign to deceive a number of international banks about the nature of their relationship with a subsidiary company in Iran, and we’ve also charged them for the theft of intellectual property related to T-Mobile and they actually have a campaign in place to provide bonuses to employees based on the amount of intellectual property that they stole.
So I think there’s malign activity relative to these countries that it shouldn’t be surprising that we’ve got concerns about.