On Risk Mitigation and Huawei: A Response

By Herb Lin
Wednesday, April 24, 2019, 7:40 PM

Today, Lawfare published an article by Alexei Bulazel, Sophia d’Antoine, Perri Adams and Dave Aitel on “The Risks of Huawei Risk Mitigation” that seemingly disagrees with an earlier piece of mine on the topic. But apart from a bit of snark about my use of the confidentiality-integrity-availability (CIA) triad as a pillar of the security discussion and the definition of risk mitigation, I don’t disagree with anything in their piece and endorse almost all of it.

First, on the snarkiness.

They write:

While the CIA triad is a helpful framework for thinking about some computer vulnerabilities—such as “someone I’m not friends with on Facebook can see my vacation photos by doing this one weird thing”—it falls short when considering national infrastructure and nation-state attackers. ... For one, this analysis generally assumes an abstract “attacker,” perhaps some ill-meaning basement-dwelling hacker.

Their write-up conflates the issues at stake in cybersecurity with the nature of the threat. The attributes of confidentiality, integrity and availability are the issues at stake when contemplating any cybersecurity threat, and no amount of snark will change that fact.

At the same time, these attributes are at significantly greater risk when considering a serious nation-state attacker as the threat. If that’s the point of the piece, no disagreement there. In fact, their discussion of how the nation-state threat differs from the basement dweller is a good description of the crucial differences between the two.

Additionally, the authors make a statement that, taken at face value, can’t possibly be true. Their key statement is that “Mitigation Is Impossible,” after which they discuss the risks inherent in various risk mitigation techniques. Again, their discussion of such risks is very good and highly informed, and I endorse everything they said on that issue.

But that’s beside the point. My dictionary defines risk mitigation as a reduction in risk—and, most significantly, not as an elimination of risk. There are clearly things that one can do to operate more securely over a network known to be insecure. The U.S. Department of Defense runs its Secret Internet Protocol Router Network (SIPRNET) over commercial lines that are insecure—and it does so because the benefits of operating in such a manner (for example, reduced acquisition and operating cost) are outweighed by the costs it has incurred to mitigate the risk of operating in such a manner.

The more accurate statement is “Total Mitigation Is Impossible.” But the authors have not established that the risks of operating over an insecure network cannot be diminished even a little bit, which is what their original statement would imply.

They also assert that the risks are incalculable. I’d agree in a formal sense—but then again, the risks of operating on a 5G infrastructure supplied by Nokia or Ericsson are also incalculable for the same reasons. Nevertheless, everyone has an intuition that the risks of the latter are less than the risks of operating with Huawei 5G infrastructure. So although it’s impossible to make a formal risk assessment complete with numbers and probabilities, intuitions can communicate something quantitative. In any case, the fact that the risks are incalculable does not mean that they are infinite.

It should also be kept in mind that there are risks incurred in not adopting 5G as soon as possible. These risks are in the economic realm rather than that of security, but they loom just as large in the eyes of policymakers—and, like it or not, they do play into the decision-making calculus.

Finally, the authors do tackle the problem of deciding about Huawei in exactly the terms I posed. I said that “policymakers should be weighing these costs [of mitigation] against other considerations such as price, speed of deployment and functionality where Huawei technology might have an advantage over other vendors.” The last paragraph of their article provided their answer to that weighing in the text I have emphasized below. They say:

For technology embedded in critical infrastructure, the scale and complexity of risk mitigation so quickly outstrips the lower-cost benefit that discussing possible mitigations seems akin to rearranging deck chairs on the Titanic. Over the long term, the upfront savings in cost will be dwarfed by the need to constantly create, update and maintain mitigations for the ever-evolving risk the government would be taking on. Uneven standards in international regulation, innovation and labor prices allow adversaries to offer economic expediency that is underwritten by access-enabling penetration of infrastructure. While these issues are complex, the public and international debate over this issue suggests a secure supply chain will prove to be the 21st century’s most elusive luxury good. (Emphasis added.)

My article noted that “[i]n practice, the incremental costs of risk mitigation may be high enough to render Huawei technology uncompetitive, though on economic grounds rather than policy grounds.”

That sounds very much like their conclusion above.

For the United States, I come down entirely in agreement with the sentiment of the Bulazel article. The United States is simply too big and presents far too large an attack surface to expect mitigation measures to be adequate, and the cost and complexity of risk mitigation measures would be, in my mind, prohibitive. But other nations are not the United States, and policymakers in other nations may rationally come to conclusions that differ from those of U.S. policymakers.