The news media have closely followed recent efforts by Congress and the Federal Communications Commission to prohibit the use of Chinese equipment in U.S. communications networks, including equipment made by Huawei, on the ground that it poses a threat to national security.
By comparison, scant attention has been paid to the new cybersecurity strategy of the Department of Homeland Security. The DHS strategy calls for the implementation of comprehensive cybersecurity risk management practices, and advocates a sophisticated approach that will allow America to assess and reduce the cyber risk to government systems and critical infrastructure.
As the chief security officer at Huawei Technologies in the U.S. and the former lead cybersecurity official at the DHS, I believe it is in America’s best interest to follow the comprehensive DHS approach.
The DHS recognizes that many global actors can exploit the widespread vulnerabilities in government and private networks and systems. It does not target particular countries or companies in the misguided belief that threats originate only in certain parts of the world, or that only the products of certain companies are vulnerable.
By contrast, the National Defense Authorization Act, which lays out the annual budget for the Defense Department, would prohibit federal agencies and contractors from doing business with Huawei. Meanwhile, a proposal by the FCC would bar U.S. carriers that use Huawei equipment from receiving federal funds to provide broadband service to parts of the U.S. with little or no Internet access. Among those affected by the FCC’s proposed ban would be schools, libraries, rural health care providers, and low-income households, many of whom are Huawei customers.
Members of Congress may sincerely believe that barring one or two Chinese companies from the U.S. market will significantly protect the country’s networks. But today’s telecommunications industry is transnational and borderless. All of its leading players already use equipment developed or manufactured in China. In fact, such equipment accounts for a significant portion of the telecommunications and Internet equipment currently installed in American networks.
Any serious effort to protect U.S. networks will focus not on keeping out individual Chinese companies, but on establishing a comprehensive risk management approach that relies on recognized cyber risk management practices. This is precisely the approach advocated by DHS.
Because threats can originate anywhere, managing cyber risk is daunting. A white paper submitted to the FCC points out that an attacker “does not need to have telecommunications or Internet equipment inside the U.S., or even a person physically present in the U.S.” in order to launch a cyberattack. Programmable code can be implanted in hardware and software by virtual means, allowing malicious actors to conduct surveillance or launch an attack whenever and however they choose. Such unauthorized functionality can compromise the product of any company, anywhere in the world. Therefore, the risk from all providers must be assessed, with no providers simply assumed to be trustworthy.
Unfortunately, the recent report by the Office of Management and Budget demonstrates that most U.S. government agencies are vulnerable even to unsophisticated attackers. It suggests that greater congressional oversight and greater accountability of agency leadership are necessary to drive a more comprehensive approach to addressing national security and other risks.
At the same time, policymakers should bear in mind that overreaching or poorly targeted regulations usually have unintended consequences, such as those that will surely result from the FCC’s proposal to force rural carriers to remove China-sourced equipment from their networks. In many cases, Huawei’s is the only equipment that America’s small, independent carriers can afford. A federal order to remove it could pose “an existential threat” to small telecom operators across the country, according to the Rural Broadband Association. Such an order would also deny broadband Internet service to farms, schools, and hospitals that have no other means to get it.
Despite what Congress and the FCC are proposing, America’s real cybersecurity experts understand that the country will be made safer not by selectively banning one or two foreign companies from the U.S. market, but by implementing a comprehensive cybersecurity strategy—one that does not rely on trust, but instead uses robust processes that remove the need for it.
In a world of global supply chains, this is the only sensible approach. Once such processes are in place, then government agencies, private companies, and households can reap the advantages of new technologies and investments. Americans deserve nothing less.
Note: this article was originally published on Fortune.