Russia must halt destabilizing cyber activity before the United States will resume cooperation on digital security, US Deputy Assistant Secretary for Cyber and International Communications and Information Policy Robert Strayer told reporters on Thursday.
“We need to see the Russian destabilizing cyber activity… be discontinued. Those are unacceptable,” Strayer said when asked what needs to happen to resume cooperation with Russia.
He also said that Washington was concerned that a Russian company would sign an agreement with Huawei.
Speaking to journalists, the US deputy assistant secretary for cyber security Robert Strayer said that Washington would have to assess the UK’s network itself if Huawei was allowed a role in its 5G infrastructure.
He said: “One of the most important responsibilities that we have as US government officials [is] that we protect our sensitive information, sensitive information that we’ve acquired.
“And people put themselves sometimes at substantial risk to acquire that information. Therefore, we need to ensure that that information is only transmitted on high security environments.
“We consider Huawei to be a substantial risk to the communications infrastructure.
“Therefore any country that deploys Huawei equipment in any part of its 5th generation infrastructure will be a network… that we need to assess ourselves and make a determination about how we will respond going forward.”
Below is a full rush transcript of the press conference by Ambassador Robert L. Strayer, Deputy Assistant Secretary for Cyber and International Communications and Information Policy , BUREAU OF ECONOMIC AND BUSINESS AFFAIRS.
DAS Strayer: The fifth generation of wireless technology or 5G will be transformative, and we’re all very eager to see that rolled out and for all the potential that it’s going to offer to our economies and to people in our countries.
It’s going to offer up to 100 times faster connections than what the 4th generation of wireless technology provides and with very low latency, that is very low delay in the time it takes to transfer data. That’s going to enable tens of billions of new devices to be connected to the internet in just the next few years. That’s what we call the internet of things. Those connections are going to empower a vast array of new critical services, from autonomous vehicles and transportation systems to telemedicine to automated manufacturing as well as empowering our traditional critical infrastructure such as the provision of electricity through the smart grid.
With all these services relying on 5G the stakes for safeguarding our critical networks could not be higher.
It’s also important to not there will be increased blurring of the differentiation between the core and the edge of the 5G network. There will be smart components that are doing computing throughout the network, therefore we need to ensure that we secure the entire network and not just leave untrusted parts of the network to the periphery.
It’s going to be very important for us to have a risk-based approach to carefully evaluate the hardware and software equipment vendors that are going to supply this next generation of networks. We should evaluate closely and exclude vendors that are subject to the control of a foreign government that has no meaningful checks and balances on its power to compel cooperation of those vendors with its intelligence and security agencies.
Those vendors, of course, could be asked to play a role in undermining network security to, for example, steal personal information or intellectual property or to conduct espionage or to disrupt the critical services that are going to ride over the top of the sensors and devices that are connected by the 5G network.
I want to take a minute to talk about our particular concern about Chinese vendors and why we’re particularly concerned about those vendors being involved in the supply of 5G networks.
As is made clear by Chinese law, most notably its National Intelligence Law, that Chinese citizens and organizations are required to cooperate with Chinese intelligence and security services. In addition, the government does not have any meaningful checks or balances on its power in China. President Xi Jinping has told security officials that China does not intend to walk down the “Western road of constitutionalism, separation of powers or judicial independence.” Therefore, we are concerned that China could compel actions by network vendors to act against the interests of our citizens or citizens in countries around the world.
We’ve also seen China in recent years undertake troubling uses of data and conduct industrial espionage through cyber means. Chinese technology firms are already working hand in hand with the Chinese government to suppress freedom of expression and human rights. They do this through arbitrary surveillance, censorship and targeted restrictions on internet access.
We only need to look at the Xinjiang Province in China to see the use of this technology already where it’s being used to identify individuals based on use of security cameras and artificial intelligence to identify individuals that are then in some cases put into reeducation camps. We now know there’s more than a million Uighurs that have been placed in reeducation camps for their beliefs.
If Chinese companies continue to build the underlying 5G infrastructure they will be in a better position to take advantage of their access to this data.
We also know that China was behind one of the largest thefts of information from companies as was attributed to them in December of last year. What was known as the Cloud Hopper attacks were Chinese attacks from the Ministry of State Security that compromised global-managed service providers and cloud providers. That gave them access to large companies’ entire networks of information. Some of that information was then supplied to other Chinese companies in order for them to benefit economically.
Next I’d like to turn just briefly to what the United States has done.
On May 15th to secure our networks President Trump signed an Executive Order entitled Securing the Information and Communications Technology and Services Supply Chain. This Executive Order allows the Secretary of Commerce to prohibit transactions involving information communications technology that could be controlled by or subject to the jurisdiction of a foreign adversary and that pose an unacceptable risk to our national security. We’re now in the implementation phase of that executive order with regulations to come in the coming months.
Also on that same day the United States added Huawei to what’s called the Restricted Entities List. Huawei was added to this list because of its years of supplying, in violation of international sanctions, years of supplying telecommunications equipment to Iran and then being deceitful about its practice of supplying that technology to Iran.
Under the entities listing, license can be granted. So the Commerce Department announced almost immediately that there would be temporary general licenses that U.S. companies could use to continue providing limited services and sales to Huawei. In addition, U.S. companies can apply for export licenses to provide service and sales that were not captured in that temporary general license.
Under the recent announcement by President Trump, Commerce will now take prompt action to issue certain additional licenses to companies that apply which permit transactions that will not pose a risk to our national security and that are not contrary to U.S. foreign policy interests. In general they will be for widely available commodity chip sets and software and tools that are generally available to the public. The idea here is that we should not penalize U.S. companies when there is already a worldwide market for devices that are being sold to Huawei. Our companies should not be at a disadvantage to others that are already selling to Huawei. So licenses that pose no national security threats, and they’re not contrary to our U.S. foreign policy can be considered under the entities listing still.
I also would just like to highlight a couple of recent events. For some time Huawei has maintained that they would not be able to be compelled by the National Intelligence Law of China to comply with the mandates of the Chinese Communist party and the Chinese state, despite there being a lack of independent judiciary review for them to object to such requirements. A researcher recently identified a number of employees of Huawei who also have close links with the Peoples Liberation Army, the military in China, as well as the intelligence services.
Earlier this year the Huawei Oversight Board in the United Kingdom found that there were hundreds of vulnerabilities in Huawei’s products. In addition, they determined that there were serious and systematic defects in Huawei’s software engineering and cyber security competence.
Those findings were recently buttressed by a cyber security firm called Finite State in the United States, which studied firmware on a number of Huawei devices and found that they were of substantially lesser quality from a cyber security perspective than their competitors. In fact they found there were hard coded passwords in the firmware as well as unsafe cryptographic practices in the firmware itself. Those vulnerabilities collectively amount to not just a back door but above door. That is vulnerabilities that are so significant that an adversary could easily take advantage of these, as well as because they’re so vulnerable and are filled with so many flaws, they could then have plausible deniability that they knew that a particular vulnerability was being used for exploitation of networks.
Question: What does the U.S. think the release of Piotr D from detention in Poland? Is it fair to say that our ally in Poland is taking a lighter approach to Huawei in the wake of the G20 Summit?
DAS Strayer: I can’t comment on what’s in the minds of the Polish government and why they take legal actions. I will also note that at the same time there was arrested a Huawei employee that was charged with that same type of espionage in Poland. I did read that article that Drew wrote yesterday, and at the end it does state that, I think incorrectly, that Huawei is the only company prepared to roll out 5G. A number of U.S. telecom operators are all going to roll out 5G, have already begun. There’s more than roughly two dozen trials by both, commercial roll outs actually, by Verizon and AT&T in the United States, and they’re using other vendors, others than Huawei — that is they’re using Ericsson in Sweden; Nokia in Finland; and Samsung from South Korea. We are moving ahead with 5G roll outs and it’s estimated by the trade association, GSMA, for the wireless industry that by 2025 the U.S. will have 50 percent of its wireless connections being 5G whereas in Asia it will be roughly 17 percent that will be 5G. So we think we will be leading the world using trusted technology vendors.
Question: The professional dialogue and cooperation on digital security between the U.S. and Russia. We used to have that IT was suspended by the American side. So how soon do you expect it to be renewed? What needs to happen for that? Do you need to talk on issues such as 5G as you described? Or maybe others?
DAS Strayer: From our side we’ve been very clear, talking to the most senior Russian officials, that we need to see the Russia destabilizing cyber activities be discontinued. Those are unacceptable from an international perspective.
I’d also note that I understand that one of the Russian operators recently concluded an agreement with Huawei. As I noted in my opening remarks authoritarian states are using Huawei to enable surveillance networks and other ways of depriving people of their individual liberties, so it’s quite concerning that a Russian company would be signing an agreement with Huawei for a full commercial deployment.
Question: Your recent visit to the UK, what’s your assessment of the current pause or indecision by the UK government as to Huawei’s role? And do you expect a change in stance under Boris Johnson should he succeed Theresa May?
DAS Strayer: We’re talking about our views around the world with a wide range of governments. We always emphasize that it’s the sovereign decision of those governments at the end of the day about how they want to protect their citizens. We, of course, have a substantial interest in the United States because we’re so interconnected with all these governments and we share sensitive information with those governments. So we want to talk with them in a frank way about our security concerns, so hopefully we can come to understandings that will meet our mutual interests.
So I don’t have any real comment on the United Kingdom’s processes, but just to say that we are in active dialogue with a number of countries around the world.
Question: Previously you said that the U.S. would have to reassess its relationship, its information sharing relationship with any country that has Huawei as part of its network. Does that extend to the UK? How do you anticipate information sharing with the UK would change if the UK decided to have Huawei gear involved at either the core or the edge of its infrastructure?
DAS Strayer: One of the most important responsibilities that we have as U.S. government officials, that we protect our sensitive information. Sensitive information that we’ve acquired. And people put themselves sometimes at substantial risk to acquire that information. Therefore, we need to ensure that that information is only transmitted on high security environments. We consider Huawei to be a substantial risk to the communications infrastructure. Therefore any country that deploys Huawei equipment in any part of its 5th generation infrastructure will be a network, a set of systems that we need to assess ourselves and make a determination about how we will respond going forward.
Question: The remark that Senior Trade Advisor Pete Navarro made a couple of days ago saying that U.S. firms would likely get licenses to sell less than $1 billion products to Huawei which is roughly less than 10 percent that Huawei was said to have bought in 2018. Could you comment on that amount? Also, how are software components, androids updates, are they going to be okay in the future?
DAS Strayer: Thanks for that question. I can’t really offer more than I said earlier. It’s not possible for me at the State Department to put a number on what will be licensed. Licensing decisions can occur over time and so the next set of licenses will shed light on which additional products and services can be sold to Huawei.
As I said, widely available commodity chip sets, integrated circuits, as well as software and tools that are generally available to the public on the market already are the types of software and hardware that we will license, of course if they do not have any impact on our national security or foreign policy interests.
Question: You’ve talked about 5G, core, networks, where the intelligence sits and the use of trusted suppliers. Have you put any pressure on governments around the world in the field of broadband networks as well? Obviously they’re a big supplier in that set of equipment too. Some of it considered passive, some of it less. Is it only really 5G that you’re concerned about?
DAS Strayer: It’s important I guess to say that as part of our overall emphasis on the importance of protecting all of our information and communication technology, we believe there needs to be a risk-based approach to it, and that includes looking at the supply chain. The suppliers and the equipment that goes into all ICT networks, as you mentioned. Whether that’s for a 4G network or 5G or other types of technology infrastructure. So we think a risk-based approach needs to be applied to that that includes looking at supply chain components. It’s just that on 5G we’ve made the determination that no part of it can come from, within the United States, come from a vendor that is in China subject to their National Intelligence Law.
Question: President Ramaphosa, our South African President, had expressed some sentiment last week about how the real reason for the U.S. restricting Huawei’s 5G sales and operations was because they were jealous of the fact that they have been overtaken technologically. And I just want to know, if you haven’t already answered the question, if you could address that. But also in the sense of a follow-up, do you have as U.S. all the same technology that would otherwise come from Huawei in the 5G department?
DAS Strayer: There’s a worldwide market for 5G equipment including what they call the radio access network. The other key suppliers outside of China are in Sweden, Finland and South Korea, those being Nokia, Ericsson and Samsung. The United States telecom operators, the largest ones here, are not going to use any Chinese suppliers. They’re going to use those other three trusted vendors. And we think we’re going to be leading the world in commercial deployments. There’s almost two dozen commercial deployments in cities for both our two largest carriers — Verizon and AT&T — already. Really the two first commercial deployments were in the United States and in South Korea. So in no way do we think that Huawei has superior technology. In fact when we look at what the objective source for that seems to be, it is the subjective source of Huawei itself asserting that it has the best technology. There are some, I think, telecom operators who have repeated that point, but they would cite back, I think, to the attestations they received form Huawei that they have the best technology. We’d encourage telecom operators in countries to look at the other options that are available.
At the end of the day, this is technology that we have somewhat had around for many years, whether we’re talking about computing servers, storage devices, networking equipment, radios, antennas. Those are all equipment that can be found in a number of suppliers. They are integrated by those three larger ones including the Chinese five large ones that I mentioned just a minute ago.
Question: You talked about the administration now permitting some sales from U.S. companies to Huawei, but also concern about Huawei’s rolling out 5G. And you also — sorry, I was wondering if you could just expand a little bit about Huawei’s role in Xinjiang because you also mentioned concern over China’s use of surveillance there, maligned use of surveillance. And in connection to that, should U.S. companies be doing any business at all with a firm that is involved in surveillance in Xinjiang?
DAS Strayer: Our understanding is that Huawei, among a set of other Chinese companies, tend to form an ecosystem that is used for both the communications devices as well as the computing power that’s necessary to undertake surveillance, to undertake other activities as well, such as the assigning of social credit scores that we’ve seen in China. So we advise companies that they should be very cautious about the end uses for their technology, that they’re not used in ways that are not consistent with our Western values. They’re not going to be used to violate people’s rights to privacy, and for our European listeners, not being used for ways that might violate GDPR. I would note that the founder of Huawei recently noted that it would take at least five years for them to comply with GDPR. He said that in an interview to the Financial Times last week.
So we advise companies to think carefully about how technology might be used by authoritarian states if they work with certain companies.
Our understanding generally is that Huawei and other Chinese companies tend to work together on these projects.
Question: UK mobile networks have decided to leave Huawei out of the core networks, and you today have stressed that both and the more peripheral equipment needs to be considered as well. Huawei has naturally pushed back at the idea that radio access network equipment is peripheral. But I just wanted to get an idea from you about how seriously mobile networks should be considering Chinese involvement in this edge equipment?
DAS Strayer: As I said, in the 5G network because of the way it’s architected, because there’s going to be smart computing components throughout it, components are going to provide the ability to have autonomous vehicles with very low latency, that is the time it takes from the sensor detecting something to it being transmitted to the computing facility. So you’re going to have to have that computing closer to the user, to the vehicle. The same way with telemedicine. So all these critical things will rely on computing near the edge.
We think that any of that computing, any of that very sensitive data that’s generated needs to be only on vendors’ equipment that we trust. Trusted vendors. Trusted vendors from the perspective of not being able to be subject to a National Intelligence Law like they are in China, to undertake activities that are of interest only to the Chinese government and its intelligence agencies, from the perspective of the best of corporate practices, for example having an independent board of directors subject to our Western legal systems to ensure compliance with privacy laws.
So we think that any of those types of equipment, wherever they might reside in a network are areas that we need to have secure vendors providing, and because of the way that the future 5G network will be architected and roll out as new use cases are developed, there really is no part of the network that will not potentially have the computing and the access to that very sensitive data of the future that will really empower, that the underlying infrastructure will power all types of new critical uses in the years to come. So we need to make sure every component is secure and is sort of under a governance structure that is consistent with our Western values.