Katie Arrington, the Defense Department’s (DoD) Chief Information Security Officer for Acquisition and a driving force behind the Pentagon’s recently released Cybersecurity Maturity Model Certification (CMMC) program, voiced a vigorous defense on Feb. 26 of U.S. law and policy that bans the Federal government and its contractors from doing business with China-based network equipment maker Huawei.

The legality of that ban – rooted in the company’s alleged close ties with the Chinese government and fears that its network equipment could be used for nefarious purposes by the government – was upheld by a Federal district court judge earlier this month.

Speaking as a panelist late Wednesday at the RSA security conference in San Francisco to a large and not-always-entirely sympathetic crowd, Arrington held firm to two key points in the practical rationale behind the Huawei ban as it relates to her duties to improve security at DoD and in the defense industrial base.

“The law is the law,” she said. “In my job – I work for DoD – I’m going to enforce the law.”

And, she said, Huawei equipment is a “known risk … too much of a risk.” She continued, “my job is to buy down risk … I worry about my weapons systems.” Cutting Huawei gear from the supply chain “is a have-to-do, because the risk is so high.”

“We have our data, we have our research,” including classified research, Arrington said. “I know why we did what we did.”


Defending Huawei on the panel was Donald Purdy, chief security officer at Huawei Technologies USA, who argued it was unfair to single out his company because it has its headquarters in China, when other equipment makers located elsewhere may present a host of vulnerabilities on their own. He argued that the supply chain needs to be examined from a global perspective, and based on the premise that “there are other attack vectors that can be used.”

The large size and scope of the technology supply chain security issue was illustrated by Bruce Schneier, a well-known cryptography expert and lecturer at the Berkman Center for Internet & Society at Harvard Law School.

“Supply chain security is impossibly hard,” he said, arguing that security problems stem in part from older and weaker protocols that were favored by the U.S. in order to facilitate intelligence gathering by the government. “When you think of the supply chain,” he advised, “don’t worry about the company.” Instead, he said, look at the coders employed by them, and all the hands that a product passes through before it reaches an end user.

Because no commercially available equipment can be completely trusted to be free of “backdoors” constructed to allow for spying and intelligence gathering, Schneier said he didn’t know whether a “trustworthy network can be built out of untrustworthy parts.” The answer to that, he said, “is a research question at the DARPA [Defense Advanced Research Projects Agency] level … We should do that.”

When DoD evaluates technology and security, Arrington said, “we look at where source code was written” and what has happened to it since then. The agency also requires risk mitigation testing – “the testing we say needs to be done” – rather than what suppliers perform on their own, she said.

Schneier asserted that the worry with all equipment is that “lots of competent engineers can put in a backdoor that will never be disclosed.” Purdy argued that if it’s possible for engineers from many countries to build into technology backdoors for their benefit, then “blocking Huawei is not the problem.”

Asked whether DoD would evaluate the security of Huawei products, Arrington replied, “this is a moot point, the law is already done.” She also said “you can never solve all the problems” with supply chain security, but the government needs to identify the biggest problems and deal with those first.

“I am on the good side … I came here today to say the truth and hold the line,” she said. Tech security issues, she said, “snuck up on us” because proper security was not developed 20 years ago. “Can we do better? Yes. Will we do better? Yes,” she concluded.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.