Summary

  • WHAT: Washington Foreign Press Center On-the-Record Briefing
  • WHEN: Tuesday, November 26, 2019, 11:30 a.m. EST
  • WHERE: The Washington Foreign Press Center; Washington, DC

MODERATOR:  Okay.  Welcome, everyone, to the Washington Foreign Press Center.  My name is Cheryl Neely, and I’m very pleased to have you and our special guests here for an update on how the U.S. is addressing 5G and security.

First, the ground rules.  This is on the record and camera, so that’s pretty easy.

And first, I would like to introduce our briefers.  Immediately to my left, we have Commissioner Brendan Carr.  He has been commissioner of the Federal Communications Commission since 2017.  In his position, he focuses on regulatory reforms in telecommunications, and he is leading the FCC’s work to modernize the infrastructure rules governing the buildout of 5G and other next-generation networks.

In the middle, we have Dr. Thyaga Nandagopal, who serves in the Directorate of Computer and Information Science and Engineering of the National Science Foundation.  He is the Deputy Division Director for the Division of Computing and Communication Foundations.  Prior to this position, he managed wireless networking and mobile computing research within the networking technologies and systems programs at the NSF.

And finally, we have Adam Hickey, Deputy Assistant Attorney General in the National Security Division at the Department of Justice.  He supervises investigations and prosecutions of foreign state-sponsored computer intrusions and attacks, economic espionage, export control and sanctions violations, and malign foreign influence.

And for the first two speakers, there was a link in your invitation to the bios.  For the deputy assistant attorney general we have a printed bio at the front desk, if you would like a copy.

Okay.  And with that, I will turn it to our briefers for opening statements.  Thank you.

MR CARR:  Thanks very much.  Thank you to the State Department for the opportunity to join in this press briefing.  I look forward to discussing 5G and the steps that we’re taking in America to ensure secure, trusted, and vibrant communications networks around the globe.

I’m happy to take questions from the esteemed members of the foreign press that are here today.  Even if you’re not esteemed, I’ll still take your questions.  And I’d like to begin with some opening remarks before I take those questions, but happy to address anything that you all may have.

Advancing the build out of 5G networks has been the leading focus for me at the FCC.  And after all, 5G networks will be the platforms upon which a new wave of jobs and economic opportunity will be created.  Indeed, all these life-changing technologies that we just hear about today – from connected cars to smart cities, remote surgery, virtual applications, virtual reality – none of that will work, or it won’t work very well, without 5G.

And so as networks transition from carrying voice calls and emails to these life-changing applications, the security of these networks becomes only more important.  There’s already so much in modern society that runs on interconnected networks, from banking to transportation and even our power grids.  This will become more so as carriers continue to build out 5G.  If these networks are threatened, everything that we have come to rely on is threatened.

In the U.S., we’ve acknowledged the threat that Chinese telecom firms pose to our networks for some time.  In 2012, a congressional committee issued a report recommending that companies avoid using Huawei and ZTE equipment.  In 2018, Congress passed legislation that prohibits U.S. Government agencies and contractors from using Chinese equipment.

In May of this year, President Trump issued an executive order to secure our ICT infrastructure and supply chains.  And separately, the Department of Commerce added Huawei to the entity list which imposes restrictions on its access to the U.S. market based on Commerce’s determination that the company engaged in activities that are contrary to U.S. national security interests.  And just this month, U.S. Attorney General William Barr wrote a letter at the FCC, where I work, stating that we should not signal that Huawei and ZTE are anything other than a threat to our collective security.

So the FCC’s open to proceeding on the threats posed by Huawei, ZTE, and other equipment providers last year.  The record that developed made clear the security threats posed by these firms.  Both companies have close ties to China’s communist government and military apparatus.  It’s been reported, for instance, that Huawei employees work as agents for the People’s Liberation Army.

Both companies are subject to Chinese law that obligates them to cooperate with any request from the country’s intelligence services and to keep those requests secret.  Indeed, China’s national intelligence law requires that all organizations cooperate with the state intelligence work and provides them with no right to refuse.  It also gives Chinese Government the power to take over a company’s communications infrastructure.

Both companies have apparently engaged in conduct like intellectual property theft, bribery, and corruption.  Indeed, an independent cyber security firm recently found that over half of the Huawei firmware images they analyzed had at least one potential backdoor, and that each Huawei device they tested had an average of 102 known vulnerabilities.

There’s no sign that they will cease this pattern and these practices.  With this and other evidence, it’s not hard to see the threat that companies like Huawei and ZTE pose to communications networks.  And because 5G networks are interconnected, even a small amount of compromised equipment could be devastating to a country’s national security.  5G means that our secure networks must be secured both at the core and at the edge.

I’ve heard some comments that Huawei equipment is cheaper than other equipment, and that’s one reason to put it in the network.  But I’d suggest that we need to take a long-term look at that value proposition.  5G and the rollout of Huawei equipment is part of China’s Belt and Road Initiative; it’s the digital version of that plan.  And what do we see already with that Belt and Road Initiative?  Debt-laden investments in ports, in railroads, in physical infrastructure.  And we’re seeing the same thing happen with Huawei and other gear.

And when countries around the world default on those infrastructure projects, the physical ones, we’ve seen China take action, including seizing those assets.  In the digital world, with the Huawei equipment, that can mean seizing the data that is going through these networks.  So it’s a very real threat.

At the FCC, we’re in a position to do something about that threat, and we are.  Just last week, my colleagues and I voted to prohibit carriers from using federal dollars to purchase any equipment or services from companies that pose a national security threat, including Huawei and ZTE.  And we’re not stopping there.  We are seeking additional comment on whether we should require all Huawei and ZTE equipment in communications network in the U.S. to be pulled out of that network and replaced with secure equipment.

So importantly, this discussion is not just about network security in some narrow technical sense.  It’s also about what I’ve described as 5G values, values that China very clearly does not share.  Indeed, President Xi told security officials in January that China does not walk the Western road of constitutionalism, separation of powers, or judicial independence.  I think that’s an understatement.  Chinese tech companies have a track record longer than a CVS receipt of illegal and malign conduct: violating sanctions, stealing IP, reported lying about extensive partnerships with military apparatus, and oppressive state surveillance activities.

So part of this conversation and similar ones taking place around the globe is about our shared 5G values.  We need to work together to ensure that companies supplying the equipment and services integral to 5G networks are ones we can trust.  And I’m pleased to report that we’re seeing many countries recognize this position.  In March, the European Commission released a set of recommendations to improve 5G security, which include assessing the risk that equipment vendors could be influenced by third-party countries.  More recently, in May, the Czech Republic hosted representatives from more than 30 countries to build a common approach to 5G security, and that effort produced the Prague Principles which are a set of recommendations on how to build a secure and trustworthy 5G network, which, again, recognizes the risks of a third country wielding influence over an equipment supplier.

Australia issued 5G security guidance to protect their networks, including from vendors who are likely to be subject to extrajudicial direction from a foreign government.  Japan has imposed requirements to take cybersecurity measures, including ones to respond to supply chain threats.  Taiwan has extended its existing measures regarding trusted equipment vendors to cover all 5G government networks and critical infrastructure.  And most recently, U.S. Vice President Mike Pence and Polish President Duda signed a memorandum of understanding on 5G security.

So we’ve seen a great deal of progress on securing 5G networks over the course of the past year.  I’m confident that this progress will continue.  And I look forward to answering any questions you may have.

MODERATOR:  And we’ll go next to Thyaga.

MR NANDAGOPAL:  All right.  Good morning, everyone.  Thank you for – thank you to State Department for giving us an opportunity to brief the press.  At the National Science Foundation we have long believed that security and connectivity are the foundations of the digital economy, and part of this foundation also implies an implied trust that the networks and the systems we put in place work the way they’re intended to do, right.  So I think that’s a critical piece that we can all acknowledge that if we lose faith in our systems, then we will no longer use them.  And digital economy depends on people using them widely and sharing the benefits at every member of every aspect of society.

So one of the things that we have done to advance this is we invest heavily in all of these aspects in the networking and the connectivity space.  We invest over $60 million each year into advanced research that kind of demonstrates the feasibility of new systems that can become the foundations and cornerstones of communication networks.  So what we call as 5G has started with our investments more than 15 years ago from the National Science Foundation, and today, we are looking beyond 5G and continuing to invest in those.

Similarly, in the security space, we invest every year upwards of $80 million in securing networks and systems across the digital economy.  So through our secure and trustworthy cyberspace programs, which have – has seeded a lot of interesting research into identifying vulnerabilities, protecting systems, and also developing the future workforce that can protect us from future attacks and vulnerabilities.  So these are things that the NSF strongly values and continues to invest and put money behind these principles.

With that, I want to identify why vulnerabilities are a critical piece of software that everyone has to pay attention to.  Let’s think about the networks we use today.  We think of 4G and LTE as the networks that drive discussions today.  However, an often overlooked fact is that this thing called soft SMS that we all – the text messaging that we all rely on is based on a system from the ’90s called Signaling System No. 7 – SS7 protocols.  So these protocols were developed back in the ’90s, nobody had a look – a behind-the-scenes look at how these things operated.  Engineers designed it, they put something in place, and it turned out there’s a bunch of software vulnerabilities that existed in those that were never really paid attention to.

And now, with – everyone knows that if you’re doing a banking transaction you get a SMS code on your phone that tends to ask you to confirm, “Hey, this is you, right?” if you enter this code on your text.  Now, there are attacks that are being discovered even today that allows any third person to pretend it’s you and it’s your phone that’s receiving that text, and basically bypass any kind of two-factor security that modern financial systems rely on to a large extent.  In fact, folks may be aware, Twitter recently opened up – they used to have just a phone-based authentication.  They have now added additional options to allow – to bypass not just what had a single phone-based model, but also other authentication models because of the recognition that this matters and are secure.

Now, why does it matter here?  This vulnerability that I’m talking about is just one example and it’s a software vulnerability, right.  It is not something that had this legacy system that has been in place for more than 30 or 20 years now, and it still continues to this day.  And why have now no one patched it?  It has not been patched because it’s what we call as a legacy system.  Once you put in a piece of software and it runs on for a while, and people move on to writing more advanced stuff, now the old knowledge and the design principles that govern those decisions are in some sense lost, and some of these vulnerabilities are not discovered in time.  And you discover them much later, many years down the road, and those vulnerabilities often end up revealing critical flaws that can be exploited by a malicious actor and bring down entire networks, right.  And not just entire networks, but compromise – more critically, compromise data, right, make you vulnerable to snooping, right, loss of privacy and your assets – financial information.  So those are – that’s why it’s very important to pay attention to software security.

There is also a lot of discussion that has happened in the past about hardware security.  The emergent nature of hardware and the intel – very complex designs that have gone into modern systems have – create areas where such vulnerabilities can be inserted into the supply chain, by like someone who’s assembling a chip.  They could put in an extra chip on the board that, if unverified, could be triggered remotely at a much later time.  It can pass design checks, functional design checks for example.  But it could be triggered at a later time when you are least expecting it.

So there are vulnerabilities on both ends, but I specifically want to call out software vulnerabilities, because one key facet of 5G networks that folks are really touting as a positive is the ability to do a lot of functions that previously used to be done in hardware in the software domain.  So why does that confer an advantage?  5G, by virtue of doing a lot of these functions in software, allows for quick development cycles.  You don’t need to change the equipment in the field; you can just simply push a remote upgrade to your software to the base station on your device and suddenly it can do some new things it was not able to do before.  You don’t have to send people to climb up towers or upgrade systems on the fly.

So software-based functions allow us to generate and develop new capabilities for 5G networks really quickly and also to scale, to make this network support more people and more devices with less effort, which is why it’s highly desirable.  However, it also – if improperly designed, the very software-based architectures also opens up these networks to more attacks, right.

And one can always talk about auditing a piece of software before it’s deployed.  So yes, when I create – well, when I audit a network, let’s say – it doesn’t matter which vendor it’s from – I could ask the vendor to demonstrate the code and say, “Show me the entire code, let me check it, verify it before I put it on the network.”  It will pass all the security checks.

However, when there is a performance upgrade, when there is a minor issue that you face, you’ll want to call the vendor.  Operators always call the vendors and say, “I have this problem.  Can you fix this?”  And they will say, “Well, here is an upgrade.  I’m going to push this out today.  Can I do it?”  And you will not have – often there is not enough time to do a full-scale, again, audit of that update, and therefore you can always introduce vulnerabilities into the system.  Whether it’s intentional or unintentional, these things can happen over time.

And the history of operating systems is a great example for anyone who has seen this.  You have seen patches, and patches to fix problems caused by patches.  And the current IT ecosystem or IT development ecosystem is not set up to support quick and rapid audits or real-time audits of all the code that comes up.  This is an area that the National Science Foundation has been investing a lot through its investments in formal methods and verification processes, but there’s a lot more work to be done.

And the fact that 5G has a lot of the software components is what makes it much more vulnerable to security threats, right.  And again, it’s better to start with a model that incorporates security by design and follows through with sound, valid scientifically verified implementations.  So even the current 5G standards have – even though they have put in a lot of effort into addressing some of the security concerns, whether it’s preventing use of Stingray-like devices on a 5G network and so forth, there are many design choices that have been put in place, but those design choices always – do not always in any combination do not lead to sound, secure implementations.

There are certain ways of verifying that certain choices are more secure than others, and these choices often come at the expense of performance.  So if you want a highly secure system, it may not be as – it may not produce probably as much throughput as a completely insecure system, because it’s a performance penalty to be paid ensuring that the traffic and everything is secure.  So operators have to, in some sense, make a design choice at times.  Okay, do I compromise on security or performance, or do I find a sweet spot?  And the standards of design to allow all of – all these options.

So being able to have a correct implementation that is secure does not always – it’s not always guaranteed.  And therefore every country that is relying on an operator deploying a 5G network has to always think about, “Is this design implementation secure?” right.  And we do not have a way to validate those things on the fly, once again.  A system engineer can essentially go and say, “I’m going to tweak the system to probably better performance because I’m experiencing high congestion in this particular cell tower,” and that could open up a flaw, right.  Because we still don’t understand the impacts of all of those changes.

So there is a lot of work that needs to happen.  So I would argue that continuous visibility and real-time validation of network behavior is very, very important.  And the ability to audit a network at any given time – what they call the spot checks of a network – is very, very critical.  Which is why having this ability into the vendor’s code and their processes is extremely important.  And I believe the commissioner has spoken a little bit about the challenges to that effect.

So I will basically leave that there, saying that the current standards process, while there is a lot of efforts being made to secure networks, it’s – we can appreciate that, but it is not the be-all and end-all.  Because there is always rush-to-market concerns and the ability to make money out of the deployed networks that kind of override sometimes the performance hits that providing a fully secure network will cost.

So we need a lot more work to be done, but there are certain common principles that I articulated earlier about being able to audit and verify and validate in real time that every operator and vendor needs to be able to support.

MODERATOR:  Thank you.  Adam.

MR HICKEY:  Good morning.  I’ll begin, as my colleagues did, with thanking the Foreign Press Center for hosting this – Cheryl, you in particular – as well as all of you for being here today.

In my job at the Justice Department, I’m responsible for supervising our investigations into both computer hacking and the theft of trade secrets sponsored by foreign governments, in addition to our foreign investment security reviews, or the CFIUS process as you may know it.  And across my portfolio, I have seen how actors can use and exploit access – that equipment and service providers have – to their customers’ networks.  Let me give you a couple examples.

Last December, we unsealed an indictment charging two Chinese nationals and charging them with hacking into computer networks of managed service providers and using that access to target MSP customers around the world in at least a dozen countries, including in Europe.  Now MSPs, as you may know, manage the IT infrastructure of some of the world’s largest, most significant companies.  And the defendants are accused of exploiting the MSPs’ access to client networks and using that access to steal the clients’ intellectual property and confidential business information.  And the indictment also alleges that the defendants were doing this in association with the Chinese Ministry of State Security.

And the second example, in 2017, we resolved a criminal investigation of a software company that had been hired as a contractor for the Defense Department.  And during our investigation, we determined that the source code for DOD networks was being written by employees in the company’s back office in Russia.  Because it was stored in Russia, it was susceptible to being intercepted by Russian intelligence services, pursuant to a legal regime known as SORM.

So when we look at 5G, we are increasingly concerned about the security of our telecommunications networks and their supply chains.  We are more concerned because, one, more and more functions will depend on those networks.  It’s not just about our phones.  More devices and services will be connected, meaning that human life and safety as well as traditional government functions are going to ride on those networks.  Second, our national defense is going to depend not only on our networks but those of our allies as well.  And third, traditional mitigation measures like segregating and securing the core of the network won’t be sufficient.

Too often, we talk about security in terms of evidence that a provider has already stolen data or disrupted services; but if you wait to see a smoking gun, you might end up taking a bullet.  It matters whether a provider in question has already willfully violated other laws, obstructed justice, or stolen intellectual property.  It matters whether it behaves in an anti-competitive or abusive matter – manner, rather.  It matters whether it operates under an authoritarian government, where it can be leveraged in the future at a time and place of that government’s choosing to serve that country’s national interests.

The providers we choose to build the next generation of telecommunications networks must be trustworthy because we are entering a long-term relationship with them.  It’s not going to be possible to audit everything they do.  We’ll have to rely on their good faith and their respect for the law.  That is why we need to support the evolution of trusted markets, trusted sources of supply for telecommunications equipment and services.  Among other things, a trusted market is governed by the rule of law, where government requests for information are checked by statutes and regulations and an independent judiciary, and corporate structures and financing are open and transparent.

Part of how we achieve trusted markets is to recognize that security is a feature worth paying for; or to put it a different way, that the cost of a product or service includes not just the money you pay for it but also the consequences of future theft and disruption it enables.  Paying more at the front end, in other words, can reflect the value we place in trust and security in the long term, and certain actions the USG is taking now which prevent the use of untrusted providers in certain contexts correct for distortions that currently exist in the market for telecommunications equipment and services.

Commissioner Carr referred to a letter that the attorney general recently sent to the FCC, and I’ll quote from it briefly.  As he wrote in that letter, the market is “wildly distorted” by state funding, and indeed that might be the point – “to lock up as much of the market as possible” and “lead to irreversible market dominance…causing unmitigatable harm to our national security.”  Avoiding that and promoting trusted, diverse, and free markets is a Department of Justice priority.

And I look forward to taking your questions.

MODERATOR:  All right.  Thank you all for those opening comments.  We will open the briefing up to questions and answers.  We will be using the handheld mikes, the wireless mikes, so please wait for the microphone before you ask your question and state your name, outlet, and country that you’re from.  And we may have one or two questions from our journalists who are participating from the New York Foreign Press Center, and thank you very much.

I think first we’ll call on Jan from Czech Radio, if you’re – yes, go ahead, in the back.

MR CARR:  Not Jan.  Looked like a Jan.  (Laughter.)

QUESTION:  Hi, good morning.  My name is Jan Kaliba.  I am from Czech Radio, the public broadcaster from Czech Republic.  You mentioned (inaudible) conference, and we are an example of a country with some kind of cultural war between the political representation who favor China and speaking favorably to China and supporting Huawei to take part on building 5G network in the Czech Republic as a member of EU and NATO, and on the other hand part of the political representation and also the national security agency and cyber security agency telling people that there are the threats you are describing here.

So now the time is important for the future of building the 5G network, so what’s your communication right now towards Czech Republic or similar country who will decide soon regarding the future of building this network, and how would it – what effect would it have on the relations if the Czech Republic go forward and allow Huawei or Chinese companies to build 5G in the country which is an EU and NATO member?  Thank you.

MR CARR:  Yeah, thanks for the question.  I think right now where you see the FCC and the State Department is engaged extensively overseas, I think we’re making a lot of progress.  I mentioned some of the countries that have taken action recently.  The goal is to make sure that every country has secure, trusted vendors in their network, and we’re making progress on that.

I leave it to the State Department to talk more broadly about U.S. relations with countries that may have insecure equipment in the network.  But from what I understand, I’ve heard State Department officials, I believe, talk about needing to revisit the nature and extent of information sharing if countries do have a significant amount of insecure equipment in their network.  State will be able to speak more directly to that issue, but that’s my understanding of where things currently stand.

MR NANDAGOPAL:  I heard this question from some countries that talk about, oh, we have to deploy our 5G networks now, so we have to make these decisions and we are struggling with which vendor to go with.  One – a different way to look at the problem is this:  What is the rush to get into a decision right now?

So one of the – many of the touted benefits of 5G come from having a 5G RF network plus a 5G standalone core network, so it is important to point out that many of the core standards of – that define the standalone core have not yet been defined.  They are still in process of ratification, so we are talking about at least a couple of years before the equipment that can guarantee or provide the full-feature set of 5G are going to be out in the market.

So I want to kind of clarify that it’s not like there is a 5G network that’s going to be fully full-featured and going to promise all the benefits ASAP.  It’s going to be incremental process.  Clearly, the U.S. and China and many other countries are deploying early versions of it to keep exploring the gains, but for many countries there is also value in kind of waiting to see the entire features that come out, because in some sense every upgrade is also going to cost you money.  So there may also be value in just waiting to see the entire features fully deployed before plunging headlong into a large-scale, country-wide upgrade of the system, especially for smaller countries.

MODERATOR:  Next question.  Renzo.  Could you make sure the microphone is on as well?  Okay, thank you.

QUESTION:  Hi.  Is it on?

MODERATOR:  Continue.  Thank you.

QUESTION:  Okay.  My name is Renzo Ruf.  I work for CH Media, which is a group of newspapers in Switzerland.  I have a DOJ question.  In Switzerland, we have a telecom company that wants to work with Huawei.  Would there be consequences when it comes to legal issues?  Because Switzerland is a market economy, so the country won’t tell the company that it can’t do that.

MR HICKEY:  Will there be legal consequences in Switzerland or here, are you saying?

QUESTION:  Bilateral, sort of.

MR HICKEY:  So I take the question to be very similar to the first question, which is what happens if other nations choose untrusted providers.  And like Commissioner Carr, I think the – formally I defer to the State Department, but we will have to think about how secure is the information we share with other nations.  We take that into account now, right.  We fold into determinations about what we share, “Well, is someone else going to be on that network and see what we’re sharing with that government?”  So you can play it forward and recognize that we’ll probably have to make a similar calculation in the future.  Whether there will be legal consequences, I’m not sure I follow quite that, what you might be thinking of when you say that.

QUESTION:  Because it’s a private company —

MODERATOR:  Could you wait for the microphone, please?

QUESTION:  Thanks for this.  Because it’s a private company, would you sanction the whole country if a private company makes a decision to work with one of these Chinese companies?

MR HICKEY:  Yeah, I’m not making any kind of prediction as to sanctions or any kind of legal consequence in the way you’re asking about it.

MODERATOR:  And just as a matter of course, questions about any sanctions would be referred to the U.S. Treasury.

MR HICKEY:  I think – look, the point of a briefing like this and other briefings is to lay out facts with the hope that you will take our point of view and some of the evidence we’re pointing to back to your consumers, and so that those – your constituents and also political actors will read our point of view and weigh that in the balance of the choices that they make.  I don’t think any one of us is up here today to issue any kind of threat or ultimatum.

MODERATOR:  Thank you.  Next question, Beatriz, in the back.

QUESTION:  Thank you.  Beatriz Navarro with La Vanguardia.  I see your point that, I mean, the whole issue of this briefing is to warn other countries about the risk of 5G, but many countries have already made up their minds, like Spain and some other big EU countries.  I wonder what do you think about their mitigation effort.  Is there a way to mitigate the risks that emanate from the 5G technology?  Thank you.

MR CARR:  Well, one concern that we’ve had at the FCC when it comes to Huawei equipment, and part of what led to our decision last week to stop federal funding for carriers that put Huawei equipment in their network, is that it’s very difficult given the way that Huawei gear is designed and deployed to engage in mitigation tactics.

So a lot of vendors, for instance, in the equipment space put out essentially stock pieces of equipment that you could send to some sort of lab and check for issues before it goes into the network.  The way a lot of the Huawei gear is deployed is it’s bespoke, and so they will send individual engineers out into rural communities in the U.S. to install, to code, and to custom build.  And from their perspective, they offer that as a bonus that you are getting custom equipment.

From our perspective, that presents another level of risk because you can’t test an out-of-the-box piece of equipment and know that’s the same box, the same coding that’s going to go into the U.S. network.  So that’s part of what was underlying our decision is the difficulty of some screening and mitigation measures that have been used before.

MR NANDAGOPAL:  And then for countries that have already decided that they have to go with at least one – a particular vendor, I would always argue that it is in the country – it’s in the company’s financial interest, the provider’s financial interest, to create diversity, as Adam just pointed out, that – because diversity means you are able to play off of market forces and help them compete against each other.  So you want to have a diversity of vendors because, hey, if there is a flaw that affects one part of the network, at least you can ensure that the network is robust because other parts of the network will still continue to operate and survive.

So there is value in ensuring that you are not making any exclusive contracts or offers to any – I mean, so just financial savviness for these companies and operators to make the decision not to just go all in with one, but ensure there is financial diversity.  And that’s the way U.S. markets behave.  U.S. operators always have a diversity of suppliers for – in all of the equipment, and I think it’s a wise move that others should probably think about.

MR HICKEY:  Let me offer three quick points.  With respect to mitigation, I think it was Commissioner Carr who said this, that the architecture of a 5G network is going to be fundamentally different from prior legacy networks.  One simple difference is that the current 4G model, essentially the core, the center of the network, the node through which information passes, if you prioritize security there, the thinking goes the endpoints are less consequential.  5G isn’t going to have that concept of a core; it’s going to be more distributed.  So it will be much harder to say, well, this is the part that matters more than the part that doesn’t.

Second, if you want to know how well mitigation works in certain circumstances, maybe read how others have tried it.  And I know the UK has its national security – National Cyber Security Centre, which has a security center devoted to auditing Huawei equipment.  They’ve put out public reports, and you can read in those reports their assessment of Huawei code, how – I don’t want to use the word “buggy,” but how buggy it is or how many – how difficult it is to audit, and their prediction as to whether they can assure the security of that network.  That gives you, I think, an indication of what it’s like to try to mitigate in that context.

And third, being a prosecutor, my optimism is limitless.  I think we are seeing more receptivity to our message, and that receptivity is often behind closed doors.  I don’t hear a lot of people, when we meet with them, disagree with our assessments as to threat and risk.  They may make different – I’ll call them business decisions in the short run, but I think actually we are persuading people of our view.  There may be different decisions on the margin, but I don’t know that the world is as locked in as some would have you believe.

MODERATOR:  Thank you.  Is that Bas?

QUESTION:  Yeah.

MODERATOR:  Okay.  Hi, Bas.

QUESTION:  Hi.  I’m Bas Blokker.  I’m from the Netherlands, from NRC newspaper.  I hear what you just said, and I wanted to follow up on this because, as you said, behind closed doors they say different things sometimes than outside.  What we keep reading is that, for instance, UK says those security risks are manageable and that – this morning I read that the German secretary of economics said we are as afraid of U.S. espionage as of Chinese.  So what’s going on there?

MR HICKEY:  Well, I’m not going to speak to any particular government.  My own experience in the U.S. Government is that different officials might put things slightly differently depending on who you talk to within the government.  My sense, I’ll repeat it, is that the arguments we’re making about threat and network architecture and the value of security, more or less they are getting a warm reception.  That may mean because of budgetary or other constraints some nations may make different choices in the near term, but that doesn’t mean that there is a binary choice and we have, quote, unquote, “lost” the struggle for 5G.  I don’t think it’s going to look quite like that.  As Dr. Nandagopal laid out, this is a longer term infrastructure development.  So we – you’re seeing us as part of a longer term strategy trying to educate the world about how we think about it.  I don’t think – this is not going to be decided before the end of 2019.

With respect to legal regimes, there’s a very big difference – and if you want me to go into more detail I will – between the Chinese national security law and the statutes and regulations and procedures we have in place here that allow for the collection of information subject, of course, to challenges to an independent judiciary.  I think the differences between the two systems are pretty clear.

MR NANDAGOPAL:  I think even within the countries that you mentioned, it has to be recognized that it’s not a unilateral or unanimous voice that is saying those things, right.  There are differences of opinions and I would argue that, like what Adam was saying, there’s a lot of what you call stakeholders within those countries that agree with all the points that are being made at this stage right now.

MODERATOR:  We have time for one or two more questions.  And do we have any of our journalists here from Asia who had a question?  Okay, not at this time.  Please, go ahead.

QUESTION:  My name is Martin.  I’m with NZZ Switzerland.  We hear about 5G networks going up in the U.S. to a limited extent by the large U.S. telecoms.  What are we to make of the security of those early networks going up?  First question.

The second question:  The U.S. is really endorsing Ericsson from Sweden, Nokia from Finland, and Samsung from South Korea here as trustworthy vendors.  How do you ensure that they remain trustworthy, how do you work concretely with them?  And maybe a third question to Adam:  How does the Commerce’s proposed rule from this morning about securing the supply chain of ICT interact with the CFIUS process?  I’m not exactly —

MR HICKEY:  Sure.  I’m happy to clean that one up after my colleagues answer.

MR CARR:  So I’ll start with the 5G buildout in the U.S.  Right now, the U.S. has the largest 5G build in the world.  We had about 13 cities get 5G last year.  We have about 30-some odd cities today that have 5G, going to about 42 cities by the end of the year.  Those builds up to now have been by some of the largest providers in the U.S.  Those are providers that almost exclusively made decisions years ago not to include some of this equipment that’s at issue today in those networks.  It’s a lot of the smaller, rural providers that are not first to 5G.  They’re still building out 4G networks that are the ones that up to now have had a lot of the Huawei equipment in their networks.  And so that’s principally been the focus of our actions at the FCC as opposed to those larger network providers that don’t have so much of the equipment in it.

I think your point about other countries that have vendors in the space, I think that’s further evidence that the FCC position here, the U.S. position here, is not one of economic protectionism.  We don’t have a national champion in this particular space to the extent that you have with China and Huawei.  And again, I think if you look at the confluence of evidence, both some of the structures that are in place in China, the lack of an independent judiciary, the unity of interest often between these companies and the communist regime, and then some specific actions within these companies that set them apart from those other companies that you mentioned.

MR NANDAGOPAL:  So with respect to verifying existing stuff, right.  So one of the things that I can speak in support of the companies in the U.S. is that they are making a commitment to open source code and projects.  So one example – like an audible example is the ONAP – ONAP; Open Networking Automation Platform – that has partners from pretty much every stakeholder within the United States networking communications community who are participating to create open source code base that will help automate and orchestrate resource allocations on these 5G networks.

Now, why is this important?  Because this is open source.  There is a larger community of people who are looking at this.  They can identify problems and verify and validate issues with them ASAP.  And these are the – this is the code that gets deployed on networks.  So that commitment is open – to open source is something that is probably somewhat more unique of the countries in the Western world to some extent.  I think the other countries tend to leverage open source, but not contribute as much.  So that’s another way of providing the stability and to making sure these networks are secure.

MR HICKEY:  And to answer your third question.  So Mr. Carr referred to the President’s executive order in May.  The proposed rule that came out this morning is a proposed regulation implementing that executive order.  It’s out for comment, so it’s not a final rule; it’s a notice of proposed rule-making.

The way I think about CFIUS is it’s capital inflows into the country.  This EO and that rule relates to the purchase of goods and services from abroad.  So rather than capital inflows, think of it as the inflows of goods and services.  So it’s a separate legal regime.

MODERATOR:  Thank you.  And we’ll take our last question from New York.

QUESTION:  Claudio Pagliara from RAI (inaudible).  I would like just to get some more accurate answer about a specific country – my country, Italy, which is in close talks with China about 5G.  So which kind of consequences for a country which is a strategic ally of United States, like Italy, if Italian Government would decide to go on in this direction?  Thank you.

MODERATOR:  Thank you.

MR HICKEY:  So I think I – like I said a few minutes ago, we’re not here to threaten or scold; we’re here to share information.  We’ve expressed our concerns that if you use 5G equipment, or part of a 5G network includes equipment from an untrusted provider, there are likely to be greater risks of consequences, both to the theft of information and the disruption of that network.  So that is the bottom-line message of what we’re saying, is 5G networks are going to matter more than the phone network you use right now.  It’s going to carry more data and be more of a critical part of our life and critical infrastructure.  And so if you don’t trust who’s building it, you are leaving yourself open to problems in the future.

And at this point, I think we will leave it to our allies hopefully to internalize that information and make decisions based on it.  And we’ll see where it goes.  But I think, as I said, we have the sense that this is a longer term problem, this is a big problem.  It’s not going to go away in a few months, it’s not going to get solved at the press conference.  I think we’re going to continue to share information and our experience as we can going forward.

MODERATOR:  Great.  If there are no further burning questions, we have just another minute.  And seeing none, we’ll end it there.  I’d like to thank all of our briefers for being here today.  Thank you so much, as well as to our journalists.  And with that, we will conclude the event.

U.S. Department of State
