New York Foreign Press Center Briefing with Robert Strayer, Deputy Assistant Secretary for Cyber and International Communications and Information Policy, Bureau of Economic and Business Affairs, on “U.S. Policy on 5G Technology,” in New York City.
Transcript
Okay, good afternoon. We’re pleased to have Robert Strayer with us today, but first let me just introduce myself. I’m the new director in the Foreign Press Center here in New York, Liz Detmeister, for those of you who we haven’t met. So the Deputy Assistant Secretary for Cyber and International Communications and Information Policy in the Bureau of Economic and Business Affairs at the U.S. Department of State is here today to speak with you, and I’ll turn the program over to him in just a minute. First, I have a few housekeeping items. Please take a moment to silence your cell phones. At the conclusion of his remarks, we’ll open the floor for questions. Please wait for the microphone that we’ll pass around as a courtesy, and please state your name and your affiliation before you ask your question. Today’s briefing is on the record. And with that, over to you.
Thanks, Liz. Thanks for that kind introduction, and I want to thank the Foreign Press Center for organizing this event. I understand this isn’t the first time there’s been an event here talking about transformative technologies. There’s very important international implications of any new technology both from a political perspective, an economic perspective, as well as from a national security perspective. We in the United States are very excited about the potential for the fifth generation of wireless technology to empower a vast array of transformative new applications that will benefit our country as well as societies around the world. 5G is going to have increased amounts of throughput of data up to 100 times what we have currently in 4G technology, as well as very low latency, that is, the time delay that it takes a device to connect to the internet and receive data back. So with those improved technologies, we’re gonna see many more devices connected to the internet, devices and sensors of what they call the internet of things. We’ll see 10s of billions of those new devices in just the next few years. Those devices will be able to communicate with one another and with systems automatically. That’s gonna empower a whole new set of types of critical infrastructure, so we’ll see autonomous vehicles, we’ll see telemedicine. We’re also gonna see the current types of critical infrastructure like electricity and water distribution being supplied through things like the smart grid for the case of electricity distribution. Those will occur through the backbone of this 5G technology. Because it’s gonna be so important to our societies, we want all countries around the world to think carefully about the security practices that should be in place to secure these 5G technologies. We encourage countries to adopt a risk-based security approach, and they should do that for any type of information or communications technology. With regard to 5G, we also think it’s very important to look at the supply chain of the vendors that will supply these critical services. In 5G there is the privileges that the vendor of technology will have both of its, providing its hardware and software will give it a lot of influence over how these critical systems operate when oriented toward the consumer or for governments. So for example, these vendors of hardware and software technology could cause data to be exfiltrated for purposes that are not authorized by the users, so that could cause the compromise of citizens’ privacy. The exfiltration data could also cause intellectual property that belongs to businesses and corporations to be taken or stolen, and it could also cause the disruption of those critical services like water and power distribution. So it’s very important that we have trust in those vendors for 5G technologies. One indicator of trust that we’re very concerned about is that a vendor not be under the control of a foreign government without appropriate judicial controls. We know that the national intelligence law in China as well as other laws empower the government there to require any entity within China to comply with the mandates of the intelligence and security services in China. We think that’s very concerning, particularly because there is no independent judiciary that stands in the middle between those entities and the government. So in effect, they are under the direction of the Chinese Communist Party. There’s other indicia of trust that we’re concerned about. We think that companies should have transparent ownership structures that are well understood and that comply with our Western laws related to corruption, related to export controls and to intellectual property theft. We think that the best practices of corporate governance are indicators of whether or not you can trust a company to be in such a privileged position in these 5G networks. It’s important to understand in 5G networks that there will be much more software on the systems. That increased software really presents an increased cyber attack surface area, that is, there’s much more code that can be compromised. There are frequently updates to software that are the operating system as well as software that is running the devices, which is called firmware. When those updates occur, code can be introduced in the systems that cause them to be compromised, that would enable the disruption of those systems, or the data that’s running over them, including location data and other information, to be exfiltrated outside the network surreptitiously. So it’s very important that we have trust in those vendors. Last May, the Czech Republic organized a conference with about 40 countries there to talk about best practices related to securing 5G technology that focused on policy areas, technical areas, as well as the economics, the funding of 5G systems. That conference resulted in a set of principles called the Prague Proposals that we’re encouraging countries around the world to adopt. We think those are good, high-level principles that can then be integrated into each country’s decision making about what kind of vendors and what kind of system requirements they want to set for 5G technology. Here in the United States, on May 15th, President Trump signed an executive order on information communications technology supply chain security, which adopts, sets a legal framework in place that will allow us to adopt many of the principles that are part of the Prague Proposals. We’ve also noted that, as of last March, the European Union Commission also set out a security framework for 5G. It includes a principle that says that an evaluation should occur of the ability of a third country to influence the vendor of 5G, the 5G equipment supplier. So we think that’s a very important criteria to have in place. I should note that when we’re talking about the radio access network, which is the non-core part, that is the part where there are transmitters that’ll be closest to the user, and it’s closest to where your handset device or other sensor will communicate with, the vendors for those are not American. So this is not us pushing U.S. technology. In fact, Ericsson, which is Swedish, Nokia, which is Finnish, and Samsung, which is South Korean, are the three major providers outside of the Chinese providers. Of course, there’s a much larger ecosystem of 5G that will be empowered that will include U.S. technology, but we are in no way benefiting these large integrators for any competitive purpose because they’re not American. They’re actually headquartered in other countries around the world. The other point I wanted to make, too, is that because our devices will be connected for all these critical uses in all parts of the network, anywhere there’s computing going on within a 5G network will become critical. So there’s no portion of the network that one could say is okay to have untrusted vendors. You want to have a trusted vendor in all parts of the 5G network, wherever there is computing taking place, that is, the collection, the processing, or the storage of data. So with that, I’d be happy to answer any questions.
Okay, my name is Harrison. I report for the News Agency of Nigeria. Why is the United States Government so wary of China?
So I don’t know if everyone heard the question. Let me repeat it. So we’re, in our efforts here, our diplomatic efforts here, we’re sharing our views about how we see the importance of 5G technology and the importance of securing it and having trusted vendors. It’s agnostic as to the country. And we realize that each country with the information we share with them is still going to make its own sovereign decision. We encourage them to make the sovereign decision on their own. They need to, every country needs to have its own calculus about the risk that it’s willing to accept in these technologies. We, of course, have an interest in working with other governments because we share important government information with them, and we have very interconnected economies. If a factory is compromised through autonomous manufacturing that goes down in another country, that can quickly affect the United States and other allies because we don’t see that factory providing that part of the supply chain that others have come to rely on. And just with regard to China, we know that their national intelligence law has that feature of them being able to mandate that vendors like Huawei and ZTE comply with mandates of their intelligence and security services without an independent judicial review, which does us, does cause us serious cause of concern.
Almost a follow-up. Hi, Sherwin Bryce-Pease, South African Broadcasting. I just wanted to read you something that our President Ramaphosa said a few months ago. Quote: “The standoff between China and the United States, “where the technology company Huawei “is being used as a victim because of its successes, “is an example of protectionism “that will affect our own telecommunications sector, “particularly the effort to roll out the 5G network, “causing a setback to other networks as well.” How do you respond to criticism like that?
Yeah. We certainly appreciate the South African president’s ability to make decisions that are in the best interests of all South Africans, and which your nation will do at the end of the day. We would say that, as I mentioned earlier, there is no U.S. company that stands to benefit from the campaign, the diplomatic campaign of sharing our concerns. And in fact, on the point about whether there’s a setback for other countries, we don’t think there is one. We, in the United States, are only going to be using three trusted vendors, which are Ericsson, Nokia, and Samsung. We actually were the first to start rolling out 5G in major cities. We have over two dozen major cities with 5G. Second place was South Korea and third is likely to be China. So we’re seeing that the rollout with just those vendors, we think there’s no slowdown in our ability to implement 5G by going with those more trusted vendors.
Hi, Kaori Yoshida from Nikkei. I had a question about rural America, and some wireless carriers in rural U.S. are able to use equipment or are using equipment from Chinese firms, including those under U.S. sanctions. And are you concerned that these rural areas will experience a delay in the rollout of 5G technology, and what steps are you taking to avoid that from happening? Thanks.
Thank you for the question. Our four largest wireless carriers in the United States have all committed not to using untrusted vendors in their 5G rollouts. As your question notes, though, some of our rural carries in their 4G networks currently have some of these untrusted vendors. Our process for implementing the executive order to secure the information and communications technology supply chain will likely address this issue. That is on a roughly five month implementation period under the executive order, so we haven’t yet announced our policy with regard to the rural carriers, but we are going to work closely with them as well as with Congress. There are a number of bills in Congress seeking to address this issue that will, I think, be borne out in the next couple of months.
We’ve got a question in the back.
Hi, this is Carol with Wallsttv.com. Just wondering, so for, you mentioned several times only trusted vendors are gonna be used and how this is going through a risk-based approval process. Is there any thought in the future that 5G network is gonna be nationalized?
No, we’re not planning to nationalize our 5G network. We think that competition is important, that we work with the private sector to, who knows best how to map out their next-generation networks.
Hi, Vincenzo Pascale, Messaggero di sant’ Antonio, Italy. We know that most of the cyber attack come from Eastern Europe and Russia. Why do you have so a main focus on China with 5G and not with Eastern Europe and Russia?
Thank you for the question. We are sensitive to the fact that we all need to improve the cyber security of all parts of the information communications technology ecosystem, whether that’s 5G networks, telecom networks, or the computers that we’re using every day for all kinds of other work, and all the databases that retain massive amounts of data. We need to improve the cyber security of all of those. The United States director of national intelligence has assessed that there are really four countries that we’re most concerned about, and that includes Russia, China, Iran, and North Korea, from a cyber security perspective. So we’re talking about addressing cyber security overall, but in this particular context of 5G security, we want to talk about trusted vendors. We see no reason to add to the overall risk profile that we’re facing by having untrusted vendors. In this case, there are two major Chinese vendors for 5G technology that we consider unsecure. So we say both address the cyber security issues, including those that emanate from territories in Eastern Europe or in Russia, as well as address this supply chain security issue for 5G technology.
Thank you, Manik Mehta, I’m a syndicated journalist. You mentioned earlier that we want countries to adopt risk-based security approach. What does that exactly mean, and could you define it? Also, would you like to highlight, not highlight, but at least update if you are putting any extra measures in place to avoid a repetition of the security lapses we saw in the last election?
Yes, okay, thank you for both of those questions. So risk is fundamentally based on a few things, but it’s the vulnerabilities potential to the system, think about the vulnerabilities of any network, as well as thinking about the threat actors. And if you have untrusted vendors, that feeds into the threat analysis because those are most easily compromised and more likely to do something in someone else’s interest and not in your interests. So we think that trusted vendors feeds directly into a threat model that should give anyone serious cause for concern when they’re doing that overall risk analysis. There are a number of measures that wireless operators will put in place to help secure the vulnerabilities, but as I mentioned earlier, when you have a system where there is software that can be updated overnight almost instantaneously, there is no way to review all the source code, all the lines of software that go into that that could compromise the entire network, so that allows a malicious threat actor to infiltrate the network and cause disruption or the exfiltration of data. We know, for example, that for years China has caused, China Telecom, one of the carriers there, has caused the routing of internet traffic to not go through its normal mechanism but to then be routed through China instead of its normal conduits through the internet. The United States and 14 other governments last December attributed one of the largest instances of industrial espionage in modern history to the Chinese Ministry of State Security. The Chinese Ministry of State Security working with a private company there was able to cause what they call managed service providers or managed cloud providers, which are basically IT systems for major global companies. They caused at least companies in 12 different countries to be compromised, their data to be taken, and some of that data to be shared with commercial enterprises in China. So, and on your last point about election security, we’ve taken a number of steps to improve the security of our elections and to take steps against those who would seek to convene influence operations in the United States using social media platforms. So I can’t talk about that necessarily in this context of all the specifics, but we are working very seriously on that. We’ve also put grants out to our state and local governments to help them secure their election infrastructure.
Hi, Tamami Shimizuishi from Nikkei. I have two questions. The first one is, I understood like these Chinese firms now labeled as the untrusted, but what kind of steps they need if they want to be included as a supply chain to the U.S. telecom companies? And then second question is, I understood all these four top carriers will not use any these Chinese suppliers for building the future 5G network, but I understood like they need to use the kind of fundamental network already existed, like 4G network, and then I wonder is any of them have any these Chinese, the parts or the system embedded for the kind of previous-generation network?
Yeah, thanks for those questions. So that partially came up in the earlier question. Someone asked about the rural carriers. So there are, some of our rural carriers in their 4G networks have what we consider untrusted vendors in their networks, and we’re going, we’ve said that we’ve got concern about any 5G network having untrusted vendors. I, the bigger question about how a company goes from being untrusted to trusted, I mentioned there’s a number of indicia of trust, of ownership structure, of compliance with export control laws, with intellectual property theft, and with anti-corruption practices that are indicia of trusted companies. I would note that there are two pending indictments against Huawei, one related to the theft of intellectual property from T-Mobile and the other one related to a multi-year campaign to commit bank and wire fraud that deceived banks about the nature of Huawei’s subsidiary in Iran that was in violation of U.S.-Iran export control laws. There’s been no admission or any attempt by Huawei to remedy that situation. They’ve just sought to deny it, and so I don’t think we’re at a position yet to opine on what would be, make a company trusted.
Hi, I’m Nicolas Rauline from the French newspaper Les Echos. It seems there is a problem in the cities with price. The biggest problems of many cities are, is the price, and it seems Huawei has the cheapest prices on the market. So how can you fight against that? And my second question, is it a possibility for you to completely close the U.S. market to Chinese companies in terms of 5G?
So I’ll just take the last question first. I just want to be clear. We’re not seeking to close the U.S. market from anyone, but we want to just be clear is that we will use the highest standards of security related to our information communications technology, and that, admittedly, will have some effects on the market of what is allowed to be put into very critical systems for the future of our citizens, and we would, as we talk to others around the world, critical for their national security and economic security as well. Oh, and then the, sorry, the price question. So every year, dozens of changes happen between one vendor and another vendor. These types of changes happen all the time. There is arguably some price advantage because of the government subsidization by the Chinese development bank and the Chinese export-import bank of Chinese technology. That’s one of the reasons why we think it’s important that the Prague Proposals, those principles that we arrived at with that group of dozens of other countries in Europe, was to say that it should be transparent about all the terms of any of these financing deals. Many countries have gotten themselves in the position over the years of having massive debt burdens because they weren’t paying any of the cost up front, and so what initially appeared to be a very cheap deal turned out to be very expensive. It’s well known that in Sri Lanka the government had to put up as collateral their port, and they ended up giving that port over to the Chinese Government for a 99-year lease to settle their debt situation. So we think it’s really important that countries think about what is the long-term, sustainable model for information communications technologies, and we’re all the time seeing Nokia and Ericsson being selected by telecommunications operators in country, so that’s telling us that they are offering something that’s competitive and something that those operators in those countries deem to be economically viable for a longer period of time.
Hi, David McClure with NHK News. Two questions, first about the potential economic impacts of barring Huawei or ZTE from participating in U.S. markets, and then second, if there is any possibility to impact the way that the United States shares intelligence with other countries that choose to use Huawei or ZTE, other companies that the United States has deemed to be not safe.
Yep, thanks for those questions. So on the rollout of the technology, we think we’re leading the world in that with dozens of cities already deploying 5G on a commercial basis, not just on a trial basis. We know that Ericssson, Nokia, and Samsung are leaders in that market and have ample supply to supply the buildout of 5G. So we don’t see any delay in choosing these more trusted suppliers. From what I can tell, the only people who are really the original source of suggesting that Huawei is a more sophisticated technology and is, would be in the best position is really the company itself in Shenzhen. I’m sorry, and your second question was the…
Any possibility that countries that choose to use Huawei or ZTE will have some, in some way be affected in the U.S.’s ability to share intelligence?
Yep, so we have important information-sharing relationships around the globe with countries, we benefit, our partners benefit. We want to make sure we can maintain those relationships by having a vigorous flow of information, a bilateral flow of information. But if countries implement in their telecom networks that are doing 5G untrusted vendors, we’re going to have to reassess how we’re sharing information with them to ensure that we’re not compromising that very vital data.
I think we have time for about three more questions.
Thank you so much. I want to ask the question about 5G and concern of terrorism. Has there been, do you think it will have an impact on especially organizations and operation like ISIS? Will it help them, or it will be able to help you in stopping them with their recruitment? And my other question, again, related to terrorism, a wider question, broader, I wanted to ask right now there are talk about that ISIS is restructuring its organization, the focus on more global scale. Have you noticed any change on their behavior in term of their cyber activities, especially in term of recruitment in Western countries, Europe and United States?
Would you mind stating your name and outlet?
Majeed Gly, Rudaw Media Network.
Thanks for the question. Some of that on the counterterrorism approach is a little bit outside my normal lane, but what I can say is that we’re very focused on countering violent extremist content online, the way that terrorists can use online activities to gain recruits or to use online platforms to do, to increase their financing, or to communicate, to coordinate a potential attack. So those are things that we’re working on with American and global platform companies to ensure that we’re addressing the violent extremism that can be online. And we’re also addressing those other concerns about how terrorists can use the internet. That’s somewhat separate from the underlying infrastructure. There, of course, is anywhere there’s more internet connectivity, one needs to ensure that there are appropriate policies in place to address platforms or other communications mechanisms from being misused or abused by potential extremist elements or terrorists.
Sophie Ding, Asahi Shimbun. Are you aware of any instances of industrial espionage on the part of China?
So the one case that, there have been a long history of industrial espionage by China that led to an agreement between President Xi and President Obama when they signed an agreement in 2015 in the Rose Garden to ensure that there would be no more economic espionage through cyber means. We note that has continued, and very importantly, last December the United States and 14 other countries attributed a massive industrial espionage campaign through cyber means to the Ministry of State Security in China.
Do we have any more questions? Okay, well, then thank you very much.
Thank you.