Move Would Prohibit All US Use of Chinese Manufacturers' Telecommunications Gear
(euroinfosec) • December 27, 2018
Photo: Scott Swigart, via Flickr/CC
U.S. President Donald Trump continues to weigh an executive order that would ban all U.S. organizations from using hardware manufactured by China's Huawei and ZTE, Reuters reported on Thursday, citing three unnamed sources with knowledge of the White House deliberations.
The proposed executive order, first reported by the Wall Street Journal in May, could be issued as early as January, Reuters reported, noting that it would invoke the International Emergency Economic Powers Act, which allows the president to regulate commerce in the face of any external threat to the country's national security, foreign policy or economy. The executive order would reportedly instruct the Commerce Department to ban U.S. organizations from procuring or using telecommunications equipment built by manufacturers who posed a national security risk.
China's Foreign Ministry could not be immediately reached for comment. But ministry spokeswoman Hua Chunying told Reuters that she didn't want to comment on the potential executive order, since it has not been officially confirmed.
The U.S. has already restricted Huawei and ZTE from bidding for some government contracts, because of security concerns, while Australia, Canada, Japan and the U.K. have also enacted blocks, or expressed concerns, over the two manufacturers.
In August, a U.S. bill signed into law by Trump as part of the Defense Authorization Act banned the U.S. government from using Huawei and ZTE equipment. The bill is due to take full effect over the next two years.
The new, proposed executive order would likely also require small telecommunications operators to rip out their Chinese-built equipment and replace it, without compensation.
Caressa Bennet, general counsel for the Rural Wireless Association, which represents carriers that have fewer than 100,000 subscribers, tells Reuters that such a ban would collectively cost its members up to $1 billion.
Trade War Continues
It's not clear if the potential White House move is driven entirely by security concerns, or whether it might also hinge on the trade war Trump has launched against China (see Chinese Cyber Threat: NSA Confirms Attacks Have Escalated).
"In other news, ZTE stock is up over 50 percent over the last six months (Huawei is private)," says Mikko Hypponen, chief research officer at Finnish anti-virus firm F-Secure, via Twitter.
But many countries' concerns include China's 2017 National Intelligence Law, which requires that "all [Chinese] organizations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work."
In August, Bob Lord, who became CSO of the Democratic National Committee in January, sent an alert to all Democratic organizations, warning that they should avoid using any equipment, including smartphones, built by Huawei or ZTE, even if they were free (see Democrats' CSO: Don't Use ZTE, Huawei Mobile Devices).
"Last February, the heads of the FBI, CIA and NSA strongly recommended that Americans not purchase Huawei or ZTE devices as they pose a security risk," Lord wrote. "I wanted to highlight that the intelligence community does not make statements like this lightly."
Australia Blocks Huawei and ZTE
The potential ban on the sale or procurement of Huawei and ZTE equipment across the United States follows the Australian government in August banning the manufacturers from contributing to its next-generation 5G mobile network rollout (see What's Riding on 5G Security? The Internet of Everything).
The ban was based on the government's assessment of the security risk posed by the equipment manufacturers, which it said were "likely to be subject to extrajudicial directions from a foreign government," the BBC reported.
UK Sees Supply Chain Concerns
In April, the U.K.'s National Cyber Security Center, which is the public-facing component of Britain's GCHQ signals intelligence agency, told the country's telecommunications operators that they were not allowed to use any ZTE equipment.
"It is entirely appropriate and part of NCSC's duty to highlight potential risks to the UK's national security and provide advice based on our technical expertise," Ian Levy, NCSC's technical director, said in a blog post at the time. "NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing U.K. telecommunications infrastructure cannot be mitigated."
Meanwhile, a July U.K. government report warned that "shortcomings in Huawei's engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management."
Other Countries Block Chinese Firms
In November, New Zealand's Government Communications Security Bureau barred Huawei from the country's 5G rollout.
Earlier this month, the Czech Republic's cybersecurity agency warned all domestic organizations to not use software or hardware from Huawei and ZTE, saying they posed a national security risk.
"The legal and political environment of the People's Republic of China ('PRC') in which the companies primarily operate and whose laws are required to comply with, requires private companies to cooperate in meeting the interests of the PRC, including participation in intelligence activities," it said.
Germany has also been weighing similar moves, despite Huawei being a partner of Deutsche Telekom, among other German carriers, as well as having a significant German market presence, Reuters reports.
"There is serious concern. If it were up to me we would do what the Australians are doing," an unnamed, senior German official in Berlin told Reuters last month.
Parliament's National Security Probe
Many nations continue to debate how to safeguard supply chains and critical national infrastructure, especially in a world where so much technology - including the vast majority of the world's PCs and laptops - gets built by China.
The U.K. Parliament's Business, Energy and Industrial Strategy and Defense Committees, for example, have been conducting a national security and investment inquiry, and weighing new legislation that would allow the government to block foreign takeovers of firms.
Testimony before the committee has highlighted how difficult it is to assess who controls what, while highlighting how new processes and legislation might help the government track when foreign firms had the potential to influence the operation of devices or part of the critical national infrastructure (see How to Future-Proof the Critical National Infrastructure).
A draft white paper from Parliament had attempted to set concrete limits based on foreign ownership of corporations. But witnesses told the committee that such a control might be too prescriptive, as well as damage innovation and drive up costs.
"Although we might get software from the U.K., we certainly do not get the hardware from here, so we have all become a lot more interdependent on other countries, and some of them may or may not be hostile actors in the future," Alan Woodward, a computer science professor at the University of Surrey's Centre for Cyber Security, testified before the committee on Oct. 15.
"There is a challenge if we are too prescriptive," Ollie Welch, head of defense/aerospace and security policy at EEF, which works with manufacturing, engineering and technology-based businesses in the U.K., testified before the joint committee during the Oct. 15 hearing.
"Presumably, we want to be an open economy and encourage investment, and if you determine that a technology simply by virtue of being new is controlled at that initial stage, it may act as a disincentive both to investors and potentially to researchers doing that work," Welch said.
Recommendation: 'Trust but Verify'
One problem is knowing when governments might best intervene, when previously unknown technology suddenly gets recognized as having national security implications or impact.
Or as Toby Harris, a Labour Party politician in the House of Lords, asked during the committees' Oct. 15 joint hearing: "Are there some areas that are so sensitive that the best posture for the U.K. would be to say that only vetted U.K. companies with vetted U.K. supply lines should provide those services?"
"Personally, I do not think so," Woodward replied. "There is a spectrum, from 'implicitly trust, come what may' to 'implicitly distrust,' as some of our colleagues in the United States and Australia have said of 5G networks. I think there is a third way, which is 'trust but verify.' That is the approach we have taken so far in the U.K. For example, when Huawei was supplying the 21st century network, an evaluation cell was set up with vetted people from the government who were able to look at the devices, et cetera."
But Woodward said his favored approach has a caveat. "The problem is that 'trust but verify' works only as long as you really can verify what goes into the infrastructure and critical positions," he said, referencing process problems that the U.K. government identified in its report into Huawei earlier this year.
"As I understand it, Huawei was not able to guarantee, and did not have a process in place to show, that what was coming off the production line and going into the networks was what had been evaluated, which drives a bit of a coach and horses through the evaluation process," he said.