Last week, Google reportedly warned the Trump Administration that its current ban on exports to Huawei might actually jeopardize national security by forcing Huawei to create an insecure fork of its Android operating system, according to the Financial Times.
That ban was imposed as part of a Commerce Department effort announced in mid-May which placed the Chinese telecom and tech giant on a U.S. export blacklist, the “entity list,” for its purported efforts to spy on behalf of the Chinese government. Two other companies — the telecom giant ZTE and a memory chip maker, Fujian Jinhua Integrated Circuit — were also placed on the list and the administration is now reportedly considering adding video surveillance company HikVision to it.
Two days before Google’s reported warning was made public, the Washington Post released the results of a survey of 100 cybersecurity experts from government, academia and the private sector who mostly concluded that the ban would only end up hurting U.S. tech companies and further diminish U.S. influence over the security of new products. One of the experts, former Facebook security chief Alex Stamos, now a Hoover Fellow at Stanford University, said that the ban could cause China to “emerge as the indispensable nation in consumer technology.”
The Commerce Department action comes on the heels of a White House executive order that bars telecom services and network gear from foreign adversaries in the U.S., a directive that is largely targeted at Huawei and its Chinese rival ZTE. Both of these actions, in turn, follow the enactment of the National Defense Authorization Act of 2019, which contains provisions banning the federal government from purchasing equipment from certain Chinese vendors due to security concerns, including Huawei and ZTE.
The blacklisting of Huawei: A timeline
These most recent clampdowns on Huawei (and other Chinese tech suppliers) are the culmination of more than a decade of mounting concern over the supply chain risks that Huawei has fostered. In 2005 an Air Force-commissioned report by the Rand Corporation flagged concerns over the company’s ties to the Chinese military. In 2012, the House Permanent Select Committee on Intelligence issued a report warning against the use of technology from Huawei and ZTE.
In 2018, AT&T abandoned plans to become the first U.S. mobile company to offer Huawei handsets after regulators and lawmakers warned the telco against it. Shortly afterward, the Pentagon banned the sale of Huawei and ZTE phones in military base stores. Along the way, Huawei has been embroiled in a number of other controversies, including whether it violated trade sanctions on Iran, allegations that ultimately resulted in the arrest of Meng Wanzhou, the daughter of company co-founder, Ren Zhengfei.
This year, the Trump Administration has been pressuring foreign governments to ban Huawei from their next-generation wireless telephone networks — a large request considering that Huawei is a leader in 5G mobile technology. Although Australia and Japan are among the top countries that have banned or limited Huawei’s products to “non-core” portions of their networks, Europe, where Huawei has gained a strong foothold, is a much harder sell.[ Prepare to become a Certified Information Security Systems Professional with this comprehensive online course from PluralSight. Now offering a 10-day free trial! ]
In the Netherlands, leading wireless carrier KPN has selected Huawei to provide equipment for its 5G network. Portugal and Germany are leaning in favor of using Huawei in their 5G networks, while most other European countries are treading carefully by studying the matter or pausing on previous plans to deploy Huawei technology. Russia has struck a deal with Huawei to build that country’s first 5G network for carrier MTS.
Surveillance and the IT supply chain
All these developments center on a valid concern. Under Chinese law, Huawei, ZTE and any other tech company are obligated to assist in intelligence work and hand over any data or knowledge that the government in Beijing requests. Despite assurances from Huawei that it will not build surveillance backdoors or hand over data to the Chinese government, the country’s 2017 National Intelligence Law and the 2014 Counter-Espionage Law require them to do so and will protect them if they do support, cooperate or collaborate in intelligence work.
The question remains, however, whether efforts to block, ban and shun Chinese tech suppliers effectively address the main, underlying concern that Huawei and its Chinese peers are implanting surveillance and other undesirable technologies into the IT supply chain on orders from Beijing. A related question is whether these efforts actually harm security, as Google’s recent appeal suggests.
Many experts believe that the world has evolved beyond the point where blocking any specific vendor or country can stop an adversary from infiltrating the supply chain. The sheer number of players operating in our current digital infrastructure makes it extraordinarily difficult to block not only China-related malware somewhere along the chain, but any would-be adversary who wants to implant unwanted technologies.
“The internet, after all, is about the interconnection of disparate networks; keeping Chinese hardware out does not translate into keeping Chinese-originated digital code out,” Robert Williams, director of the Paul Tsai China Center at Yale Law School, and Tom Wheeler, former FCC Chairman and now a visiting fellow at the Brookings Institution and a fellow at the Harvard Kennedy School wrote in Lawfare in February 2019.
Huawei, of course, agrees. “Blocking an individual company does not make cyberspace or America any safer partly because you want to promote interoperability,” Andy Purdy, CSO for Huawei Technologies USA, tells CSO. “One of the fundamental messages we’ve communicated both publicly and in our submissions to the FCC is that there is real cybersecurity risk out there. The threat from the most sophisticated of the nation-states is very real.”
A Risk-Management Approach
What would work best in the long run, according to Purdy, is a comprehensive approach to supply chain threats based on risk management. Williams and Wheeler would agree. “The U.S. government should push for multistakeholder efforts to develop common approaches to supply-chain diversification, to ensure an open and transparent international 5G standard-setting process, and to promote voluntary agreements on security standards,” they said in their Lawfare piece. “Regardless of whether Huawei is banned from building U.S. 5G network infrastructure, Chinese networks and Chinese equipment will be connecting to American networks, so the U.S. must take proactive steps to deal with this.”
In the short term, though, Huawei is pressing the government, to the extent they can talk to government officials at all at this point, for what are called national security agreements that a host of foreign-related tech companies, such as Nokia and Ericsson, have struck with the federal government. “We are hoping the government will talk to us,” Purdy says. “Right now, we believe we could come up [with] risk mitigation mechanisms. We are not yet in those conversations.”
Huawei may just get the chance to do that if a recent statement by Donald Trump to CNBC is any indication. Trump said during a call-in to the network’s Squawk Box show that he would reconsider the penalties his administration has imposed on Huawei as part of a trade deal with Beijing. Using Huawei as a bargaining chip in trade talks has alarmed some security experts because it sends the signal that our country’s security assessments are political and not based on bona fide threat analysis.