U.S. CTO: Don’t trust Huawei. Edward Snowden: Don’t trust anybody
U.S. chief technology officer Michael Kratsios came to the Web Summit conference in Lisbon, Portugal, with a stern message: You don’t want Chinese telecommunications giant Huawei in your 5G future.
“The Chinese government has built an advanced authoritarian state by twisting technology to put censorship over free expression and citizen control over empowerment,” he said on the main stage Thursday afternoon. “The government continues extending its authoritarianism abroad, and in no case is this more clear than with Huawei.”
It was an unusually direct slam, at an event which usually plays up themes of international cooperation and learning (and runs a sister event in Hong Kong). But Kratsios plunged ahead.
“Chinese law compels all Chinese companies, including Huawei, to cooperate with its intelligence and security services, no matter where the company operates,” he warned. Then he reminded his audience of reports last year by Le Monde that Huawei’s work on the African Union’s headquarters building was followed by data being exfiltrated to servers in Shanghai for five years.
Kratsios—whom President Trump nominated as U.S. CTO in March, filling a slot that had stayed vacant for two years—urged European governments to reject Huawei’s offers to help build their 5G networks. “If we don’t act now, Chinese influence and control of technology will not only undermine the freedoms of their own citizens but all citizens of the world,” he said.
The trustworthiness of Huawei’s network gear—a separate issue from its smartphones—is getting to be a touchy subject all around. But it’s not a settled one.
Not all governments feel as alarmed as that of the U.S. and allies such as Australia. Beyond the European governments that Kratsios urged to stop tolerating the Chinese telecom giant, the African Union denied the spying allegations and then signed a tech collaboration deal with Huawei this spring. Those last two details didn’t make Kratsios’s speech.
Back in Washington, an 18-month review conducted for the Obama administration found no evidence of Huawei spying in 2012.
On the other side of the Atlantic, a March 2019 report for the British government found no backdoors either. But that report by the Huawei Cyber Security Evaluation Centre Oversight Board also cited grave insecurities in how Huawei ships and patches the software in its network gear. Its glum summary: “It will be difficult to appropriately risk-manage future products in the context of U.K. deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.”
In October, Federal Communications Commission chairman Ajit Pai proposed rules that would bar companies receiving federal universal-service funding from buying “equipment or services from companies posing a national security threat”—with Huawei and another Chinese provider, ZTE, specifically named.
They would also compel certain universal-service recipients to “remove existing equipment and services from designated companies from their networks,” a farther-reaching proposition. Both have bipartisan support on the five-member FCC. Pai’s Democratic colleague Geoffrey Starks has already endorsed them in hearings and speeches.
But without a full-scale rip-and-replace of network hardware, what can you do with connectivity that might not merit much trust? The first headline speaker at Web Summit offered a simple bit of advice to any tech firms that might be tuned into his remote video appearance: Encrypt your customers’ communications from one end to another, without any backup keys.
“Rather than asking people to trust you,” Edward Snowden suggested to telecom vendors, “show them why they don’t have to trust you.”
Sen. Ron Wyden (D.-Ore.) made the same basic prescription Wednesday in a letter to the FCC’s Pai. It urged the FCC to “ensure that encryption and authentication features included in 5G standards are enabled” by the nationwide carriers—then suggested that the commission consider mandating end-to-end encryption, ensuring that content could not be read even when cached on carrier servers.
Apple’s iMessage and Facebook’s WhatsApp provide end-to-end security by default, while standard-issue SMS isn’t even encrypted in transit over the air.
Encrypting 5G wouldn’t grind down the risk of eavesdropping to zero. But it would limit that risk to the individual parties to any one conversation, as Snowden said at the end of his Web Summit talk: “The only people you have to trust are the people that you’re talking to.”
Disclosure: I moderated two panels at Web Summit, in return for which the organizers covered my airfare and lodging.