With lawmakers increasingly wary of Chinese-made 5G infrastructure, cybersecurity experts say even peripheral use of the equipment in networks could lead nowhere good.
Senators have a warning for U.S. allies whose network providers plan to incorporate Chinese-made 5G telecommunications gear.
"We're telling the world, 'If you buy Chinese 5G stuff, you're not doing business with us,'" Sen. Lindsey Graham (R-S.C.) said in his questions to two U.S. cybersecurity experts about the nation's 5G cybersecurity policy.
Those officials maintained that the nation's "risk-based" cybersecurity policies and supply chain protections offer solid protection, but Graham, who chairs the Senate Judiciary Committee, was trying to pin them down to broader implications. He made his remarks in a Judiciary Committee hearing on the developing 5G market and potential threats from Chinese companies such as Huawei and ZTE.
"Every nation should think long and hard" about opening up their telecommunications infrastructure to potential data theft and espionage from Chinese-made 5G network equipment, committee Ranking Member Sen. Dianne Feinstein (D-Calif.) said.
U.S. cybersecurity agencies have repeatedly sounded the alarm on gear made by Huawei and ZTE, calling it a cybersecurity and economic threat because the companies are legally tied to the China's government and intelligence operations.
The senators and U.S. cybersecurity experts are concerned about the installation of Huawei and ZTE equipment -- not only in U.S. telecomm infrastructure, even though U.S. carriers have vowed not to use it -- but in the telecom infrastructure of European allies.
In April, the U.K.'s National Security Council voted to allow the use of Huawei gear in "non-core" portions of the country's developing 5G network. On May 14, news reports from the U.K. said Huawei's Chairman Liang Hua had said the company would sign a "no spying" agreement with the U.K. government for its 5G equipment.
Robert Strayer, deputy assistant secretary for cyber and international dommunications and information policy in the State Department's Bureau of Economic and Business Affairs, told the Judiciary committee that the U.K.'s decision to allow Huawei gear into non-core network functions "isn't final."
The U.S. hasn't yet prohibited interconnection with other countries' networks based the presence of Chinese telecommunications gear.
Strayer warned, however, that even in the "non-core" portion of 5G infrastructure, dubbed the Radio Access Network, the equipment could introduce vulnerabilities in the secure networks of the "Five Eyes" nations -- Australia, Canada, New Zealand, the U.K. and the U.S. -- that share intelligence information. Chinese 5G gear in the edge of a countries' network, he said, could also allow access to critical infrastructure networks and to regular, but critical, telephony communications such as those related to troops deployments.
The separation of core and peripheral network duties and gear, said Strayer, becomes less meaningful with 5G. "5G more seamlessly integrates the core and edge," he said.
Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, said allied countries' 5G networks that contain Chinese makers' equipment could pose a threat to federal networks, particularly those of the Defense Department, even without direct spying or data theft emanating from the gear.
"It's increasingly about the availability of the network," he said. If a portion of the traffic from a Defense Department mission in Europe, Africa or elsewhere is riding on a commercial network that's supported by Huawei, DOD command and control could be short-circuited. "They would control our ability to communicate," Krebs said
According to Krebs, Huawei and ZTE pose a three-pronged cyber threat in developing 5G markets where they are used. Those threats, he said, can also transfer to countries that may not use the companies' products, but are connected to networks that do.
Citing a U.K. oversight board report, Krebs said the design of Huawei gear "isn't great, so there are a number of vulnerabilities" that can be exploited -- not only by the Chinese government, but by other "capable actors," including Russia, Iran and North Korea. Software updates to the equipment is also a problem, particularly if those updates come directly from China, he said. The third issue, according to Krebs, is how Huawei and ZTE maintain their equipment in customer networks.
"The way they manage this equipment tends to be by shipping out Chinese nationals to the host country for hands-on" maintenance, he said. "You have a physical insider threat."
Krebs and Strayer told the committee that European telecom gear makers Nokia and Ericsson and South Korea's Samsung offer better 5G equipment than Chinese suppliers.
"We'll be secure in the U.S." with 5G, said Strayer, since all four major U.S. telecommunications carriers have vowed not to use Chinese gear in their networks. It is the presence of Chinese equipment in U.S. allies' networks that is concerning, he said.
Krebs said a possible gap in the U.S. could lie with small, mostly rural telecommunications companies that find the Huawei gear cheaper. Krebs said CISA is working with those service providers to help them address risks and find alternatives.