The U.S. Senate Committee on Commerce, Science and Transportation on Wednesday held a hearing where officials from leading tech and telecom firms offered key recommendations to lawmakers who seek to replace and further prohibit telecommunications equipment that may pose a security risk, including products from China-based Huawei and ZTE. Among the key suggestions was that any effort to "rip and replace" untrusted equipment should really be treated as a "replace, then rip."
Federal agencies have been banned from using Huawei and ZTE equipment since the passage of the 2018 Defense Authorization Act, and in late 2019 the Federal Communications Commission banned telecom networks from using the agency's Universal Service Fund (USF) to purchase Huawei and ZTE equipment. And just last month, Congress passed the Secure and Trusted Communications Network Act, which will establish a reimbursement program, administered by the Federal Communications Commission, that will allow small and rural telecom operators to "rip and replace" from their networks any equipment deemed untrusted and unsafe.
Hearing witness Steven Berry, president and CEO of the Competitive Carriers Association (CCA), addressed the latter legislation in a submitted written statement. Berry said that while most CCA members' networks don't have equipment from untrusted sources, those that do "want to take whatever steps are necessary to ensure our national security," but may need additional help and leeway moving forward.
"...I am hopeful that resources will be available so that carriers can move expeditiously to replace covered network elements. This means that after a carrier with covered equipment has established a clear plan for replacement and removal of networks elements, they will have access to funding both as the process begins as well as at specified benchmarks throughout the process," said Barry. "Such access to needed resources recognizes that networks that were not initially economical to construct absent support mechanisms are unlikely to be able to finance the project management process without resources available long before certification that covered elements have been completely removed. Additionally, as the removal process moves forward, policymakers should allow for carriers to triage their networks and focus on the most significant vulnerabilities first."
It was Barry who emphasized to lawmakers that the "rip and replace" process will more realistically have to be "replace, then rip." In other words, "a separate, standalone network must be established and stood up alongside current services before carriers can transition traffic to the new equipment and then decommission the covered elements, explained Barry." That way, Americans in rural regions don't lose voice connectivity and 911 services while this logistically complex transition occurs.
Additionally, Barry encouraged the federal government to financially incentivize carriers to select equipment providers that prioritize resiliency and security, so that telecom companies don't simply gravitate to the cheapest available solutions when using FCC funds to build out their networks.
Having learned from multiple equipment swaps executed by his company, Mike Murphy, CTO, Americas, at Nokia, said in his own written testimony that federal lawmakers and regulators must exercise patience and have flexibility in terms of both timelines and technology.
Murphy noted that such undertakings "require careful planning, are network specific, and the times required vary significantly from project to project." For that reason, "Nokia believes that several provisions of the Act are prudent, particularly the provision granting discretion to the FCC to extend the time allowed for impacted carriers to replace covered equipment from one year, by up to an additional six months, and the directive for the FCC to remain technology neutral in establishing the list of recommended replacement equipment."
Murphy also said that the FCC should not be "overly prescriptive" in how it governs carriers to replace "like for like" technology -- emphasizing that what's most important is that the functionality remain the same, even if the underlying equipment is different.
"[The] FCC should also not condition funds on any prescriptive technology mandates. No specific technology, network configuration or other similar mandate will be a one-size fits all solution to all network deployments."
Moreover, "Rather than focus on countries of origin for component sourcing or manufacturing, specify the components or activities that give rise to the risk of exploitation or manipulation," added Murphy. "Not all components and products create risk. Narrowing the focus to specific components or products with risk will assist suppliers in making critical and cooperative decisions with governments about supply chain activities."
Jason Boswell, head of security network product solutions at Ericsson, also offered up written testimony, encouraging lawmakers to support legislation that accelerates 5G deployment and continues to foster a strong marketplace of trusted telecom suppliers.
"...Ericsson believes that accelerated U.S. 5G deployment will in turn protect the security of the 5G supply chain, a goal that can be achieved through (i) increasing spectrum availability, especially mid-band; (ii) putting in place reasonable, streamlined small cell siting rules; (iii) developing and deploying a skilled tower workforce; and (iv) ensuring effective incentives to encourage 5G deployment in rural areas," wrote Boswell.
In additional written testimony, James Lewis, SVP and director of the Technology Policy Program at the Center for Strategic and International Studies, said reports that the U.S. is falling behind China in the race to 5G are exaggerated. He also offered his take on how the U.S. can work to ensure a safer 5G with its global allies, some of whom still use Huawei equipment or have enacted only partial bans, like the UK.
"Where there is disagreement is in how to manage risk. The U.S., Japan and Australia have banned Huawei technology in their networks. This is the only way to eliminate risk entirely," said Lewis. "Those who advocate a partial ban argue that if properly implemented, it makes the risk of using Huawei manageable. Some European countries will copy the UK's decision. This provides the U.S. an opportunity to work with our allies to ensure that a partial ban reduces risk and there could be real advantages for the security of telecom networks and cybersecurity. The recently issued European Union 5G Toolbox provides a framework to guide policy in a way that, if implemented fully, would reduce China's use of telecom infrastructure for espionage and influence."
"The root of the 5G problem is Chinese espionage and Chinese predatory economic practices," Lewis continued. "Our European and Asian partners have realized the extent of the Chinese espionage campaign against them. Countries near China are eager to cooperate, but there is an ambivalence in Europe. China is not a military threat to them and there is a reluctance to admit that the China market that Europe depends on comes with real economic risk... Spying, illicit subsidies, and predatory pricing helped Huawei to drive western telecom manufacturers from the market and other sectors of the European economy, such as aerospace and automobiles, are now at risk. Our task is to persuade European allies that it is better if the democracies stand together."
Huawei debate raged on at RSA 2020
Wednesday's hearing came about a week after a spirited and at times contentious panel session at the 2020 RSA conference, during which cybersecurity experts and officials from the U.S. Department of Defense and Huawei clashed over America's move to ban the federal government's use of Huawei telecom products.
Panelist Andy Purdy, CSO of Huawei Technologies USA, implied that U.S. lawmakers and the Trump administration are singling out Huawei because it is based in China while overlooking other major threats that could pose just as much of a risk to communications and other critical infrastructure.
"Are we going to consider a vendor trusted because they're not headquartered in China? I don't think so. And I think, as I'm starting to learn from you all, that we can't trust anybody," said Purdy. For that reason, he continued, it's important to come up with a system that eliminates all threats more broadly -- a system "with uniform standards and conformance programs... ongoing testing and continuous monitoring to help make sure we're safe."
But Katie Arrington, who oversees supply chain management for the DOD as CISO of the agency's Office of the Under Secretary of Defense for Acquisition, said the DOD doesn't base its security evaluations solely on country of origin. "We always are looking at the source code... where the source code was created, who created it and how has it been transmitted since then," she said.
However, Arrington also insisted that Huawei is an exceptional case that requires special attention because of the clear threat posed. "We have our own data. The recommendation was to take Huawei out for a very specific reason," she said.
According to reports, U.S. officials have accused Huawei of planting backdoors in its products and telecommunications networks -- backdoors that China could later leverage for cyber spying or even a future attack on critical infrastructure.
Some observers have said the U.S. ban on Huawei products lacks justification due to a shortage of publicly available evidence that the company has engaged in wrongdoing. However, Arrington insisted that the DOD is not only following current law in imposing the ban, but also is privy to its own classified intelligence that illustrates that such measures are necessary.
Regarding the "rip and replace" policy set forth by the soon-to-be-passed Secure and Trusted Communications Network Act, Purdy asked a series of questions designed to prompt thought from the audience: "Who's more likely to be hurt, Huawei or the American companies that support the U.S. defense industrial base? And before Huawei's gear is ripped and replaced from the companies serving rural America, should experts consider the consequences? Should effective risk mitigation measures be considered? Will 'rip and replace' take more time and more money than anticipated?" Purdy asked.
But Arrington insisted the ban was a no-brainer. "Having this out of our most trusted environments isn't something that we in the DOD even are concerned is an impediment," she said. "It's a have-to-do because the risk is so high."
Other experts commented that the U.S. could still do a better job refining its telecom and 5G security policies, and should beware of taking drastic actions.
"We haven't had an answer in the national conversation about what data constitutes [a] national security risk and part of the reason we don't know is because we don't know how data's going to be used in the future," said Kathryn Waldron, a fellow at the R Street Institute, a public policy research organization and think tank. "...But without knowing the answer to that, it's also hard to judge the proportionate response to any particular company. So while I definitely agree... that we cannot just look at country of origin -- you need to be equally suspicious of American companies, European countries, at the same time I would also agree with Katie that country of origin for some companies and some infrastructure, there's just too high of a risk for us to be really comfortable with including them in our supply chain."
Meanwhile, noted Harvard University Security Technologist Fellow Bruce Schneier weighed in by opining that the U.S. hurts its position by treating the Huawei situation as both a security issue and a trade issue -- thus raising the question of whether the ban may in part be a way for the U.S. to gain leverage in the ongoing trade war with China.
"Unfortunately, when you look at the news, the administration is trying to play it both ways and I think this hurts us. It's probably a national security issue, but... coming out of the White House, there's a lot of talk of it being a trade issue. And I wish they would stop doing that. Or at least, if they are doing that, stop talking about it as a national security issue. Pick one."
The panel was moderated by Craig Spiezle, managing director of Agelight Advisory & Research Group and chairman emeritus of the Online Trust Alliance.