Huawei controversy shows US need for robust supply chain security strategy

5G technology, through enabling greater digital connectivity at faster speeds, promises to revolutionize everything from smart city internet of things devices to self-driving car communication. And as with any new technology, there are notable cybersecurity threats to be addressed. This includes some of the risks underscored by U.S. government concern about Chinese telecommunications company Huawei, a privately owned but state-subsidized firm that is widely considered to be a global leader in providing 5G technology.

There are real national security and cybersecurity risks presented by 5G technology in general, and in particular with respect to Huawei’s 5G technology. But the U.S. government’s mishandling of these risks and the diplomatic messaging around them underscores something much bigger than Huawei, and something much bigger than 5G: the need for the United States to develop a better supply chain cybersecurity strategy in our increasingly data-driven world.

Huawei’s 5G technology poses national security risks, as does its potential global market dominance in this space. The United Kingdom’s Huawei Cyber Security Evaluation Centre has found Huawei code to be extremely buggy, as have other analyses of Huawei systems. And Nicholas Weaver has argued these vulnerabilities are in fact the “dirty secret” of most computing infrastructure and are not unique to Huawei. However, not every vulnerability is a backdoor — this fact has been missed or misunderstood in commentary about Huawei 5G cybersecurity and adds to the complexity of understanding this technology in which the United States is not dominant.

Some vulnerabilities are just vulnerabilities, there accidentally as a result of human error in the coding process. Other vulnerabilities could theoretically be bugdoors, meaning vulnerabilities that a government finds already there and tells the company to leave in place for exploitation; and others yet could theoretically be backdoors, where the government deliberately plants a hole to be exploited. But without publicly shared evidence of intent, it is difficult to know that any security holes in Huawei systems are bugdoors or backdoors.

Beyond the cybersecurity risks in Huawei’s 5G software and hardware itself, there are also national security risks, as there are in many cases, in incorporating Huawei’s telecommunications equipment into American infrastructure. For instance, during a crisis scenario, it’s possible that Beijing could turn to Huawei to hand over data, provide access to foreign 5G systems, manipulate foreign 5G systems, or even shut down foreign 5G systems entirely. It is not unheard of for governments, including Beijing and others, to leverage the resources of telecoms incorporated within their borders during times of crisis. Many have argued that China’s weaker rule of law, and thus weaker checks and balances on such government powers, make it more likely the government could exert such influence.

All of this said, the U.S. government has blended discussion of national security concerns around Huawei, like Chinese espionage, with economic concerns about Huawei’s global market dominance. In light of the fact that neither the United States nor its European allies have any companies that can seriously compete with Huawei in 5G — at least across the entire “tech stack,” from 5G smartphones to 5G radio towers, all of which Huawei produces — many countries have understandable reservations that the U.S. position is not about real cybersecurity risks, but is in fact about using Huawei as political leverage in the ongoing trade war. Australia and New Zealand have banned Huawei from their 5G systems, but Canada and India, among others, have not and continue to send mixed messages.

This mishandling of the policy around and communication of Huawei 5G risks underscores the United States’ much broader need to rethink, and redevelop, a better supply chain security strategy in an increasingly data-driven age. While supply chain security questions aren’t new, notable changes over the last several years explain why the international context has changed.

The global internet has broader and deeper reach today than it did a decade ago, and the world is more digitally and economically interconnected. Consumer products like the iPhone, for example, contain hardware and software from many different countries. Moreover, software is increasingly running the hardware of our lives. With 5G, for instance, more computing is moving to the “edge,” meaning functions that were previously less software-driven in 4G systems will be increasingly software-driven in 5G counterparts. Global contestation over data access and exploitation is also intensifying, as more countries seek to regulate access to and derive value from data that powers technologies like machine learning.

With all of this comes greater concern about supply chain cybersecurity in the modern age, particularly when it comes to software that could be remotely accessed and updated and could thus leave systems and data vulnerable. In 2017, for instance, the U.S. government banned the software produced by Russian antivirus company Kaspersky Labs from use on federal government systems. Russia itself is pushing for greater software independence from the West. The European Union’s executive branch, meanwhile, recently circulated an internal policy document outlining a proposal for “technological sovereignty” that would essentially work to reduce E.U. reliance on software and hardware manufactured abroad.

Many countries are concerned about supply chain cybersecurity. The contention about Huawei in particular highlights this problem in the United States, where the government has not established clear and objective criteria by which to evaluate the security of digital systems made abroad. The United States has talked about Huawei’s security risks while blurring them with economic risks; American officials, despite claiming they have evidence to this end, have also yet to publicly release information that indicates Huawei is a security threat. Several U.S.-incorporated companies say this data has not been provided privately by the government either.

Currently, an approach that deems literally every Chinese technology company an inherent national security threat is overly sweeping and questionable at best, not least because it would be undesirable and difficult to “decouple” two digital economies that are so greatly intertwined. The Kaspersky case also provides an interesting example of how foreign-based software was deemed a national security threat through a process that could be described as less than transparent.

What the United States needs instead is a clear strategy and plan to help manage the relationship between national security and modern economic risks in supply chain management, particularly related to digital infrastructure. The U.S. government should establish, in cooperation with industry, academic experts, and global partners, consensus “objective” criteria by which to evaluate levels of trust in both hardware and software products developed and/or maintained by foreign-incorporated companies. For instance, should other countries replicate a United Kingdom-style vulnerability assessment on telecommunications equipment?

What about something similar on the legal side? Germany’s foreign minister has discussed evaluating if a company would be compelled by law to pass sensitive data to a government. And what about establishing standard technical and policy mitigation options through similar mechanisms? For example, are there cases in which encrypting communications on a network would shield user data from a 5G supplier, or does that not matter if the supplier can remotely apply patches?

As the world becomes increasingly software-driven, and as the global digital supply chain becomes more interconnected, the U.S. needs an established and repeatable process to handle and communicate supply chain security risks. The case of Huawei’s 5G technology, and the American messaging and policy around it, may not be a precedent the U.S. wants to set.

Justin Sherman is a cybersecurity policy fellow at public policy think tank New America.