U.S. raises 5G concerns with Gulf allies

0

The United States raised concerns with Gulf allies over a possible security risk in Huawei technology for their 5G mobile infrastructure US officials said.

Washington has warned allies against using the Chinese company’s equipment, which it says presents a security risk, but has so far has largely made public comments to European states.

Huawei repeatedly denies the allegations, raised last week during a visit by Federal Communications Commission Chair Ajit Pai to Saudi Arabia, the United Arab Emirates and Bahrain, all of which use its equipment.

“We shared a message about the importance of securing 5G technology and applying risk based security principles,” Robert Strayer, US State Department deputy assistant secretary for cyber, international communications and information policy said.

Below is a full rush transcript of the press conference by  Ajit Pai Chairman, Federal Communications Commission and Robert Strayer, Deputy Assistant Secretary, Cyber & International Communications & Information.

Chairman Pai:  Thanks so much, In mid-April I was at the White House with President Trump to highlight American efforts to promote the development and deployment of 5G technology.  5G being the next generation of wireless connectivity.  And when Presidents and Prime Ministers get personally involved in a communications issue, the message is clear.  5G is a critical subject with major implications for economic growth and national security and our quality of life.  And we believe that 5G networks will be much faster and will carry much more data than current networks.  And in time, they will bring applications and services we can’t even imagine today.  Transforming the entire industry from transportation to agriculture, education to manufacturing.

Here in the United States our 5G approach is private sector driven and private sector led.  As the regulator in the United States, the FCC has adopted what I have called our 5G fast plan.  A plan to expedite the private sector deployment of 5G technologies.  

This has three basic parts.  Number one, pushing more spectrum into the commercial marketplace.  Number two, updating our infrastructure policy to promote the wireless infrastructure of the future.  And number three, modernizing outdated regulations to promote the fiber deployment that will be necessary to carry all this 5G traffic. 

We’ve been executing on each one of those parts of our plan with some substantial results.  American 5G deployments are proceeding, investment is increasing, and applications and services are being developed.

But as important as these regulatory policies are to giving companies the tools they need to invest in 5G, the overarching issue for us is, at the U.S. government, how can we make sure that these networks are safe and secure?  Network security is not only a priority, but a necessity for 5G and no country can lead in this area without addressing first the security challenges.

Over 30 countries recognized this imperative when they gathered in Prague this past April and they agreed to what were called the Prague proposals set of consensus practices for 5G security.

In the United States many agencies have important responsibilities when it comes to ensuring the safety of our networks, and at the FCC we are playing our part.

One of our top priorities has to be protecting the security and the integrity of our telecommunications supply chain, and that is why the FCC has proposed to prohibit the use of broadband funding that we administer to purchase equipment or services from any company that poses a national security threat to the U.S. supply chain.

Now stepping back and looking at the bigger picture, and my colleague, the Deputy Assistant Secretary of State will amplify on this, but we believe that 5G security issues need to be addressed up front.  Making the right choices when deployment is beginning is much easier than trying to correct mistakes once network construction and operation is well underway.  This is not an area where we can simply take a risk and hope for the best.

Moreover, decisions that impact 5G security have to be made with the long term in mind.  Focusing too heavily on short term considerations could result in choices that, as we say, are penny wise but pound foolish.

Additionally, when making these decisions we have to remember that the implications are very wide-ranging.  Again, 5G will have a transformational impact on our industries, on our public sector, agencies including our military, and our critical infrastructure.  Because of that generational impact, we think the time to address the issue is now.

With that, I would turn it over to my distinguished colleague from the Department of State, the Deputy Assistant Secretary of State.

DAS Strayer:  As we go around the world because of the incredible importance that 5G technology will have to our societies and to our shared prosperity in the long term, we talk to countries about the importance of adopting principles like the Prague Proposals that will ensure that there’s a risk-based security framework to the deployment of 5G technology.  We think it’s important not just to have the best of cyber security best practices employed, that it’s looking at the practices that will address vulnerabilities. But it’s critical because we can have the potential for software updates that can instantaneously bring millions of new lines of code into our 5G networks that we also have a trust relationship, the most trusted types of relationship, with the supplier of 5G technology.

In the Prague Proposals as well as in the European Union Commission’s recommendations for 5G security that was released in March, there is a principle that the vendor should not be under undue influence by a third country’s government.  We think when you apply that principle worldwide, you can find that in China the vendors like Huawei and CTE are under the potential influence of the Chinese government and could be required to comply with mandates of the intelligence and security services.  That is the case because there’s no independent judiciary in China.  They are therefore subject to the extrajudicial control of the Chinese Communist Party over those vendors.  

Because there is no adequate way to protect or to monitor software updates through the review of source code or through equipment testing, the only way to truly ensure that we have software that is secure for the future, we must rely on trusted relationships between the vendor that is deploying that technology and our telecommunications operators.

So we look at that trust relationship.  We think it’s important, of course, to look at the legal regime in which that vendor company is headquartered.  It’s also important to look at other indicia of trust like the ethical practices that the company upholds.  The questions there would be does the company have a history of corrupt practices?  Does it have a history of intellectual property theft?  Does it have a history of compliance with export control laws?  We find with regard to a company like Huawei that all three of those fronts, that it does not comply with the best of ethical corporate practices.

In addition, it’s important to look at the ownership structure of the company.  Does it have a transparent ownership structure?  For Huawei, we know that one percent is owned by the founder, but the other 99 percent is owned by a trade union committee which is effectively the government itself.  So it’s very easy for the Chinese government to exert its pressure over the company.  It also has members of the Chinese Communist Party on its board.  Therefore, there’s no effective distinction between the company and the government in China.  That raises very serious concerns for us about the ability for the government to cause the vendor company to have the software that was running on its network systems in our countries to be compromised into doing the bidding of the Chinese Communist Party.

We know that over time, the Chinese Communist Party and Huawei have been involved in the mass surveillance of the Uyghur population in the Xinjiang Province.  We know that now more than a million Uyghurs are in reeducation camps.  That is in part done by the use of technology and surveillance. 

We’ve also seen Huawei employees complicit in the surveillance [state] in other countries.  They’ve exported that to other countries around the world.

With that kind of intent about the use data to deprive people of fundamental human rights as well as the past history of Huawei in intellectual property theft as well as the Chinese government’s activities related to intellectual property theft for the use of its own commercial enterprises, that is a massive campaign of industrial espionage over the years, it’s clear that China will use any capabilities it has to further its goals in this area when it has the further capability of a 5G network that will provide massive amounts of new data and would be able to undermine our critical infrastructure through disruption or through the exfiltration of data from a wide variety of sources.  

Therefore we are encouraging countries to apply a risk-based security framework that includes both cyber security best practices but also must examine very closely the trust relationship that must exist in order to protect our networks from software updates that are malicious.

Question:  First, South Korea being one of the U.S. key allies has been taking a hesitant stance opposing to Huawei’s 5G network.  There is a key U.S. Force Korea base in South Korea.  What is U.S. concern?  And how are they, how is the U.S. addressing this issue?  

The second is, you mentioned about the export.  A couple of months ago Huawei’s inside document was revealed that they were helping installing North Korea’s network infrastructure.  How serious is the U.S. dealing with this issue? 

DAS Strayer:  We are talking with all of our partners around the globe including with the Republic of Korea.  We are sharing our views about how we can adopt security practices for our 5G networks, and we continue to share those views.

With regard to the use of technology in authoritarian regimes, it really comes as no surprise to us that Huawei is supplying technology to authoritarian regimes.  They’ve supplied their technology to Iran, and it would be no surprise to us that they’re also supplying it to North Korea.

Question:  You cited security concerns, so my first question will be why do you think that Europe still hesitates to actually buy Huawei technology?  Because not a single European country or European member state has actually outright said that they would not use Huawei.

And then we’ve also seen obviously this is a different technology, but from a European point of view, there’s a number of U.S. companies including Amazon to name a few.  So why should we trust other technology more than the Chinese technology? 

DAS Strayer:  Firstly, I would point out that two weeks ago Vice President Pence signed a memorandum of understanding with Poland regarding our cooperation on security in 5G.  We’ve signed similar agreements with a number of other countries including Romania.  So there are a number of countries in Europe that are understanding our message and taking public stances on it.

We’re also seeing in our discussions with other countries acknowledging the security concerns with Huawei.  They’re talking about additional security measures.  That was not where they were, I think it would be fair to say, more than a year ago.  There was not a serious discussion about security, cyber security as well as supply chain security in the need to protect 5G networks.

With regard to other technology companies, I think the critical distinction that we should start with is that it’s the role of the government in this.  The role of the government in China is what concerns us, without the independent judiciary standing between the government and the technology companies in order that it can be forced to do the bidding of their intelligence and security services.

With regard to data protection, I would point out that in the United States, for example, when Facebook violated a consent decree related to its uses of data, it received a $5 billion fine from the Federal Trade Commission.  So we will take action consistent with the rule of law to enforce data rules against our tech companies. 

Our tech companies, generally speaking, have their own privacy policies and terms of service in place that are open and transparent.  I think that is quite a distinction from what you will see from the Chinese tech companies.

Chairman Pai:  I agree completely with what the Deputy Assistant Secretary has said.  And [the source] I would observe as well.  The fact that we saw such a consensus this past spring in Prague surrounding the Prague Proposals indicate that there’s a common understanding of the need for a risk-based framework.

Secondly, I would agree with the Deputy Assistant Secretary and amplify that message that there’s a major difference between a content provide that is subject to the jurisdiction of the Federal Trade Commission and has in fact been subject to investigations from multiple U.S. government agencies as opposed to a company that is subject to the jurisdiction of the Chinese government, which of course under the National Intelligence Law is required to comply with any request from the intelligence services and is forbidden from disclosing the fact of those requests to any outside party.

So in our view, this is not just a case of apples and oranges; it’s a case of apples and chairs.

Question:  First of all, you mentioned that you’re encouraged by the fact that more and more people are looking at this in terms of a risk-based framework.  I mean what seems to be emerging as the picture where perhaps countries don’t name Huawei or indeed China or anywhere else, but phrase their framework in such a way that is would clearly exclude Huawei and other Chinese companies.  Is that sufficient from a U.S. point of view?  Or does it need to go further?

And secondly, if you feel that European countries aren’t going as far as you want, what would be the U.S. reaction in terms of possible countermeasures?  Will it mean exclusions from business in various sectors in the U.S. or sanctions or what?

DAS Strayer:  Thank you for that question. Yes, the approach you outlined is in fact our approach that we encourage countries to adopt principles that can be applied to any supplier, any vendor around the globe.  We’re not asking them to implement an exclusive ban.  We want it based on these principles of security.  But as I mentioned earlier, the security principles have to include a trusted relationships that will ensure that the software updates are secure as well.  They cannot just be security measures that only look at the testing of equipment and the review of source codes.  That will be inadequate by itself.

If countries do include untrusted vendors that would potentially insert this malicious code in software updates through the improvement of their software over time, we will have to consider how we share information, very valuable information with those governments, and we also will have to consider how we’re going to work together in NATO because it could interfere with troop mobilization if we have untrusted vendors in our 5G networks.

Question:  Both the two of you were in the Gulf I believe last week, and there was [a meeting] in Bahrain and I think you were also in the UAE.  Could you tell us about your visit to the region and what was the message with regard to using the use of Huawei here?  Because Huawei technology is building 5G in the Emirates, in Bahrain and in Saudi Arabia, all places where you guys have a military presence or will.

DAS Strayer:  Again this is Rob Strayer.  I’ll start fielding that question and see if Chairman Pai wants to add anything.

We shared a similar message about the importance of securing 5G technology and applying risk-based security principles.  I think it’s also important to note that it’s not just Huawei that’s involved in building out 5G networks in those countries.  There’s also other vendors like Ericsson and Nokia that are building out 5G networks in the Middle East.  So there’s not just the one vendor.  We think that when you apply a security-based framework, one would end up excluding Huawei from deployment of 5G.

Chairman Pai:  I would agree with that and I would add that we conveyed the consistent message that we were there because we prize the relationship with each of those countries that we visited including the security relationship we have.  For example, the 5th Fleet of the United States is stationed in Bahrain.

Additionally, we made the observation that the United States is embracing the security framework that the Deputy Assistant Secretary described, and it is also leading the world in the development and deployment of these 5G technologies.  For example, by the end of this year it is estimated that we will have approximately 92 commercial deployments in the United States; where China currently has none.  Additionally, the number of small cells that have been deployed is estimated to be approximately 200,000 in the United States by the end of this year.  That number is much greater than the number estimated for China.

Additionally, we see all of our national mobile carriers investing billions of dollars in both the spectrum and infrastructure necessary to deploy these 5G technologies here in the United States, and they’re doing that using trusted vendors.  

All of which is to say that we conveyed the message that one can have the best of both worlds.  One can lead in the deployment of 5G technology and rely on trusted vendors.  And I think that’s the message that it was important for our close allies in the Gulf to hear.

Operator:  We have a question from the line of Bojan Pancevski.  Please go ahead.

Question:  I’d like to press you on the measures that you might take with regards to countries that are not willing to go the way of Poland, as you mentioned, because I’m based here in Germany, and I think it’s pretty certain that Germany will take equal or similar measures and eventually Huawei will be allowed on the market.

A second question if I may.  Is there any particular reason why you’re doing this briefing today?  Is there anything in the pipeline?  Or is it just part of a regular communication strategy? 

DAS Strayer:  To the latter part of your question, we just returned from a trip together visiting a number of countries, and it’s part of our regular update process to make sure that countries as we’re talking to them in direct conversation as well as the public around the world is aware of our concerns about the need to have a risk-based security framework applied to 5G technologies.

As I said before, with regard to countries that do include untrusted vendors in their 5G networks, we’re going to have to reassess how we’re sharing information.

I’m a perpetual optimist, so I think that over time we will continue to have discussions with governments and continue to educate the public around the world about the very critical risks that they are facing potentially by having untrusted vendors that can be called to take action by Beijing.  We’ve seen that Beijing has deprived people of their human rights, both in the country and the companies they work with have taken authoritarian measures to suppress internet freedoms, to enable surveillance [states] against political opponents around the world.  So that kind of activity is something that should cause citizens around eh world to be concerned about embedding technology that can be abused by the Community Party in their country’s networks as well.  

Chairman Pai:  With respect to the second part of the question, we are very open and transparent about the policies we are advocating for and the fact that we’re advocating for them.  That’s part of the reason why we held multiple press availabilities during our time in the Gulf.  In Bahrain, for example, as well as in the United Arab Emirates.  We’re continuing that with this current press conference as well.

Question:  Chairman Pai, you mentioned the SEC’s proposal to ban [USF] funding from companies like Huawei that pose national security threats.  Do you have any updates on that front?  Does the FCC plan to hold a vote on that in the near future?

Chairman Pai:  We are still evaluating the effects of the President’s Executive Order earlier this year on our supply chain proceedings.  What I can say is the FCC is still actively pursuing that proposal and we intend to take the necessary steps to secure the integrity of our supply chain.  I don’t have a specific time frame that I can offer you as this time, but I can say that since we’ve issued that proposal what we have found is widespread support from Republicans and Democrats on Capital Hill as well as the members of the private sector who understand that the security aspects of our communications networks are critical, just as critical as the connectivity that those networks support.

Question:  A question from me about, there’s a conference coming up next month in Sharm El Sheikh on the WRC, World Radio Congress, about spectrum.  I’m just wondering if that’s an important venue at all for your efforts against Huawei and the Chinese.  Are there any concerns, for example, about Huawei developing technology surrounding radio spectrum?

DAS Strayer:  The World Radio communication Conference couldn’t be more important to the United States relative to ensuring that we ensure that there are updates to the global rules related to the uses of spectrum that will empower our 5G technologies as well as ensuring that the legacy or existing systems that use all kinds of spectrum including satellites and new types of emerging applications have adequate spectrum use.

So it’s very much a policy conference.  It’s dominated, it’s a multilateral conference, so it’s dominated by nation states and that’s who signs the treaty that’s done at the end of the conference, the update to the radio regulations that are international.

So we are looking forward to the conference that starts at the end of October.

Chairman Pai:  Thank you, DAS Strayer. We too, the FCC, have been actively involved in this, both on a bilateral basis advocating with other countries for forward-looking spectrum policies, as well as entire regions.  The United States was very much involved in the Region of the Americas coming up with proposals that would advance the ball, so to speak, with respect to 5G policies.  

And we are very hopeful that at the end of October the results of the WRC will be spectrum policies that allow everybody in the space to innovate and invest, and we are confident that we will strike the right balance in time in both the supply of spectrum that’s available for 5G development as well as the security protocols that enable our citizens to use 5G applications and services safely and securely.

Leave a Reply

Your email address will not be published. Required fields are marked *