Huawei backs supply chain security standards in wake of SolarWinds breach
Chinese telecommunications giant Huawei is backing the idea of tough global cybersecurity standards for critical supply chains, in particular following a recently uncovered major breach of many U.S. federal agencies.
“Set up global standards that are very tough … so that you have a hard baseline of good cybersecurity practices and thresholds and criteria, so you don’t have to go to bed at night worrying about your supply chain, whether you are a consumer, whether you are the customer, or whether you’re the government,” Don Morrissey, Huawei’s head of Congressional, State and Local Government Affairs, told The Hill during a virtual interview on Thursday.
The breach of IT company SolarWinds, which U.S. intelligence officials have said was “likely” carried out by sophisticated Russian hackers, has been classified as a supply chain incident, because it involved the attackers infiltrating SolarWinds software to gain access to up to 18,000 of its customers.
These customers included at least nine federal agencies, among them the Commerce, Defense, Homeland Security, State and Treasury departments, and many private sector groups.
Huawei, one of the largest 5G equipment manufacturers in the world, has come under fire in recent years from the Trump administration and bipartisan members of Congress over both cybersecurity concerns and concerns over its ties to the Chinese Communist Party.
The company is on the Commerce Department’s “entity list,” effectively blacklisting the group, and was classified by the Federal Communications Commission (FCC) last year as a national security threat, with U.S. companies banned from using FCC funds to purchase Huawei equipment.
Huawei is challenging the FCC designation in court.
In addition, former President Trump signed legislation into law last year that established a fund to help smaller telecommunications groups rip out and replace equipment deemed to be a national security threat, and classified Huawei as such.
Morrissey strongly emphasized the cybersecurity of Huawei products to The Hill on Thursday, and said the company backed the idea of the U.S. putting in place tougher standards for companies involved in critical supply chains.
“You see this in the SolarWinds case, you have a loose definition of a ‘trusted vendor’ that is a geostrategic appellation,” Morrissey said. “Then you have a trusted vendor that is used as a trojan horse for a nation state attack.”
“That tells you we need baselines for all new vendors, not just those that are so-called ‘trusted,’ ” he added. “We need good cybersecurity definitions of what a trusted vendor is, and that only comes from very tough regimes on risk assessment, risk management, third-party testing. Then you have the ability to set a new baseline that gives consumers, customers and governments the ability to see everything that is happening and have some assurance.”
Morrissey stressed that “the key question for the U.S. is trust,” and that “the final consideration should be meeting the criteria for a more rigid risk assessment, risk mitigation and third-party testing on what you produce, that’s extremely important.”
Morrissey’s comments were made the day after President Biden signed an executive order to improve the supply chains of critical resources, including semiconductors used in many new technologies such as modern cars. The order included a requirement for key agencies to submit a report within a year on issues including cyber threats to sector-specific supply chains.
The Trump administration also took steps to limit Huawei’s access to semiconductors, or chips, by restricting the company’s access to American software and technology used to make chips.
Morrissey told The Hill that the company reached out to the Biden administration about working together on supply chain security, describing the executive order as “a smart move.”
“We have communicated our urgent desire to communicate with the Biden administration and to work collaboratively with them to look at good, solid solutions to very rigorous cybersecurity baselines across all vendors,” Morrissey said.
When asked if the Biden administration had responded, he said that “we’ve communicated our willingness to engage, the administration is very new.”
The Biden administration is still considering how it will approach Huawei. The Trump administration made pushing back against the company a key priority, and worked with allied nations to highlight security concerns. Several nations, including the United Kingdom and France, have subsequently taken steps against the company as well.
A few of Biden’s top nominees for federal office have been questioned about Huawei. It has proved a sticking point for Commerce secretary nominee Gina Raimondo, whose nomination was put on hold by Sen. Ted Cruz (R-Texas) last month due to his concerns that she had not been clear about whether Huawei would remain on the entity list.
Raimondo said during her Senate nomination hearing that she would “review the policy, consult with you, consult with industry, consult with our allies, and make an assessment as to what’s best for American national and economic security,” but did not specifically commit to the company remaining on the list.
Morrissey pointed out that removing Huawei from the blacklist was not as simple as the secretary deciding to do so. He pointed to a clause in the 2020 National Defense Authorization Act that requires the Commerce Department to present evidence to Congress that the company is no longer a security threat before it can be taken off the entity list.
“It’s a pretty direct set of certifications that have to be done,” Morrissey said. “We think we can meet those certifications over time, and we hope the Commerce Department will get to that, but the Commerce Department’s, executive branch’s responsibilities to the Senate, to the House are pretty clear under the legislation.”