How Huawei could affect U.S.-ally relationships

A federal official said the government would "reassess" how it shares sensitive intelligence with foreign allies who use products from Huawei or other vendors the U.S. deems too risky, but stopped short of endorsing legislation in Congress that would ban such sharing.

In a background briefing with the media, a State Department official fielded questions about ongoing friction with European allies over how best to ensure the security of emerging 5G telecommunications networks.

Last week Sen. Tom Cotton (R-Ark.) introduced legislation that would ban intelligence sharing between the U.S. and any country that uses products made by Chinese telecom giant Huawei in its 5G network. That would seem to represent a step further than the position outlined by Secretary of State Mike Pompeo last year, when he warned the U.S. wouldn't be able to share information and may not be able to co-locate American military resources with countries that "put [Huawei] in some of their critical information systems."

The official said the executive branch has yet to form an interagency position on Cotton's bill, but suggested the U.S. would most likely look to limit especially sensitive information-sharing efforts or seek alternative means of communication with those countries rather than cut them off entirely.

The message U.S. officials are sending is not a threat but "to say that because of the sensitive information that we share with countries on a daily basis, because of the very robust information-sharing relationships that we have, operational relationships, we don't want to see those degraded by the fact that we cannot share information in the same expeditious manner that we do today, by finding new channels or having to reassess how we do that," the official said according to a readout of the briefing.

Asked if the use of Huawei by a U.S. ally like the U.K. amounted to a "deal breaker" when it comes to sharing sensitive intelligence, the official stopped short, saying no determination has been made.

"We're not ready to sort of say what -- how we will respond, or how we might have to respond," the official said. "'We will have to do a reassessment,' is what we would say of any part of a network has Huawei or a[n] untrusted vendor."

The U.S. has banned Huawei products from government networks, altered rules to prevent telecom carriers using the company's equipment from receiving grants to help build rural broadband infrastructure and placed Huawei on a Department of Commerce export control list that will severely limit its ability to buy parts and components from American companies in the future. Those domestic moves have been paired with a diplomatic offensive abroad, with the U.S. urging allied countries to adopt similar policies and freeze Huawei out of contract negotiations for new 5G networks. That part of the plan has had only limited success.

The U.S. would "say to those countries, 'It's really important that you come into any contractual relationship with any company, but especially one of these Chinese companies, with complete awareness about the debt burden that you'll be asked to take on in the long term, about the preconditions that can apply to that, about the ways that your data might be used or exfiltrated in the future, about the governance of the internet, about the policies that will be pushed forward,'" the official said.

In particular, Germany -- which declined U.S. pressure to ban Huawei last year and where its top carrier, Telefonica Deutschland, has tapped both Huawei and Nokia for its 5G work -- was named as a country of concern. The German government put out security guidelines that called for technical evaluations and other forms of testing to minimize the risks for Huawei and other foreign firms, something the State official called "inadequate."

Germany "announced a toolkit that many of us consider to be inadequate, that suggested that just having some testing would be able to identify whether or not a vendor had a potential to introduce vulnerability," the official said. "The testing will never find these vulnerabilities injected into millions of lines of code."

Other allies have had little trouble finding those security problems. An evaluation of Huawei's source code last year by an oversight body set up by the British government and the networking company found "serious and systemic defects" in the software and little progress in fixing previously identified vulnerabilities. The review board warned it could provide "only limited assurance" to the government that those risks could be mitigated over the long term. However, the report attributed those bugs to incompetent software engineering rather than intentional malice.

This article first appeared on FCW, a partner site of Defense Systems.