Supply-chain Security in a 5G World: What to do about Huawei and ZTE?

Listen & Download

On March 6th, Huawei announced it was suing the United States government over policies banning federal agencies from purchasing the company’s equipment. Huawei’s lawsuit is the latest escalation in its continuing standoff with the White House, which has embarked on a global campaign to prevent Chinese equipment manufacturers from taking part in the building of 5G network infrastructure. Last February, Vice President Pence cautioned Western allies against having any dealings with Huawei, and stated: “We cannot ensure the defense of the West if our allies grow dependent on the East.” Australia and New Zealand have implemented measures to restrict the use of Huawei equipment, while the UK, Germany and Canada are considering restrictions. Is the United States justified in advocating for robust measures to counter Chinese involvement in Western 5G networks? Or are Chinese telecommunications manufacturers the casualties of a larger trade war between Washington and Beijing? Join us for a discussion of these and other important issues related to supply chain security in the 5G era. 

Featuring:

Michael H Ryan, Principal, MHRyan Law

Dileep Srihari, Senior Policy Counsel, Telecommunications Industry Association

Moderator: Paul Beaudry, Director of Broadband Policy and Regulatory Affairs, TELUS Communications Inc.

 

Teleforum calls are open to all dues paying members of the Federalist Society. To become a member, sign up on our website. As a member, you should receive email announcements of upcoming Teleforum calls which contain the conference call phone number. If you are not receiving those email announcements, please contact us at 202-822-8138.

Event Transcript

Operator:  Welcome to The Federalist Society's Practice Group Podcast. The following podcast, hosted by The Federalist Society's Telecommunications & Electronic Media Practice Group, was recorded on Monday, March 11, 2019, during a live teleforum conference call held exclusively for Federalist Society members.  

 

Micah Wallen:  Welcome to The Federalist Society's teleforum conference call. This afternoon's topic is "Supply-chain Security in a 5G World: What to do about Huawei and ZTE?" My name is Micah Wallen, and I am the Assistant Director of Practice Groups at The Federalist Society.

 

As always, please note that all expressions of opinion are those of the experts on today's call.

 

Today we are fortunate to have with us Paul Beaudry, who is Director of Broadband Policy and Regulatory Affairs at TELUS Communications. Paul will be our moderator for today and will introduce our other speakers. After our speakers give their remarks, we will then go to audience Q&A. Thank you for sharing with us today. Paul, the floor is yours.

 

Paul Beaudry:  Thank you, Micah, and thanks to The Federalist Society for holding this teleforum today. Supply-chain security in the telecom sector is an extremely topical issue, and an important one as many countries around the world are now grappling with the security implications of involving Chinese telecom equipment manufacturers in the deployment of next-generation networks. These concerns have been expressed because 5G networks will essentially enable the Internet of Things. They will provide hyperconnectivity between machines, people, and things and allow for a range of new technologies and new capabilities. That includes smart cities and homes, automated cars, virtual reality, robotics, and telesurgery.

 

There's been a lot of political noise lately regarding Huawei and other Chinese manufacturers, particularly from the Trump administration which has been very vocal in opposing Chinese involvement in Western 5G networks. Earlier this year, Vice President Pence cautioned Western allies against having any dealings with Huawei and stated that "we cannot ensure the defense of the West if our allies grow dependent on the East." Many Western countries, including my home country of Canada, have long-standing relationships with Huawei and are currently considering whether measures should be adopted to restrict Huawei's involvement in 5G networks. Australia and New Zealand have already implemented such measures, whereas the U.K., Germany, and Canada have been considering them.

 

Tensions have been escalating over these issues in the last several months with the arrest of Huawei's CFO in Canada. She is facing extradition to the U.S. and suspected of violating U.S. trade sanctions toward Iran. And last week, Huawei announced that it was suing the U.S. government over policies banning federal agencies from purchasing the company's equipment. So is the United States justified in advocating for robust measures to counter Chinese involvement in Western 5G networks, or are Chinese telecom manufacturers the casualties of a larger trade war between Washington and Beijing?

 

I'm delighted to have with me two telecom policy experts on this call. We have Dileep Srihari, who is Senior Policy Counsel and Director of Government Affairs at the Telecom Industry Association. He's based in Washington D.C. And we have Michael Ryan, a lawyer and Principal at MHRyan Law, who is based in London. Gentlemen, it's a pleasure to have you with us today. And I'd like to open the floor with you, Dileep, to hear your thoughts about the involvement of Chinese telecom manufacturers in Western 5G networks. Thank you.

 

Dileep Srihari:  Well, thanks, Paul. I appreciate it, and I appreciate The Federalist Society having me today. I'm glad to talk with everyone. So I guess I'll just start by framing this the way that TIA has been thinking about this issue. And TIA, who I work for, is the trade association that represents manufacturers and suppliers of telecom hardware and equipment, although Huawei is not a member of TIA. But we sort of see it as two kind of just related but distinct sets of issues regarding this topic of supply-chain security.

 

The first are sort of the things that you would think of generally in terms of supply-chain security activities that relates to a lot of work that's being done in the United States through public/private partnership efforts. We've seen the DHS/ICT supply-chain task force in this framework, essentially all of the process-based approaches to just generally improving how ICT companies, whether you're talking about carriers, or you're talking about hardware companies, or upstream suppliers, generally do a job of supplying of securing their supply chains.

 

The second and separate issue is how do you deal specifically with certain suppliers where there is a specific security concern regarding that specific supplier? And this is -- Huawei and ZTE are the most prominent examples. And TIA's view is the threshold to intervene in the marketplace should be pretty high. It's not something we would normally encourage the government to do to be getting involved in this, particularly since many of our companies actually view security as something that they compete on. But in certain extraordinary situations, we have to say that the threshold for action has been met.

 

And TIA does not have any access to any classified information. We're just going based on all of the publicly available information that we have seen that's been put out there, not just within the past six months or a year, but really, over the past five or six years, at least as far back as 2012 when the House Permanent Select Committee on Intelligence did a report raising concerns about Huawei, and from what we've heard with officials from the U.S. government who have been testifying in front of Congress and making it very plain that they have real concerns about this kind of equipment. So there's clearly a genuine national security threat. It's quite clear that the United States government has been taking actions not just here but around the world to discourage partners and allies from using this equipment, so we're supportive of those efforts.

 

And our issue at that point becomes, okay, if the government is going to do this, how can it properly be implemented, making sure that it doesn't go too far, inadvertently affect other companies or businesses, that the scoping language does not create problems for the U.S. government in terms of its own procurement procedures. And we've also been trying to keep this issue separate and distinct from some of the other, broader China policy conversations that are happening in Washington right now. But I would say Huawei is probably actually trying to conflate these two issues of general supply-chain security and the specific national security concerns regarding a specific company. And we are sort of saying, "Look, we understand the government wants to do this with regard to these specific suppliers, but it should understand that there are actually two distinct sets of issues here, and they have potentially different policy solutions." So I think I'll stop there for now.

 

Paul Beaudry:  Thanks, Dileep. Michael, would you be able to shed some light on these issues from your English or European perspective and talk to us a little bit about how European and other jurisdictions have been dealing with the Huawei/Chinese foreign equipment manufacturer issue?

 

Michael H. Ryan:  Yes, certainly, Paul. The issue has evolved in quite different ways in the U.K., Australia, and New Zealand than those than have just been described by Dileep. Let me first say, in terms of Europe generally, there's no direct involvement of the European Union in issues such as this, that is, national security. That's entirely a matter that's left for national government. So we need to look at the individual member states of the European Union to determine just what approach each will take.

 

Now, the U.K. does not have any legislation in place at the moment that would allow it to directly regulate or control the selection of equipment that's used in telecommunications operator's networks. The closest that we can get is provisions in the Investigatory Powers Act that was adopted a couple of years ago. But in my view, these establish a basis for requiring telecom operators to facilitate interception of communications, but this legislation doesn't provide a basis for regulating the selection of equipment by suppliers. And I make that point because when I turn to Australia and New Zealand, you'll see the approach has been quite different there. That isn't to say that the issue is not one in which the government hasn't taken a direct interest, and the U.K. has many less formal ways than existing legislation to make its views known, and for those views to prevail.

 

Now, a few years ago, the U.K. National Cyber Security Centre, for instance, said that the national security, and I'm quoting now, "The national security risks arising from the use of ZTE equipment cannot be mitigated." And essentially, what the National Cyber Security Centre, which is a division, effectively, of the national security infrastructure, was indicating wasn't satisfied that ZTE could be trusted to cooperate fully with the procedures that the National Cyber Security establishment wishes to follow to asses whether their equipment poses a threat to U.K. national security or not. But this specific finding that it made, although it doesn't have legal force behind it as such, has been sufficient to operate as a de facto ban on the use of ZTE equipment in any U.K. networks, and that's essentially where we stand. There isn't any appreciable amount of ZTE equipment being used in any of the major networks.

 

On the other hand, to turn to Huawei for a moment, the same body that I've just been referring to seems to be satisfied that the working relationship it has with Huawei is such that it can manage the risks associated with use of Huawei equipment in U.K. networks. And there is an entity called the Huawei Cyber Security Evaluation Cell that has been established by the National Cyber Security Centre and by Huawei, peopled by representatives of both bodies, which engages directly with the issue of the compatibility of Huawei equipment with U.K. national security needs. That body reports -- that Cell, which is the term that's used to describe it, reports directly to the National Cyber Security Centre that I've just been referring to. And the National Cyber Security Centre refers to an organization called the National Cyber Security -- or the National Security Council, sorry, which is effectively a committee of the Cabinet.

 

Most recently, this cell has been very critical in its reports to the National Cyber Security Centre about Huawei's compliance and has, although it's determined so far that the risks are manageable, it has raised some yellow if not red flags about prospects for the immediate future. They will be making their recommendation, if they haven't already, to the Cyber Security Centre, which will come to a determination of its own, and then, effectively, the cabinet will make a decision. So that's the process, formal and informal, that's going to govern how this issue is resolved. BT, in the meantime, has said that it's removing any Huawei equipment that it has in its core network and that it will restrict any future use of Huawei equipment to the peripheral parts of the network.

 

Now, Australia and New Zealand have flagged -- have taken a different approach. They have both adopted express legislative requirements that direct telecommunications operators to notify a security agency or security coordinator of any changes that they propose to make to their networks that may engage a security interest. And the obvious concern that has motivated the adoption of this new legislation is precisely Huawei because of Australia and New Zealand's significant involvement with China, both in this field and in other fields. Under this legislation, if the Cyber Security Agency is notified of a prospective change and it has concerns about that prospective change in the network, it can direct or, at least, give the telecommunications operator an opportunity to mitigate any concerns that it may have. And if it's not satisfied with the mitigation efforts, it will report to the Minister, who has ample power to issue a directive forbidding the operator or operators concerned from using these specific types of equipment that have been indicated.

 

So that, in terms of the framework, is where we stand. In Australia, effectively, there is a ban on Huawei equipment. I wouldn't say it takes the form of an express ruling on the Huawei situation. There was a statement by the Security Agency to the effect that -- I'm just looking for the passage. I'll just quote it to you. It was made in August of last year. It says, "The government considers that the involvement of vendors who are likely to be subject to extrajudicial directions from a foreign government that conflict with Australian law may risk failure by the carrier to adequately protect its 5G network from unauthorized access or interference." So a bit of a circumlocution, but effectively, they're saying that they have concerns where foreign governments can direct carriers to engage in security operations, which is manifestly the case under China's 2017 National Intelligence Law, and that alone would be sufficient grounds for excluding them from manufacture of such equipment from participating in the supply of equipment to Australian networks.

 

New Zealand, which as I've said, has the same basic legislative framework, hasn't reached any such similar determination. And we can regard them as, like the U.K., as sitting sort of on the sidelines for the moment. And maybe I'll just leave it there, Paul.

 

Paul Beaudry:  Thanks, Michael. Dileep, I'm interested in knowing from your perspective, Michael mentioned that in certain jurisdictions, and that includes the U.K., Germany, and Canada, there are government associated centers that have been opened in conjunction with Huawei to test equipment and software and ensure that they don't create security concerns. Has there ever been a consideration to implement such an approach in the United States as opposed to considering a blanket ban of Huawei or other competitors' involvement in 5G networks?

 

Dileep Srihari:  Not seriously, certainly not to that extent. I think, certainly, it's coming up now that this issue is hot in the United States, but I don't think people are really looking at that as a solution. And the reason, I think, is because when you think about it systemically, it is really hard to design a kind of test that would defend against the type of national security threat that is at issue here. I mean, the threat is that you've got a company that is one of China's national champion companies -- two of them really, Huawei and ZTE, that are China's crown jewels of their economy. You've got the CEO of Huawei is a former official from the Chinese People's Liberation Army. You've got a legal regime in China that requires those companies to comply with, essentially, intelligence efforts of the Chinese government.

 

And then you think about how would you design a test? Well, for example, are we talking about doing some kind of port scanning or something like that? I mean, you could write software into a box that would essentially say, well, only once a year, or on nights when there's a full moon, or something like that that a certain password combination opens up and it allows someone remotely to log into a router. And that is just something that is really hard to defend against because that can be hidden very deeply in the source code of a product in a way that, even with millions and millions of dollars of forensic computer scientists reading every line of the code, would be incredibly difficult to pick up. And that leaves aside even the possibility that you could have hardware-level exploits inserted in the chips of a product at very low levels of design that would be practically uncatchable unless you had, again, access to all of the chip designs. And even then, it could be very cleverly hidden.

 

There've been similar examples. In the United States a few years ago, there was a case where one of the people who worked for the Multi-State Lottery Commission had managed to skew the lotto results by rigging the random number generator, and it was very hard to find that code. So when people talk about testing and setting up standards for Huawei and ZTE products to be tested in that way, I mean, it's fine. And I think, again, as I said at the beginning, standards and processes and all of that, there is a role for those things to play, and public/private partnerships can have a good role there, and the U.S. is working towards that. But the notion that somehow it is possible to design a standard or a test, or any suite of standards or tests, and thereby say that this product has not been compromised by Chinese intelligence is just really not realistic.

 

Paul Beaudry:  Right. And has there been any instances in the past -- I know there's been multiple congressional hearings held in the past on this issue. Aside from the concerns that you've raised, is there a national instance, and I understand that national security can be a pretty sensitive issue where the information doesn't come out all at once, but is there any known instance where Huawei equipment, for instance, has actually given rise to cybersecurity issues, either in the United States or elsewhere?

 

Dileep Srihari:  We've heard secondary reports. I believe there was a report in The Australian last fall talking about the fact that Australia had information that did suggest that Huawei equipment was part of an actual potential cyber espionage attack. I have not seen any direct evidence of this. The United States government has not shared any evidence like that in the public record, but obviously we know that there are incredibly high levels of concern.

 

And it's not just since 2017 when the Cyber Security Law was passed in China. This is going back at least seven years, if not all the way back to 2010 when there were news reports that Gary Locke, who was President Obama's Commerce Secretary had called the heads of the major carriers in the United States and told them, "Don't use Huawei equipment." Again, if such a thing happened in the United States, I'm pretty sure it would be classified. And we haven't seen that, we've just sort of heard anecdotally that that's probably happened, but nothing confirmed in that way.

 

Paul Beaudry:  Michael, do you have something to add?

 

Michael H. Ryan:  Well, I'm going to say that I'm not somebody who can judge the sufficiency of these testing procedures in terms of their ability to reveal any malicious activity. And at the same time, a lot of confidence is being placed on them here in the U.K. I don't know if that's a misguided effort or not, but that's certainly where the chief effort is going now. And I don't see any immediate prospect for, say, a blanket decision that isn't based firmly on a conclusion by the Huawei Cyber Security Evaluation Cell that these products aren't testable or the risk can't be mitigated. I don't see any sort of policy-level decision absent such evidence or such conclusion becoming U.K. policy or law in this area.

 

I think we'll be firmly rooted in the testing procedure for the time being, which raises an interesting question, if I may, Paul, because this is not regarded, as far as I can tell, as a trade issue in the U.K. It isn't regarded as exclusively a security issue. And the agenda seems to be more complicated in the United States. One has to ask the question whether this reluctance to take a testing approach or a standards approach to dealing with this issue isn't influenced by the fact that there's a wider picture where U.S. interests on the trade front are engaging with China. And maybe Dileep has some further comment to offer on that.

 

Paul Beaudry:  Well, that's a good point, Michael. Dileep, I'd be happy to hear your thoughts on this, especially we'll recall that when Huawei's CFO, Meng Wanzhou, was arrested in Vancouver last December, President Trump, a few days later, mentioned that he'd be willing to intervene in the Justice Department's case against her if it would help secure a trade deal with Beijing. So I know you mentioned earlier in your presentation that we shouldn't try to conflate the trade issues with the specific security issues, but it does appear that some, at least within the administration, are conflating these issues.

 

Dileep Srihari:  Again, I'll start by saying, look, the security issue regarding Huawei and ZTE has been recognized by the appropriate sort of security apparatus in the United States for a long time. Again, as far back as nine years ago in 2010, you have news reports that the U.S. Secretary of Commerce called the CEOs of major American carriers and told them not to buy Huawei and ZTE equipment. Then in 2012, you have a bipartisan report from Congress from the House Permanent Select Committee on Intelligence raising serious national security concerns about Huawei and ZTE equipment. And in fact, because of that development over the past nine years, unlike what we see in other countries, Huawei and ZTE have a really tiny market share in the United States. We're talking less than 5 percent, less than 3 percent, something like that. I don't remember what the exact number is. But functionally, they're not part of U.S. networks. Their presence is sort of limited to a few smaller, rural carriers who admittedly have been very vocal about this issue. And we can talk about that, but really, unlike the rest of the world, Huawei and ZTE have really not been able to break into the U.S. market over the past nine years because of these security concerns.

 

Now, of course, recently, over the past two years, we've seen this become part of sort of the higher-level national conversation about China and China policy. And there was the ZTE denial order, which was related to their Iran sanctions violations, which the President himself decided to undo. And I think it was pretty clear that that was a decision made at the presidential level as part of a deal with China.

 

Meanwhile, as there have been conversations among the security establishment in the United States about dealing with the Huawei problem, we've also seen signs, again, at the highest level that this could be roped into the China trade discussions. Now, it's not something that I think anyone associated with the U.S. national security establishment supports, but obviously, it's an interesting time policy-wise in the United States with these big China trade deals going on. So one can't predict what may or may not happen, but I think there is really sort of a unanimity of position dating back at least nine years in the United States among the U.S. security establishment that this is a national security issue, and it's not something that should be treated as a trading chip.

 

Paul Beaudry:  And Dileep, there has been a rumor going on since December that President Trump was considering issuing an executive order that would declare a national emergency barring U.S. companies from using equipment from Huawei and ZTE. Is this still something that you or the industry still thinks is on the table?

 

Dileep Srihari:  Well, it's our understanding that the executive order has been underway for quite some time, that this has been in the works for over a year, and that it was sort of going through the inter-agency process and had basically gone through that process. But of course, at some point it has to go up the chain, and we're not sure if it was within the Department of Commerce, which would likely have to play a significant role in implementing it, or at the White House at the presidential level. If memory serves, the President was actually asked about this, and he said something to the effect of, "Maybe. We'll see."

 

So I don't have any confirmation on this. I haven't seen the draft text of an executive order. We understand it's written, but it may literally be something that's on the President's desk and has yet to be issued. And again, at that high a level, we don't know what the factors are or what the political considerations are, but it's real, from everything we understand. But we've been saying, "Oh, it's coming any moment now or in the next few weeks." We've sort of heard that for the past six months, that it'll be out in the next few weeks, and it never quite seems to happen.

 

Paul Beaudry:  Thank you. And I'm also curious to know what are your thoughts on diplomatic relationships between the United States and countries that will not ban Huawei and other Chinese manufacturers from partaking in the building of 5G networks? For instance, I noticed that Germany has decided not to ban Huawei, at least for now. It has tightened the rules for all 5G vendors, but there's no official ban, so there might very well be Huawei involvement in their 5G networks. How do you envision diplomatic relations between the U.S. and these other countries, and that might include Canada as well which hasn't taken a decision on this yet, that refuse to implement the full ban and will have Huawei involvement in their networks?

 

Michael H. Ryan: In terms of diplomatic relations, there hasn't been much of an indication that there has been direct pressure or sustained pressure from the United States on the U.K. or German authorities. We know what the position of the U.S. is, but it doesn't seem to have deflected the U.K., or for that matter, Germany yet, from the course that they're on. As for Australia and New Zealand, I suppose those jurisdictions are aligning more closely to the position that the United States would like to see other countries take.

 

Paul Beaudry:  Dileep, do you have something to add?

 

Dileep Srihari:  No, I think I'll just echo what Michael said on that one.

 

Paul Beaudry:  Excellent. Before opening the floors to questions from the audience, I've got one last question. If there is a trend, at least within Western countries, to ban or severely restrict the ability of Chinese manufacturers from being involved in 5G networks, aren't we running the risk -- and I've seen this argument being made by some critics -- aren't we running the risk of essentially having two internets, the Western internet which is going to be relatively open and free, and the internet of China and its allies which will be heavily censored?

 

There's been an argument made by certain people that by excluding Chinese companies from showing us the work that they do and allowing us to inspect it, we're essentially encouraging the emergence of two distinct internets and things not being much better on the Asian front for at least China's allies. What do you think of this concern that we might essentially encourage polarization amongst Western countries versus other countries that could hurt, overall, the internet ecosystem in the long run?

 

Michael H. Ryan:  Well, Michael Ryan here. I don't see that emerging as a topic for discussion up till now in the United Kingdom, at least. But I think it's a concern that is likely to come to the forefront as this issue evolves here. But for the moment, we're very much focused on struggling with the issue of whether we can make a -- whether we have the wherewithal and are satisfied that we can mitigate the risk through the technical types of measures that I've seen. And until we've resolved that issue, I think these other issues are lying dormant.

 

Dileep Srihari:  This is Dileep. I think it's an interesting point. I've seen that argument made, and the first thing it brings to mind is it seems to align the distinction between the flow of data and traffic across borders versus the national security risk posed by certain types of equipment. So people will still be able to send an email back and forth to China, regardless of whether the router in the local 5G network is produced by Huawei or produced by another company. This is about the hardware and software that's sort of underlying the network architecture, and so I don't think there's necessarily a reason why they need to -- that one needs to result in the other. I mean, certainly, I could see a situation resulting where if Huawei hardware is kept out of the markets of certain countries that you have sort of a hardware Balkanization, but I don't necessarily think that that needs to result in the internet somehow bifurcating in that way.

 

Paul Beaudry:  Thank you. Micah, I will cede the floor to you now. I think we are ready for audience questions if there's any.

 

Micah Wallen:  Thank you, Paul. Let's go to our first question.

 

Caller 1:  Hi. Well, it seems to me that during the first Gulf War, we disabled Saddam's anti-aircraft system with stuff that we'd supplied him. And so I'm just -- I think that this has been done before. Also, I was at a Federalist Society lecture with a local prosecutor up here in New York who felt that the Chinese either did or could have a tiny microchip that would be no larger than a blob of solder and would be almost undetectable even by visual inspection that could take over chips, and take over defense systems, and the internet, and anything else they wanted to sabotage. Comments?

 

Dileep Srihari:  Well, this is Dileep. I think we've seen all kinds of different stuff that's been emerging into the media recently in different reports. There was something I read the other day about how power cords could potentially be compromised if they were hooked up to a chip that's inside the power supply component of a router. So yes, there are a bunch of different ways that are potential threat vectors, but then you ask yourself what would be needed then to get that connection also tied into the actual data stream that was passing through the routers so that someone remotely could access the router and cause it to start sending packets, sending a homing signal to Beijing. Would that be possible? Would that not? I think sometimes there's a danger that we don't want to overstate the danger because some things may just not be technologically possible at all, or at least somewhat farfetched by current technology, but maybe not.

 

So I think while there are legitimate risks at play regarding products from a company that is dominated by a government that is very sophisticated and has security interests that are adverse to the United States -- and obvious ways of exploits would include the software that's in the product which would be very hard to detect through anything but forensic source code examination, and even there, very difficult, as well as hardware. And whether we're talking about chip design, whether it's possible -- at the same time, when we start talking about power cords, is that a step too far? I'm not sure. So I think there's a legitimate issue there, and we just have to define what that issue is, and understand what that issue is, and then see how we address it.

 

Micah Wallen:  And Paul, not seeing any other questions lined up at the moment, I will throw it back over to you and chime in if we have one come through.

 

Paul Beaudry:  Sure. Thanks, Micah. One other item I wanted to broach is whether the issue of blocking or preventing Huawei and other companies from being involved in the network building part of the equation is the only consideration that we should have in mind when discussing cybersecurity. Are there other risks at the edge that the whole Huawei focus is forgetting about? Are there cybersecurity threats through apps? In a 5G era where everything will be interconnected, should we also focus on other aspects of the ecosystem when discussing about cybersecurity threats and issues?

 

Dileep Srihari:  This is Dileep. I can start on that one. Of course there are. I think that there's been a lot of focus on the Huawei problem, and that is just sort of a supply-chain security piece for the ICT networks. And even there, it's not the full supply chain, it's just the sort of specific national security concerns regarding specific suppliers. But of course, every -- just talking about supply chain, every ICT carrier will want to make sure that it's got good and verified supply chains in terms of where its equipment and services are coming from, and all of our member companies who produce those boxes want to verify those things from their upstream suppliers.

 

But even beyond that, there's the whole other panoply of cybersecurity issues. I think wireless network security is always an issue just in terms of basic interception of wireless signals and the like. And people have said, I think rightfully so, that 5G is a more secure wireless standard than any of the previous generations of wireless standards, so that something that is always getting better over time to make wireless network security better.

 

When we talk about cybersecurity, we're talking about things as basic as phishing attacks, or people not having good passwords set, I mean, basic cyber hygiene stuff. And all of the stuff in the middle, automated botnet attacks, and denial of service attacks, and the whole list of cybersecurity attacks -- it's a huge field. And the Huawei/ZTE piece is a different piece because it's specific companies and a specific national security threat from a specific foreign state actor. So I think the responses to dealing with things like cyber hygiene problems with bad passwords versus dealing with Huawei hardware in your networks -- we have to recognize that those are two very different problems, and they have very different solution sets.

 

Paul Beaudry:  Michael, do you have something to add on this?

 

Michael H. Ryan:  Well, it probably is worth adding that Australia, in particular, has been a country that's been concerned about cyberattacks.  The legislation that I've referred to really has a dual nature. It's meant to equip Australia to defend better against cyberattacks as well as the more specific question we've talked about, about intrusion into the network of foreign-supplied equipment that may have weaknesses where security issues are concerned. So I agree entirely that this is a much broader issue than the one that we're able to discuss here today. And in fact, where we've actually seen the problems manifest themselves hasn't been in the supply of equipment, but it's been in the more general level of cyberattacks and the like.

 

Dileep Srihari:  Yeah, this is Dileep. I'll agree with that and just say I think there's some statistic that 70 percent of all cyberattacks on the internet or more are just because of people having bad cyber hygiene with passwords before you even get into the sophisticated stuff about technical attacks, let alone state actors and equipment problems.

 

Paul Beaudry:  One last question on my part. Dileep, as you know, Huawei launched a lawsuit last week against the U.S. government in regards to U.S. legislation that prevents federal agencies from purchasing Huawei equipment. In light of the comments that you've made today, I would probably evaluate Huawei's likelihood of success as being relatively slim, but I'd love to year your thoughts on this.

 

Dileep Srihari:  Sure. So I agree with you. I think the chance of likelihood is relatively slim. We've seen the arguments, many of the arguments, actually, Huawei made last summer in response to the FCC's proceeding. So the FCC, our telecom regulator, has an open proceeding right now that would consider prohibiting the use of the universal service funding for rural broadband deployment, would prohibit the use of such funding on suppliers with national security concerns. Huawei has pushed back on that pretty hard and raised various legal arguments against the FCC's ability to do that, which TIA has responded to on the other side of the argument.

 

So basically, Huawei is making three claims. They're saying -- well, I should explain. So Congress last summer passed in the Defense Authorization bill, Section 889 of the FY19 Defense Authorization Act, and as you said, that prohibits federal government purchases of equipment from Huawei, requires action within two years to address that. It also includes a prohibition on federal grant and loan program funds, so it affects the states, and we would argue, also applies to the FCC's universal service program.

 

So Huawei is now -- their lawsuit says that that law passed by Congress last August is unconstitutional. They're raising three claims. They say first, Congress specifically mentioned us plus ZTE and a couple of other companies by name, and so that's an unconstitutional bill of attainder. They, second, said that violates the Constitution's Due Process Clause because they have a right to a hearing. And then the third argument was that it generally sort of violates the separation of powers between the branches of the government, Legislative, Executive, and Judicial in the United States. So that's their claim.

 

Now, just last November, there was an issue -- there was a case involving Kaspersky Lab, which is the Russian software company. And they had actually filed a bill of attainder challenge because something similar had been done regarding them, and they lost that challenge pretty cleanly and clearly in the D.C. Circuit in the appeals court here in Washington. So essentially, as far as we read it, a lot of the logic of that case would apply in the Huawei case as well. So I think legally, their chances of winning this are slim to none. But of course, that's not the only reason they would have filed a lawsuit because it certainly could be seen, and many people have said this, that it's part of a global public relations strategy by Huawei to not just sort of accept the U.S. government's decisions and conclusions as sort of fait accompli but to try and push back legally in the United States to show the governments of other countries around the world that they're trying to fight this in the U.S. courts.

 

Plus, also, it does bring into consideration, bring the issue higher to mind of the White House, and it may be Huawei's hope that they could find some out as part of a trade deal and that the U.S. White House would somehow bail them out and maybe tell the Justice Department not to defend the lawsuit or something like that. I think it's all unlikely, and from everything we understand, it's unlikely. So I would view the lawsuit more as a tactical and public relations play than a real chance at actually winning it.

 

Micah Wallen:  We do have a question in the queue, but whenever you're ready to go to it, we can turn there.

 

Paul Beaudry:  Excellent. Please go ahead.

 

Micah Wallen:  All right. Caller, after you hear the prompt, go ahead and ask your question.

 

Andrew Lomb (sp):  Hi, my name's Andrew Lomb. I had a question. So if you go through the, I guess, the outline of what the talk's about, it talks about advocating for robust measures. Isn't the most robust measure to have some competing product that's just better? And where are we if we're saying, "Don't use these companies," where are we with the alternatives, and what does that picture look like?

 

Dileep Srihari:  Sure, that's a great question. There are a few ways to look at that. First of all, the market for certain types of 5G wireless equipment is relatively -- I mean, the number of suppliers is relatively small. And part of that is through some industry consolidation that's happened in recent years. People generally think about it when you're talking in terms of the antennas that go at the top of a cell tower or actually manufacturing the cells, there's basically five companies. Huawei and ZTE are the Chinese ones, and then the non-Chinese ones are Nokia, Samsung, and Ericsson. So for the most part, you have five major suppliers. There are a few smaller ones as well. And so one of the considerations in the United States has been how do we get more U.S. development so that there's U.S. technology leadership in moving forward in these next generation technologies, particularly since, at the moment, none of those five companies are actually headquartered in the United States.

 

Now, the reality is when you're talking about Nokia, Samsung, and Ericsson, they own a lot of facilities in the United States, and so a lot of the work that's being done on these issues, as far as we understand, is actually happening in the United States. But, and this gets back to maybe where Paul started the conversation at the top when we were talking about trade, we're not, for example, looking for the United States government to implement, say, a "buy American" provision because that would be counterproductive, especially right now. But we do think it's important that the U.S. government continue to invest in small business incentives, invest in R&D, technology support to make U.S. technology leadership in wireless sort of a real, national priority here.

 

Also, I would point out that while installing cells at the top of a tower, there's relatively fewer of those. But when you talk about small cell deployments for 5G, you're going to see a totally different topology in terms of network layout. Whereas one small cell, rather than being a big thing at the top of a 200-foot cell tower, will be something smaller, the size of a pizza box, that will go on the side of a building and maybe serve an area about the size of a block, but it will do it at super high data rates of 10 gigabits and up. So you'll have vastly more numbers of these small cells that are going to be deployed, and I think that creates a lot of potential for other players to enter the marketplace in addition to the big five who have been doing the 4G cellular deployments.

 

Now, the other thing to point out here is Huawei competes in a whole bunch of different spaces, not just the actual wireless infrastructure point of 5G, but a 5G network is not just that antenna. It's the cabling, it's all of the routers, it's the devices that are in the central office that connect back to the core of the internet. And a lot of that is wired networking equipment that has nothing to do with the actual 5G radio protocol. And for that set of equipment, there are a lot of other competitive U.S. equipment providers. For example, a company like Cisco, which is an American company that builds routers, they're heavily involved in this space. So of course, I think Huawei competes across a lot of these different segments, so you have both wired and wireless and other interests in the United States who are in those various markets.

 

So obviously, I think, yes, we have to understand what exactly are we talking about when we're talking about this 5G equipment and what exactly is the nature of the problem. And then, even there, you say there's a lot of different ways to attack this that are other than sort of just saying, no, don't buy this, but what should you be doing who are the suppliers, and what's the type of equipment we're talking about.

 

Paul Beaudry:  Thanks, Dileep. And that's a good point by the caller. And I've heard some people say, "Well, shouldn't we simply allow Huawei equipment to be marketed in our country, at least to put some downward pressure on prices?" Michael, do you have any thoughts on this?

 

Michael H. Ryan:  Well, I wanted to echo what you just said, Paul, about the importance of the question that the caller has posed. Certainly, one of the factors that's been affecting the approach of at least the U.K. to this issue, and I suspect other countries like Germany and perhaps Canada, is that there's a perception that there's a lack of attractive alternative solutions for 5G. I don't mean there's no possible solution, but they aren't as attractive both from a technical or a price standpoint as the Huawei solution. In addition to that, there's the concern that the introduction of a de facto or legal ban would result in a delay in deployment of 5G networks. So both of those factors are at play in the U.K. decision making, I'm sure.

 

Dileep Srihari:  Well, this is Dileep. On the pricing point, one of the things we hear from our member companies is, "Well, look, we're competing against a company that is receiving tens of billions of dollars in subsidies from the Chinese government." So now, admittedly, that's not a national security issue, that's a trade policy issue and a government subsidies issue, but I'm speaking on behalf of TIA and our members who are producing great, innovative products every day. They're fully excited to go out there and be willing to compete, and to have new companies emerge into the space. I don't think that anyone's afraid of free and fair competition here. That's why they're trying to focus on this in terms of a national security issue rather than sort of a trade policy issue.

 

Micah Wallen:  One question just came through. All right, caller, as soon as you hear your prompt, ask your question.

 

Caller 3:  Hi. There's another issue that nobody's discussed here, and that is the possible toxic effect of 5G on the environment. People may not be healthfully affected by microwave radiation, and this might turn the entire country into a big microwave oven, cooking our genes.

 

Dileep Srihari:  Well, this is Dileep. We have seen those concerns being raised. So far, we haven't seen the evidence to support those things. The FCC has an open proceeding right now to look at those issues, and TIA has certainly urged them to finalize that, and move ahead and issue rules. I'm aware that this is sort of an issue that's out there in the zeitgeist, but as far as we're aware, it hasn't been backed up by any evidence yet. But of course, if the FCC were to look at that and say that there needed to be some kind of a change in the existing standards of the rules, then all of our members would comply with them. I know that all of our members right now have to do pretty extensive testing of all of their products for RF radio frequency exposure to make sure that they comply with all of the FCC's rules.

 

Paul Beaudry:  Michael, do you have any thoughts on the potential for 5G radiation?

 

Michael H. Ryan:  It doesn't seem to be an issue that's being actively debated in the U.K. at the moment. There was a scare and a lot of tension paid some time ago to the issue of handsets, but that seems to have abated. And as I said, I haven't heard anything further either in the context of 5G or radio frequency radiation issues more generally.

 

Micah Wallen:  We do have one more question. I will go to that one now.

 

Tricia Paoletta:  Hi, this is Tricia Paoletta, and great call so far. I did join late, so my apologies if you guys already talked about this, but on the lawsuit, has anybody who is kind of defending U.S. government actions noted that the U.S. has an existing reservation in our trade obligations and where we've taken a national security reservation? It's very high-level. We did it 20-odd years ago, so there's nothing specific, of course, to China in there or these two companies, but in your review of these issues, are people talking about that national security reservation?

 

Dileep Srihari:  This is Dileep. So in terms of the lawsuit that Huawei filed, it hasn't come up there because Huawei is alleging that an act of Congress which prohibits them by name from essentially selling to the federal government, Huawei is alleging that that violates the U.S. Constitution. So I am aware -- my colleague who works on trade issues has brought this up, the national security exemptions and all of that. We're trying to -- at TIA, our view is to try and keep that a little bit out of this because, typically, the national security reservation tends to be something that gets thrown at us by foreign governments.

 

TIA's general view has always been we want to maintain open markets, and we want to maintain the free flow of trade and goods and products and services. I know that may seem strange for me to say after a whole call when I've been talking about the Huawei issue, but we're trying to keep that a little bit separate because we don't want other countries relying on that heavily. And at the moment, we don't see any particular reason to bring that up in this context because it's not like Huawei has specifically alleged, as far as I can tell, violations of trade agreements on that front.

 

Paul Beaudry:  Thanks, Dileep. Micah, do we have any other questions?

 

Micah Wallen:  We do not as of now, so if you would like to offer up some final remarks, we can close.

 

Paul Beaudry:  Well, thank you very much. I think this was a very interesting call. These issues will continue being debated, I think, hotly in the coming weeks and months as some Western countries get ready to make their decisions on the future of their 5G networks and whether Chinese company involvement will be banned or not. I want to thank our two panelists, Dileep Srihari, who is, again, Senior Policy Counsel and Director of Government Affairs at the Telecom Industry Association, and Michael Ryan, Principal at MHRyan Law in London. Thank you very much to both of you, and have a nice day.

 

Dileep Srihari:  Thanks, Paul. Before folks go, I just wanted to put in a quick pitch. Next Tuesday, TIA's hosting an event in Washington on supply-chain security. If you're interested, just check out the TIA website. Thanks.

 

Micah Wallen:  All right. And on behalf of The Federalist Society, I want to thank our experts for the benefit of their valuable time and expertise today. We welcome listener feedback by email at info@fedsoc.org. Thank you all for joining us. We are adjourned.

 

Operator:  Thank you for listening. We hope you enjoyed this practice group podcast. For materials related to this podcast and other Federalist Society multimedia, please visit The Federalist Society's website at www.fedsoc.org/multimedia.