US appeal to bar Huawei from 5G network

US deputy assistant secretary for cyber security Robert Strayer has stated unequivocally that “any country that deploys Huawei equipment in any part of its 5th generation infrastructure” would be reappraised as an intelligence partner.

European countries have been caught in the middle of a battle over 5G networks, as Washington lobbies its allies to avoid Huawei because of suspicions the company could be used by Beijing for cyberespionage – allegations the company has denied.

Other EU countries, including key markets Germany and the United Kingdom, have also resisted Washington’s entreaties to block Huawei, though they have yet to make a final decision. Hungary announced last month that Huawei will take part in the construction of its 5G wireless network.

Those decisions have contributed to at times strained relations between Washington and the EU, though there are signs that Europe is starting to take the U.S concerns more seriously.

Interview Robert Strayer, US State Department, about Huawei’s involvement in the UK’s 5G data network “We have to consider the risk that produces to our information sharing arrangements with them” (BBC News 10pm Bulletin – 29/04/2019 – ABSA627D)

Below is a full rush transcript of the press conference with Dr. Roslyn Layton Visiting Scholar at the American Enterprise Institute And Deputy Assistant Secretary Robert Strayer , Cyber and International Affairs and Information Policy Bureau of Economic and Business Affairs.

DAS Strayer:  We were very pleased to see the conclusions on 5G that the EU Council released on Tuesday.  Those make clear that in addition to looking at technical security risks, you also need to address nontechnical factors like the legal and policy frameworks where suppliers are governed by in their home countries, countries where they are headquartered.

Those nontechnical factors need to be addressed because, fundamentally, with regard to any technology that has software, that software can be updated instantaneously.  Within those updates can be compromises or vulnerabilities.  It’s also just simply impossible for any human to review tens of millions of lines of code to identify even one line that might be the cause of a disruption to the network or that would allow the unauthorized exfiltration of data. 

Furthermore on those conclusions, they specifically note that standardization and certification alone will not be sufficient to secure 5G networks.  They point out that additional measures are going to be required, and those would include these non-trust – these trustworthy measures that are nontechnical in nature.

We very much agree with the European Union’s conclusion that we need to build trust in 5G and protect our shared U.S. and European values like human rights, the rule of law, privacy, intellectual property rights, and protect – and transparency.

We also think that due to the 5G network architecture, there’s no part of the network that’s going to be safe for untrusted vendors.  We must secure both what has traditionally been called the core of the network as well as the periphery, or edge, of the network.  As 5G networks are built out, the important use cases will be at the edge.  We’ll see autonomous vehicles, telemedicine occurring in hospitals and other use cases at the edge of the networks, as well as automated manufacturing.  

There’s also important discussion within even the European Union Council conclusions about the ability to maintain lawful intercepts.  The lawful intercepts are going to occur at the edges of networks.  So the software that’s running those lawful intercept capabilities needs to be ones that are only the most trusted because, of course, that is the – that is putting in a front door for access to data.

We’re also very pleased to see yesterday as part of the NATO conclusions of the London declaration, highlighting the importance of 5G security for the future of NATO, and the commitment that nations in NATO made to secure their 5G networks.

So I’ll keep my remarks brief today just to allow time for your questions and allow Dr. Layton to speak.  And I’m going to say we very much look forward to partnering with countries in Europe to build a secure and vibrant 5G future.

Dr. Layton:  Yes.  Well, thank you, DAS Strayer.  

I want to make a few remarks based upon my research conducted in Copenhagen, where we focus on cybersecurity, as well as the report released by Strand Consult, also an organization I work with, which made a critical assessment of the cost to rip and replace Huawei and ZTE equipment from European mobile networks.  You can find this report at strandreports.com. 

Now, I think it’s very important that we do need to address companies such as Huawei and ZTE.  They are certainly not the only security problems posed by China and other countries.  I have founded a website called chinatechthreat.com to highlight the need for a holistic approach to cybersecurity, where it focuses on the equipment, the devices, the software, and the apps that comprise today’s modern mobile networks.

If you’ll note, the U.S. Vulnerability Database includes many commonplace items made in China which pose a security threat, such as Lenovo laptops, Lexmark printers, Hikvision cameras, and so forth.  You’re all probably familiar with the TikTok app, which is sending geolocation data to China.  

For good reason, NATO prohibits procurement from communist countries.  We don’t purchase fighter planes and tanks from China, nor should we be purchasing the vital inputs for our digital society from this country.  Now, some might suggest that we can isolate the threats by combining vulnerable elements to certain parts of the network.  That strategy might have worked in a 2G or 3G world, where the core was essentially a highway and the intelligence was in the apps, or the edge of the network.  But already in 4G, that typology falls away because the entire network is suffused with intelligence and capability.  There is processing going on, as DAS Strayer mentioned, of course, in the radio access part of the network, in the edge, but also in the core there’s network slicing.  So when you look at 5G, there’s no dumb part of the network.

Now, I think that there is something important going on from a European perspective, is that historically in the – or at least the last 10 to 15 years, the European telecom policy has focused on lowering prices at the – and unwittingly at the expense of security and quality.  If you’ll recall, around the year 2000, Europe was leading in telecommunications.  It had the top companies, most of the device manufacturers.  It led in the standards.  But that lead has been diminished significantly.  Europe once accounted for one-third of the world’s telecom investment; today it’s only 15 percent, and its revenue was half of the United States.  So the European policy has unwittingly brought about a real downturn in what could be a strength of the world in telecommunications.

And what’s important to know is that supposedly this argument that Huawei or ZTE equipment are such good quality or price, it has not helped Europe close the gap.  There’s a 100 billion dollar – euro – gap today to reach the connectivity goals, and the equipment that’s being used supposedly from Huawei and ZTE is not closing that gap.

I think the important point, just as DAS Strayer had mentioned, when we’re looking at all of these qualitative factors, that 5G is really a function of policy.  It’s not a function of any particular vendor.  I’m very pleased to see the Council make this declaration on 5G, but this is something they should have done two to three years ago.  Notably, the United States, they have a leadership position in 5G [inaudible] equipment.  This is a function of getting the relevant stakeholders onboard.  There is a harmonious federal, state, and local policy to fast-track the deployment of 5G.  It’s led, of course, by the President and his pronouncements about 5G.

So the good news for the European Union is that there are price-competitive alternatives to Huawei.  I describe this in the report that I mentioned, but to just put it in perspective, most of Europe’s mobile networks today are three to five years old.  They cannot be used for 5G.  The equipment itself will be obsolete.  The layout in terms of whether the kinds of antennas that are being used, the pole attachments, and so on – they are not usable for 5G.  So 70 to 80 percent of this equipment has to be replaced.  Forty percent of that said equipment is made up by Huawei and ZTE.  It’s a cost of about $3.5 billion to put in place.  Now, if you take out that portion and you divide it by the number of mobile subscribers in the EU – 465 million people – it amounts to about $7 per person.  That’s really a low amount, and the security is worth paying for, and I certainly think that European mobile operators can take on something as important as that.  They have made a big investment to comply with the General Data Protection Regulation; they can certainly keep the security of their customers at the forefront.

And just I want to close here with a point that’s important to be made, is that Europeans are very proud of the GDPR, and good for them, but if they’re going to take data protection seriously, they need to hold the Chinese vendors and all vendors of the world to the same account that are being demanded of European and American companies.  China’s surveillance society does not comport with the GDPR in any way, and we have already evidence that Europeans’ data is being syphoned out of the EU and brought to China, where it’s processed unlawfully.

Question:  The CEO of Huawei has said that he’d be willing to sell his company’s 5G technology to a Western company.  Is the U.S. Government interested in purchasing this technology, have private firms expressed interest, and would you work with an out-of-state Western company should they buy this technology?

Dr. Layton:  I am aware that Huawei has made that offer, but those particular patents that they’re offering really don’t have very much value.  They are not the standard, essential patents for 5G.  Those – the patents that are worth, that have value are owned by Qualcomm, Nokia, Ericsson, not by Huawei.  So that offer is really not worth very much.  I am not aware of a company that has taken them up on it.  Maybe they have, but that would only be something that could have some sort of marketing partnership, but there’s not a high value to that particular technology.

DAS Strayer:  My understanding is that there are no companies in the West that have even entertained this option.  That’s partly because or I’d say primarily because Ericsson, Nokia and Samsung have the components they need to provide the same level of functionality as Huawei offers to provide.  They’re providing – offering – making those offers to tele-companies around the world, including in Europe, to supply the cutting-edge 5G technology.  And in fact, when you open up the base stations, the key components – that is, the key microprocessing – it comes from companies like Qualcomm that Roslyn just mentioned.

In fact, I’d just put this whole statement by the CEO of Huawei in the category of things that they’ll say in order to get you to expand their market share around the world.  They’ve actually now acknowledged that they were not in negotiations with anybody.  In a Western legal system, and this is a small example of it, a CEO making that kind of statement that’s so misleading about their financial practices would likely be susceptible to fraud charges from investors.  We had a well-known case with Tesla in the United States, where a CEO claimed that he had investors that were willing to take the company private; when those didn’t materialize, of course, the SEC brought a lawsuit against him.  In the case here, there’s just no rule of law implications for the CEO of Huawei in China to make such statements.  In the West, there would be a totally different set of ramifications for making such kind of ludicrous statements.

Question:  I wonder, in Germany we have the stance of Deutsche Telekom, which is very pro-Huawei, which is heavily reliant on Huawei technology so far, and has been pushing for the inclusion of Huawei equipment in the 5G network also, and I wonder whether that has any repercussions on the ongoing talks between Sprint and T-Mobile in the U.S.  Does the U.S. Government make a connection here?

DAS Strayer:  Our process at the federal level has already completed to approve the T-Mobile/Sprint merger.  As you may know, a number of states’ attorneys general have filed lawsuits to hold up the merger, and so that’s where it stands, is with the states, or each individual state and their attorney generals’ separate lawsuits at this point.

Question:  Given that the U.S. and the European Union seem to be on the same page about the severity of potential security risks that 5G could pose, why do you think the conclusions drawn at the EU meeting earlier this week do not mention China or Chinese companies at all?

DAS Strayer:  In the United States we had an executive order signed by President Trump on May 15th to secure our ICT supply chains.  That resulted in regulations being promulgated by the Department of Commerce last week.  In those draft regulations, we do not mention China or Huawei by name.  We identify that we will apply a case-by-case basis to protect the national security interests in our telecom networks.  That’s the same proposal and same request that we’re making to governments around the world, that they set up a set of principles that will be – can be applied to protect their networks, the whole of their networks – not just the core, the edge as well – from untrusted vendors.  

So, in our view, you don’t need to name particular countries because there are generally applicable standards that can be applied to protect telecom networks without singling out any particular country in those regulations.

Dr. Layton:  I certainly agree that is the correct way to go forward with the policy.  What I would only say from the empirical perspective is if you look at the severity or the incidence of the particular kinds of vulnerabilities, the hacks, the various incidents, that they overwhelmingly come from China, and China as well is posing fronts on so many levels.  It’s not just mobile networks we’re worried about.  There’s satellite networks, there’s fixed-line networks.  And then, of course, on so many levels in terms of the types of equipment and devices and services.

So I think from a policy perspective, you need to have the right procedures and strategies, as DAS Strayer mentioned, but it shouldn’t overlook that there is a particular perpetrator, and you have to study those particular things and what’s going on so that the policy is correctly formulated.

Question:  I just wondered about your view on the ongoing German debate, which has essentially started as a proposed framework for a level playing field and equal scrutiny for all vendors, that we’ve seen calls from some lawmakers for an ex-ante ban on Huawei ?

Dr. Layton:  Well, I think the Germans, of course, will have their process for what they are going through.  What I would say is if we look at many countries have been through what Germany is going through now, and they have come to the conclusion that they have to take an ex-ante approach with Huawei – certainly what was the decision of the United States, and New Zealand, Australia, Japan, and so on – because there are just too many places where the cost of going through millions of lines of code, continued violations of trust, going to the actual plants in China, not being able to secure.  So it would be against the public interest to work with their firm. 

Now, I think that it’s conceivable such a firm could be in any kind of country, but it happens – they’re consistently happening to be in China.  

Again, the United States has taken this ex-ante approach with Huawei.  It has not hurt the United States to get a lead in 5G.  So there’s really no connection there between having leadership in 5G and working with this particular firm.

DAS Strayer:  I’m not going to comment on German political interactions, but I would just say that as I read the initial catalog approach to certifications, as I said in my opening comments, the approach of certification alone will be wholly insufficient to protect citizens and businesses in a world where software can be instantaneously updated and a compromise can be buried in millions of lines of code.  It is misleading and probably it’s hubris to think that you can use these certification processes to adequately protect yourself.  You need something more than just a certification.  

Question:  How does Deputy Assistant Secretary Strayer interpret the point made in the European Council’s conclusions that nontechnical factors should also be considered in the EU’s future security strategy for 5G?  What do these nontechnical factors refer to, exactly?

DAS Strayer:  Right.  So one of the nontechnical risks that were – was noted in the conclusions was the risk of the supplier of technology having to comply with legal and policy frameworks in a third country.  The risk assessment that was completed by the European Union on October 9th also noted additional risk profiles that should be considered, including the characteristics of ownership of the country – of the company, and as well as additional pressure that can be applied on the company.

So, in our view, a set of objective criteria need to be applied.  Those include, to just the first point about the legal and policy frameworks, is there an independent judiciary and rule of law in place so that a company can say that it does not want to comply with the mandates of the government where it’s headquartered?  In the case of China, of course, we know the National Intelligence Law requires all entities to comply with the mandates of the security and intelligence services, and to keep that cooperation secret.  Unlike in Western systems, there’s no independent judiciary so a company like Huawei cannot object in court to having to comply with those mandates.

We also think you can address those other risk profile issues noted in the October 9th risk assessment by seeking transparency about the ownership.  A company like Huawei is 99 percent owned by – it was claimed to be the employees, but it’s more likely controlled by the Chinese Communist Party.  There is limited transparency, very limited transparency about the ownership.  

And then, finally, as regards the funding, if a company is beholden to one government then financing could more easily be [inaudible] taking action by that government rather than doing what’s in the interests of consumers in other parts of the world where their technology is deployed.  So in the case of Huawei, because they receive tens of billions of dollars of financing from China, as well as in some cases zero percent loans to finance their sales, that means that the withholding potentially of that financing would be a very coercive measure that could be used against the company in the future.

Question: With yet another license extension having been awarded to Huawei recently, is the U.S. at sea in terms of dealing with the issue and is it struggling to formulate a coherent policy?

DAS Strayer:  Let me just step back a little bit from that just to explain some of the underlying facts, in case some of the reporters on the call aren’t fully familiar with all this.

But last – a year ago August, the United States sealed an indictment against Huawei and its CFO for evasion of U.S. sanctions related to Iran, telecommunications equipment being supplied by Huawei to Iran.  In order to complete that scheme of more than a decade of sales, they had – Huawei had to deceive banks about the financing payments.  They endeavored to engage in a scheme of bank and wire fraud around the globe.  So after we filed this indictment, we later sought extradition of the CFO from Canada in February, or late January, and then we also unsealed the indictment then. 

Because we have this indictment against Huawei violating our national security provisions as well as our foreign policy interests, we decided to put them on what’s called the Restricted Entities List, which limits the ability of manufactured products in the U.S. to go into Huawei products.  We do so because we want to enforce these very important national security rules, and one of the tools that we have is to limit – not be complicit in the undermining of our national security by seeing products manufactured in the U.S. go into companies that are undermining, really, free people’s interests around the world, especially with what’s going on in Iran right now.

So there has been no debate, no equivocation in the United States about keeping Huawei on this Restricted Entities List so long as they have not come forward or acknowledged any of these malign activities.  

We have, of course, allowed – to prevent disruptions to the market, we have allowed a temporary general license to be extended two times now.  That temporary general license prevents disruption; it also allows time and opportunity for companies to adjust their supply chains.  Supply chains are dynamic in this field, so we have responded with an additional temporary general license, as noted.  We will also allow some specific and limited licenses for particular activities.  

Question: The United States has repeatedly warned to limit cooperation with Europe if Huawei and other Chinese companies are involved in setting up 5G networks.  Could you please elaborate how far the U.S. is ready to go about that?  

DAS Strayer:  Well, so first, just to reiterate our general point, is that we’re not necessarily asking the Council’s conclusions to identify China specifically or Huawei in particular.  We want them to see – to establish robust enough security measures, particularly on the nontechnical side, on the trust side, that will fully protect their networks.

Now, with regard to how the future unfolds, we have very close relationships with Europe.  More data transmits between the United States and Europe than any other place on the globe.  We have our closest partnerships on law enforcement, on national security, on military affairs, as just noted in the NATO declaration, the London declaration.  We want to maintain those very close relationships and very close partnerships in Europe.  If there are the introduction of 5G components from untrustworthy vendors that can cause the compromise of data on networks in Europe, then we’ll have to reassess how we maintain levels of cooperation with them in such a robust manner.  That will be a very practical consideration that we will undertake in the future.  This isn’t a threat, it’s a – just a practical reality about how we’ll have to move forward.

Dr. Layton:  So what I would add there is that I think that there are many European countries which are aligned with the United States already, and they are looking for the U.S. to take leadership on this issue.  I think as you’ve seen just concluding, the NATO relationship, so many countries, especially countries in the European Union, who formerly lived through communist times.  They are extremely encouraged by the steps taken by the United States.  They have kept up their contributions because they recognize the kinds of threats that the world faces.  They have been occupied before.  They’re been invaded and they know all too well what this means.  So they’re looking for leadership from the United States. 

I think as well, the European Union is a democracy; there are different points of view.  There’s a free society.  There’s free exchange of ideas.  And that is part of what makes the strengths of the Western world.  So I’m actually quite confident that it is moving in the right direction, and as we’re going into this new 5G world, it is requiring a new way to understand how cybersecurity works, and many of the parties are coming together to what that means and what’s at stake.

DAS Strayer:  This is Rob Strayer.  If I just may offer one further point, it is that just from the U.S. perspective, we’re starting now to see the true evolution of 5G from being just telephone communications and the access that our smartphones need to have to the internet, to movement to the internet of things and much faster computing that will occur throughout the 5 – what will be 5G networks.  Just two days ago, Verizon, which is our largest telecom provider in the United States, announced a partnership with Amazon Web Services to put what they call mobilized computing – that is, computing at the edge – of their 5G networks.  That is the future.  That is why we’re so concerned that we not just try to secure the core of 5G networks, but we secure what was formerly considered the edge, or the periphery.  That’s because those smart components, the computing power, will be throughout 5G networks connecting the internet of things, devices, and very important critical infrastructure of the future.  

We can’t allow that infrastructure to be disrupted or the very important data to be exfiltrated for uses by authoritarian regimes.  

Dr. Layton:  I would just say that there’s a new EU government, which has begun here on December 1.  I think they have quite big ambitions.  The European Parliament has concluded a number of policies which want to protect the European citizens and have extremely high standards for companies working in Europe.  Those kinds of standards, they need – the Chinese companies have to be held to the same standard that’s expected of everyone else.  I think the good news going forward is because of the technological development, that there are – there are alternatives for 5G vendor network equipment.  They are price competitive.  They are of high quality.  So it’s actually a great time for Europe to pull together and look towards 5G.