Keeping Huawei Hardware Out of the U.S. Is Not Enough to Secure 5G

By Tom Wheeler, Robert D. Williams
Wednesday, February 20, 2019, 4:18 PM

The Trump administration’s effort to protect the security of fifth-generation, or 5G, wireless networks by limiting the deployment of Chinese technology both domestically and globally melds trade policy with cybersecurity policy. On both counts, it should not be considered sufficient.

The administration’s anticipated ban on Huawei and other Chinese companies from providing the infrastructure for domestic 5G networks occurs in the context of President Trump’s positioning of 5G as part of a “race” between the United States and China, a metaphor that obscures more than it enlightens. The president will undoubtedly declare the ban, should it come to fruition, an important victory in that race. It is important, however, not to be distracted by a favorable headline and to consider the steps necessary for achieving the United States’s national network-security goals.

Shiny Objects vs. Serious Security

Huawei and other Chinese telecommunications equipment companies are subject to broad Chinese laws and policies requiring them to assist in “intelligence work.” They maintain deep and opaque connections to a party-state that has expanded its presence in Chinese corporations, benefited from a massive campaign of state-sponsored cyber theft of foreign intellectual property, and launched sweeping domestic digital-surveillance programs with few if any procedural constraints. By itself, the relationship between Huawei and the Chinese state should be a sufficient rationale to keep Huawei out of America’s 5G infrastructure and that of our allies.

The major American wireless networks have voluntarily heeded government warnings extending back into the Obama administration by not purchasing Huawei equipment. In response to some small rural wireless companies purchasing Huawei equipment, the Federal Communications Commission (FCC) under the Trump administration announced those firms should not be eligible for federal rural subsidies.

But keeping Chinese hardware out of most U.S. network infrastructure does not equate to successfully preventing foreign espionage or sabotage of those networks. We must not be lulled into a false sense of security by a flashy and well-promoted decision about hardware. The internet, after all, is about the interconnection of disparate networks; keeping Chinese hardware out does not translate into keeping Chinese-originated digital code out.

A 5G network is essentially a collection of microprocessors rapidly sending packets of data among themselves. Making sure those microprocessors aren’t running Chinese software is one thing, but protecting the software they do run and the applications they handle is even more important. The goal of effective 5G cybersecurity should be to anticipate and ameliorate foreign attackers exploiting the internet’s connections for their own purposes through any of these vectors.

The Russians, Iranians, North Koreans and others have already proven their abilities to penetrate U.S. networks to cause harm—and the networks they broke into didn’t use Chinese equipment. To focus solely on the physical network is to delude oneself into a false sense of accomplishment and to ignore a clear record of adversaries exploiting non-Chinese infrastructure.

The challenge of 5G cybersecurity is made all the more difficult because it is an evolution from the 4G technology of over a decade ago—a lifetime in terms of cyber exploitation. In the United States, the rollout of mobile 5G networks will seldom be greenfield construction. Typically, 5G expansion begins with the addition of spectrum capacity and processing power to the existing 4G-LTE network to allow greater data throughput. That AT&T has named its current 5G offering “5G-E” (for “Evolution”) illustrates this evolutionary reality. Cybersecurity for 5G must reach across previous generations of wireless technology as well.

In short, the 5G cybersecurity challenge is much more complicated than simply dealing with network equipment and Huawei. The devices that connect to 5G can also pose cyber threats. In 2016, key internet activities were shut down as low-cost Chinese chips in security cameras and DVRs were hijacked by third-party malicious hackers to become attacking bots, taking down multiple internet domains. The internet of things will soon connect tens of billions of smart devices, meaning cyber supply-chain management of those devices is critical. Restricting Huawei is important, but not if it becomes the “we did something” excuse for ignoring other looming cyber risks. 

Missed 5G Cybersecurity Opportunities

The Trump administration has already missed important opportunities to offer meaningful 5G cybersecurity beyond the banning of network equipment.

Early in the new administration, the Trump FCC eliminated two 5G cybersecurity efforts begun by the commission under the Obama administration. The first of these was to require that the new international standard for 5G have built-in cyber protections. To support this effort, the FCC opened a formal proceeding called a Notice of Inquiry in which the commission asked America’s best technical minds for suggestions on how to design cybersecurity into 5G from the outset. It would have been the first time that government required cybersecurity to be integral to the development of a new telecommunications standard rather than an add-on, but it did not fit the Trump FCC’s anti-regulatory approach.

Under the Trump administration, the FCC also reversed another Obama-era policy and questioned whether the agency has any role in monitoring carriers’ cybersecurity programs. The agency charged with ensuring that the nation’s networks protect public safety and national security has, instead, substituted the administration’s anti-regulation initiative to eschew cybersecurity responsibilities.

The significance of the Trump FCC’s walking away from 5G cyber protections was strangely reinforced by a National Security Council investigation into the cybersecurity threats arising from the new network. These threats were so significant, the study concluded, that the only way to maximize cybersecurity was for government to run the 5G network. While the recommendation was immediately shot down, it is a powerful recognition of the significance of 5G national security challenges. Meanwhile, one of the criticisms of the NSC report—that even a government-operated network is only as secure as everything that connects to it—reinforces the breadth of the cyber threat and why the FCC must be engaged in cyber protection efforts. 

Opportunities for U.S. Leadership on 5G

Although the administration’s Huawei-related efforts are bearing fruit with some nations, others will be unable to resist the company’s low-price strategy. The 5G cybersecurity void will only grow if the United States limits its engagement to pressing other nations to exclude Huawei technology from their networks. With multiple countries’ companies playing important roles in supplying components of 5G networks, the United States can accomplish only so much on its own. The U.S. government should push for multistakeholder efforts to develop common approaches to supply-chain diversification, to ensure an open and transparent international 5G standard-setting process, and to promote voluntary agreements on security standards. Regardless of whether Huawei is banned from building U.S. 5G network infrastructure, Chinese networks and Chinese equipment will be connecting to American networks, so the U.S. must take proactive steps to deal with this.

American leadership on 5G must also be part of a comprehensive U.S. strategy for technology competition. One element of such a strategy is pushing back on Chinese trade and investment practices that benefit companies such as Huawei but undermine fair competition for U.S. firms whose market share and innovation edge are eroded in the face of distortive Chinese industrial policies. This is both an economic and a national-security priority, given the importance of 5G-enabled technologies to the operation of the military and critical infrastructure. U.S. trade negotiators are pressing China to commit to structural reforms on everything from government subsidies to state-sponsored cyber espionage for exactly those reasons (among others).

There is, of course, the possibility that the crackdown on Huawei and related efforts to protect U.S. technology could reinforce views within China that Trump’s trade war merely serves a broader effort by Washington to thwart China’s rise. That reaction could stimulate China to double down on aggressive state policies to reduce its dependence on American semiconductors and other technology. For this reason, as with the cybersecurity challenge, it’s crucial that the United States enlist the support of like-minded allies who broadly share U.S. concerns about discriminatory and distortive Chinese trade practices. At the same time, it is also important for the U.S. to seek cooperation with China in areas where leveraging the two countries’ technological strengths can yield mutual benefits without undermining their legitimate security interests.

U.S. technology and trade policy cannot be merely reactionary. It must include aggressive leadership to both protect U.S. networks and promote U.S. technology. This includes redoubled government investments in basic research and regulatory expectations that the security of 5G will not be decided unilaterally by those who build the network. Any national effort must prioritize not only STEM skills but also cybersecurity skills, in particular through university and workforce-education programs.

Even as the United States takes legitimate steps to protect national security in 5G infrastructure and operations, it should not succumb to the impulse to close off the U.S. economy to the innovation-driving investment, capital and talent that have made the United States a technology leader. America’s open economic model—not China’s state-directed approach—offers the best chance to realize the enormous opportunities of 5G while mitigating its manifold risks.