The Federal Communications Commission (FCC) is working quickly to facilitate the deployment of fifth-generation (5G) wireless infrastructure, as formalized in the agency’s 5G Fast Plan (“Facilitate America’s Superiority in 5G Technology”). As the FCC moves ahead with these goals, by for example announcing the “largest spectrum auction in American history” in April 2019, cybersecurity officials are calling for increased attention to the potential risks associated with widespread 5G networks.

With download speeds of up to 20 gigabits-per-second, 5G proponents state the technology will enable new internet of things applications, such as remote health care services, connected “smart cities,” and self-driving cars, all sending and receiving data online. The increased role of wireless technology in critical infrastructure comes with a plethora of benefits and possibilities but also security risks, with higher stakes in the event of a breach.

Security Concerns Regarding Huawei

Over the past year, the cybersecurity discussion has focused squarely on Chinese company Huawei Technologies Co Ltd. (Huawei), the world’s largest telecommunications provider. U.S. State Department officials and members of the FCC have stated that using Chinese telecommunications equipment in 5G networks could give the Chinese government a way to access sensitive infrastructure and data. At a Senate Appropriations Financial Services and General Government Subcommittee budget hearing in early May, FCC Chair Ajit Pai stated:

What I will say is I believe that certain Chinese suppliers, such as Huawei, do indeed present a threat to the United States, either on their own or because of Chinese domestic law. For example, China’s national intelligence law explicitly requires any individual or entity subject to that law to comply with requests to intelligence services.

Commerce Department Adds Huawei to Blacklist

The simmering tension over Huawei has boiled over, against the backdrop of trade negotiations with China, with the following series of major developments recently:

• On May 16, the U.S. Commerce Department added Huawei and 68 of its affiliates to the Bureau of Industry and Security’s Entity List, restricting American companies from selling parts and components to Huawei without U.S. government approval, stating that “there is reasonable cause to believe that Huawei has been involved in activities contrary to the national security or foreign policy interests of the United States.” The move came one day after President Donald Trump declared a “national emergency,” calling for additional measures to “protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States.”

• On May 19, Alphabet’s Google subsidiary stated that it would terminate business with Huawei for many Android hardware and software services, including restricting access to popular Google applications, such as Maps and Gmail, in new Huawei handsets, in compliance with the U.S. Commerce Department blacklist. Intel Corp., Qualcomm Inc., and Broadcom, some of the world’s leading chip suppliers, followed suit and also cut off ties with Huawei.

• On May 20, the U.S. Commerce Department temporarily rolled back the ban for 90 days, authorizing until August 19 transactions: (1) necessary to maintaining and supporting existing networks and equipment, (2) critical to providing service and support to existing Huawei mobile phones, (3) involving the disclosure of security vulnerabilities in Huawei equipment, and (4) necessary for the development of 5G standards.

• Google, in turn, announced that it would work with Huawei to provide security updates to the company’s Android operating system during the 90-day period, but that it would comply with the U.S. Commerce Department’s ban thereafter.

As reported in an analysis of the escalating conflict in The New York Times, China imported over $300 billion in semiconductor chips in 2018 alone. The prospect of doing business without U.S. components could present an existential turning point for Huawei. Meanwhile, the company has stated that it is working on its own operating system and will begin considering alternatives to Google’s Android.

Is Huawei Actually a National Security Risk?

Some analysts have questioned whether the concerns about Huawei relate more to the company’s market share and China’s parallel race to 5G more than any demonstrated cybersecurity risks. Huawei has taken an early lead in developing 5G technology, holding over 15 percent of the world’s 5G patents, according to research firm IPlytics. Meanwhile, the top U.S. company, Qualcomm, has over 8 percent of the crucial 5G patent filings. Huawei’s reach also grows in other areas, having just surpassed Apple to become the world’s second-largest smartphone vendor, behind Samsung, according to new International Data Corp. statistics.

Countering the FCC’s depiction of Huawei as a risk, MIT Media Lab founder Nicholas Negroponte in early May published an article in Fast Company, opining that:

The desire to ban companies like Huawei has little to do with technology, and nothing to do with effective risk management. Huawei has an unblemished 30-year cybersecurity record and more than 500 satisfied telecom customers around the world. None of them has ever experienced a security breach related to Huawei’s equipment. Furthermore, the company’s research today leads the world and is widely copied.

An official ban of the use of Chinese telecommunications equipment by U.S. companies might come in the form of a “national emergency” based on an “extraordinary threat.” But the real threat is that unsubstantiated accusations against Huawei will prevent the U.S. from having a more important, more rational conversation about the need to manage cyber risk.

International Developments

The debate over how to best secure critical wireless infrastructure is also heating up abroad, with a couple of major recent developments noted below.

• At the Prague 5G Security Conference, hosted by the Czech Republic in early May, cybersecurity officials from over 30 countries agreed on a non-binding security proposal, in part shaped by U.S. concerns. As reported by the Associated Press, the agreement states that “security and risk assessment of vendors and network technologies” should be taken into account in evaluating 5G equipment suppliers, as well as “the overall risk of influence on a supplier by a third country,” especially its “model of governance.” Chinese and Russian officials were not present at the meeting.

• As discussed in a previous post, an April leak from the UK’s National Security Council revealed that Huawei might play a role in the development of British non-core 5G infrastructure, much to the consternation of U.S. State Department officials, including Secretary of State Mike Pompeo who spoke in London in early May.

• European Union member states have until June 1 to conduct cybersecurity risk analyses, which will be used to form a coordinated bloc-wide risk assessment by October 1. On the basis of this assessment, EU countries will then have to formalize mitigation measures by the end of the year, which might include tests for suppliers considered security risks.