Admiral Dennis C. Blair, USN (Ret.) is the former U.S. Director of National Intelligence and Distinguished Senior Fellow (Non-Resident) at the Sasakawa Peace Foundation USA; Michael Chertoff is the former Secretary of the U.S. Department of Homeland Security; Arthur Coviello is Special Counsel at WilmerHale; and William “Bud” Roth is a Fellow (Non-Resident) at Sasakawa Peace Foundation USA.
The authors are the U.S. Commissioners of the Trilateral Cyber-Security Commission (TCSC), a project of the Sasakawa Peace Foundation USA. The TCSC was created to facilitate cooperation in the field of cybersecurity among the United States, Japan, and the European Union.
Immediate Change to Our 5G Strategy is Needed
France and the United Kingdom’s recent announcements that they would permit limited use of Huawei’s gear on future 5G networks is a problematic development for the Trump Administration, which has urged its allies to ban Huawei from future 5G networks. It appears this push is faltering, and we believe an adjustment in strategy is needed. Proponents of the total ban on Huawei equipment base their recommendation, in large part, on classified evidence that they are unwilling to share with many overseas partners, their local telecoms, and the public. As a result, there is a lack of consensus on the nature of the problem, much less the suggested solution. What is needed is a diplomatic push that is substantiated by publicly available facts.
Evidence in the public record suggests that Huawei is (a) willing to help China’s foreign policy goals by conspiring with Iranian companies to bypass US sanctions on high-tech goods, (b) engaged in economic espionage against its competitors and (c) has wittingly or unwittingly sent two employees to Poland and the Czech Republic who are accused of spying for the Chinese government. There is also ample evidence the Chinese government is willing to favor national champions like Huawei through economic espionage, lax intellectual property protection, coercive local partnering requirements, directed preference in the domestic market and market subsidies. All this suggests that Huawei obtains advantages from a variety of government benefits not available to its overseas competitors. The fact that there is no publicly available “smoking gun” evidence that Huawei has used its access to western networks to support the clandestine cyber operations of China or the People’s Liberation Army does not offset these risks.
It is time to realize that the problem is not Huawei, but the insecure nature of cellular technologies and the rise of digital communications as critical infrastructure. We need to put into place risk reduction policies that go beyond one-off actions against Huawei and ZTE. Policies should be based on the reality that 5G networks are destined to carry a variety of mission-critical data, including first-responder and military communications as well as real time warnings from an array of automated sensors monitoring roadways, industrial facilities, and other hazards. Networks responsible for carrying mission-critical data of this nature are critical infrastructure that not only must have extremely high resiliency ensured by reliable hardware and software, but also must be secure against both criminal and foreign penetration for stealing information or degrading the network.
One element of this risk to digital critical infrastructure is the danger that a nation-state adversary such as China might coerce a local equipment manufacturer to provide access to a US network. While this risk has always existed, the rise of digital networks as critical infrastructure and the growing presence in our networks of goods made by countries at odds with the US increases the danger of compromise leading to national-security level consequences. In this sense, Huawei is merely an existing example of this emerging risk of strategic compromise. What we need, therefore, is not a one-off ban on Huawei, but a comprehensive risk-based assessment of foreign-made goods sold to US cellular carriers. This is the argument that the US should be making to its allies. There is far more evidence to support the need for a principled national security-based risk assessment on the use of foreign-made goods in digital critical infrastructure than there is for Huawei alone, giving the US a more persuasive “problem” to share with like-minded allies.
Secondly, the solution to the problem is not to simply ban companies such as Huawei, but to make available a variety of options to mitigate risks. This is the approach undertaken by the Committee on Foreign Investment in the United States (CFIUS), which can approve foreign acquisition or investment in critical infrastructure on implementation of certain safeguards such as a firewall between US and foreign management. A review of foreign-made cellular technology procurement should look at the same issues of foreign influence and control as those investigated by CFIUS for acquisition and investment. Where serious risks are identified, rather than simply forbid the deal, the reviewers should consider technical safeguards that mitigate risk of compromise. By allowing procurement of foreign-made gear to go forward with proper mitigation steps, a CFIUS-like review would adequately protect national security concerns with minimal interference in free trade. This graduated approach, again, would be easier to sell to US allies.
The Trump Administration’s belief that the US needs to work with its allies to implement a common 5G national security framework is correct, but the current focus on two Chinese companies and complete trade bans too narrowly defines both the problem and the solution. Establishing a common approach with like-minded allies in the world’s developed economies will require a more comprehensive framework and flexible set of mitigation options. The President’s May 15, 2019 Executive Order on Securing the Information and Communications Technology and Services Supply Chain allows the Secretary of Commerce to review sales of foreign-made 5G and other cellular technology to US telecoms. The Secretary of Commerce should implement that authority by conducting a CFIUS-like review of foreign-made cellular technology purchased for integration into digital critical infrastructure such as 5G networks, reviewing issues such as the manufacturer’s susceptibility to manipulation by a nation-state adversary. Based on this review, the Secretary should condition approval of deals with a high-risk profile upon implementation of mitigation steps designed to address specific dangers of network compromise, and only deny a deal where the US telecom is unwilling or unable to mitigate such risk. A diplomatic push to convince our allies to implement a similar process is has a much greater chance of success than one-off bans.