Friday, January 10, 2020

Senior State Department Official On State Department 2019 Successes on Cybersecurity and 5G Issues

Released January 9th, 2020:

Office of the Spokesperson

Washington, D.C.

MODERATOR: Okay, as we continue our series of 2019 retrospectives and looking forward to 2020, we’ve brought in one of our leaders from the Economics Bureau. here will talk to you. He’ll start with some opening comments and then take some questions. And all right, sir, take it away.

SENIOR STATE DEPARTMENT OFFICIAL: Great. Thanks for that introduction. Happy New Year, everyone. Thanks for coming today. So I lead the part of the State Department that’s responsible for our international engagement on cyber security and digital economy matters. The State Department leads the United States’ efforts to promote an open, interoperable, reliable, and secure cyberspace and to see technology deployed around the world, including 5G technology, that’s secure and reliable.

As we see now, roughly half the world’s population now will be connected to the internet. We’re looking forward to seeing the next 3 billion people connected after that. But from that, even that amount of deployment we’ve seen, and we’ve obviously gained tremendously in the form of economic growth, trillions of dollars are generated a year just because we’re able to have greater efficiencies; greater sharing of data, information; improved supply chains from the internet in the ecosystem internationally that we have.

Of course, with those great opportunities come great challenges as well. Inherently cyberspace is borderless, therefore actions taken by one country in one part of the world can instantaneously affect others in other parts of the world, therefore we must have cooperation and coordination in cyberspace. We must use diplomatic tools to ensure that we are coordinated with partners, allies, and other friends to bring them along, and then also talk to competitors and adversaries about activities in cyberspace to ensure stability in cyberspace and to promote and prevent – promote successful outcomes that prevent cyber incidents from happening that could otherwise disrupt the commerce that we see throughout cyberspace.

One of the most significant accomplishments we had this year on the cooperation front was in late September during the High-Level Week at the UN General Assembly. Deputy Secretary Sullivan led a ministerial engagement where we had 26 other countries join in signing a joint statement about our united views on stability in cyberspace, committing to hold – first of all, committing to norms of responsible state behavior in cyberspace, responsible state behavior, and committing to hold nations that act contrary to those norms accountable for transgressions against these norms of responsible state behavior.

But for more than a decade we have been working – the United States and other governments have been working – the United Nations developed roughly 12 norms of responsible state behavior. And so the golden rule of those norms is that one nation should not attack another nation’s critical infrastructure that is providing services to the public. We saw actions that went against that in recent years, including in 2018 in the form of Russia’s launch of the NotPetya attack which disabled critical infrastructure around the world, as well as North Korea’s actions with the WannaCry ransomware attack that disrupted critical services to the public as well.

So we’ve promoted those norms. We’ve also been involved following the National Cyber Strategy, which was released in September of 2018. Over the last year of implementing, we’ve been the interagency lead for implementing our national cyber deterrent strategy. That is where we are marshalling additional tools – that is, consequences – that are timely, costly, and consequential enough to convince adversaries that they should not use irresponsible cyber tools to achieve their ends in cyberspace.

We know that our key competitors and adversaries in cyberspace see cyber as an asymmetric tool to achieve their ends. They will use cyber to achieve their political, economic, and even military ends in cyberspace, so we must be vigilant in how we respond to those. And it’s important that we continue to develop global consensus around responsible state behavior in cyberspace.

My office is also in charge of leading our efforts to work with our partners and allies and others to educate them about risks from the fifth generation of wireless technology, or 5G. We talked about the great opportunities that’s going to provide because it’s going to be the underpinning of all of our future critical infrastructure and provide tremendous amounts of data that can be used for artificial intelligence and enable a whole new set of services and activities online.

But of course, when we have that much connectivity, the disruption of it or the amount of data, sensitive personal data and corporate data is – can be put at risk in those networks. That’s why we think that we need to only have the most trusted of vendors providing 5G equipment – that is, the software and hardware – for those networks.

Over the last year, we’ve worked very closely with European countries in particular because they’re one of the first to move out on 5G. We had the European Union’s risk assessment come out in early October that noted a number of the concerns that we’ve been sharing with them, which include that because of the nature of 5G there will be a whole new expanded software attack surface area because it’s much more software dependent, and that countries need to focus on the risk of influence of a third country over vendors for those networks.

We’ve pointed to countries like China that have a national intelligence law that require a company to take actions when required to by the intelligence and security services and to do so secretly. So that kind of influence has been highlighted in the risk assessment in the EU, and it was further buttressed by a EU Council conclusions that came out on December 3rd that also acknowledged that they need to look at the legal and policy frameworks that govern a company that will be a vendor for 5G.

So we’ve had tremendous progress in that. There will be now a set of security recommendations, a toolbox they call it in the EU, coming out likely this month or in the next couple months from the EU. So in the next year we’re going to be focused very much on helping European countries implement these security measures.

Security for 5G is not just about the technical cyber measures that can include encryption, the architecture of the network, the configuration. It also focuses on what we call the non-technical measures; that is, the ability to trust a vendor in the network. It’s inherently possible for a vendor in the supply chain to insert malicious code in the many millions of lines of code and it not be discovered through any kind of technical means along the way, therefore you must have trust in the network. We’ve seen the Europeans recognize that and we’ve seen governments around the world start to recognize that concern. So we’ve made a lot of progress in that area.

The third thing I wanted to highlight was the State Department is also the lead for many of the international communications standards bodies that we engage in around the world. This last year was the World Radiocommunications congress – Conference in Sharm el-Sheikh, Egypt, which was important because that’s what they call their spectrum conference. As a result of that conference, which ended in November, we identified 17 gigahertz of millimeter-wave spectrum, which will be very important for 5G deployments. That – the spectrum that was identified for 5G there aligns with the Federal Communications Commission 5G FAST Plan. That means that we will have consistent efforts around the globe to have the same bands used for 5G that allow interoperability of equipment and an increase in the scale of equipment that’s all using the same bands. That was an important outcome for us and for the continued deployment of 5G in the United States.

I guess the last thing, or fourth thing, I should – I wanted to mention too was that Secretary Pompeo announced in the summer of 2018 that we were going to start a Digital Connectivity and Cybersecurity Partnership, which is a way of us providing assistance to countries around the world to help them deploy sustainable models for digital infrastructure to increase their connectivity, and to do so in ways that are open, secure, and consistent with democratic values.

In the last year we’ve now announced over $51 million in – through – in 2019 for this Digital Connectivity and Cybersecurity Partnership in just the Indo-Pacific region. That was our initial focus. And just in December we announced $10 million that we’re going to deploy into Latin America. So that program will continue into the next year, in 2020, and we’re looking forward to seeing successes in the form of additional training for countries and those countries coming along with seeing our model for an open and interoperable internet.

So with that, I’d love to take any questions you have.

MODERATOR: Matt.

QUESTION: Yeah. Hi, thanks. Over the last two weeks or so there’s been – there have been a lot of reports of an uptick in Iranian cyber attacks, harassment, that kind of thing. I’m wondering if that squares with what you’ve seen and if there’s any way of you – if you guys are tracking a surge in this, particularly after the Soleimani strike.

SENIOR STATE DEPARTMENT OFFICIAL: Well, what I can say is we know that for some time that Iran has been one of the most malicious actors out there. They’ve attacked our critical infrastructure in the past – our banks in 2012, and in 2016 and 2017 they executed data deletion operations against the Saudis and against private infrastructure in Saudi Arabia. So we’re very concerned about Iran’s capabilities and activities. I can’t specifically comment, unfortunately, on the tracking. That would be classified here related to Iran – Iran’s cyber activities.

QUESTION: Can I follow up?

MODERATOR: Go ahead.

QUESTION: I was going to say, can you elaborate at all if you’ve given any guidance to the diplomatic facilities or any State Department entities about stepping up their cyber security after what’s gone on with Iran?

SENIOR STATE DEPARTMENT OFFICIAL: I don’t think we’ve publicly said anything about that. Our Diplomatic Security Bureau is in charge of putting out advisories internally to our posts, and so I’d defer – refer you to them on that point. I would say that, as you probably know, the Department of Homeland Security has put out advisories related to this, to the Iranian threat, and we’ve talked to private – the private sector in the United States about being vigilant, and that’s the same message we send internationally as well. Unfortunately, I don’t have anything new other than what’s already been put out.

MODERATOR: Is that it? Carol.

QUESTION: Yeah. How vulnerable do you judge the U.S. being to the risk of Iran breaking into the infrastructure, and how would you – how would you compare Iran’s capabilities with that of China and North Korea and Russia?

SENIOR STATE DEPARTMENT OFFICIAL: Well, our Director of National Intelligence has put Iran on par with the other three countries as far as relative risk and their ability to intrude into industrial control systems of – into physical infrastructure. I don’t want to sort of characterize any more than that about our vulnerabilities as we are always reminding the private sector and individuals they need to be vigilant about the threats that they face from both criminals and other actors as well as the more sophisticated nation-state actors.

QUESTION: Well, is, say – is it a bigger threat to the infrastructure than, say, financial institutions, or can you talk generally about it without being specific, naming companies or networks?

SENIOR STATE DEPARTMENT OFFICIAL: Sorry, I can’t go into the specific. The Department of Homeland Security is in charge of sort of identifying that, and they’re – what they want to say publicly is what we would defer to as far as the threat to the United States and threat to sort of global infrastructure. I don’t want to step on their messaging.

QUESTION: Okay. Scale of 1 to 10, how big is the threat?

SENIOR STATE DEPARTMENT OFFICIAL: I’m not going to answer a hypothetical.

MODERATOR: Next? Nike.

QUESTION: Yes, hi. Thank you so much for coming to talk to us. So VOA broadcasts to many countries in Asia and in Africa. Many of them are eager to develop economies with high-tech communications. What did you – what does the U.S. say to these countries who are eager to develop their 5G networks and who see the most attractive equipment and financial packages are all Chinese? How many years back would – if they resist the offer by Huawei, how many years back would that set their 5G development?

SENIOR STATE DEPARTMENT OFFICIAL: Listen, zero is the answer to that question. I will say Huawei has had a global campaign of propaganda that’s been joined forces with – by the Chinese Ministry of Foreign Affairs to convince people that they will be set back if they do not use Huawei technology. That is absolutely false. Nokia, Ericsson, and Samsung are worldwide right now deploying 5G networks.

Just yesterday, Nokia announced that it signed over 60 commercial deployments. These aren’t just trials. These aren’t inflated numbers. They have more than 60 commercial deployments around the world. They’re already in numerous networks around the world, in their 4 – 3G and 4G networks. Turning to 5G, those three radio access network providers all can supply these countries.

And we would say to those countries it’s really important that you come into any contractual relationship with any company, but especially one of these Chinese companies, with complete awareness about the debt burden that you’ll be asked to take on in the long term, about the preconditions that can apply to that, about the ways that your data might be used or exfiltrated in the future, about the governance of the internet, about the policies that will be pushed forward.

We know that China has pushed forward models that have said we should limit access to the internet in the form of who’s allowed to be on it, what kind of content is on – content filters are applied to the internet, and as well as using it for things like assigning social credit scores and the policies that have been adopted through a surveillance network in the Xinjiang province in China. We think that countries should be very much aware that if they do business with a company like Huawei they are setting themselves up to be part of these types of governance models that are not consistent with probably the best interest of their public or with democratic values.

QUESTION: Do you see most Southeast Asian countries or Africa countries on board with the U.S. on this security warning?

SENIOR STATE DEPARTMENT OFFICIAL: So we’re seeing a greater recognition that they need to look at the supply chain and look at the factors that one needs to consider in the form of whether or not you can trust the vendor themselves and the ability of the vendor to influence the hardware, the software updates, and that technology. That’s been acknowledged by numerous countries now.

The deployments of 5G, especially in Southeast Asia and in Africa and other places in the developing world, are just starting. It’s going to play out over a period of years. So it’s too early to judge, I think, to say that whether or not they’ve adopted, if you will, a U.S. model. Really what we’re trying to have a discussion about is an awareness of the security issues. It’s not just cyber security. It’s an understanding that the supply chain inherently sets you up to be vulnerable because those trusted partners are already on the inside, and they have almost complete ability to update software and introduce changes to ways that the hardware and software operates over time.

So that understanding about the increased risk, I don’t think anyone was even talking about in 2018. I think through our efforts – if I may say – are why that now there’s a global discussion about the security of the supply chain.

MODERATOR: David.

QUESTION: On this 5G issue, it seems like in a lot of countries, in Africa and also in Europe, that your warnings about how China can coopt that system have fallen on deaf ears and a lot of countries are proceeding with plans to work with Huawei on building out their 5G networks. Can you speak a little bit to your frustration, if there is any, that they seem to be ignoring these demands from the U.S.? And what are you doing to counter that?

SENIOR STATE DEPARTMENT OFFICIAL: So I think that we’re hearing a lot of acknowledgment of the concerns we’d been raising and we’re hearing countries say they understand that. As I mentioned earlier, the European Union has put these specific concerns into their risk assessment, into the council conclusions. We anticipate seeing even more in the toolbox of security (inaudible) in the early part of this year.

We’ve also seen a number of country – a number of telecom operators quietly go with Ericsson, Nokia, and Samsung, and rest assured that Huawei was in their bidding at the same time. They’re probably even offering a lower price. We don’t know exactly, but that – there are a number of operators that are quietly doing this. It is really this Huawei-generated propaganda campaign out there that highlights every Huawei win as if it was a – the only thing that’s happening in the marketplace.

And I would just point out that a lot of these contracts are not yet executed on. They might sign something, but it does not actually lead to actual deployment of networks. Many countries are waiting for these European Union council – sorry – European Union security recommendations before they move out on deployment of the infrastructure.

And the other thing we talk to companies – countries about is it very important that they, at the end of the day, are responsible for their citizens’ wellbeing. It is a national security decision. It is not one that they should cede to the private companies, the telecom operators who do not have a full understanding of all the national security interests that are at stake and that which we talk to them about in our many bilateral engagements.

QUESTION: Thank you. To follow up on Nick’s question, in Europe we spoke about the progress with the EU as a global institution. Which other countries of concern where the discussions are still difficult on Huawei and the 5G?

SENIOR STATE DEPARTMENT OFFICIAL: Oh sorry, I just missed the very end.

QUESTION: Which are the countries of main concern, whether discussions in Europe are more difficult on Huawei?

SENIOR STATE DEPARTMENT OFFICIAL: Well, there’s discussions going on in many countries in Europe. I mean, I’m just reflecting what you can read in the press any day, and that’s in Germany there’s a lot of discussion going on about – they announced a toolkit that many of us consider to be inadequate, that suggested that just having some testing would be able to identify whether or not a vendor had a potential to introduce vulnerability. The testing will never find these vulnerabilities injected into millions of lines of code. So there’s a lot of debate going on in numerous countries in Europe at this time.

But we have seen operators in, for example, Norway already go with Ericsson or Nokia. We’ve seen many, as I said, go quietly and select a trusted vendor.

MODERATOR: Cool. Joel.

QUESTION: Thanks for doing this. I want to just go back to what you were saying about educating countries in governance models. Do you think that China will use their 5G deployments overseas to expand their own surveillance into – or perhaps this social credit score that you mentioned. Would there be – would China use overseas 5G networks to have a – to build out a global social credit score program?

SENIOR STATE DEPARTMENT OFFICIAL: We can’t say for sure what they will do. I think that’s in part because 5G is in a nascent stage. We don’t know all the data that people put into this network. There’s obviously a potential for much more personal data. We’ve seen, of course, how China has used surveillance through connected devices, including technology provided by Huawei to surveil its own citizens. It’s hard to say what would be done abroad.

We do know that the company has no choice but to follow the mandate of the Chinese Communist Party. They have – the company has no ability to stop that, because they don’t have a rule of law system and they don’t have an independent judiciary. So the real concern is all the potential things that could happen.

I can’t say, sitting here now, that I’m certain that this or that will be established. But there’s tremendous risk, especially for people who care about human rights and uses of data, to put yourself in a situation where a major part of your infrastructure, which you cannot replace easily, will be governed by a system that is not transparent and does not follow the rule of law.

MODERATOR: Alex.

QUESTION: Sorry I missed this, if you already addressed it, but I just wanted to ask for sort of a 5G-focused readout on the Pompeo-Raab meeting today. Did Pompeo press him on that issue? What was the reaction?

SENIOR STATE DEPARTMENT OFFICIAL: I haven’t seen anything on it yet.

QUESTION: And in terms of when the UK decision might come, have you heard – gotten any sort of sense of when we might find out?

SENIOR STATE DEPARTMENT OFFICIAL: I hear it’s soon.

QUESTION: One last one. I think Senator Cotton introduced a bill that would basically restrict countries that receive – that use Huawei in their 5G networks from receiving U.S. intelligence. And I just wondered if you would support that bill, if you think that should be passed.

SENIOR STATE DEPARTMENT OFFICIAL: Well, I can’t comment on that bill. We haven’t formed an interagency opinion on that. But I would also point out that – I think everyone knows, may know – that the National Defense Authorization Act contains a provision that requires the Intelligence Community to assess the cybersecurity quality of the infrastructure of any partner that they’re going to engage into agreement with.

And that follows into the general scope of what we’ve been sharing with countries, not as a threat to them, but to say that because of the sensitive information that we share with countries on a daily basis, because of the very robust information-sharing relationships that we have, operational relationships, we don’t want to see those degraded by the fact that we cannot share information in the same expeditious manner that we do today, by finding new channels or having to reassess how we do that. So we don’t want to end up in a position where we’re reassessing our information-sharing capabilities. So that’s why we in part ask them to ensure that they are going to trusted vendors.

QUESTION: Can I just ask a follow-up on that? Is the presence of a Huawei network, like in a country like the UK, automatically a deal breaker in terms of being able to share this kind of sensitive intelligence that you share with them now? I mean, it – just by Huawei being present, does that automatically mean that the network has some vulnerability that would let it —

SENIOR STATE DEPARTMENT OFFICIAL: We’re not ready to sort of say what – how we will respond, or how we might have to respond. We will have to do a reassessment is what we would say of any part of a network has Huawei or an untrusted vendor. There’s others that could be out there that we would consider untrusted. What we want is trusted suppliers, how we know – we know how they do their software upgrades; we know who’s responsible for the hardware and the software technology.

With NATO partners especially, we talk about the need to have good troop mobilization. We do not want to provide potential adversaries access to all the kind of data that proliferates around people’s daily activities that they would gain insight into what we’re doing because they also are the vendor for the telecom network.

So there’s a number of concerns that we sort of lay out there for our partners to make sure they’re aware of as they’re making these decisions, but we haven’t decided how exactly we would have to respond. But we would have to do some kind of reassessment.

QUESTION: So you’re pretty confident that the Scandinavians and the South Koreans aren’t going to become evil? It sounds that way. I mean, why do you have so much confidence in Ericsson, Nokia, and Samsung, that they’re not going to flip into a Huawei?

SENIOR STATE DEPARTMENT OFFICIAL: Yeah. Well, in part they’re publicly traded companies, so they respond to a board of directors. They appear to Western legal systems.

QUESTION: Now.

SENIOR STATE DEPARTMENT OFFICIAL: Yeah. If – Matt, if there were to be a change in the country, in the company, yeah, then you might have to reassess.

QUESTION: Well, why aren’t there any American companies out there in this?

SENIOR STATE DEPARTMENT OFFICIAL: So we’re talking about this —

QUESTION: Or are we not trusted either?

SENIOR STATE DEPARTMENT OFFICIAL: We talk about this radio access network, which is only a small – so Cisco is a major provider, Qualcomm is a major provider for other parts of the network. And on – we’re on the cusp of a change in the whole market where I think we’re going to see less lock-in to these five major providers in the world, and disaggregation where they – different components can be bought from different providers, and won’t be locked in.

QUESTION: Well, does that mean that you could possibly, if in Nick’s scenario, someone – a country goes with Huawei, that that – the vulnerability could be watered down by bringing in other companies, if there is this disaggregation so that you could basically minimize – even if Huawei is there, you could minimize the – or is that just some —

SENIOR STATE DEPARTMENT OFFICIAL: So our interagency experts’ assessment is that any smart components that belong to Huawei are a risk that’s too high to have, given what’s going to ride on these networks, given that there’ll be telemedicine, that there’ll be autonomous vehicles. I will say that as far as I can tell, the way that China develops their technology is to have a closed ecosystem that Huawei would just as soon have everything provided by Huawei chips and be totally politically integrated. And in part they subsidize all parts of that, too. The government subsidizes companies there. They have an unfair set of practices that make it cheaper. So I think it’s highly unlikely that even assuming that kind of hypothetical that they would ever be using Western components.

QUESTION: Okay. Last thing. We had a briefing – I think it was the week before Christmas, right – that touched on this Russian effort at the UN, and you guys were trying to stop it, but it didn’t have much hope of success, for a new cybercrime thing. And in fact, it went ahead and it passed. And so there’s this commission that it set up that’s supposed to report back by I think it was August.

SENIOR STATE DEPARTMENT OFFICIAL: Yeah, I think that’s right. Yeah.

QUESTION: Now that you’ve failed to stop it, what are the options to now prevent this commission from producing something that is then accepted by —

SENIOR STATE DEPARTMENT OFFICIAL: Yeah. What we really need to ensure is that that mechanism not be a conduit or a pretext for Russia to further have entrenched their view that there should be controls on content and controls on access to information. So we were going to – we’re going to participate in that process.

QUESTION: So you are? Okay.

SENIOR STATE DEPARTMENT OFFICIAL: We will have to participate because we don’t want to let that outcome happen. We were opposed to it passing because we think it’s entirely redundant. More than 60 countries have signed onto the Budapest Cybercrime Convention of 2004. But I don’t – we can’t just stand by while this —

QUESTION: But given the vote that created the commission, what – do you think that you have a realistic shot at doing what you’re saying, preventing this commission from coming out with a recommendation for a new treaty that has these problematic Russian elements in it?

SENIOR STATE DEPARTMENT OFFICIAL: I think so. I think the people around the world don’t want to see their access to information limited. They don’t want to see their access to the internet limited. I think that is a distinct minority view that thugs like to have, and I think there’s a lot more good-natured people than thugs.

QUESTION: So who will be the engaged – who, you?

SENIOR STATE DEPARTMENT OFFICIAL: It’ll be some part of – INL also works on this issue at the State Department.

QUESTION: Thanks.

MODERATOR: All right. Sarah, anything?

QUESTION: My question was asked.

MODERATOR: Okay. Anybody else? All right. Last one.

QUESTION: Sorry. The provision you mentioned of the NDAA, I know that was only signed into law December 20th, so it hasn’t been that long, but is it coming up? Is it something that U.S. officials are using in conversations with UK officials to say – to kind of shot across the bow, look, this is something that we can take into account as you guys make your decision on whether to integrate Huawei into your 5G?

SENIOR STATE DEPARTMENT OFFICIAL: First of all, it’s too early I think to respond that quickly to a legislative item. But also I’d say that we’re having very close conversations, very vigorous conversations, with the United Kingdom right now. So I don’t want to characterize what exactly is being said.

MODERATOR: All right. Thanks, everybody.

QUESTION: Thanks a lot.
