In RSA Showdown, Analyst Says U.S. Must Choose Between Surveillance and Security

SAN FRANCISCO—The threat presented by Huawei is not—as U.S. officials have been warning allies—about espionage, a leading academic on the issue told participants at the hottest ticket of this year’s RSA cybersecurity conference.

“There is a lot more to [Fifth Generation Network] security than supply chain,” said Harvard Kennedy School security technologist Bruce Schneier before an audience of hundreds of security professionals. “5G is insecure primarily because the protocols are insecure, because governments, like the United States, like to use the systems to spy.”

While governments such as Germany’s have said they would require providers to implement end-to-end encryption in order to comprehensively protect against spying—by all entities—the U.S. has not.   

“If we like the fact that we can use the cellular networks to spy on our adversaries, then they get to spy on us,” Schneier said to rousing applause. “Pick one. You can't have both.”

The Wednesday afternoon session at RSA featured Schneier and R Street Institute fellow Kathryn Waldron alongside the Defense Department’s Acquisitions CISO Katie Arrington, and a representative from the forbidden company itself: Huawei security chief Andy Purdy. 

Attendees were expecting sparks to fly between Purdy, a former leader of Homeland Security Department’s cybersecurity division, and Arrington, who is leading the Defense Department’s effort to mitigate supply chain risk in the defense industrial base. Arrington stressed it’s simply her job to implement the law: Congress’ 2018 ban on federal agencies using products or services from Huawei, ZTE, and a number of other Chinese technology companies.   

Since 2018, efforts to remove Huawei from the global information and communications technology ecosystem have expanded to include a Federal Communications Commission initiative to “rip and replace” equipment already embedded in rural networks across the country and a ban on U.S. entities selling products or services to Huawei. 

Purdy is not alone in noting the high cost of these actions to U.S. companies and rural Americans, in addition to Huawei, a point he sought justification for.

Arrington’s main defense of the U.S. policy was something she wasn’t allowed to talk about: information from the intelligence community, which is referenced in a 2012 report from the House Select Intelligence Committee, but has never been disclosed.

“We have our data. We have our research,” Arrington said. “I don't know that anybody on the panel can see classified information. I can tell you, from where we sit, there's a reason why we did what we did.”

Schneier conceded to Arrington on the logic of removing Huawei over a fear of damage to network functionality, if not espionage, although he stressed that kind of compromise could be executed by any number of actors across the vast technology ecosystem.  

“This might be an American product, but this is not made in the U.S.,” he said, holding up an iPhone. “Its parts don't come from the U.S., its programmers carry different passports, any one of which could subvert this system.” 

Schneier said it seemed like what the U.S. was really after was the ability to also be able to bring down or degrade global network communications by controlling more of the infrastructure, which drew chuckles from the audience.

Waldron ultimately weighed in on Arrington’s side, saying fear of Huawei and efforts to remove it from the ecosystem are legitimate. But she advised caution in shaping the U.S. response to data theft attributed to Chinese actors.

She also noted connections between the supply chain debate and what might be seen as a separate policy discussion—the Justice Department’s efforts to have companies provide law enforcement access to encrypted communications—and the precedent-setting potential of the latter.

“There's been a resurgence lately in the going-dark debate and whether or not the U.S. government should essentially build in backdoors for the sake of law enforcement and child exploitation online, which is a very noble cause,” Waldron said. “But I think we need to be aware of how encouraging backdoors in that policy debate could lead to terrible precedence in regards to building backdoors that could [make the communications network] vulnerable.” 

“Just because you think you're having two different policy discussions, doesn't mean you're not going to accidentally end up somewhere where you compromise both of them,” she said.