27 March 2019

Trump Is Right About Huawei

By FRED KAPLAN

President Donald Trump got something right. His administration’s recent rule barring the use of federal funds to buy products made by the Chinese telecom firm Huawei is sound national security policy. So is his urging of allied governments to do the same.

Even here, though, the Trump touch—the diplomatic equivalent of an inept gardener’s black thumb, turning even healthy plants to weed—has blighted the policy’s prospects.

To be fair, it would be a hard row to hoe for any president. Huawei is the world’s largest telecommunications manufacturer, with products selling in 170 countries, including in Europe, where it provides the infrastructure for networks under development by such giants as Vodafone, Deutsche Telekom, and BT Group. For these firms to cancel their contracts now would be very expensive, especially since Huawei’s wares are competitive with much more expensive brands.

The problem is that those wares are also potential backdoors for Chinese intelligence. If Huawei gains a foothold in the burgeoning market of 5G networks (as it is working hard to do), those backdoors would open access to streams of sensitive political, financial, manufacturing, and military data.

Huawei’s executives claim that no backdoors have been found in any of their commercial products. This isn’t quite true. In 2015, a German company found malware on the company’s smartphones. Intelligence officials say that is far from the only instance. But even if the claim were true, it would be irrelevant.

Richard Clarke, former White House counterterrorism czar, now CEO of Good Harbor Security Risk Management and co-author of Cyber War (one of the first books on the subject), says, “Chinese law requires Chinese companies to comply with requests from Chinese intelligence.” Huawei’s executives have said they would refuse such a request, but, Clarke says, “they can’t refuse.”

This has become more of a concern recently. Elizabeth Economy, director for Asia studies at the Council on Foreign Relations and author of The Third Revolution: Xi Jinping and the New Chinese State, says President Xi Jinping has “enhanced the Communist Party’s role in private companies, not just state-owned enterprises,” adding, “No company is fully safe from government interference.”

Despite these concerns, Britain, though still reviewing its relationship with Huawei, is leaning against Trump’s urgings, at least publicly. Ciaran Martin, head of the government’s National Cyber Security Centre, said a month ago that his agency can “manage” whatever security risks might crop up. But several intelligence officials and specialists in the U.S. have their doubts.

Chris Wysopal, co-founder and chief technology officer of the cybersecurity firm Veracode, says, “Any device is one firmware update away from containing a backdoor. Technology is continuously updated, so point-in-time checks are not sufficient.” The key, he says, is whether you “trust the organization and its policies and processes to maintain security for its customers.”

The Trump administration is hardly alone in distrusting Huawei. Australia was among the first to sound the alarm: Back in 2012, on the advice of its Security Intelligence Organisation, the government barred Huawei from bidding on contracts for the construction of its National Broadband Network.

That same year, the U.S. House Intelligence Committee issued a report concluding that Huawei posed a “national security threat.” Since then, New Zealand and Canada have joined the U.S. and Australia in declaring that the company’s components pose “significant security risks,” especially in 5G networks. Japan has canceled contracts too.

So many U.S. tech companies, including Verizon and AT&T, have backed out of deals—pending or actual—that Huawei abandoned the American market. In that sense, the Trump administration’s ban is a formality, issued mainly as a response to allies wondering why they were being asked to ban Huawei’s products when the United States hadn’t.

Formalizing the U.S. ban is unlikely to matter. The key issue, says Richard Clarke, “is no one trusts Trump.” Some other president “might have been able to build a coalition to stop Huawei from wrapping up the 5G market, but you can’t put together a coalition on this issue when you’ve been badmouthing NATO and destroying coalition efforts like the Iran nuclear deal.”

Some allies also suspect that Trump is using the campaign against Huawei as a bargaining chip in his broader trade war with China. Trump himself heightened this suspicion when he said he might let Huawei back into the U.S. markets if Beijing signed a trade deal with favorable terms for American companies. Trump has used national security as a prop for self-aggrandizement in the past, notably when he put tariffs on steel imports from Canada. So it’s not surprising that some dismiss the claims about Huawei’s national security threat as more deceit.

Trump has further stiffened the resistance of certain allies by employing imperial pressure tactics. The Wall Street Journal reported earlier this month that Richard Grenell, U.S. ambassador to Germany, wrote a letter to officials in Berlin, warning that the United States would stop sharing intelligence data if they didn’t cut off Huawei as a supplier. Chancellor Angela Merkel shot back that her country was “defining our standards for ourselves.”

Another obstacle to wider action is that Huawei’s practices can be shrugged away as normal. It is hardly the only firm to open its wares to the intrusions of intelligence agencies, and China’s is hardly the only agency to plug in. For many years, until Edward Snowden’s big document leak, the National Security Agency intercepted communications through the platforms and networks of several American software and telecom companies, often with their consent. A major difference is that the NSA’s intercepts were focused mainly on counterterrorism targets and approved by a special court (though the court was quite permissive). According to intelligence officials, China’s intercepts are broad and massive, covering military secrets and theft of trade secrets, among others.

The underlying problem is that the supply chain of telecom technologies has been allowed to spread globally, with no supervision and scant standards. In 2017, the Defense Science Board issued a report—based on a yearlong study by a panel consisting of specialists from such organizations as Google, Qualcomm, IBM, the Johns Hopkins Applied Physics Laboratory, and the Defense Department—concluding that the vulnerabilities in the supply chain could allow adversaries to disrupt, degrade, or destroy weapons systems, financial networks, and critical infrastructure. “When done effectively,” the report stated, “malware insertions will not be detected until actuated,” and, if they are finally found, they may be misdiagnosed as “a design flaw.”

A quarter century ago, when banks, power plants, railways, electrical grids, and other vital systems started putting their control systems online, they could be excused for not knowing that, while saving costs and maximizing efficiency, they were making their networks—and our entire society—vulnerable to cyberattacks. Except for a few computer scientists, who had predicted the problem in the mid-1960s, at the dawn of the internet, no one understood the consequences. The first major studies on cybervulnerability weren’t released until shortly after industries and utilities made their leap into cyberspace. And when the facts were known, they actively lobbied against proposals for mandatory cybersecurity standards, arguing that “regulation”—the most obscene word in their lexicons—would wreck American innovation.

There are no such excuses today, when cyberattacks are commonplace and cybersecurity is a multibillion-dollar industry. And yet as corporations plunge into the heady and highly lucrative future of 5G, their executives and government protectors are mumbling the same arguments against doing anything that might impede the juggernaut. This time, American firms—which have been hit hardest by cyberattacks and have spent the most money to mitigate the damage—are doing the right thing, at least when it comes to keeping out stuff from obvious bad carriers like Huawei. As for the foreign firms that are ignoring what’s plain as day, they should, at least as a starting point, ask themselves what they would do if the president urging them to do more was someone other than Donald Trump.
