Senior officials overseeing U.S. cyberintelligence expressed strong skepticism over Canada’s recent declaration that it possesses sufficient safeguards to address the risk of cyberespionage through devices made by Chinese telecom equipment maker Huawei.
Top officials from the cyberpolicy office of Defence Secretary Jim Mattis, the FBI and the U.S. State Department’s Office of the Co-ordinator of Cyber Issues convened in Washington last week to discuss cyberthreats, according to Pierre Paul-Hus, the Conservative Party’s national-security critic, and Christopher Parsons, a research associate at the Munk School’s Citizen Lab at the University of Toronto, who both attended the meetings.
Mr. Paul-Hus said he asked the U.S. officials whether they agreed with Scott Jones, the head of Ottawa’s Canadian Centre for Cyber Security, who in testimony to a Commons Committee on Sept. 20 dismissed the need to follow the United States’ and Australia’s lead in barring Huawei from playing any role in the telecom networks that will connect the next generation of smartphones.
Mr. Jones told House of Commons standing committee on public safety and national security that the federal government has a robust system of testing facilities for Huawei equipment and software to prevent security breaches − one he suggested is superior to those of some of Canada’s allies.
“I asked the question [about Huawei] and gave the example of Scott Jones and they started to laugh when Canada says we can manage this company. They just started to laugh and said ‘no we can’t,’” Mr. Paul-Hus said in an interview with The Globe and Mail.
Mr. Paul-Hus said the Americans were adamant that the Canadian and British approach to test Huawei equipment rather than ban it is inadequate to uncover potential back doors in the Chinese firm’s gear. Canada’s Communications Security Establishment, the spy agency responsible for protecting the country from cyberattacks and espionage, has set up what are called “white labs” that are paid for by Huawei. Technicians test equipment at the labs for back doors and capabilities that can be built in that could allow Chinese hackers to covertly intercept data or disable communications networks.
“What they [told me is] if the U.S. can’t manage Huawei, how can Canada? They have much more than we have on security technology and everything. So if they don’t trust Huawei, they don’t understand how Canada can,” Mr. Paul-Hus said.
Mr. Paul-Hus said the American officials he met asked that he not reveal their names because they were providing background briefings. The U.S. embassy in Ottawa said Mr. Paul-Hus was invited as part of a small group of Canadians to learn about U.S. national-security policy.
Mr. Parsons, the Munk School research associate, said U.S. intelligence officials expressed “some skepticism” that Mr. Jones had expressed such confidence in Canada’s ability to properly test Huawei equipment, especially since the Chinese firm is a major target of the Five Eyes intelligence alliance that includes the United States, Australia, Britain and New Zealand.
“It is reasonable to assume that the American government has unique insights into the capabilities of Huawei that only a few members of that company are aware of, so when they are raising these kinds of warnings, which they do relatively frequently, I think it is incumbent to take it pretty seriously,” Mr. Parsons said.
Just because Canadian white-lab tests may not find any back doors or problems with routers, the Americans told Mr. Parsons it “doesn’t mean there wasn’t anything, which means the ability to information assurance project is significantly challenged.
“The U.S. intelligence community has a very deep understanding of the nature of the technology as well as the capability of Huawei to insert things into the devices,” he said.
Michael Wessel, a commissioner on the congressional U.S.-China Economic and Security Review Commission, a watchdog organization, publicly questioned Mr. Jones recent claims that Huawei security testing has protected Canadians since the white labs were set up in 2013.
“Canadian officials arguing that they have sufficient testing procedures to protect against threats posed by Huawei or other Chinese-owned telecom companies is out of step with the realities of an ever-evolving cyber landscape,” Mr. Wessel said in statement to The Globe.
He noted that Canada experienced significant cyberintrusions when health-care providers were compromised this summer and in May, Bank of Montreal’s and Canadian Imperial Bank of Commerce’s Simplii Financial were targeted and customer data was stolen by hackers. There are no indications that China was behind the cyberattacks.
“As Canada builds out its 5G networks and new architectures that require unique security capabilities, it is difficult to imagine that current testing regimes will sufficiently respond to potential threats posed by Huawei, as detailed by U.S. authorities,” he said.
The chiefs of six U.S. intelligence agencies and three former heads of Canada’s spy services have said publicly they consider Huawei one of the world’s top cyberintelligence threats and that its 5G technology could be used to conduct remote spying, maliciously modify or steal information or even shut down systems.
Huawei, the world’s largest maker of telecommunications equipment and the No. 3 smartphone supplier, has been shut out of the giant U.S. market as well as Australia because of national-security concerns. Japan is also studying whether to impose regulations to reduce the security risks from using network equipment from Chinese manufacturers including Huawei.
Under Chinese law, companies must “support, co-operate with and collaborate in national intelligence work” as requested by Beijing, and security experts in the United States and Canada warn that equipment produced by firms such as Huawei could be compromised on behalf of China’s ruling party.
U.S. security expert Bryson Bort, fellow at George Mason University’s National Security Institute and chief executive of Scythe, an information security firm, scoffed at Mr. Jones’s assurances to MPs that using Huawei products to build 5G technology won’t pose an espionage danger to Canadian equipment because Ottawa ensures the Shenzhen firm’s equipment is sufficiently tested.
“Mind-boggling to say the least,” Mr. Bort said of Mr. Jones’s assertion in an interview with Axios, a digital U.S. media outlet. He noted that any back doors in 5G hardware would be hidden and hard to find. “You have to set up the right conditions to even see them,” he said.
Mr. Jones told the parliamentary committee that Ottawa is leery about excluding firms such as Huawei because it believes reducing the number of telecom equipment suppliers would mean Canada would be more vulnerable if one vendor’s equipment was infected.
Canadian providers BCE Inc., Telus Corp. and Rogers Communications Inc. all use Huawei equipment in their cellular networks. The Globe reported in May that Huawei has established a vast network of relationships with leading research-heavy universities in Canada to create a steady pipeline of intellectual property that the company is using to underpin its market position in 5G.