RSA Conference panel tackles Huawei security risks

Four panelists discussed the ban on the world's largest telecommunications equipment manufacturer in relation to supply chain risk.

SAN FRANCISCO -- Huawei security risks sparked a heated debate during a panel discussion at RSA Conference 2020 this week.

The keynote session, titled "How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei" was moderated by Craig Spiezle, founder of Agelight Advisory and Research Group, with panelists Katie Arrington, cyber information security officer of acquisitions for the U.S. Department of Defense; Donald "Andy" Purdy, chief security officer of Huawei Technologies USA; Bruce Schneier, security researcher and lecturer at the Harvard Kennedy School; and Kathryn Waldron, fellow at R Street Institute.

The four panelists debated several topics, from 5G capabilities and kill switches to espionage and trade wars, but returned to one common thread: the ban against Huawei. Earlier this month, the U.S. Department of Justice announced indictments against the company for racketeering and conspiracy to steal trade secrets.

During the panel discussion, Purdy pushed back on the U.S. government's ban. "Are we going to consider a vendor trusted just because they are not headquartered in China? One thing I've learned at this conference is that you cannot trust anyone," he said in his opening remarks.

Purdy appeared to be arguing for a technical standard for eliminating backdoors and hidden threats, versus relying on the vague claims about Huawei security risks to justify the ban.

"If it's possible to virtually implant hidden functionality, then the issue of 'OK, we're blocking Huawei equipment' solves the problem. That doesn't solve the problem. We need to make sure we find the bad stuff in all of the products."

Throughout the discussion, Arrington reiterated one point: The Department of Defense upholds its ban and indictment against Huawei.

"We have our own data and the recommendation was made to take Huawei out for a very specific reason," she said, though she didn't specify what the reason was.

However, Arrington argued Huawei security risks weren't purely about backdoor access and had more to do with giving a Chinese company control over large swaths of America's telecommunications infrastructure. "The law is the law. We can sit and juxtapose the 'things' but the law is the law and I am going to enforce the law. We have our data, our research. I don't know if anyone on the panel can see classified information, but I can tell you where we sit, there's a reason why we did what we did. Backdoors being what they are, that's not the problem. It's when you are willing to convey control to another country."

Spiezle interjected by saying, "France, the U.K., the EU -- they said we are willing to manage the risk and accept Huawei in certain parts of our infrastructure and supposedly they've been shared the same intelligence data you've been shared."

Again, Arrington focused on the legality of the ban.

"We uphold the law. Your senator, congressman, your president all had a reason they did what they did. We found a major risk with one particular thing," she said. "The court of appeals held it up. It ain't changing, so let's move forward."

Schneier said the ban on Huawei doesn't solve the inherent security risks around, for example, 5G infrastructure. "This won't solve the problem, but it solves an easy piece of the problem, and that's a plausible argument," he said. "I think we have a bigger problem -- we don't have many alternatives."

Waldron questioned the ability of the U.S. to ban Huawei from the supply chain entirely.

"The supply chain is context-specific. You have to take a lot into consideration: the technical solutions, the pervasiveness of the infrastructure in question, the history and structure of the company in question and the history and legal structure of the company of origin. I think the U.S. has quite rightly raised concerns based on these factors on Huawei. But as we've seen the U.S. has had limited success in regard to their strategy of kicking Huawei out of the global system and I think that raises some questions."

Moving forward, Waldron believes that the charges against Huawei will affect all technology coming out of China.

"Because of Huawei, in the minds of policymakers in Washington, technology companies from China is now synonymous with the name of the Chinese government. And they won't undo that, regardless of how much testing they go through."

Purdy concluded the often-heated debate by saying, "Block Huawei if you must, but we need to do a whole lot more to make America safer and make America more competitive in the world."
