By Bruce Sussman
Thu | Jan 2, 2020 | 10:44 AM PST

We're here. It is now the decade when the promises of 5G will become a reality. 

And Chinese telecom giant Huawei is continuing its push to build the 5G infrastructure in countries around the globe.

This is not possible right now in the United States, but should it be?

I sat down with the Chief Security Officer of Huawei USA, Andy Purdy, at SecureWorld Seattle to get his views on how and why Huawei could be viewed as a safe and trustworthy choice to build the world's 5G networks.

5G, Huawei, and security concerns

As a backdrop to our interview with Huawei's CSO, consider the following.

During 2019, the U.S. Department of Commerce (DOC) added about 100 people and entities linked to Huawei, along with Huawei itself, to the United States "Entity List."

Being on that list effectively bans you from doing business with the U.S. federal government and complicates the ability of other U.S. organizations to do business with you.

In Huawei's case, the DOC says the decision to add Huawei and related companies to the list was because of the following:

"...a reasonable basis to conclude that Huawei is engaged in activities that are contrary to U.S. national security or foreign policy interests and its non-U.S. affiliates pose a significant risk of involvement in activities contrary to the national security of the United States."

And the Intelligence and National Security Alliance (INSA) spelled out what is at stake here in easy-to-understand terms:

"Using Chinese equipment in 5G infrastructure entails significant risks. According to U.S. government authorities, equipment made by Chinese companies, such as Huawei and ZTE, could give China the ability to vacuum up all of the information that passes through it—including sensitive diplomatic, military, and commercial information—and to remotely disrupt U.S. wireless infrastructure in times of conflict.

As Americans become increasingly dependent on 5G-capable services, a disruption of 5G networks could cause significant harm to U.S. national security, the U.S. economy, and the health and safety of American citizens."

Huawei CSO interview on cybersecurity and national security concerns

I asked Andy Purdy, Huawei's Chief Security Officer, about these concerns in an interview for The SecureWorld Sessions podcast. Listen here, or keep reading for interview excerpts below.

[SecureWorld] I understand you have a background working in the U.S. Government.

[Andy Purdy, Huawei CSO]  "I was a lawyer for a long time. And then I moved into cybersecurity joining the White House staff, was part of a team that wrote the US national strategy to secure cyberspace, then went over to the Department of Homeland Security and helped set that up. And for two years, I was in charge of cybersecurity."

[SW]  Thinking of all your experience with Homeland Security and the government, how has it been for you to be on the other side of that?

[Purdy]  "Well, I think I have an appreciation for what the government is trying to do in the larger perspective as we move into a world where it's not just the old military domains of land, sea, and air. Space is going to be a factor at some point. But cyberspace is kind of the fifth domain.

And we have to, the United States has to make sure that we and our allies are safe, we have to make sure we address the risk. I think in the long term, the government's moving in the right direction in terms of trying to come up with a comprehensive approach. It looks like the European Union, Germany may be a little bit ahead of that.

But eventually, you know, they will do that and that kind of thing is what's necessary to make America safer. I think they are kind of bending over backward because of the geopolitical situation between China and the U.S. and the bottom line is that banning Huawei is not making America safer."

Can we trust Huawei?

[SW]  I am thinking of what happened in 2019 concerning Huawei. Indictments related to intellectual property theft, some of the headline-grabbing arrests in Canada and other places. The U.S. adding Huawei to the Entity List. With all of the smoke around Huawei, can you understand why some in security believe there's gotta be a fire there as well?

[Purdy]  "Well, I think it's important for people to realize that the US government has not made any allegations of significant cybersecurity wrongdoing against Huawei.

That's one of the reasons that U.K. and Germany earlier in 2019 basically pushed back and said, well, the almost year-long campaign of the U.S. to block Huawei around the world is getting very little, very little traction. And those allies, among our closest, said, 'You haven't said anything, you haven't even alleged Huawei has done anything wrong, much less provided any evidence.'

So what they're doing is what I think the cybersecurity experts I talk with behind the scenes recognize that you need. A comprehensive approach to address the risk. And it's not just the equipment, although independent testing of the equipment is necessary.

The telecom and mobile operators, they have to make sure they are following the appropriate standards and best practices, not only so that we can protect personal data, but as we become more dependent on 5G and Internet of Things, we're going to need those systems and networks to be up and running; our lives are going to depend on it. So it really is important that we raise the bar on cybersecurity. But a comprehensive approach is the only way to go.

One frustrating thing is sometimes people hear that I'm a defender of Huawei and they have a tendency not to listen to what I'm actually saying. I would suggest I'm not a defender of Huawei.

People say well, do you trust China? And do you just trust Huawei? I don't trust anybody. I think the approach has to be, you don't ask people for trust. We need to have mechanisms in place, and they exist, where you don't need to trust anybody. Because the mechanisms are in place to make sure we have an objective and transparent basis to know that we're going to be okay."

A comprehensive approach to 5G security?

[SW]  Okay, I hear what you're saying that there needs to be a broad approach. When it comes to Huawei, what have you told the government or indicated to the industry that you're willing to do to show it is trustworthy?

[Purdy]  "Well, the government's not willing to meet with us. And that is certainly one of the direct consequences of the US-China trade talks. In a normal situation, they would talk to us.

And in fact, some of the different messages that go public among administration officials create some misunderstanding by people. They're kind of like, 'Oh, well, is there a possibility that Huawei is just going to be able to do business in the United States?'

The fact is, Huawei will never be allowed to do business in the United States under less restrictive conditions than Nokia and Ericsson operate under. They're only allowed to operate in the United States because they operate pursuant to government monitored risk mitigation, which undoubtedly includes product testing, despite their deep ties to China.

The assembly, the manufacture, the R&D that takes place in China. Their alliances with the Chinese government, somehow they found means to address the risk. We'd just like to have a conversation with the US government about what kinds of risk mitigation could be put in place.

But it's not just about the equipment. It's also got to be about the strength of the customers, the strength of the telecom operators, and making sure that any equipment vendor when they later service equipment, there has to be strict controls such as we impose on ourselves and with our customers. So that there's not an opportunity for any foreign power to use that access to service equipment to cause harm to the United States or our allies."

[SW]  One of the things I heard you say on CNBC is that if you get banned from a country, essentially that country becomes less safe because of the global supply chain and the way things are set up. Will you elaborate?

[Purdy]  "Competition helps drive down cost, helps drive down price, helps increase innovation, helps promote additional security features. And it promotes resilience. You need multiple suppliers of your communication network. So if one goes down, you're still going to have access to the information."

[SW]  Many believe 5G is coming with increased security risks. And U.S. government cyber leaders have said 5G has to be built on trust because of the way it's going to change the fabric of everything that we do in the future. What do you think about that?

[Purdy]  "There's a lot of things that aren't being said quite accurately about what 5G means and what it entails. But there's a global effort to make sure that with each roll-out of business scenarios of 5G, the first one is beginning with speed for mobile devices, that there are standards to make sure that the system is more safe than it was before.

And in fact, we've been criticized because we're active in the standards efforts. A lot of companies and governments are, but I'd encourage the U.S. government to jump in, the water is fine. Everybody needs a lot of help in understanding what the threats are, understanding what the vulnerabilities are, and how we can address those, how we can manage the risk and promote resilience in a way that provides transparency.

That's what the European Union's trying to do. They're going to do a big threat mapping of 5G, that's what Germany's doing, that's what we all have to do because it takes hard work to identify the most significant threats and make sure you have processes and tools in place that guarantee you're not going to be harmed by that particular threat. Processes and tools to guarantee, like you say, there's trust there, because you've gone through the process."

There is much more in our podcast interview with Huawei Chief Security Officer Andy Purdy. 

Who will trust Huawei in 5G's big decade? That remains to be seen.
