Last week’s Second Annual National Cybersecurity Summit, hosted by the newly established Cyber and Infrastructure Security Agency (CISA), covered a wide variety of cybersecurity-related topics, including privacy policy, supply chain issues, and international partnerships. But one of the most consistently discussed topics during the summit was the security of 5G networks. It should come as no surprise to anyone in the security space that 5G security would be a hot topic at a DHS-hosted summit, especially considering President Trump’s May Executive Order aimed at preventing Chinese telecommunications companies, such as Huawei, from selling their equipment in the United States.
Concerns over the security of Huawei 5G equipment was a primary focus of Secretary of Defense Mark Esper’s keynote speech at the summit. In his speech, Esper made the case that China’s legal system, corporate requirements, and ties to Huawei’s leadership made it impossible for foreign countries to trust the company and its equipment. He argued that the presence of Huawei equipment in allied telecommunications networks presents a real threat to U.S. national security and the security of our allies, given the importance of interoperability and information sharing between the U.S., NATO, and other allies. Allowing Huawei into these networks would undoubtedly present new risks.
CISA Director Chris Krebs and U.S. Senator Mark Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, also discussed 5G security risks. They observed that the low cost of Huawei’s technology was extremely appealing to developing countries and cash-strapped telecommunications firms, even if Huawei’s equipment is inferior to that of their competitors or rife with security flaws. Huawei technology becomes even more appealing when bundled with low-cost Chinese financing that Huawei’s primary competitors, Nokia, Ericsson, and Samsung, are unable to match. Senator Warner emphasized how, even if Huawei’s offerings pass initial security audits, continual updates from the manufacturer can alter the capabilities of the equipment in an instant, making the equipment a proverbial trojan horse for Chinese intelligence. Worse, once a telecom or country selects Huawei, it is exceedingly difficult for them to change equipment providers – Huawei often offers its technology as a vertical bundle, making it exceedingly difficult to integrate the offering of competing providers.
CISA Director Krebs picked up on this narrative, explaining how, in the past, telecom companies and countries generally implicitly trusted their equipment providers as they came from countries with a strong rule of law, a responsive judiciary, and a regulatory framework the protected companies from undue government interference. China, by contrast, lacks a strong rule of law, has no independent judiciary, and has laws requiring companies to cooperate with intelligence and security authorities in effectively all circumstances. Considering Huawei’s connections to the Chinese state, why would anyone expect the company to pursue the interests of its customers over those of Chinese authorities?
Both Director Krebs and Senator Warner noted the need for the U.S. and its allies to do more to counter this threat including the need for alternative financing models for cash-strapped telecoms and developing countries, making equipment from other manufacturers a viable alternative. The government is going to need to intervene in the market if it wants to counter the threats posed by Huawei and China, making government backed investments in Western 5G technology, much as former Homeland Security Secretary and Chertoff Group Executive Chairman Michael Chertoff and former NSA Director Michael McConnell argued in their CNBC op-ed. The U.S. needs to work with its allies to provide incentives for telecom companies and other countries to purchase alternative equipment, be it from Samsung, Ericsson, Nokia or new entrants. It also needs to work with its allies to provide direct investments, such as R&D funding, low interest financing, and joint ventures, to help these companies offer a product that meets U.S. security needs and while remaining competitive on the global market.
The summit’s 5G security-focused breakout discussion examined the issue even further, discussing how open standards, greater government engagement in the standards-making process, and public-private cooperation can help address the wide array of security-concerns associated with the deployment of 5G networks. John Godfrey of Samsung and Jayne Stancavage of Intel both discussed the value of open standards efforts, such as the Open Radio Access Network (O-RAN), and how they can help to encourage new suppliers to enter the marketplace, addressing concerns over limited competition by ensuring that a new supplier’s equipment is interoperable with that of others. Stancavage and Michael Woods from Verizon also discussed the importance of participating in the standards making processes for 5G, not just on the part of individual companies, but for the whole U.S. government. Eric Wegner, a Director at Cisco, called for the U.S. government to take a more strategic view on standards development and work more closely with industry to ensure that the U.S. has an adequate voice in shaping the standards-making process.
While much of the 5G security conversation continues to focus on Huawei, the security concerns surrounding 5G are much broader. The volume of data and range of new Internet of Things (IoT) devices being introduced to the network will dramatically increase the threat, especially given the existing vulnerabilities in many IoT devices today. Security features included in the 5G standards will not be in place until providers migrate their LTE-era backbones to newer, 5G offerings, requiring users and providers to think about alternative ways to ensure the integrity of their data, especially if they are unable to trust all of the equipment within the network.
The above, of course, only scratches the surface of the threat landscape we will face as 5G networks come online, but it is well past time for policymakers to have deeper conversations on 5G security, if for no other reason than to contextualize and better understand why the U.S. and some of its allies are so concerned about the threat posed by Huawei’s likely dominance of 5G technology in much of the world. It is also time for companies to think about how they are going to secure their data and devices in the 5G environment, especially with the high likelihood that equipment from manufacturers like Huawei will be part of 5G networks around the globe.
Alan Wehler is a Director at The Chertoff Group helping clients achieve their strategic objectives with an informed understanding of the national security landscape.
