#RSAC: Raucous Panel Debates Huawei Risk to US Supply Chain Security

Donald (Andy) Purdy, chief security officer at Huawei Technologies USA, levelled some harsh criticism aimed at the US government during a panel at the RSA Conference in San Francisco.

Purdy was participating in an extremely animated and contentious panel on supply chain security. In his opening remarks, Purdy asked (rhetorically) if the US is ready for its “worst day” with communication and supply chain resilience. He went on to ask if it was, in fact, effective risk mitigation for the US to rip and replace Huawei equipment and argued that there are other, more important areas of risk that should be focused on.

“There are other attack vectors,” Purdy said. “Are we going to consider a vendor trusted just because they are not headquartered in China? One thing I’ve learned at this conference is that you can’t trust anyone.”

Huawei has been banned from federal networks in the US by law after it was alleged that the Chinese network equipment vendor was integrating backdoors into its 5G technologies. The US has also pressured its allies, including the UK, to block Huawei equipment.

Katie Arrington, cyber information security officer of acquisitions at the US Department of Defense (DoD), argued strongly in support of the government ban on Huawei as a way to lower risk.

“You can’t secure everything,” Arrington admitted, “but we have our own data and the recommendation was made to take Huawei out for a very specific reason.”

She added that the law is the law, and US lawmakers have passed a law banning Huawei.

“Our job at the DoD is to make sure that you’re safe, that we’re doing our best to reduce the risk,” she said. “We have our data and there are reasons why we are doing the things that we are doing.”

Purdy repeatedly replied to Arrington with the question of whether or not America is ready for the worst possible day. He also asked Arrington to respond to the accusation that at least five nations in the world can virtually implant hidden backdoors in hardware and software.

“Please help America be safer to help figure out how we can come up with uniform standards and conformance programs, testing and continuous monitoring, to help make sure we’re safe,” Purdy said.

Arrington shot back defiantly, stating that the DoD is already doing continuous monitoring. She repeated that the classified intelligence she has been privy to made it clear that Huawei’s 5G is an “exacerbated big risk.”

“When you are willing to convey control to another country, that is a problem in the US, end of story. Period,” she said.

Supply Chain: An Insurmountable Problem

Bruce Schneier, security technologist, researcher and lecturer at the Harvard Kennedy School, commented that in his view, supply chain security is an insurmountable problem. It’s not just about trusting the country of origin of a vendor either, as the global supply chain is highly distributed.

Schneier also noted that detecting software backdoors can be very difficult, if not impossible. He added that what the US wants is to be able to spy on others, but it doesn’t want anyone else to have the same capabilities.

“Our best hope for the worst day is that our stuff doesn’t work and neither does theirs,” Schneier said to a round of audience applause.

Arrington retorted that you have to assume some risk in the supply chain. That said, she strongly stated that when there is a product that could take over and run the most critical things in a country, that’s an unacceptable risk.

“I don’t want to be in a world where I wake up one morning and things don’t work,” Arrington said. “I want to make sure that control remains here.”

Purdy argued that if it is possible that multiple countries have the ability to implant hidden backdoor functionality, then blocking Huawei doesn’t solve the problem.

“We need to make sure we can find the bad stuff in all the products and we hope this community can help with that,” Purdy said.

Arrington agreed that there is a need to look at all vulnerabilities and help to ensure security throughout the supply chain. To that end, she noted that the DoD has been working on the Cybersecurity Maturity Model Certification (CMMC), to provide a framework to ensure verifiable trust and integrity in the supply chain.

The moderator for the panel discussion, Craig Spiezle, founder of Agelight Advisory and Research Group, asked Arrington if Huawei would be able to participate in the CMMC to qualify its 5G products in the future, which elicited a swift reply.

“It’s against the law; why would you ask such a silly question?” she quipped.