CFR Presents

Asia Unbound

CFR experts give their take on the cutting-edge issues emerging in Asia today.

Print Print Email Email Share Share Cite Cite
Style: MLA APA Chicago Close

loading...

Huawei, Cybersecurity, and U.S. Foreign Policy

by Adam Segal
October 10, 2012

Reps. Mike Rogers and Dutch Ruppersberger hold a news conference on Huawei and ZTE in Washington House Intelligence Committee Chairman Mike Rogers (R-MI) (L) and Rep. Dutch Ruppersberger (D-MD) hold a news conference to release a report on "national security threats posed by Chinese telecommunications companies Huawei and ZTE" on Capitol Hill in Washington October 8, 2012. (Yuri Gripas/Courtesy Reuters)

Most of the attention generated by the report by Chairman Mike Rogers and Ranking Member C. A. Dutch Ruppersberger of the House Select Committee on Intelligence (HSCI) has focused on the issues of trade, trust, and Huawei’s and ZTE’s future access to the U.S. market. The report, however, should also be seen as another step in the effort to construct a coherent foreign policy response to cyber espionage.

The domestic agenda has revolved around three debates: the government’s role in setting security standards for the private sector; how the government and private sector should share threat information; and the respective roles of DHS and NSA in defending the private sector. The foreign policy component has been more difficult. Deterrence statements that the United States reserves the right to respond to a cyberattack through kinetic means are not credible in the case of espionage. The call for norms of behavior and rules of the road in cyberspace are applicable to the use of force and acts of war, but not spying. Moreover, the U.S. position, especially in regard to China, is basically that it should be able to continue what it is good at—political and military spying—while Beijing ceases something Washington prohibits by law—economic espionage.

The public foreign policy response to Chinese cyber espionage has been naming and shaming, and raising the issue at high level bilateral meetings. After months if not years of limiting themselves to saying that state-based actors were behind an attack without specifying which state, U.S. officials are no longer shy about calling out China, Russia, and others as being the culprits. The Office of the National Counterintelligence Executive called Chinese actors the “world’s most active and persistent perpetrators of economic espionage.” High level meetings, such as Secretary Clinton’s meeting with Foreign Minister Yang Jiechi and Secretary Panetta’s discussion with Defense Minister General Liang Guangjie, are now used to express American unhappiness with Chinese attacks.

These have not had the desired effect yet; Rear Admiral Samuel Cox, Cyber Command’s intelligence chief, recently said that attempts by Chinese hackers to steal corporate secrets have been growing. Now the HSCI report has suggested two additional steps: penalizing individual entities and increased intelligence community (IC) involvement in monitoring foreign private sector actors. The report is about Huawei and ZTE, but is also signaling to Chinese entities that if there is enough* open source and classified intelligence to suggest attacks on U.S. economic interests, then the U.S. government will respond. In this instance, Rogers and Ruppersberger suggest limiting access to the domestic market, but future options could include financial, travel, or other sanctions directed not just at companies but also universities or individual hackers.

The report also hints at, but does not discuss directly, the possibility that Chinese companies will come under (greater?) scrutiny from the intelligence community. The report notes that the investigation involved two connected elements: a review of Huawei and ZTE and an effort to “ascertain whether the IC is appropriately prioritizing and resourced for supply chain risk evaluation.” This is not publicly discussed—footnote three mentions a classified annex with “information about the resources and priorities of the IC”—but I assume it means counterintelligence against Chinese collection efforts.

The question of what is enough or appropriate evidence is going to be difficult for the United States moving ahead. Many will find U.S. government assurances that it has the goods unbelievable, and the report itself is thin on details, with the majority of evidence being nothing direct but rather the Chinese firms refusal to answer questions or giving contradictory and confusing responses.

Most of the threats the report identifies as being characteristic of Huawei—unsecured supply chains in China, vulnerability of middle managers to recruitment by intelligence agents, government access to networks for state security—could be said to afflict any telecommunications company in the world. These are real threats and the solution promoted by many, including Huawei, is a transparent process of inspections that could be scaled globally (a process Huawei agreed to in the United Kingdom). The report dismisses Huawei’s suggestions as insufficient and the process as too complicated. Both may be true, but Rogers and Ruppersberger could have made more of an effort to describe a process that would work. Here the report missed an opportunity to address its own credibility issues, broaden the problem, and build a coalition.

Post a Comment No Comments

Post a Comment

CFR seeks to foster civil and informed discussion of foreign policy issues. Opinions expressed on CFR blogs are solely those of the author or commenter, not of CFR, which takes no institutional positions. All comments must abide by CFR's guidelines and will be moderated prior to posting.

* Required

Pingbacks