Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

Support for Expunging Huawei Gear From Carrier Networks Grows

Bipartisan Legislation Would Create a $1 Billion Huawei and ZTE Replacement Fund
Support for Expunging Huawei Gear From Carrier Networks Grows
Photo: ThatMakesThree, via Flickr/CC

A bipartisan group of lawmakers has introduced a bill to help U.S. telecommunications providers "rip and replace" any Chinese-built networking equipment. The move comes as many experts warn that using Huawei or ZTE 5G equipment poses an unacceptable national security risk.

See Also: The State of Organizations' Security Posture as of Q1 2018

On Friday, the House Committee on Energy & Commerce held a hearing on “Legislating to Secure America’s Wireless Future," which included a discussion of proposed legislation called the Secure and Trusted Communications Networks Act.

The bill would allocate $1 billion to help telecommunications carriers - especially smaller and rural operators - to replace suspect Chinese-built gear with more secure alternatives via a Secure and Trusted Communications Reimbursement Program. It follows a Senate bill, approved in July, that called for allocating $700 million for the same purpose.

The House bill was introduced on Sept. 24 by Rep. Frank Pallone, D-N.J., who chairs the committee, as well as ranking member Rep. Greg Walden, R-Ore.; Rep. Doris Matsui, D-Calif.; and Rep. Brett Guthrie, R-Ky. It includes a provision that the Federal Communications Commission "develop and maintain a list of communications equipment and services that pose an unacceptable risk to national security."

"The United States identified individual Chinese telecommunications firms, including Huawei Technologies Co. Ltd and its affiliates, as posing significant threats to U.S. commercial and security interests," reads a House Committee on Energy & Commerce memo issued on Sept. 24. "Their susceptibility to state influence over business operations results in China having 'the means, opportunity, and motive to use telecommunications companies for malicious purposes,' such as espionage and cyberattacks," it adds, quoting from a 2012 House Permanent Select Committee on Intelligence report.

FCC Commissioner Geoffrey Starks has been urging Congress to help smaller telecommunications providers replace Chinese-built equipment.

"I’m glad to see Chairman Pallone, with Ranking Member Walden and other leaders in the U.S. House of Representatives, introduce a bipartisan bill today that would take important steps toward finding insecure communications equipment in U.S. networks quickly," Starks said in a Friday statement, Broadcasting and Cable reported.

Proposals to Secure 5G

Other legislation discussed at Friday's hearing included a range of proposals for 5G spectrum development and sharing, securing telecommunications supply chains, boosting U.S. participation in setting 5G standards, and ensuring the U.S. complies with the draft 5G security "Prague Proposals." Those proposals include recommendations that touch on four areas: policy, technology, the economy, as well as security, privacy and resilience.

Czech Prime Minister Andrej Babiš at the Prague 5G Security Conference held in Prague on May 2, 2019. (Photo: Czech government)

In addition, the Secure 5G and Beyond Act would direct the president to develop a "secure, next-generation mobile communications strategy," together with the Department of Homeland Security, the FCC, National Telecommunications and Information Administration, Director of National Intelligence and Pentagon to "ensure the security of 5G communications systems and infrastructure in the United States" as well as help allies to do the same.

Supply Chain Security

"These bills are a very good first step in supply chain security," Bobbie Stempfley, managing director of the CERT Division at Carnegie Mellon University's Software Engineering Institute, testified at the Friday hearing.

"As the appropriate entities begin to implement supply chain security, encouraging resilience as a criterion in every stage of development and supply of ICT [information and communications technology] must continue to be the forward-leaning focus of the software and supply chain assurance efforts within government and industry," she said.

What's at stake from 5G is not just the security of a nation's telecommunications infrastructure, but also economic potential. Market researchers estimate that 5G revenue will reach $250 billion in 2025.

China's Intelligence Law

Some legal experts say China's 2017 National Intelligence Law compels all Chinese individuals and organizations to work with the government whenever officials so request, including for data collection and other intelligence-gathering purposes. That law continues to be cited by analysts who caution that Chinese-built gear could be forcibly suborned by China to spy on other nations.

The White House has continued to press allies to avoid using Huawei and ZTE gear for sensitive telecommunications applications. So far, Australia, New Zealand and Japan have agreed with the U.S. position and barred Chinese telecommunications gear from at least part of their 5G network rollouts. But other nations, including the U.K., have yet to issue a formal decision (see: Huawei's Role in 5G Networks: A Matter of Trust).

Huawei Markets First-Mover Advantage

Huawei markets itself to telecommunications carriers across the world with the promise that if they adopt the company's relatively low-cost equipment, they can best the competition by being among the first to offer 5G.

But Huawei's low-cost approaches might utilize 5G implementations that are proprietary and which preclude later interoperability with emerging global standards, said Chris Cummiskey, speaking at a Sept. 24 press conference held by Global Cyber Policy Watch - a project of Washington-based consultancy Cambridge Global Advisors, which he advises. Cummiskey previously served as CIO of the state of Arizona and later as the under secretary for management at DHS.

Chris Cummiskey, formerly the under secretary for management at DHS, and who's now a senior adviser to Cambridge Global Advisors, says 5G will underpin autonomous vehicles, the internet of things, cloud computing as well as corporate and government communications networks.

As a result, moving too quickly could place countries at a disadvantage as 5G comes to underpin autonomous vehicles, the internet of things, cloud computing, corporate and government communications networks and more, Cummiskey said.

Speaking at the same press conference, Tom Ridge, a former Congressman and governor of Pennsylvania who also served as the first U.S. Secretary of Homeland Security from 2003 to 2005, said that using Chinese-built equipment for sensitive applications poses clear national security risks. "Cheaper and earlier does not trump, pardon the expression, the risk posed by having them in your infrastructure," he said.

Tom Ridge, who served as the first U.S. Secretary of Homeland Security, says Huawei equipment poses clear risks to other nations' security.

Ridge, who now serves as chairman of Washington-based strategic consultancy Ridge Global, cautions that Huawei is one of a number of "basically state-owned, state-controlled enterprises" that have been receiving billions of dollars in Chinese government investment. He says that raises a national security red flag and demands the government take a more active role in addressing the problem,

"When a known adversary has been responsible for economic espionage, for surveillance, for the theft of intellectual property, and that known adversary is committed to moving quickly and aggressively and is willing to spend billions of dollars to accelerate its growth of the technology that can give it both economic and ultimately potentially disproportionate geopolitical influence, I think that is the time ... that maybe we better look a little bit differently at the role and the engagement of the public and the private sector in this space," Ridge said. "We don't have a moment to lose."

Engineering Concerns

Concerns also continue to be raised over the quality of Huawei's equipment. One potential risk is that shoddy code quality could be abused by anyone - not just the Chinese state - to eavesdrop on communications and intercept data.

Britain's GCHQ intelligence agency, via its National Cyber Security Center, since 2010 has been reviewing Huawei's business strategies and testing all product ranges before they potentially get used in any setting that might have national security repercussions. GCHQ has continued to call out engineering problems in Huawei equipment, which the manufacturer has pledged to fix (see: Huawei Security Shortcomings Cited by British Intelligence).

Addressing 5G security is "a hugely complex strategic challenge which is going to span the next few decades," said Jeremy Fleming, director of GCHQ, at the NCSC's CyberUK conference in Glasgow, Scotland, on April 24.

"When we analyze a company for their suitability to supply equipment to the U.K.'s telecom networks, we are looking at the risks that arise from their security and engineering processes, as well as the way these technologies are deployed in our national telecom networks," Jeremy Fleming, director of GCHQ, said in April. "The flag of origin of 5G equipment is important, but it is a secondary factor."

Europe Targets 5G Security

Such concerns are far from isolated. In March, the EU issued recommendations to member states for addressing 5G security. In recent months, EU member states have prepared their own 5G risk assessments, which they have fed to the the European Commission. All such assessments were due to be completed by Tuesday.

The commission says the risk assessments cover the main 5G threats and threat actors identified by each EU member state; an assessment of 5G network component and function resilience; as well as "various types of vulnerabilities, including both technical ones and other types of vulnerabilities, such as those potentially arising from the 5G supply chain."

The EU Agency for Cybersecurity - ENISA - is set to soon release a coordinated, EU-wide risk assessment. By Oct. 1, 2020, all EU member states are due to reassess whether ENISA's risk management recommendations have been sufficient as they continue their 5G rollouts.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.