U.S. officials have spent months urging allies to ban Huawei from their 5G wireless networks, warning the company will gather intelligence and steal intellectual property for the Chinese government.
Now they’re prepping for the next battle: staying secure after those countries partner with Huawei anyway.
“We are going to have to figure out a way in a 5G world that we’re able to manage the risks in a diverse network that includes technology that we can’t trust,” Sue Gordon, the deputy to the director of the U.S. intelligence community, said during a recent conference, my colleagues Ellen Nakashima and Souad Mekhennet reported.
The apparent resignation to plan for a post-Huawei future comes after recent setbacks to Washington on this front. While the U.S. has pressed its case from Canada to New Zealand, only Australia has committed to banning the Chinese telecom giant. The European Commission decided last week not to warn European Union member nations against contracting with the company. And a NATO-affiliated research center report yesterday urged “nuanced approaches … instead of a blanket ban” by nations in the military alliance.
As the tide turns against diplomatic efforts to keep Huawei out of allies’ networks, U.S. officials are looking for technological solutions. After all, the shift to 5G is especially significant because its super-fast speeds will allow far more data to travel on wireless networks — creating far more opportunities for espionage if an adversary is sitting on those networks.
Government officials are examining ways to better encrypt vital communications so they can’t be snooped on between the sender and the recipient, Ellen and Souad reported. Major U.S. telecom providers are also working on ways to prevent any spying tools in foreign 5G networks from reaching into domestic networks.
The Homeland Security Department has launched a supply chain initiative aimed at better securing the most vital portions of telecommunications and other key industry sectors. And the Pentagon is examining how it can segregate vital communications from untrusted 5G networks or be prepared to operate “in environments where we don’t know how secure that network is,” acting defense secretary Patrick Shanahan told lawmakers last month.
But those technological fixes may be out of reach for other nations that choose low-cost Huawei equipment as they transition to 5G, or communicate with other countries that do, according to the report from the NATO Cooperative Cyber Defence Centre of Excellence.
Only about one-third of NATO and European Union members have the capability for such technical fixes, the report authors estimated, “leaving the rest with the dilemma of choosing their dependencies: trust Chinese technology or trust their partners’ insight.”
Huawei, for its part, has steadfastly denied it has ever spied for the Chinese government and has tried to shift the debate to focus on what it describes as its technological advances over competitors.
The effort to keep Huawei out of 5G networks was always going to be a long shot.
The company is heavily subsidized by the Chinese government, which means it can sell 5G technology at prices that undercut its main competitors Nokia, Ericsson, and Samsung, noted Jim Lewis, a cybersecurity expert with the Center for Strategic and International Studies, last week.
“And the Chinese government is not paying hundreds of millions of dollars to build another country’s telecom infrastructure because they admire its cuisine,” said Lewis, who was previously a top cybersecurity official at the State and Commerce departments.
The company is also already managing 4G networks for large portions of Africa, the Middle East, southeast Asia and southern Europe, which puts it in a strong position to get those nations’ 5G contracts. And China’s position as a major exporter gives it a lot of leverage to push back against nations that it believes are unfairly discriminating against its companies, Lewis noted.
“The risk is real, countries understand it, but they fear retaliation,” he wrote.
Even the United States has not yet officially banned Huawei from its 5G networks, and President Trump suggested in a cryptic tweet in February that a ban might be negotiable as part of broader trade talks — undercutting his administration’s position that the ban is about security, not trade.
Lewis urged the White House to impose that ban as soon as possible by executive order, but also to launch a series of other efforts aimed at mitigating Huawei's role in 5G, including providing assistance to poorer nations that want to upgrade their networks without Huawei.
Even those measures, though, will likely fall short of preventing Huawei from controlling a large share of the global telecom system.
“You have to presume a dirty network,” Gordon said at the conference last week. “That’s what we’re going to have to presume about the world.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Sen. Ron Wyden (D-Ore.) is pressing one of the nation’s three largest election systems vendors for more information about its cybersecurity track record.
In a letter to the company Election Systems and Software shared with The Cybersecurity 202, Wyden pushed back on a statement from the company that ES&S machines have never been compromised during an election. He asked for audits and other documentation to prove the claim, which the company made in a letter to the League of Women Voters of South Carolina.
ES&S previously came under fire from Wyden for first denying, then admitting it installed software that allowed it to remotely access some of its voting machines -- and that hackers could theoretically exploit. Lawmakers have also balked at the company's claims that independent security researchers should not be probing its machines for bugs because that could aid malicious hackers.
The letter comes less than a week after four other Senate Democrats — Amy Klobuchar (Minn.), Mark Warner (Va.), Jack Reed (R.I.) and Gary Peters (Mich.) — sent ES&S and other top vendors a list of 16 questions about their security practices.
PATCHED: An FBI system for notifying people they've been victims of cyber crime is clunky, prone to errors and often results in people being notified too late about digital breaches to do anything to protect themselves, according to an inspector general’s report.
The IG’s office interviewed 31 FBI agents at six field offices and found 29 of them weren’t using the system properly, according to the report. They also found the system was prone to typos and errors such as agents recording that they’d notified a victim before a data breach even occurred.
Auditors recommended that the FBI strengthen its controls to ensure cyber crime victims are notified as quickly as possible and more clearly define who is a cyber crime victim and who isn’t.
PWNED: Former hackers for U.S. intelligence agencies helped the United Arab Emirates spy on Arab journalists including the chairman of Al Jazeera, according to an investigation from Reuters’s Joel Schechtman and Christopher Bing.
“The American operatives worked for Project Raven, a secret Emirati intelligence program that spied on dissidents, militants and political opponents of the UAE monarchy,” according to Schechtman and Bing, who previously exposed key details about the group.
Here’s more from the story: “The Raven operatives — who included at least nine former employees of the U.S. National Security Agency and the U.S. military — found themselves thrust into the thick of a high-stakes dispute among America’s Gulf allies. The Americans’ role in the UAE-Qatar imbroglio highlights how former U.S. intelligence officials have become key players in the cyber wars of other nations, with little oversight from Washington.”