
3 September 2019

Every telecom company can be hacked and “everybody should be suspect,” Huawei USA’s chief security officer says

By Eric Johnson

In May, President Trump signed an executive order aimed at Chinese telecommunications giant Huawei, authorizing the federal government to block sales of equipment from “foreign adversaries” to American companies.

The fear, boiled down to basics, is that because China’s government has historically had close control over its tech industry, it could force Huawei to let it spy on American networks. Trump’s executive order was supported by FCC chairman Ajit Pai, who in May said, “protecting America’s communications networks is vital to our national, economic, and personal security.”

An ensuing ban on US companies doing business with Huawei has since been postponed twice and is currently set to take effect in late November. The ban was delayed because many small wireless carriers, especially in rural areas of the US, have come to depend on Huawei’s cheaper equipment.


On the latest episode of Recode Decode with Kara Swisher, Huawei’s chief security officer in the US, Andy Purdy, said the US government should scrutinize foreign telecom companies — but it should do so equally. He called for the creation of “objective and transparent” standards by which the government could evaluate the security of telecom products.

“Back when Edward Snowden released information about the PRISM program that was allowing the US government to spy all over the world, there was a situation where the US government was using Cisco equipment to spy elsewhere in the world,” Purdy said. “There was a question, well, did Cisco let them or did the US government hack into Cisco products? It doesn’t matter.

“China and other countries can hack into everybody’s products around the world,” he added. “They can hack into Nokia and Ericsson. You will say you’re only worried about China, that doesn’t mean that you don’t have to have a comprehensive program to evaluate all the products to make sure we’re safe.”

Purdy, who previously worked in the George W. Bush White House and the Department of Homeland Security, also raised an eyebrow at Pai’s support of telecom regulation, saying of American-based operators: “I trust them a lot more than I trust the government to say you should do this and that.”

“Everybody should be suspect,” Purdy said. “I mean, that’s the bottom line ... when we talk about fear from China or wherever, the telecom operators have an absolutely critical role, and so we need to make sure there are programs to make sure they are conforming to the kinds of measures that are best practiced. You have to have measures to make sure — independent verification of all the products — to make sure bad guys haven’t hacked into anybody’s products.”

You can listen to Recode Decode wherever you get your podcasts, including Apple Podcasts, Spotify, Google Podcasts, and TuneIn.

Below, we’ve shared a lightly edited full transcript of Kara’s conversation with Andy.

Kara Swisher: Hi, I’m Kara Swisher, editor-at-large of Recode. You may know me as someone who is waiting for someone in the US government to say, “It’s my way or the Huawei,” but in my spare time I talk tech and you’re listening to Recode Decode from the Vox Media Podcast Network.

In all seriousness, today in the red chair is Andy Purdy, the chief security officer of Huawei Technologies USA. He previously worked in the White House under George W. Bush and then at the Department of Homeland Security, where he helped launch the Computer Emergency Readiness Team. As you probably know, his employer now finds itself in the middle of a messy dispute between the American and Chinese governments. Andy, welcome to Recode Decode.

Andy Purdy: Thank you. It’s good to be here.

So why don’t we give everyone an update. I want to get into your background and how you got where you are because you have a really fascinating background, but give an update of where we are with Huawei and the US government and the Chinese government.

Well, there are a lot of moving pieces right at the moment. This week, President Trump announced that there would be a 90-day extension of the limitation on American suppliers to be able to sell to Huawei, about $11 billion worth of technology comprising about 40,000 to 50,000 American jobs that are at risk in this.

Explain what they are, what they’re selling. Let’s assume people don’t know, aren’t following every turn of this.

It’s a part of a multipronged effort by the government against Huawei, this part focusing on our suppliers, basically alleging that there is national security concerns about what these companies sell to us, these silicon companies.

President Trump met with I think six CEOs of the companies a couple of weeks ago at the White House. So basically, unless the license is granted to an individual company to sell to Huawei, Huawei cannot buy from that company after the expiration of the next 90 days.

Right, so they’ve extended it 90 days.

Right.

And why extend it 90 days?

Well, we’re in the middle, in the crosshairs between US and China in the trade talks. Not a position that we wanted to be in, not a position that we’re happy to be in, but it appears to be that we seem to be part of some kind of three-dimensional chess and it’s not really clear where it’s going to end.

I think most Americans ... We favor a trade deal with China, but right now there’s so many different moving pieces that it’s really hard to tell whether that’s going to happen and if it’s going to happen, when it’s going to happen.

At all. So, these companies, including Google and many others, sell things to Huawei.

Yeah. Microsoft, Intel, Qualcomm, etc. Yes.

Right, and these parts are used — I’m sorry, I’m not trying to be stupid, I just want people to understand — they are used in various technologies that Huawei deploys.

Various kinds of telecommunication gear that we sell around the world. About 30 percent of all Huawei components for all of our global products come from US companies. If we can’t get this resolved, if our suppliers can’t get it resolved, we’re going to have to find another avenue.

And the argument that the Trump administration and others are using is that Huawei is a national security concern and allowing you ... kind of putting you in a boat with, say, Iran, and giving any help to you all will hurt our national security.

Well, it’s interesting. That seems to be the position of some of the ...

That’s what I mean.

Anti-China, anti-Huawei folks. Some of the others are saying there needs to be — and President Trump has said this at one time or another — that there needs to be scrutiny of what we buy, as to whether or not those particular products have some special national security significance or they’re particularly rare or something like that, that perhaps a decision would be made that we would not be allowed to buy those.

But right now, it’s reversed, so that the presumption is that we can’t buy any of those things. So, those companies have to apply for a license to be allowed to sell us any of the things.

Exactly, exactly. And it’s also against the backdrop of President Trump tweeting against Google very frequently about them being treasonous and helping... There’s a lot of pressure in lots of ways in this and it is all part of the trade talks and the idea of advantaging China, essentially.

So, let me go first into your background and then we’ll get more to where we are in the state of play in terms of security, because I think one of the issues is, what is a global company? What is a country and what are their national security interests and where we are as a technology community from a global perspective, because I think that’s one of the issues. Talk a little bit about your background so people get a sense of what you’ve been working on.

Well, I was a lawyer for a long time. I was a federal prosecutor, worked on three congressional investigations, worked for the House Select Committee on assassinations, for example. And I was acting general counsel of the US Sentencing Commission, so I have a lot of experience in terms of corporate compliance, which is an aspect of what we’re talking about.

In my work at the Sentencing Commission, I came to do a lot of work on new technologies and the kinds of punishments appropriate for those. As it happened, when the White House set up a team to write the US national strategy, I was asked to be a member of the 10- or 12-person staff that wrote the strategy that President Bush released in 2003.

Can you explain what that was for people, the sentencing?

Basically it was a high-level strategy of how the United States could take a more coordinated strategic approach. Essentially what we need to worry about as a nation, what we need to do about it. Everything from national security threats to cyber security awareness, user awareness, that kind of thing, and trying to set in motion, creating the capabilities for our government and our critical infrastructure and our users, to be more secure from a cybersecurity and privacy perspective.

And those would be attacks on everything from the grid to banks to anything at all.

Yeah, exactly.

So, explain the Computer Emergency Readiness Team.

Well, it’s US-CERT. I ran the national cybersecurity division, so I was the lead cybersecurity official in the US government, but the CERT, the US-CERT is one of many CERTs around the world that shares information about attacks, about discovered vulnerabilities in products and networks, and works together to collaborate to try to make sure that the key stakeholders understand the risks out there and that the risks are managed and there’s prompt response to threats so we can prevent them from becoming much more serious.

Talk about those threats. What are they at this point? There’s been a lot written about grid attacks. There’s been a lot written about banks. Every time there’s an airline outage, I’m like, “I wonder what that was?” Even though sometimes it’s just ...

Well, I think the reality in the years since I left the White House staff, which was 16 years ago, the biggest cybersecurity issues, with a couple of exceptions, have been data breaches. So there’s been a lot of talk about what’s necessary for cybersecurity, what’s necessary to protect privacy.

But as a nation, we haven’t come that far in terms of having robust capabilities to assess the risk, to manage the risk and promote resilience. As our technologies move from what they’ve been, from an analog to a digital world, we are going to become much more dependent as a nation. Our governments, our critical infrastructure, our private organizations, our citizens, are much more dependent on information and communication technologies.

Well, we have. I mean, we’re kind of there.

Unlike in past years, where some of the worst things that you had to fear, and there were a couple of exceptions, were a data breach, now as we, in the next five to 10 years, become dependent on these systems for everything — for sensors, sensors to machine, machine-to-machine communication — almost everything that we do will be intertwined with that, so we’re going to be increasingly dependent on the functioning of government and critical infrastructure for our way of life.

So, the bad things that can happen in the cyber world can be much worse than they have been heretofore. So we have to be prepared from a security perspective. We had organized the effort for the national strategy to secure cyberspace in the aftermath of 9/11, and one of the key concepts of that was, you don’t wait until you know the bad guys are going to start training on flying airplanes into buildings.

You have to look at what the fundamental risks are, the threats, what the vulnerabilities are and the consequences if they go bad, so that way we can be secure as a nation. That’s what we’re struggling to build, those kinds of capabilities.

So, where are we right now? What are the biggest threats? I mean, you talked about data breaches, obviously, and that’s more around privacy and consumer... It’s more about fraud, essentially. From your perspective, what are the ones we’re facing the most? Including state actors like China or Russia or Iran and anybody else, it’s been more Russia moving in on the United States. In certain ways, it’s been Iran. It’s been lots of different countries. North Korea.

Yeah, the biggest concerns certainly are and have to be from a national security perspective. What could nation states do to impact this? So, the potential of affecting our command and control, for example, if we’re in a kinetic war, military force, the possibility that a series of sophisticated, prolonged cyber attacks could lay the groundwork for some kind of a military attack. Those kinds of things. To make sure that we control the battlespace, to make sure we have access to information, to make sure our society can function, including our defenses. That’s probably one of the biggest things.

And of course, people fear attack, say, on the power grid. If you can bring down the power grid, that could be part of sustained kind of attacks or other kinds of attacks. As we become dependent on these systems, the data, and we often talk about personal data from a privacy perspective, but the data on which the networks and systems function.

For example, the banking system, the Swift data, we have to not only have the information, we have to have accurate information. So, if the bad guys can either block us from having the information or they can corrupt the accuracy of the information so we don’t know where it’s corrupted, it could shut us down in devastating ways. So there are a number ... those are some of the kinds of things that we’re really worried about.

Even just the Russian bot stuff, even just on regular information, shows how easy it is to do that. In fact, that’s actually really effective. It’s sort of muddying all the waters so that you can’t see anything clearly, essentially.

Well, and when you look at things like spam, which can contain an awful lot of malware, and these botnets, these organized networks of bots, which are basically computer robots, your computer can be taken hostage by somebody and you don’t even know what’s happening.

So, the ability to launch attacks from millions of computers using these techniques, that creates this white noise of cyberspace, that makes it easier for the bad guys to operate hidden in that white noise. They don’t have to use the most significant sophisticated cyber threats. They can use normal threats because everything is a little too vulnerable.

Right, absolutely.

So, we’ve got to try to drain the swamp on that, so that way we can see the more sophisticated attacks and attribute to whoever’s doing it the fact that they’re doing it and we can force them to stop.

We’ll talk about the elections in a little while, but right now, where are the biggest threats for the government and here in the United States?

Well, essentially the US government and I think most governments use a risk analysis. For example, the UK does an analysis of the communication networks. They say, “Okay, well, the communication networks are essential. What are the key nodes? What are the key parts of the network?” So, let’s find out what those are. Let’s identify the risks to those. Let’s make sure there’s diversity of supplier, more than one supplier for each of those. Make sure there’s not somebody who has too big a market share so that way you can promote resilience because you want to make sure things are up and running.

In the US, our communication, AT&T, Verizon, the major companies, they’ve worked very well in a voluntary way with some direction from our Federal Communications Commission to try to identify what are the priorities for managing the risk and maintaining the resilience of our communication networks.

So, there’s been an awful lot of public-private collaboration to do that. Department of Homeland Security has just launched ... is coming out with some results of an effort. Let’s analyze 5G risk. What do we need to worry about? What do we need to do about it?

We’ll get into that in a minute, yeah. So, when you’re working for ... How did you get to Huawei?

Well, I worked at a number of jobs after I left the Department of Homeland Security, working for a number of small startups, and then I was at Computer Sciences Corporation, a defense contractor, and I got recruited by the man who, until he joined Huawei, was the chief information officer for the UK government. He had just led a transformation of that.

He basically pitched me over some months about the fact that I could be an advocate for safer cyberspace from a Chinese company. And the model in the last seven years, how it has unfolded of what we’ve done, how we’ve tried to strengthen our defenses, our ability to detect attacks on cyber security and privacy, our ability to promote the resilience of the things that we do and make our products more secure, has been everything that I was told it would be. So, it has been a tremendous, tremendous experience.

And yet Huawei’s been dragged in and the controversy, I think, has been accused of being a spy for the Chinese government.

You know, it’s interesting. When you look at the big investigation, which was the House Intelligence Committee investigation in 2012, if you look at what they reported, there were no allegations.

I know that. I get that.

In fact, there are no allegations now and some government officials have said ... There’ve been one or two government officials who I think have misstated what the evidence is. They believe it’s more about the country than the company, more about China than Huawei. They’re afraid that China could force us to do bad things, not that there are allegations. So in a way, it’s an allegation that we would do bad things for the China government.

Right, and we’ll get into that in a minute because I think that’s been a big sort of the national freak out over something like FaceApp or whatever the technology is, is that the governments are working too closely with the companies or the companies are under duress to work for the government, which is a different style than here in the United States, although I think our government does put a lot of pressure on tech companies that isn’t as well-known, but it’s not as coordinated. People feel it’s coordinated.

We’re here with Andy Purdy. He’s the chief CSO, which is the chief security officer, of Huawei Technologies USA. Huawei is a Chinese company which has gotten into a bit of a controversy with the United States. They arrested one of its top executives, or detained, I guess. Is that correct right now?

No, she was arrested.

Arrested.

Now she’s on house arrest pending extradition proceedings back to the US.

Right. The issue was that she was trying to get technology she wasn’t supposed to get, essentially.

It’s an alleged violation of export control laws.

Right, exactly.

It was allegedly some kind of conduct relative to banks that were helping to finance some transactions. I haven’t studied it, but it’s something like that.

Right. But behind this is the idea that Chinese companies, Chinese-owned companies, which are becoming more global, have not had as much ... From the consumer space, recently we’ve had TikTok I guess, but mostly it’s not been ... Chinese companies have stayed there. Some of the bigger ones that are there have remained in China and have been popular in China — I’m just talking about the consumer ones — and have not moved globally. But China’s strength in technology over the past couple, I guess the past decade or more, has been significant and impressive in a lot of ways. People had thought of China as not an innovative place, but there’s been a lot of fast-forward movements by Chinese companies.

The worries have grown that these companies are working hand in glove with the Chinese government. Talk a little bit about that concept, because I think that’s really what’s behind it, rather than a lot of things.

Well, I’m not an expert in what happens in China, but there are certainly government companies. There are companies that are publicly traded that are majority owned by the China government. Then there are companies that are privately owned, and we’re the largest privately owned company in China. They certainly know the difference between official government ownership and what have you. The allegation is that because of the way the China government operates as a government, different from the US and our allies, that they have the power to do things or force us to do things that would violate the concepts in a country that has what the US would call a rule of law.

It’s a very different kind of a context and a different situation. Our leadership has been quite active in maintaining distance from the Chinese government during the seven years I’ve been there. I think the track record that we have — and we made the point earlier about allegations — that we’ve operated in over 170 countries and there have been no major cybersecurity incidents in those 170 countries, some would think that would at least buy us a conversation with the US government that right now the US government’s not really willing to have with us.

No, no. They’re assuming the worst, presumably that there are these ... Especially with the rollout of 5G. Let’s talk a little bit about that. The 5G is being rolled out across the country and Huawei’s a big player in this area. I don’t want to dumb anything down because it’s super complex, but the argument is that if we let the Chinese outfit all this, we’re in danger of letting them spy on everything. I think that’s the dumb version of it.

The ability to shut down communication networks.

Right, exactly.

I think that actually ...

That one day Xi is going to shut everything down.

Right. On-off switch or whatever. I think that would probably be the primary concern, although most of the attention is on the surveillance.

Right.

Well, it’s interesting because the context for the 5G discussion is really about security of communication networks. The fact that there’s all this focus about us, we’re an equipment vendor. The fact is that telecom operators have a tremendous amount of authority and control. We sell them the equipment. They decide whether we will service the equipment. If they do hire us to service equipment, when and how we do it. They control the data. They control monitoring the data. When you look at the security of our communication networks as we think about 5G, that is a critically important part of it.

For example, when you look at Mexico, where we have a giant equipment sale to AT&T that runs major networks in Mexico, there is no pressure by the US government, unlike in other countries. There’s no pressure by the US government to force AT&T to rip our equipment out of Mexico. In fact, there’s no pressure on them not to include us in 5G. Well, the reason is because the US government understands — and AT&T is one of the best in the world — this is how we manage risk. This is what the telecom operators do. Whatever the theoretical risk is, AT&T can handle it. In fact, the same goes for Nokia and Ericsson. The US doesn’t have a comprehensive approach to these issues. They’re trying to work on it. I think DHS is doing a lot of good, but Nokia and Ericsson, that are deeply embedded in China ...

For example, Nokia has a joint venture with Shanghai Bell, a Chinese government-owned company. They’re allowed to do business in the US only because they’ve entered into, as has Ericsson, a government-monitored risk mitigation program. That’s what we would like to talk to the US government about. We would like to enter into a government-monitored risk mitigation agreement. That despite Nokia and Ericsson’s deep ties to China, they’re allowed to do business. Risk mitigation is the concept.

Then fast-forwarding to 5G, just as I think there’s kind of been a misemphasis on equipment vendors versus the role of telecom operators, because it really is a shared responsibility as 5G is built on the 4G system. I’m not a technical expert either, so I may dumb it down. Hopefully, I’ll be accurate when I do it, but one of the big debates is between the core, where the most sensitive functioning is, the core of the network, and the radio access network. There’s issues about whether or not — and we’re only trying to sell into the radio access network, the RAN, and not sell into the core — there’s arguments that as 5G goes out and you have millions and billions of devices, that’s going to blur the distinction between the core and the RAN.

But the fact is the experts have a roadmap for security standards that maintains the difference, which is built on the old 4G measures of security, but they’re enhanced security mechanisms for 5G. There are real benefits to the technology for why you would keep the radio access network from the support.

The argument being that they can’t really spy. Like there isn’t really an ability because there’s so many vendors and operators and distributors of all these different things, like AT&T buying those things. I’m going to back up just a second. For people who don’t know 5G, give a quick explanation of what’s coming. It’s always coming. It’s always about to be here, but 5G will do ... For the general listener.

Well, 5G at a high level is going to enable technologies to help the digitization, creating digital vertical industries. The most commonly-referenced one, like autonomous driving, remote surgery, but you will have efficiency in energy, efficiency in manufacture. Farming, you’ll have sensors out there — they’re even now seeing sensors on cows — and sensors communicate with machines. 5G helps you bring the computing power to the edge, to the end user, so that people and organizations can serve society, organizations better. It’s predicted to be probably the greatest ...

They will be.

... enabler of jobs in the history of mankind as we move into the enabling aspects of 5G. It allows more data, faster. It reduces latency, which is like a response time. For autonomous driving, the communications will be that rather than a car, for example, at 70 miles an hour stopping in three or four feet, it’ll stop in a centimeter. Latency means you improve those kinds of abilities for it to serve, but really bringing computing power to the edge to serve citizens and organizations.

Right. The concept is the idea that everything will be digitized. Every part of the equation down to the cow, for example. That’s why the security concerns are greater because every single act will have a digital element to it, presumably.

Well, but part of it is we have the part we’ve been talking about in terms of telecommunication networks, then you have like Internet of Things. There’s separate security for all those devices.

Right.

The fear is all of a sudden you’re going to have billions of devices launching attacks, but we have these standards and emerging standards for how we’re going to handle that. That’s not unique to Huawei being an equipment vendor. Perhaps most importantly, as I mentioned, in the UK, in the US you won’t just have one supplier like Huawei in the radio access network.

Well, that’s the fear. That is the fear, that Huawei’s way ahead in these areas. That they will dominate.

Even in the US, you’ll ... Even that we’re way ahead, you’ll have at least three vendors. That’s why it’s part of the competition that people don’t realize. We can contribute certain things, but we have a fragile ecosystem of competition in telecommunication, which is why, for example, nobody ever talks about this, why in China, the race for 5G there, Nokia and Ericsson are allowed to compete against Huawei and Chinese companies. Regardless of what you think of the Chinese government, they see the value in some aspects of a market-driven economy.

Right. Right. The deployment of it properly.

The competition helps promote reduced price, innovation, and better security. The UK government Parliamentary Committee just released a report saying the communication networks in the UK will be less secure if Huawei isn’t part of it because having the resilience of multiple suppliers is critical to maintaining functioning.

How do you operate in this environment? Because in a lot of ways, Huawei’s ... They’ve just picked a company to be the example. They picked the correct company to do that, to be made an example of to force the idea around security, because I think that’s what’s around it. There’s just been a whole lot of coverage of the idea of what’s secure, whether you allow companies in. I was just at a security conference in Aspen, and the admiral there who was talking about the Pacific, he runs a Pacific fleet and a bunch of other things, was talking about his nervousness is not over anybody but China, like in terms of technologically sophisticated surpassing of US technology.

Well, the fact is, that to the point we talked earlier about risk, back when Edward Snowden released information about the PRISM program that was allowing the US government to spy all over the world, there was a situation where the US government was using Cisco equipment to spy elsewhere in the world. There was a question, well, did Cisco let them or did the US government hack into Cisco products? It doesn’t matter. China and other countries can hack into everybody’s products around the world. They can hack into Nokia and Ericsson. You will say you’re only worried about China, that doesn’t mean that you don’t have to have a comprehensive program to evaluate all the products to make sure we’re safe.

We see some great things that Department of Homeland Security is doing to try to raise the bar and increase our capabilities. We see it in Australia. We see it in Germany. It’s just that then they say, “We’ll block Huawei.” Well, no. Let’s create capabilities that provide an objective and transparent basis for which products are worthy of trust. I don’t mean which products were worthy of trust last week. I’m talking about today. Those are the capabilities that we have to all work together as a global society and make sure we have the standards and we have independent verification for everybody’s products. We’re not going there yet. That’s a mistake.

What do you imagine then is the way out of this situation? Because it does change week to week. It’s fascinating to watch that. I’ve talked to companies that are being impacted by this, the companies that work with Huawei. They have similar worries, that they’re not allowed to work with or sell to or work with companies that they need to to be global citizens and being sort of pressured to do so because it’s under national security concerns.

Well, if I had the answer to that question, I would probably be sitting in a big White House somewhere. We have a complicated situation, and the trade talks appear to be very, very difficult with so many different factors going on. I certainly don’t think and we don’t suggest that the trade talks solve Huawei’s problems, but it looks like, if there’s going to be a trade deal, there’s going to be some kind of resolution of the Huawei situation, but people misunderstand that. People think, “Oh, well, that means it’s political because you’re going to negotiate away Huawei.” No. This government, and I still know a bunch of people in it, is not going to just say, “Oh, a company can play a major role in American communication networks without very strict controls.”

We’ll only be allowed to do business in this country if we’re under controls at least as strict as Nokia and Ericsson, and that’s the way it should be. And someday we’ll get to the point that the US has a comprehensive program on how to determine whether a product’s worthy of trust. At that point, we’ll be allowed to compete for that business. Hopefully it’s in the next five or 10 years. I think the big danger is ... I think we’re really at a watershed. If, for example, on the $11 billion we buy from American companies, if we find our way and are forced to buy from other people, if we’re forced to create our own alternative to the Android platform for example, we might not come back.

I like a world where 30 percent of all Huawei components come from American companies. I like a world where folks buy the best stuff everywhere in the world. We have comprehensive programs to address risks because that’s fundamental, but we’ve got to be working together to have the competition for innovation and the sharing of information. We’ve been shut down at a bunch of universities in the US where we pay them money to conduct research and publish it publicly.

We shouldn’t cut off our nose to spite our face. We shouldn’t endanger 40 to 50,000 American jobs from American companies that sell to Huawei when it’s clearly no national security concern about the ability to sell those particular products. If you think anything that helps China or anything that helps Huawei helps China, then we’re talking trade barriers.

Right, right. Well, I think it’s a larger concern of China moving around the globe, being dominant in technology and the next age being the Chinese age, the next age of technology.

One of the things I also think behind this is — because I hear it a lot from Silicon Valley, I’ve had interviews with Mark Zuckerberg and others — one of the things that struck me when I did an interview with him about a year ago, started this conceptual idea of it’s us versus the Chinese to dominate the next technology age. It’s being used as in a little bit of an excuse. Well, as a big excuse by tech companies, US tech companies who have screwed up, like Facebook, to say, I call it the “Xi or me” argument. Like, I need to be big, you can’t break me up, because if not, China will take over everything.

It’s a ridiculous argument on many levels. At the same time, the US has dominated the internet age, the beginning parts of the technology age, and most of the big companies in this world are US companies, technology companies. That’s changed rather significantly, and especially, you know, there’s Israeli companies, obviously, there’s European companies, there’s Russian companies, sort of. But in general, China is the competitor to the US, and many people have written about this. Talk a little bit about that concept, if there has to be a zero-sum game of who dominates the next internet age.

Well, I don’t think it has to be a zero-sum game. And in fact, as we try to learn lessons from the current situation we’re in, some people draw the lesson that, well, America made a major mistake by not having a company like a Nokia, Ericsson, or a Huawei. They’re saying that was a big mistake, but we have to remember that our resources went into other things. People made choices based on opportunities and profit and innovation.

Similarly, when one is now saying, well, what do we do going forward now? We don’t have the strong company like a Nokia or Ericsson. Do we try to spend billions to create a company that’s going to create 6G? Is that the smart thing to do?

I don’t automatically assume that we made a mistake, nor that it would be smart to do that, but I do think we need to strengthen one thing that we have as a disadvantage in our country. We have a disadvantage in our ability to formulate industrial strategies.

Right.

We have to have government, we have to get government and private sector to work together to figure out, okay, going forward, what are the most important things for us to prosper and be safe? And so, for example, we might decide, well no, it doesn’t make sense to build our own 6G, perhaps we spend money to improve how we monitor the networks. And I know DHS is trying to do some of that stuff.

Maybe we put some emphasis in cybersecurity measures and detection measures that we can find things better, and that you can do like a white listing, or like a program like Apple does with some things, so you can be sure that what gets delivered is what’s secure, trusted computing modules, things like that.

Maybe it makes more sense to spend money on that and spend the other money on, how do we do some of the things to use the digitization of vertical industries so that we can create the jobs, because that’s what it’s about. It’s not about — although we sometimes say it is — about the US beating China or the UK or whatever in the race for 5G. No, we want the advantages of the jobs-enabling and life-enabling characteristics of these things.

What falls off of it. Right.

That’s what we need to promote.

What is preventing that industrial policy? We had that for so many years. I mean, there was so much ... One of the myths about Silicon Valley, and a myth about a lot of things, is that these things just happened by the sweat of their brows, they’re just innovative and then it just happens, or I made this, I’m getting paid this enormous amount of money, but it’s because of my work, when in fact it’s about policies and everything else that advantage certain people and don’t advantage others.

The mythology of Silicon Valley is that they did it all by themselves, when in fact it was a government program. It was enabled by the government. I mean, the internet’s excellent proof that the government does sometimes work.

How do you get to that idea that the government should work very closely with technology companies without seeming like you’re doing what people think is happening in China, where it’s a too close relationship, which I think was broken by the Snowden revelations in many ways, and it’s still healing, that.

Well, and frankly, when you look at how our European allies, and we don’t know how it’s going to come out in the end, are pushing back on the US pressure to block Huawei from 5G. They’re basically saying, particularly the UK and Germany, you didn’t give us any evidence that Huawei did anything wrong ...

They’re just assuming you did something.

We’re going to put in place measures to address the risk, and we’ll apply the measures to all vendors. I think what you’re talking about needs to be led by the private companies, because you’re right, there are things, like in the early days of the internet, there are probably some technologies that came out of the space race and other things...

So, for example, in 2017, Samsung and Intel and the securities industry association created a paper to recommend how the government and private sector should work together on exactly what we’re talking about. How do we promote the creation of jobs in the various industries, and the most likely places you can create jobs, so it’s not the government picking winners and losers, but it’s creating a level playing field, it’s creating opportunities, taking regulations away.

But smart people have to sit down and say, “What do we think?” And kick around ideas of what’s most important. And sometimes there may have to be some things where the government spends R&D, but it’s a very few and far between things that they need to spend.

But in the tragedy of the commons, if there are some things where we really need the government to spend, and we’ve got to put up, we’ve got to put the money up, but the private sector needs to lead and say, how do we work together? You look back and say, “Why don’t we have high-speed trains in America?” Are we about to make a bigger mistake with 5G? We’ve got to have the leaders come together and say let’s develop a strategy, because the Chinese don’t have that problem.

No, they don’t.

Although they make some, they run headlong into things, I’m not sure the Belt and Road Initiative is really working out for them, and you know, they throw a lot of money away, but it’s not always buying what they need.

It’s also a mentality of long term. Scott Galloway, who I do my Pivot podcast with, was talking about this idea of the Chinese government, you know, they’ll move whole towns. If one American farmer gets a hangnail, it’s like massive coverage, and the political implications are high, and it’s harder to move that way to make industrial policy, essentially industrial policy, and make it stick.

Absolutely.

At the same time, in some of these areas, like 5G and whatever’s coming next, you do need to have a coordinated thing, which hasn’t happened from our government in a long time. It is on some level, and I do, I actually do think the Edward Snowden thing did impact it, even though you can feel it from Silicon Valley people, they talk about it all the time.

Well, I think for example, I think Chancellor Merkel, the head of Germany, I think she remembers the fact that the US was monitoring her phone calls. I think they sometimes feel the US comes across as a bully.

Absolutely. So, what has to happen next ... Are you hinged on these trade talks, this idea that this will at some point settle, or what happens to the deployment of 5G in this country?

Well, what will happen is it looks like they will have a diversity of suppliers, probably Nokia, Ericsson, and maybe Samsung might be the third, in terms of the radio access networks. And what it will mean is it won’t be as good or as efficient or as cost effective. The prices will be higher, and they’ll move forward with something that they call 5G, and it will just take longer to get the full benefits of it.

And then Huawei will move to be working with governments across the world who haven’t been pressured by the US to stop.

Well, and hopefully in the long term, you know, I think Huawei really takes a long-term view of its business and opportunities. You know, Huawei is going to be around.

And when you think about sort of how the company’s been caught in it, if you had to, you know, I think most ... You’re going to have a group of people that are going to think, no matter what, this is a company that is under the thumb of the Chinese government, and the risks are there, because they could at any time be turned on.

And I think it sounds really crazy, but this, I call it the national freak-out over FaceApp. Like, “Putin’s got my pictures as an old person.” Like, it’s the conceptual idea that in this age of violation of privacy, and control of data, and the idea that companies can have a hegemony over tech in a way that’s very dangerous, it’s like having the best nuclear weapons, I guess, that you’re not going to ever not have Chinese, especially Chinese companies, not be suspect no matter what.

Well, and I think everybody should be suspect. I mean, that’s the bottom line, and we have to remember and we have to hold ... I don’t know if the Federal Communications Commission chairman, Chairman Pai, he suggested there be greater regulation of our telecom operators. I don’t know about that. I think we’ve got really good telecom operators, and I trust them a lot more than I trust the government to say you should do this and that.

But when we talk about fear from China or wherever, the telecom operators have an absolutely critical role, and so we need to make sure there are programs to make sure they are conforming to the kinds of measures that are best practiced. You have to have measures to make sure — independent verification of all the products, to make sure bad guys haven’t hacked into anybody’s products.

That’s the kind of thing, when you have an objective basis for trust, that’s going to help make us safer, not only in our minds, but in fact.

And if you had to pick the three most important security issues — national security or otherwise — across the globe, what do you imagine them to be? Aside from the fact that you work for a Chinese company, what would that, from your perspective, be?

Well, that’s a very difficult issue. One of the most important areas, of course, is our communication networks, but we have such diversity of suppliers in different parts of the country, it’s like our power grid, partly because of the flaws of it, you have segmented parts of the power grid, and our telecom operators are segmenting their networks, so if bad things happen, it only happens to a very small part.

So, I’d have to think about those things where the data, because we have ransomware attacks, which are a big problem. And so, the data that is most important on which, like, our monetary system runs, we’ve got to make sure that that is inviolate, that we can get access to it, and it’s going to be 100 percent accurate all the time.

I think the accuracy of data on which our systems rely for the functioning of what’s most important to us in the world is the way to go. And I think DHS is doing the right thing by saying, “Okay, let’s do a risk assessment of 5G, but let’s identify those other things that are most important to us as a society and then make sure we put the adequate protections in place.”

Well then, finishing up, how do you assess ... Obviously the biggest thing on people’s minds is election security, whether it’s the manipulation of Facebook or whether it’s voting machines, or there are all kinds, a range of security issues around that, and it’s, that’s, it’s a global issue going forward.

How do you imagine that threat is seen? Because this legislation is not passing. A lot of this legislation is being held up in the Senate due to partisanship. That’s a perfect example of something that’s critically important, that at the same time hasn’t been addressed correctly.

Well, I think there’s an awful lot of effort going into it. I know DHS, I know the multi-state ISAC, I know the state legislatures are putting a lot of time into it.

They are.

And if you think about it in terms of, okay, you’ve got a voting machine, starting from the smallest thing, well, we can do a lot to secure a voting machine, okay? And then who are you going to share it with?

Microsoft has some interest. I was just at Microsoft seeing some of their new ideas around this.

So, it’s a combination of the traditional kinds of perimeter defenses, but it’s also things like encryption and making sure that you control the repository of whatever the data is. So, you control it in motion and at rest, both before it’s transmitted and after it’s transmitted. And then the question of, well, how do you bring it all together?

So, it’s really a multilayered kind of an aspect, and we’ve got to try to make sure that the people who make the decisions that we’re going to do electronic voting don’t just say, “Oh, I want to be able to say we’re doing electronic voting so we’ll get out ahead of our security measures,” because it’s all about risk, and we can manage risk effectively. And the question is you need independent people, it’s like financial audits. There’s a reason that auditors come in. We need to have independent experts come in to evaluate the things that are most critical, and then elections are certainly one of them.

And then finishing up, when these trade talks, I think most people feel the Huawei thing will go away when the trade talks end. When do you imagine ... 5G, because the point is 5G rolling out properly to citizens to create entrepreneurial opportunities, to create businesses, all kinds of things that fall off of it. So many businesses do fall off this technology. What do you think is at risk if it doesn’t get deployed properly?

Well, I think it will be deployed. I mean, it’s not going to get out ahead of its rails. I think it will be deployed. It’s kind of like the Comedy Central bit where they ... Noah was talking about the AT&T phone that had 5GE on it. It’s like, there’s going to be something they call 5G, it’s just not going to give the full performance and full capabilities. And so, the job-creating aspects of it won’t be, you know, fully enforced. I mean, I think that’s probably the worst that happens.

That we’ll have a crappy system that will be more or les ...

It’s like we don’t have high-speed trains. We don’t know what we’re missing. We don’t have decent 5G or good 5, we’re not going to know what we’re missing.

Right, right, and well, the US has always lagged behind in so many ways. We had ...

And in fact, the price is a lot higher than we ought to pay.

Exactly. We had, one time we had the chairman of the FCC, and we showed that the US was like below Lithuania, or some country, it was some country we should not have been lower than, Namibia, I don’t know, and the price was number one. It was fascinating, and that we were just like, this is just, why do we have the most lagging, this is broadband, in the days of broadband access, and it was really interesting to see what held it back. At the time it was something else. It wasn’t security concerns.

Thank you so much for coming on. I really appreciate it. It’s a really interesting issue, and I think it’s gotten sort of sucked up into nine different issues. But what’s critically important is, as you said, is testing the resilience of these systems, and in terms of protecting risk analysis around them, because that’s what the most important part is, to do this before you sort of get into these more broad debates about country versus country, and I appreciate it.
