President Trump issued an executive order on Wednesday prohibiting U.S. companies from purchasing information technology from firms that are controlled by foreign adversaries and pose national security risks. The Department of Commerce then added Chinese telecommunications giant Huawei to its Entity List, prohibiting the sale of U.S. goods to the company. While news reports have framed the actions as part of U.S.-China trade disputes, Huawei and other Chinese state-controlled companies pose significant espionage threats.
Huawei’s products do not meet basic engineering and cyber hygiene standards and suffer from “vulnerabilities that are capable of being exploited by a range of actors,” according to a recent UK National Cyber Security Centre report. The British agency warned that even extensive oversight mechanisms can provide “only limited assurance that the long-term security risks can be managed.”
In addition to Huawei’s direct ties to the Chinese government and military, Beijing’s 2017 National Intelligence Law raises national security concerns. This legislation stipulates that “any organization or citizen shall support, assist, and cooperate with state intelligence work according to law.”
Huawei and Chinese legal scholars have dismissed the significance of this law, suggesting that it cannot force Huawei to do the government’s espionage work on its behalf. However, as Chris Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, testified before Congress on Tuesday, “The law is important because it’s telling you what they do, but they’re going to get what they want anyway, law or not.”
Robert Strayer, deputy assistant secretary of state for cyber and international communications and information policy, echoed this assertion. “No company can object and say, ‘I don’t want to follow the mandate of Xi Jinping,’” he said in the same hearing. “It’s one-party state communist rule, and they have to follow the dictates of that government.”
If Huawei and other Chinese companies construct 5G (next generation) internet infrastructure, their systems “will provide near-persistent data transfer back to China that the Chinese government could capture at will,” warned former senior U.S. military leaders, including former Director of National Intelligence James R. Clapper Jr. and former director of the National Security Agency Keith B. Alexander, in a statement in April.
The siphoning of sensitive data is not a hypothetical problem. In 2012, China donated a new $200 million headquarters for the African Union (AU). Six years later, reports surfaced that every night for five years the building’s Huawei servers transferred massive amounts of data back to China. While the AU publicly denied the report, it has replaced the Huawei servers.
Last month, Vodafone admitted that it found backdoors in Huawei’s software, which could have provided Huawei with unauthorized access to Vodafone’s networks. Both companies, however, have downplayed the issue, and Vodafone announced that its 5G service will use Huawei equipment. The unstated reason: Huawei can offer prices its competitors like Nokia, Ericsson, and Cisco cannot match, since the Chinese company receives government financial support.
An argument that U.S. allies and others have raised against Washington’s Huawei ban is that it will slow the buildout of 5G networks. Building better security into next-generation internet infrastructure may indeed make these systems more expensive and slower to come online. However, many of today’s cybersecurity challenges stem from ignoring vulnerabilities in internet infrastructure built without security in mind. Repeating past mistakes will only heighten the risks.
Wednesday’s executive order is a first step toward addressing the challenge, but more must be done. Washington can stimulate the market to support secure products by expanding efforts with allies to create trusted supplier lists not just for 5G but for all emerging technology. Working with partner nations and the private sector, Washington can protect the integrity and security of networks on which U.S. and allied national security depend.
Annie Fixler is deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Mathew Ha is a research associate. Follow Annie and Mat on Twitter @afixler and @MatJunsuk. Follow FDD on Twitter @FDD. FDD is a Washington-based nonpartisan research institute focusing on national security and foreign policy.