WEBVTT 00:00.450 --> 00:02.620 - Hello, and welcome to LiveAtState, 00:02.620 --> 00:04.310 the State Department's interactive 00:04.310 --> 00:06.770 virtual press briefing platform. 00:06.770 --> 00:09.190 I'm delighted to welcome participants joining us today 00:09.190 --> 00:12.400 from Europe, Africa, and around the globe. 00:12.400 --> 00:14.840 Today we'll be speaking with Robert L. Strayer, 00:14.840 --> 00:16.910 Deputy Assistant Secretary for Cyber 00:16.910 --> 00:20.480 and International Communications and Information Policy. 00:20.480 --> 00:22.770 The topic of today's discussion and Q&A 00:22.770 --> 00:25.970 is U.S. policy on 5G technology. 00:25.970 --> 00:27.640 Before I turn it over to Mr. Strayer 00:27.640 --> 00:29.100 for some opening remarks, 00:29.100 --> 00:32.470 I'd like to make a few comments on procedures for questions. 00:32.470 --> 00:34.510 You can start submitting your questions now 00:34.510 --> 00:37.550 in the Questions tab at the top of your screen. 00:37.550 --> 00:39.480 If you see someone else ask a question 00:39.480 --> 00:41.360 you would also like us to answer, 00:41.360 --> 00:44.000 you can upvote it by clicking the Like button 00:44.000 --> 00:46.080 to the right of that question. 00:46.080 --> 00:48.350 We will try to answer as many as we can, 00:48.350 --> 00:49.810 but our time is limited, 00:49.810 --> 00:52.310 so please vote to indicate the questions 00:52.310 --> 00:54.580 you'd most like us to cover. 00:54.580 --> 00:55.560 If you would like to receive 00:55.560 --> 00:57.470 a transcript of today's briefing 00:57.470 --> 01:00.840 and links to broadcast-quality audio and video files, 01:00.840 --> 01:02.570 please fill out the short survey 01:02.570 --> 01:06.060 by clicking on the Polls tab at the top of the event page. 01:06.060 --> 01:08.010 And with that, let's get started. 01:08.010 --> 01:09.880 DAS Strayer, thank you for joining us today. 01:09.880 --> 01:12.540 I'll turn it over to you for some opening remarks. 01:12.540 --> 01:13.373 - Thank you. 01:13.373 --> 01:14.770 The United States wants to maintain 01:14.770 --> 01:18.040 a secure cyberspace for future generations. 01:18.040 --> 01:21.550 We and our partners recognize that cyber policy issues 01:21.550 --> 01:24.920 are critical to not just protecting communications networks, 01:24.920 --> 01:27.970 but also to national security, human rights, 01:27.970 --> 01:31.010 and economic prosperity around the world. 01:31.010 --> 01:33.820 Because of its impact on these vital interests, 01:33.820 --> 01:36.680 cyber policy is a foreign policy priority 01:36.680 --> 01:38.480 for the United States. 01:38.480 --> 01:41.370 The security of information communications technologies, 01:41.370 --> 01:46.000 or ICTs, is an essential element of national security. 01:46.000 --> 01:48.600 These networks and services play a crucial role 01:48.600 --> 01:53.130 in the safety, security, and prosperity of each nation. 01:53.130 --> 01:56.450 The fifth generation of wireless technology, or 5G, 01:56.450 --> 02:00.000 will be transformative by providing consumers and businesses 02:00.000 --> 02:02.810 with up to 100 times faster connections 02:02.810 --> 02:05.940 than 4G networks provide, and with low latency, 02:05.940 --> 02:06.810 which is the time devices need 02:06.810 --> 02:09.440 to communicate with one another. 02:09.440 --> 02:10.880 Billions of new devices 02:10.880 --> 02:12.980 will become connected to the internet, 02:12.980 --> 02:14.780 enabling the internet of things. 02:14.780 --> 02:16.180 And these connections will empower 02:16.180 --> 02:19.490 a vast array of new critical services, 02:19.490 --> 02:22.550 from artificial intelligence to autonomous vehicles 02:22.550 --> 02:26.150 to telemedicine and automated manufacturing. 02:26.150 --> 02:28.490 Since 5G networks will begin to touch 02:28.490 --> 02:30.500 every aspect of our lives, 02:30.500 --> 02:33.710 the stakes could not be higher for its security. 02:33.710 --> 02:35.470 As countries around the world expand 02:35.470 --> 02:38.270 and update their ICT infrastructure, 02:38.270 --> 02:42.780 we are urging them to adopt a risk-based security framework. 02:42.780 --> 02:44.530 An important element of this 02:44.530 --> 02:47.610 is a careful evaluation of the supply chain 02:47.610 --> 02:49.420 and equipment vendors. 02:49.420 --> 02:51.860 In particular, this evaluation should result 02:51.860 --> 02:54.060 in the exclusion of equipment vendors 02:54.060 --> 02:55.930 that are subject to unchecked 02:55.930 --> 02:59.423 or extrajudicial control by a foreign power. 03:00.390 --> 03:01.750 These vendors could be ordered 03:01.750 --> 03:05.870 to undermine network security, to skim personal information, 03:05.870 --> 03:09.950 conduct espionage, distribute cyber attacks, 03:09.950 --> 03:12.580 and disrupt critical infrastructure. 03:12.580 --> 03:14.240 A significant cause for concern 03:14.240 --> 03:15.820 are a number of Chinese laws 03:15.820 --> 03:17.560 that compel their companies 03:17.560 --> 03:20.710 to cooperate with intelligence and security services 03:20.710 --> 03:23.750 without independent judicial controls. 03:23.750 --> 03:26.220 Responding to this risk, the United States enacted 03:26.220 --> 03:28.800 the National Defense Authorization Act last year, 03:28.800 --> 03:30.860 which prohibits the U.S. Government 03:30.860 --> 03:32.090 from using equipment or services 03:32.090 --> 03:34.580 from certain high-risk companies 03:34.580 --> 03:38.920 that are associated with, owned, or controlled by China. 03:38.920 --> 03:41.670 And no major U.S. wireless carrier 03:41.670 --> 03:44.900 plans to use Huawei or ZTE equipment 03:44.900 --> 03:47.593 in the buildout of its 5G network. 03:48.430 --> 03:50.240 The good news is that many other countries 03:50.240 --> 03:53.200 are also acknowledging this supply chain risk 03:53.200 --> 03:56.420 and strengthening their ICT security. 03:56.420 --> 03:59.160 And last month, the European Union Commission 03:59.160 --> 04:00.720 released a set of recommendations 04:00.720 --> 04:04.100 to improve the cyber security of 5G networks, 04:04.100 --> 04:07.140 noting that evaluations of equipment suppliers 04:07.140 --> 04:10.910 should include the risk of influence by a third country, 04:10.910 --> 04:15.350 notably in relation to its model of governance. 04:15.350 --> 04:19.150 These criteria must be rigorously applied. 04:19.150 --> 04:21.270 Moving forward in early May, 04:21.270 --> 04:23.610 the Czech Republic is hosting an important conference 04:23.610 --> 04:28.610 on 5G security that is attracting scores of countries. 04:28.690 --> 04:30.530 The United States welcomes their leadership 04:30.530 --> 04:34.000 and supports this initiative to create nonbinding principles 04:34.000 --> 04:35.860 on 5G network security 04:35.860 --> 04:39.130 that will drive global conversations on this issue. 04:39.130 --> 04:43.020 At the same time, many countries are not yet focused on 5G, 04:43.020 --> 04:44.910 but it's not premature for countries 04:44.910 --> 04:47.590 primarily using 2G and 3G networks 04:47.590 --> 04:48.930 to consider their strategies 04:48.930 --> 04:52.590 for ensuring future network security now. 04:52.590 --> 04:55.518 Decisions about who builds and how you secure 04:55.518 --> 04:58.280 4G infrastructure are crucial 04:58.280 --> 05:01.930 because they will affect the security of future 5G networks. 05:01.930 --> 05:04.623 With that, I would be happy to answer your questions. 05:05.840 --> 05:07.530 - Great, thank you, sir. 05:07.530 --> 05:09.710 First question comes from Martin Koelling 05:09.710 --> 05:12.050 at Handelsblatt in Germany. 05:12.050 --> 05:15.310 What are the risks and opportunities for cyber security 05:15.310 --> 05:17.090 in the 5G era? 05:17.090 --> 05:20.030 What is the speed and timeline of 5G expansion? 05:20.030 --> 05:21.860 What is the role of new technologies 05:21.860 --> 05:25.780 like pseudo-satellite, e.g. Softbank and Loon? 05:25.780 --> 05:27.480 - So a number of new technologies 05:27.480 --> 05:30.570 will be built upon the 5G infrastructure. 05:30.570 --> 05:32.900 They will be empowered by the internet of things, 05:32.900 --> 05:35.320 they will be empowered by the very low latency 05:35.320 --> 05:37.420 and very high, up to 100 times 05:37.420 --> 05:40.550 what is current throughput on the networks. 05:40.550 --> 05:41.490 So we're going to see all kinds 05:41.490 --> 05:43.540 of not just new communications, 05:43.540 --> 05:46.380 but the ability for all kinds of critical infrastructure 05:46.380 --> 05:49.670 to ride over that infrastructure itself. 05:49.670 --> 05:51.910 So there's tremendous amount of economic growth 05:51.910 --> 05:53.860 that will occur in all the applications 05:53.860 --> 05:58.560 that ride on top of the actual infrastructure itself. 05:58.560 --> 06:00.690 So unlike the 4G networks of today, 06:00.690 --> 06:05.200 where they're relied on primarily for communications 06:05.200 --> 06:09.900 and the use of our smart devices, handheld smartphones, 06:09.900 --> 06:14.900 new types of direct machine communications will occur. 06:16.940 --> 06:20.580 - Next question is from Jack Stubbs at Reuters in the UK. 06:20.580 --> 06:23.580 How does the U.S. view the UK's reported decision 06:23.580 --> 06:26.700 to allow Huawei to build parts of its 5G network? 06:26.700 --> 06:28.250 And what do you want to achieve 06:28.250 --> 06:31.110 at the 5G conference in Prague? 06:31.110 --> 06:33.850 - Well, first I would note that the United Kingdom 06:33.850 --> 06:36.230 has not announced a final decision. 06:36.230 --> 06:38.130 Like all of us, they're on a path of having 06:38.130 --> 06:42.480 continued conversations about security of 5G networks. 06:42.480 --> 06:44.520 I'd also point out that the United Kingdom, 06:44.520 --> 06:47.050 through their Huawei oversight board report, 06:47.050 --> 06:49.360 noted there were hundreds of vulnerabilities, 06:49.360 --> 06:51.820 including systemic engineering problems 06:51.820 --> 06:53.940 with Huawei technologies. 06:53.940 --> 06:55.100 So we're looking forward to continuing 06:55.100 --> 06:56.580 the conversations with them, 06:56.580 --> 06:58.060 and with a number of other countries 06:58.060 --> 07:01.280 at the Czech Republic-hosted conference 07:01.280 --> 07:03.470 that will occur later this week in Prague 07:03.470 --> 07:06.190 that will help define some nonbinding principles 07:06.190 --> 07:08.450 that all of us can apply to improving 07:08.450 --> 07:10.970 the security of our 5G networks, 07:10.970 --> 07:13.870 including with respect to the supply chain of the vendors. 07:15.120 --> 07:16.830 - Now, our platform is, 07:16.830 --> 07:18.790 as I was mentioning before the show, democratic. 07:18.790 --> 07:20.950 And we're going to turn next to the question 07:20.950 --> 07:22.240 that has the most votes right now, 07:22.240 --> 07:25.770 which is from Mark Bridge at The Times in the UK. 07:25.770 --> 07:28.180 Recently, you indicated that use of Huawei 07:28.180 --> 07:30.980 anywhere in a nation's 5G infrastructure 07:30.980 --> 07:34.143 would harm cooperation between that nation and the U.S. 07:34.143 --> 07:35.900 Britain will use Huawei equipment 07:35.900 --> 07:38.080 in parts of its 5G infrastructure. 07:38.080 --> 07:41.600 Will cooperation between the U.S. and the UK be hindered? 07:41.600 --> 07:44.220 - It's premature to address that exact part of the question, 07:44.220 --> 07:45.820 but I will say this: 07:45.820 --> 07:48.280 As our economies become more interconnected, 07:48.280 --> 07:50.730 including our digital economies, 07:50.730 --> 07:53.820 more data transmits between the United States and Europe 07:53.820 --> 07:55.450 than any other part of the world, 07:55.450 --> 07:58.060 which of course includes the United Kingdom, 07:58.060 --> 07:59.982 we know that a disruption to services 07:59.982 --> 08:02.730 or a disruption to the ability to store 08:02.730 --> 08:06.740 or access information that transmits between those routes 08:06.740 --> 08:09.170 across the Atlantic will impact all of us. 08:09.170 --> 08:12.320 So indeed, it's not just about the sharing of intelligence 08:12.320 --> 08:14.490 or the cooperation on information sharing, 08:14.490 --> 08:16.217 it's about all the services that we're providing 08:16.217 --> 08:21.060 across the Atlantic today that could be disrupted. 08:21.060 --> 08:22.610 And it's not just the disruption, 08:22.610 --> 08:24.097 but as well as the intrusion of, 08:24.097 --> 08:26.833 insertion of cyber vulnerabilities 08:26.833 --> 08:29.373 or the use of the networks for espionage. 08:30.890 --> 08:32.500 - Next question along similar lines 08:32.500 --> 08:34.250 from The Wall Street Journal. 08:34.250 --> 08:37.100 What is the government's planned course of action 08:37.100 --> 08:40.400 for the now likely case that European allies such as Germany 08:40.400 --> 08:43.090 allow Huawei to build their 5G networks, 08:43.090 --> 08:44.633 in some detail if possible? 08:45.600 --> 08:47.570 - Well, it's premature to assess that. 08:47.570 --> 08:50.637 I mean, we have said that if the risk to, 08:50.637 --> 08:55.560 if other countries insert and allow untrusted vendors 08:55.560 --> 08:58.660 to build out and become the vendors for their 5G networks, 08:58.660 --> 09:01.360 we will have to reassess the ability for us 09:01.360 --> 09:03.630 to share information and be interconnected with them 09:03.630 --> 09:05.590 in the ways that we are today. 09:05.590 --> 09:07.370 Exactly how that will be done 09:07.370 --> 09:10.510 will depend on the risk of the equipment 09:10.510 --> 09:12.163 that's put into the new networks. 09:13.910 --> 09:15.580 - Expanding a bit from Europe, 09:15.580 --> 09:18.410 Nike Ching from Voice of America asks: 09:18.410 --> 09:19.790 Can you please give us a sense, 09:19.790 --> 09:22.490 what is the strategy in alerting nations 09:22.490 --> 09:27.480 in Southeast Asia and Africa where Huawei is very popular? 09:27.480 --> 09:28.313 - All right. 09:28.313 --> 09:30.360 So a year ago nobody was talking about 09:30.360 --> 09:33.730 the supply chain risks related to 5G networks, 09:33.730 --> 09:36.240 and there was a limited discussion 09:36.240 --> 09:38.209 related to 4G and 3G networks 09:38.209 --> 09:41.470 on the importance of supply chain security. 09:41.470 --> 09:43.710 So we've continued to have discussions 09:43.710 --> 09:45.260 with governments around the globe 09:45.260 --> 09:47.090 about supply chain security 09:47.090 --> 09:48.610 and its importance for all types 09:48.610 --> 09:49.750 of telecommunications networks, 09:49.750 --> 09:52.290 both the current generations of telecom networks 09:52.290 --> 09:54.260 as well as future generations. 09:54.260 --> 09:56.460 So we're gonna continue to engage with those governments. 09:56.460 --> 09:58.180 We're going to share our views 09:58.180 --> 10:02.610 and our understandings about what are the avenues, 10:02.610 --> 10:07.050 and what is really going to be an enhanced attack surface 10:07.050 --> 10:11.640 in 5G because of the ability for much more software 10:11.640 --> 10:13.010 that will drive the networks' ability 10:13.010 --> 10:15.867 for a potential adversary to compromise that software 10:15.867 --> 10:18.650 in any part of the networks. 10:18.650 --> 10:20.050 Furthermore, we're talking to countries 10:20.050 --> 10:21.730 about the shared values that we have, 10:21.730 --> 10:24.910 our shared values related to fundamental human rights 10:24.910 --> 10:26.340 and civil liberties. 10:26.340 --> 10:27.770 We want to talk about the importance 10:27.770 --> 10:30.253 of enabling the sharing of data 10:30.253 --> 10:32.320 in ways that are not going to be compromised 10:32.320 --> 10:34.650 that could result in authoritarian governments 10:34.650 --> 10:36.100 getting access to data 10:36.100 --> 10:38.741 and potentially compromising peoples' ability 10:38.741 --> 10:41.604 to have free expression, to peacefully assemble, 10:41.604 --> 10:43.850 or to exercise freedom of religion. 10:43.850 --> 10:46.980 We have, of course, seen that in China in recent years 10:46.980 --> 10:48.580 and we're very concerned about 10:48.580 --> 10:51.330 the ability of a government to compel 10:51.330 --> 10:54.250 telecommunications providers to provide that type of data 10:54.250 --> 10:56.453 to a government that has that track record. 10:57.760 --> 10:59.610 - Next question is from Steven Swinford 10:59.610 --> 11:02.270 at the Daily Telegraph in the UK. 11:02.270 --> 11:03.780 Do you believe that allowing Huawei 11:03.780 --> 11:07.460 to help build Britain's or any country's 5G telecoms network 11:07.460 --> 11:08.970 will risk national security 11:08.970 --> 11:12.833 even if it only applies to non-core parts of the network? 11:13.817 --> 11:15.850 - It's the United States' position 11:15.850 --> 11:19.740 that putting Huawei or other untrustworthy vendors 11:19.740 --> 11:24.453 in any part of the 5G telecommunications network is a risk. 11:25.380 --> 11:28.910 We are concerned that even at the edge of that network, 11:28.910 --> 11:30.780 where we're going to see increasingly 11:30.780 --> 11:32.877 what they're calling software-defined networks 11:32.877 --> 11:36.212 and the virtualization, the software virtualization 11:36.212 --> 11:39.270 of activities as part of the network 11:39.270 --> 11:43.160 that are done more today by hardware than software, 11:43.160 --> 11:45.100 but as they're increasingly done by software 11:45.100 --> 11:47.460 there's that increased attack surface. 11:47.460 --> 11:50.690 Having potentially compromised equipment 11:50.690 --> 11:52.400 and software provided by vendors 11:52.400 --> 11:56.640 in any part of that network is an unacceptable risk. 11:56.640 --> 11:58.390 - So a question along similar lines 11:58.390 --> 12:01.590 from Laurens Cerulus from POLITICO. 12:01.590 --> 12:03.160 Do you consider the distinction between 12:03.160 --> 12:04.730 core and radio networks 12:04.730 --> 12:07.950 a sensible approach to managing 5G security? 12:07.950 --> 12:10.070 - It is our position in the United States 12:10.070 --> 12:13.716 that there is no way that we can effectively mitigate 12:13.716 --> 12:18.030 the risk to having an untrustworthy vendor 12:18.030 --> 12:19.993 in the edge of the network. 12:23.100 --> 12:24.960 - Next question from The Wall Street Journal. 12:24.960 --> 12:29.180 Is there anything that the U.S. Government and/or its allies 12:29.180 --> 12:32.430 could do to help Huawei's rivals in America and Europe 12:32.430 --> 12:34.060 to become more competitive, 12:34.060 --> 12:36.220 or to shield them from potential retributions 12:36.220 --> 12:37.730 on the Chinese market? 12:37.730 --> 12:39.060 - I need to be clear here. 12:39.060 --> 12:41.370 The effort that we're undertaking around the world, 12:41.370 --> 12:44.750 our global diplomatic effort, has nothing to do with trade. 12:44.750 --> 12:47.960 It's 100 percent about national security interests. 12:47.960 --> 12:51.630 The conversations we're having are about national security. 12:51.630 --> 12:53.850 That said, it's also important to point out 12:53.850 --> 12:56.180 that there is no U.S. provider 12:56.180 --> 12:58.050 for the wireless radio networks, 12:58.050 --> 13:00.490 so we're not advancing a U.S. interest here. 13:00.490 --> 13:02.580 The primary competition to the Chinese 13:02.580 --> 13:05.370 are a Finnish company, a Swedish company, 13:05.370 --> 13:06.720 and a South Korean company. 13:08.300 --> 13:10.570 - Next question from Meaghan Tobin 13:10.570 --> 13:12.840 at the South China Morning Post. 13:12.840 --> 13:16.130 How will the U.S. approach to military cooperation 13:16.130 --> 13:19.820 and intelligence sharing with nations which use Huawei 13:19.820 --> 13:22.230 in some aspects of their 5G networks, 13:22.230 --> 13:25.180 for example, allies like the Philippines and Thailand, 13:25.180 --> 13:28.070 within the U.S.'s historically conducted military exercises, 13:28.070 --> 13:30.580 how will that change if those are both going ahead 13:30.580 --> 13:33.060 with Huawei 5G tests? 13:33.060 --> 13:35.760 - Well, certainly we want to have the opportunity 13:35.760 --> 13:37.660 to continue to have engagement with those governments 13:37.660 --> 13:41.910 about the future buildout of the 5G networks. 13:41.910 --> 13:44.530 They're in 4G, have 4G networks they, like all of us do, 13:44.530 --> 13:45.860 that are, they're now just starting 13:45.860 --> 13:47.390 to build out 5G networks. 13:47.390 --> 13:49.620 So we hope to convince them that in their 5G networks 13:49.620 --> 13:53.163 they should not have untrustworthy vendors in the network. 13:54.180 --> 13:56.970 That said, if there is an insertion 13:56.970 --> 14:00.040 of an untrustworthy vendor into a network, 14:00.040 --> 14:01.960 we're going to have to evaluate our ability 14:01.960 --> 14:03.460 to share information 14:03.460 --> 14:05.832 and how we would share that information. 14:05.832 --> 14:08.210 - Next question is from Markus Balser 14:08.210 --> 14:12.370 at Sueddeutsche Zeitung in Germany. 14:12.370 --> 14:15.310 Despite U.S. pressure, Germany refuses to exclude 14:15.310 --> 14:17.310 Huawei's 5G technology. 14:17.310 --> 14:19.330 How is this step seen by you? 14:19.330 --> 14:21.370 And is there a risk that Germany 14:21.370 --> 14:23.603 will lose access to intelligence sharing? 14:25.370 --> 14:27.253 - So on the positive note, 14:28.240 --> 14:31.260 Germany has released a set of security standards 14:31.260 --> 14:34.740 related to 5G, which include looking at the ability 14:34.740 --> 14:38.930 for another country to undermine the data security laws 14:38.930 --> 14:41.063 in Germany and in the European Union. 14:42.590 --> 14:44.650 Acknowledging that general standard, though, 14:44.650 --> 14:46.770 the actual implementation that would occur 14:46.770 --> 14:48.700 down the road is very important. 14:48.700 --> 14:50.760 It's crucial that that be, 14:50.760 --> 14:53.610 that particular element related to the supply chain 14:53.610 --> 14:56.130 and the ability of a third country 14:56.130 --> 15:00.020 to compel its vendors to act in the interests of that, 15:00.020 --> 15:02.454 of an authoritarian country be considered. 15:02.454 --> 15:05.920 If that is actually applied in a rigorous way, 15:05.920 --> 15:09.563 then it should lead to the prohibition of Huawei 15:09.563 --> 15:13.033 and ZTE from networks in Germany and around the world. 15:14.010 --> 15:16.070 - Next question comes from Poland: 15:16.070 --> 15:21.070 The EU is coming up with the ACTA2 policy, A-C-T-A-2 policy. 15:21.840 --> 15:23.890 How beneficial are these kinds of policies 15:23.890 --> 15:26.303 as they infringe on our right to information? 15:27.490 --> 15:29.330 - I'm not actually familiar with that law. 15:29.330 --> 15:33.076 - Okay, well, we can attempt to come back to that 15:33.076 --> 15:35.033 at a different briefing. 15:36.330 --> 15:38.060 The next question is again about 15:38.060 --> 15:43.060 the ability of other companies to build out the 5G networks, 15:45.190 --> 15:47.190 specifically from Les Echos. 15:47.190 --> 15:48.023 The question is: 15:48.023 --> 15:50.576 Do Ericsson and Nokia have enough capacity 15:50.576 --> 15:53.193 to build the U.S. 5G network? 15:54.100 --> 15:56.520 - Well, in our wireless carriers' view, 15:56.520 --> 15:58.390 I'm here representing the U.S. Government, of course. 15:58.390 --> 15:59.760 I cannot comment exactly 15:59.760 --> 16:02.040 on their internal supply chain issues. 16:02.040 --> 16:04.810 But my understanding is that our carriers 16:04.810 --> 16:06.610 have no concern about the ability 16:06.610 --> 16:10.300 for Ericsson, Nokia, and Samsung to supply their networks. 16:10.300 --> 16:13.670 Of course, they have said that they're not going to use 16:13.670 --> 16:18.150 Huawei or ZTE technology in their 5G networks. 16:18.150 --> 16:19.780 I think it's also important to recognize 16:19.780 --> 16:21.050 that when we talk about 5G, 16:21.050 --> 16:24.020 there's an entire ecosystem of component parts 16:24.020 --> 16:25.900 that will go into that well beyond 16:25.900 --> 16:28.080 just the wireless radio interface. 16:28.080 --> 16:29.990 There will be all kinds of networking 16:29.990 --> 16:31.370 and rallying that go on. 16:31.370 --> 16:33.360 There are American companies and companies around the world 16:33.360 --> 16:36.190 that supply that, including Cisco and Juniper. 16:36.190 --> 16:39.047 There's also gonna be a very big importance too 16:39.047 --> 16:42.400 as we see more and more of the network virtualized, 16:42.400 --> 16:45.540 that is, software taking over the role 16:45.540 --> 16:47.900 that was previously performed by hardware. 16:47.900 --> 16:49.730 There'll be more data storage in effectively 16:49.730 --> 16:51.770 what is the cloud, a cloud environment. 16:51.770 --> 16:54.330 So there's many companies providing cloud infrastructure 16:54.330 --> 16:56.883 for that 5G ecosystem. 16:58.290 --> 16:59.980 - The next question from Parmy Olson 16:59.980 --> 17:01.650 at The Wall Street Journal. 17:01.650 --> 17:04.110 Can you elaborate on how the U.S. is defining, 17:04.110 --> 17:07.398 quote-unquote, sensitive networks for 5G infrastructure? 17:07.398 --> 17:09.950 And is that definition different 17:09.950 --> 17:12.730 from the UK's current definition? 17:12.730 --> 17:14.560 - Well, I don't really want to get into 17:14.560 --> 17:16.980 how we would define what are more sensitive networks 17:16.980 --> 17:18.240 and less sensitive networks. 17:18.240 --> 17:21.700 I would just revert back to the point I was making earlier, 17:21.700 --> 17:23.370 which is that in our view, 17:23.370 --> 17:27.450 because of the interconnectedness and the dramatic changes 17:27.450 --> 17:29.890 we're going to see in what 5G enables, 17:29.890 --> 17:32.010 that underlying infrastructure affecting 17:32.010 --> 17:35.180 the entire value stack of applications above it, 17:35.180 --> 17:37.940 that there are truly critical services 17:37.940 --> 17:40.090 that will be provided that we cannot see undermined 17:40.090 --> 17:42.330 in any part of a 5G network. 17:42.330 --> 17:44.120 We should be concerned about all parts 17:44.120 --> 17:46.500 of the 5G network going forward. 17:46.500 --> 17:49.410 And so therefore, no part of a 5G network 17:49.410 --> 17:53.170 should have parts or software coming from a vendor 17:53.170 --> 17:54.980 that could be under the control 17:54.980 --> 17:56.813 of an authoritarian government. 17:57.850 --> 18:00.330 - Next question from journalist Han Chen: 18:00.330 --> 18:02.040 Huawei and the Chinese Government 18:02.040 --> 18:04.600 have repeatedly denied U.S. allegations 18:04.600 --> 18:07.440 that Huawei equipment poses a security risk, 18:07.440 --> 18:09.150 claiming that the U.S. has not offered 18:09.150 --> 18:11.060 any concrete evidence. 18:11.060 --> 18:14.120 What is your strategy in countering those claims? 18:14.120 --> 18:16.850 - Well, I think it's important to recognize 18:16.850 --> 18:18.690 that there's been a number of allegations 18:18.690 --> 18:20.930 that Huawei and ZTE over the years 18:20.930 --> 18:24.815 have been involved in intellectual property theft. 18:24.815 --> 18:28.150 In fact, there's currently an indictment against Huawei 18:28.150 --> 18:30.180 in the United States for the theft 18:30.180 --> 18:32.570 of intellectual property from T-Mobile, 18:32.570 --> 18:35.458 and that indictment notes that there was a campaign 18:35.458 --> 18:38.277 within the company to provide bonuses 18:39.510 --> 18:43.143 to employees who stole intellectual property. 18:44.780 --> 18:46.460 It's also important to recognize 18:46.460 --> 18:49.830 that it's not just the intellectual property theft. 18:49.830 --> 18:51.650 It's the ability for the government 18:51.650 --> 18:53.110 under their national intelligence law 18:53.110 --> 18:56.182 to compel that company to act in any way 18:56.182 --> 19:00.874 that is in the interests of the Chinese Communist Party. 19:00.874 --> 19:05.330 So in the future, they could be asked to do things 19:05.330 --> 19:06.580 they're not asked to do today. 19:06.580 --> 19:08.903 The way we look at it is there is a combination 19:08.903 --> 19:11.863 of intent, capabilities, and opportunity. 19:12.730 --> 19:14.690 With regard to intent, 19:14.690 --> 19:17.660 we've seen that China has a history 19:17.660 --> 19:19.440 of intellectual property theft 19:19.440 --> 19:20.830 that has occurred over the years 19:20.830 --> 19:24.760 that resulted in a statement in the Rose Garden in 2015 19:24.760 --> 19:28.640 with President Obama that it was not lived up to. 19:28.640 --> 19:31.350 We noted last December, on December 20th, 19:31.350 --> 19:34.250 that China was behind the global hacking 19:34.250 --> 19:36.350 of what are called managed service providers, 19:36.350 --> 19:40.921 including global cloud providers around the world. 19:40.921 --> 19:43.750 And what China did is they used that data that it stole 19:43.750 --> 19:46.150 from some of the biggest companies around the world 19:46.150 --> 19:50.250 to provide to its own companies for their economic benefit. 19:50.250 --> 19:52.370 So we know there's a history of intellectual property theft. 19:52.370 --> 19:56.620 We also know there's a use of data in China 19:56.620 --> 19:59.420 that's contrary to the values that we have in the West. 19:59.420 --> 20:02.650 We've seen data used to assign social credit scores 20:02.650 --> 20:05.670 to then conduct surveillance against citizens, 20:05.670 --> 20:07.650 and then to use that information 20:07.650 --> 20:11.820 to put more than a million Uighurs into re-education camps. 20:11.820 --> 20:14.700 So those uses of data are completely contrary 20:14.700 --> 20:16.500 to the West's view, so we know there's an intent 20:16.500 --> 20:18.000 to use data in different ways 20:18.000 --> 20:19.900 than we would ever want to see used 20:19.900 --> 20:23.290 under our views about fundamental human rights. 20:23.290 --> 20:25.517 Secondly, we come to the capabilities. 20:25.517 --> 20:26.580 With regard to capabilities, 20:26.580 --> 20:28.870 we know there's the national intelligence law in China, 20:28.870 --> 20:30.240 the counterterrorism law, 20:30.240 --> 20:31.650 and then a number of other laws 20:31.650 --> 20:34.140 that come together to provide the Chinese Government 20:34.140 --> 20:36.800 complete control over their private sector 20:36.800 --> 20:38.710 and state-owned companies. 20:38.710 --> 20:40.080 And then lastly, opportunity. 20:40.080 --> 20:41.370 As I mentioned before, 20:41.370 --> 20:45.110 the attack surface in a 5G network is greatly expanded. 20:45.110 --> 20:47.110 Some have asked, where is the smoking gun? 20:47.110 --> 20:49.200 Well, it's hardly appropriate to ask 20:49.200 --> 20:50.470 for the smoking gun evidence 20:50.470 --> 20:52.580 when we don't even have 5G networks built out yet, 20:52.580 --> 20:55.220 we don't have a history of 5G, 20:55.220 --> 20:57.500 and the, especially as use cases get built out 20:57.500 --> 21:00.160 to provide massive amounts of new data, 21:00.160 --> 21:01.800 the temptation will be there 21:01.800 --> 21:06.000 to come after that data and use it for illicit purposes. 21:06.000 --> 21:10.030 So that all combined, the intent, the capabilities, 21:10.030 --> 21:11.931 and the opportunity, what we really have here 21:11.931 --> 21:13.910 is a loaded gun, 21:13.910 --> 21:16.360 is something that Western democracies who value human rights 21:16.360 --> 21:17.960 should think very carefully about 21:17.960 --> 21:20.360 if they want to give that to an authoritarian regime 21:20.360 --> 21:22.893 with very different values about the uses of data. 21:24.800 --> 21:26.570 - Next question from Peter O'Dwyer 21:26.570 --> 21:28.930 at The Times, Ireland edition. 21:28.930 --> 21:30.950 Was the EU commission's decision 21:30.950 --> 21:33.570 to ask member-states to carry out a risk assessment 21:33.570 --> 21:36.820 of the security risks posed by 5G technology 21:36.820 --> 21:38.570 rather than to ban Huawei 21:38.570 --> 21:40.870 sufficient from a U.S. point of view? 21:40.870 --> 21:41.870 And what should Ireland, 21:41.870 --> 21:43.840 which is currently undertaking such an assessment, 21:43.840 --> 21:46.500 consider as part of that exercise? 21:46.500 --> 21:48.930 - We think that the European Commission's recommendation 21:48.930 --> 21:52.660 to conduct assessments by the end of June 21:52.660 --> 21:55.140 and then come up with a European-wide policy 21:55.140 --> 21:57.100 is a positive first step. 21:57.100 --> 22:00.590 Of course, it's very important that this analysis, 22:00.590 --> 22:03.320 this evaluation, be done in a very rigorous way, 22:03.320 --> 22:05.451 particularly as it relates to the supply chain. 22:05.451 --> 22:07.190 As I mentioned earlier, 22:07.190 --> 22:09.520 the European Union's recommendation 22:09.520 --> 22:11.530 says to consider the governance 22:11.530 --> 22:14.850 of third countries where vendors are located. 22:14.850 --> 22:17.370 So it's very important to look at the laws in that country, 22:17.370 --> 22:20.980 the legal regime, the ability for companies there 22:20.980 --> 22:23.020 to seek independent judicial redress, 22:23.020 --> 22:24.890 to object if they are compelled 22:24.890 --> 22:26.820 to do something by the government. 22:26.820 --> 22:28.310 That, of course, does not exist in China. 22:28.310 --> 22:30.030 There is not an independent judiciary 22:30.030 --> 22:32.120 and there is an inability for companies to say 22:32.120 --> 22:35.350 that they do not want to comply 22:35.350 --> 22:38.660 with Chinese Communist Party direction. 22:38.660 --> 22:40.840 So with that in mind, 22:40.840 --> 22:43.130 we are hopeful that countries in Europe 22:43.130 --> 22:46.270 apply that type of framework and evaluation 22:46.270 --> 22:48.760 as they think about what kind of vendors 22:48.760 --> 22:50.660 they want in their 5G networks. 22:50.660 --> 22:55.660 So as I said, the European Commission's recommendations 22:56.230 --> 22:58.530 highlighting security related to 5G 22:58.530 --> 23:01.970 and including the fact that supply chain security 23:01.970 --> 23:04.280 is important is a positive first step, 23:04.280 --> 23:06.900 but it's gonna be, the truth, the sort of, 23:06.900 --> 23:09.508 it will be borne out in how the, 23:09.508 --> 23:13.210 those standards and those evaluations are done 23:13.210 --> 23:14.043 in the months ahead. 23:14.043 --> 23:15.670 So we're in a very critical time 23:15.670 --> 23:17.476 for discussions with the European Union 23:17.476 --> 23:19.083 in the next few months. 23:20.180 --> 23:22.250 - Another question from POLITICO. 23:22.250 --> 23:25.100 Can operators maintain a multi-vendor policy 23:25.100 --> 23:27.020 to manage their cyber security risks 23:27.020 --> 23:29.493 without having access to Chinese vendors? 23:30.850 --> 23:32.260 - Certainly. 23:32.260 --> 23:34.200 I think that question probably refers 23:34.200 --> 23:37.610 to who's managing the networks themselves. 23:37.610 --> 23:40.320 There's a number, a wide number of Western companies 23:40.320 --> 23:43.460 providing cybersecurity threat intelligence 23:43.460 --> 23:46.340 and cybersecurity management tools. 23:46.340 --> 23:48.169 If you just go to the RSA cyber conference, 23:48.169 --> 23:51.760 there's tens of thousands of companies that are there. 23:51.760 --> 23:54.020 There's no reason that one would 23:54.020 --> 23:56.320 have to necessarily turn to a Chinese company. 23:58.002 --> 24:00.610 - A question from Jack Stubbs at Reuters in the UK. 24:00.610 --> 24:03.470 Has the U.S. approach to 5G shifted away from Huawei 24:03.470 --> 24:06.250 and towards calling for increased security standards 24:06.250 --> 24:07.390 across the board? 24:07.390 --> 24:09.630 If so, why the shift? 24:09.630 --> 24:10.983 - There has not been a shift. 24:10.983 --> 24:12.930 Our entire diplomatic effort 24:12.930 --> 24:14.520 has always started with the premise 24:14.520 --> 24:16.560 that we need a risk-based security framework 24:16.560 --> 24:20.210 that includes looking very carefully at the supply chain. 24:20.210 --> 24:22.820 We think that an evaluation of the supply chain 24:22.820 --> 24:24.500 for a risk-based approach, 24:24.500 --> 24:26.110 that includes looking at the insertion 24:26.110 --> 24:30.270 of intentional vulnerabilities, must require, 24:30.270 --> 24:33.120 requires someone to look at the countries 24:33.120 --> 24:34.720 where those vendors are located 24:34.720 --> 24:36.820 and the laws of those countries, 24:36.820 --> 24:39.090 particularly as it relates to authoritarian regimes, 24:39.090 --> 24:41.010 their ability to compel companies 24:41.010 --> 24:43.100 to act in that country's interest. 24:43.100 --> 24:45.535 So we've started from that general framework 24:45.535 --> 24:48.710 and we look at the laws that are in place 24:48.710 --> 24:51.610 and then the vendors that are subject to those laws 24:51.610 --> 24:53.970 are the ones that we say should be excluded 24:53.970 --> 24:58.800 from providing 5G infrastructure. 24:58.800 --> 25:01.400 So we're not targeting a particular country. 25:01.400 --> 25:02.940 I know there's been a number of questions 25:02.940 --> 25:06.690 about particular countries, companies within countries. 25:06.690 --> 25:08.560 We've answered those questions, in our view, 25:08.560 --> 25:12.200 about those companies' activities 25:12.200 --> 25:14.250 and some concerns about them, 25:14.250 --> 25:16.770 but the overall framework that we're applying here 25:16.770 --> 25:19.800 is a security framework that does, 25:19.800 --> 25:23.020 that is then applied to a particular country 25:23.020 --> 25:24.173 and particular vendors. 25:25.030 --> 25:27.710 - Next question, another from Africa, 25:27.710 --> 25:32.600 from Pearl Matibe at NewsDay, in Zimbabwe. 25:32.600 --> 25:35.330 Zimbabwe is doing deals with China. 25:35.330 --> 25:37.700 What are the next steps that would ensure 25:37.700 --> 25:41.200 emerging markets with U.S. 5G technology infrastructure? 25:41.200 --> 25:42.760 Is the U.S. open to establishing 25:42.760 --> 25:44.963 a working group with the diaspora? 25:46.520 --> 25:49.840 - Well, I will say more generally, 25:49.840 --> 25:53.850 the Chinese One Belt, One Road program 25:53.850 --> 25:56.300 has been offering countries in Africa 25:56.300 --> 26:00.130 and around the world what are basically loan terms 26:00.130 --> 26:01.070 that you would never find 26:01.070 --> 26:06.070 in any type of Western development bank, 26:06.440 --> 26:08.470 but what we ask the countries to think about 26:08.470 --> 26:10.310 is the strings that are attached to that. 26:10.310 --> 26:12.910 These are essentially predatory loans. 26:12.910 --> 26:17.910 They often ask for collateral to be attached to those loans. 26:18.330 --> 26:19.430 As we see in some cases, 26:19.430 --> 26:21.700 it's required countries to give up the ownership 26:21.700 --> 26:24.450 of their ports when they weren't able to make payments. 26:25.770 --> 26:27.840 They've also done these deals 26:27.840 --> 26:30.730 in many cases in non-transparent ways. 26:30.730 --> 26:32.370 It's very hard for the public 26:32.370 --> 26:35.740 and others to have knowledge of what kind of deals 26:35.740 --> 26:39.480 are being struck in these deals. 26:39.480 --> 26:42.413 They're not in, done in the best practices 26:42.413 --> 26:43.960 that we would consider in the West 26:43.960 --> 26:48.370 to be ways that countries and companies 26:48.370 --> 26:50.360 should be doing business. 26:50.360 --> 26:53.760 So we would like to have a very close dialogue 26:53.760 --> 26:55.520 with countries like Zimbabwe 26:55.520 --> 26:58.450 about how we can potentially assist them 26:58.450 --> 26:59.980 in financing their infrastructure. 26:59.980 --> 27:02.140 There's a number of development banks around the world 27:02.140 --> 27:05.233 who are able to invest in that type of infrastructure. 27:06.320 --> 27:10.880 So whether it's all sorts of important infrastructure, 27:10.880 --> 27:12.900 including telecommunications infrastructure, 27:12.900 --> 27:15.240 we seek to be very engaged with them 27:15.240 --> 27:17.530 and look for opportunities to make 27:18.400 --> 27:21.250 that economic prosperity come about 27:21.250 --> 27:23.180 in ways that are transparent 27:23.180 --> 27:25.540 and will lead to the long-term prosperity 27:25.540 --> 27:27.810 of citizens in those countries. 27:27.810 --> 27:29.420 - And we have one final question, 27:29.420 --> 27:31.330 this one again from POLITICO. 27:31.330 --> 27:34.630 Have you been satisfied with the draft Prague principles 27:34.630 --> 27:36.470 that you've seen so far? 27:36.470 --> 27:38.010 What elements do you consider key 27:38.010 --> 27:40.223 for these non-binding principles to work? 27:41.560 --> 27:43.890 - Well, I will say that I am very satisfied 27:43.890 --> 27:46.790 with our engagement with the Czech Republic 27:46.790 --> 27:49.939 and their very diligent work on these principles. 27:49.939 --> 27:52.085 I don't want to get ahead of them and the announcement 27:52.085 --> 27:54.640 of the principles that they are going to have 27:54.640 --> 27:55.580 at their conference. 27:55.580 --> 27:58.860 I look forward to having discussions with them. 27:58.860 --> 28:00.480 We really appreciate their leadership 28:00.480 --> 28:02.090 on this important issue 28:02.090 --> 28:04.780 and their drafting of the principles. 28:04.780 --> 28:05.820 - And before we wrap, 28:05.820 --> 28:07.650 I would like to give you the opportunity 28:07.650 --> 28:09.590 for any final remarks. 28:09.590 --> 28:10.423 - Thank you. 28:10.423 --> 28:11.320 Thank you very much for having me, 28:11.320 --> 28:14.730 and I appreciate everyone who's been on in the online world, 28:14.730 --> 28:17.280 participating and asking all these great questions. 28:18.650 --> 28:21.240 This really comes to a fundamental question about values, 28:21.240 --> 28:25.450 about entrusting in your data with countries, 28:25.450 --> 28:27.450 and those that share values with you. 28:27.450 --> 28:31.580 And in important ways, we've seen the compromise 28:31.580 --> 28:34.000 of those values and the violation 28:34.000 --> 28:36.580 of fundamental human rights and civil liberties 28:36.580 --> 28:38.725 with regard to the freedom of expression, 28:38.725 --> 28:40.460 freedom of assembly, 28:40.460 --> 28:43.800 and the freedom to practice religion as one chooses. 28:43.800 --> 28:46.560 So we urge countries to think very carefully 28:46.560 --> 28:51.560 as they implement requirements related to 5G infrastructure, 28:51.980 --> 28:53.997 including related to the supply chain, 28:53.997 --> 28:56.800 and think very carefully about the values 28:56.800 --> 28:58.330 of the companies and the countries 28:58.330 --> 29:01.020 that they are being asked to do business with 29:01.020 --> 29:02.790 and receive offers from countries 29:02.790 --> 29:05.623 that have a track record that is checkered at best. 29:06.893 --> 29:09.410 - Unfortunately, that is all the time we have for today. 29:09.410 --> 29:11.160 Thank you again for your questions 29:11.160 --> 29:13.920 and thank you, DAS Strayer, for joining us today. 29:13.920 --> 29:16.310 To those who participated in today's conference, 29:16.310 --> 29:18.370 if you would like to clip audio or video 29:18.370 --> 29:19.700 from today's program, 29:19.700 --> 29:20.690 we will send you links 29:20.690 --> 29:23.620 to broadcast-quality files momentarily. 29:23.620 --> 29:25.210 We will also provide a transcript 29:25.210 --> 29:26.850 as soon as it is available. 29:26.850 --> 29:29.150 If you would like to receive any of these products, 29:29.150 --> 29:30.900 please remember to fill out the survey 29:30.900 --> 29:34.140 located on the polls tab of this event page. 29:34.140 --> 29:35.830 Thanks again for your participation 29:35.830 --> 29:39.053 and we hope you can join us for another briefing again soon.