The security concerns posed by the introduction of 5G technology extends beyond the borders of the United States and will require a serious discussion about the government’s role in that market moving forward, top officials said Sept. 19.
The potential threats are great enough, according to Sen. Mark Warner, D-Va., that they’ve created a bipartisan awareness on Capitol Hill and an understanding that traditional market forces may not solve the issue. Instead, the new technology could require government intervention.
“You would be amazed at the number of my colleagues from both parties who understand this threat and realize that our traditional laissez-faire approach may not work here,” Warner said. “We may need to find ways to develop a better product, support one or more of the entities out there, urge them to collaborate together.”
The underlying problem is that U.S. companies are not major players in the 5G components space, allowing foreign entities to lead the marketplace and subsequently gain influence in smaller nations.
Day two of the Cybersecurity and Infrastructure Security Agency’s cybersecurity summit at National Harbor was marked by consistent discussion of security threats posed by 5G, particularly from the Chinese telecommunications company Huawei and its inexpensive technology that could entice the investment of smaller, poorer countries.
“What’s the alternative for some of these eastern European states? … for Africa?” said Chris Krebs, director of the CISA, an agency within the Department of Homeland Security tasked with protecting critical infrastructure from cyberattacks. “There is no alternative and that’s, I think, the biggest opportunity space for the United States and our allies and … say ‘how can we use American, Western, Korean and Japanese innovation to take back that space?”
To solve the problem, the government may need to assist in the production of viable alternatives, Warner said.
“It will require active engagement of our government with one or more vendors to make sure we can say that … here’s our alternative and here’s how you can get it at, maybe not exactly the same price point as Huawei, but here’s where it’s not going to be twice as expensive,” Warner said.
What unsettles the U.S. government is Huawei’s ties to the Chinese government. Warner pushed back against critics who call for evidence of a backdoor for the Chinese government into Huawei products, instead claiming the threat is a stream of security updates that could eventually include malware at the direction of the Chinese government.
“That’s one aspect … what’s the relationship between the company and country?” Krebs said. He also noted that aside from the Chinese government backing, Huawei’s emphasis on secure products is “demonstrably absent.”
What 5G means in the United States
The conversation turned broader later in the day, with another top CISA official warning against foreign products in general.
“Longer term, I think it’s really important for us to continue have a conversation about the state of our economy and the dependence that we have on foreign manufacturers … for products in our telecommunications systems,” said CISA Assistant Director for Cybersecurity Jeanette Manfra.
Within U.S. borders, Krebs warned of using Chinese products at all in the telecommunications space. He said that larger carriers have taken a “fairly disciplined approach” to removing Chinese components in their infrastructure, but a good chunk of rural carriers have been “pretty lousy.”
“The broader piece for us is really where equipment is being built, where the equipment is coming from” said Grant Schneider, federal chief information officer. “It’s much easier for us to all say ‘I don’t want to buy this from this country’ … Saying ‘no’ is really, really easy. But if those are the only suppliers, then it’s going to be a challenge.”
But the fundamental problem for foreign firms is the flow of data. This was a central issue with the use of Moscow-based threat intelligence company Kaspersky’s products. Several officials emphasized that it’s important for industry and government to know where their data is flowing to, specifically what country.
“You have to acknowledge that there are some laws that will compel a company to provide access to information, whether they want to or not,” Manfra said. “In our case, federal data – we’re not okay with that.”
The United States government has taken action in recent weeks. The government recently officially banned products from Kaspersky from use within the federal government and Huawei has faced significant sanctions this year. Chinese telecom company ZTE also faced sanctions last year. Krebs warned that ultimately the threat from China was broad.
“If you’re in any of the targeted strategic sectors that China’s interested in, you are a target,” Krebs warned. “If you do business with the Chinese, you are a target. If you do business in China, you are a target.”