Recent U.S. efforts to ban the federal use of telecommunications equipment from Huawei Technologies and other Chinese companies are “malaligned” and “don’t make any sense to me,” said former Federal CIO Tony Scott in a podcast interview with SC Media.
Scott, who served under former President Barack Obama and now operates as chairman of his own IT consulting and advisory firm the TonyScottGroup, previously addressed the controversial banning of Chinese technology in a recently published supply chain security white paper that is owned by and was reportedly paid for by Huawei. (Huawei Technologies USA Chief Security Officer said Scott told SecurityWeek that Scott decided on his own content.)
In his podcast with SC Media, Scott reiterated some of the concerns that he previously alluded to in his paper, which does not specifically reference Huawei, and also called for an independent and standardized testing and certification process to assess the security risks of telecom techniques, IoT devices and other key digital technologies.
“First of all, tons of stuff [are] made in China. It’s not just Huawei stuff. Every Apple device you have, every consumer product that you can get, everything has lots of Chinese components in them. So I don’t think it’s appropriate to focus on just Huawei and say because it’s Chinese it’s bad,” said Scott.
Additionally, “I looked at the supply chain practices of all the major OEMs, not just Huawei, and the idea that you could plant something bad in a specific device at its point of origin and have any certainty that it was gonna end up someplace where you wanted it to was a high-cost, low-probability-chance-of-success sort of exercise.”
Scott said a better approach would be to institute an independent and standardized testing and certification process, “where no matter who the manufacturer is, no matter what country of origin, you could send devices and have them tested for their cybersecurity capabilities… And put everybody’s gear through it. Put all the software through it and then test it regularly.”
Still, the question remains whether such testing would be effective against an APT-level threat. At the 2020 RSA conference, Bruce Schneier, security technologist, researcher and lecturer at the Harvard Kennedy School, said, “We can put backdoors in systems that cannot be found… especially if you control the hardware.” And according to media reports, U.S. officials have accused Huawei of planting backdoors in its products and telecommunications networks – backdoors that China could later leverage for cyber spying or even a future attack on critical infrastructure.
Federal agencies have been banned from using equipment from China-based Huawei and ZTE Corporation since the passing of the 2018 Defense Authorization Act, and in late 2019 the Federal Communications Commission banned telcom networks from purchasing Huawei and ZTE equipment from the agency’s Universal Service Fund (USF). And just last month, Congress passed the Secure and Trusted Communications Network Act, which will establish a reimbursement program – administered by the Federal Communications Commission – that will allow small and rural telecom operators to “rip and replace” from their networks any equipment deemed untrusted and unsafe.
During his podcast interview, Scott also compared and contrasted the cyber posture of the White House under President Donald Trump with that of the previous Administration.
On the plus side, Scott commended the Trump Administration and current Federal CIO Suzette Kent for following good cyber posture recommendations across federal agencies. “Overall, I feel pretty good about the at-large state of cybersecurity in the federal government,” said Scott.
On the flip side, however, there are a lot of “individual cases where you could say, ‘Maybe we took step backwards.'” Said Scott, “We didn’t let President Obama use a personal phone,” as Trump has been known to do.
Scott also reflected back on the infamous U.S. Office of Personnel Management (OPM) data breach, which took place before his arrival as CIO but was discovered shortly after he had taken over the position.