Computer viruses, malware, and other cybersecurity threats are a global problem. But politics are intruding on the global response.
The cybersecurity organization Forum of Incident Response and Security Teams (First) confirmed Wednesday that it suspended Huawei’s membership due to US sanctions against the company. The decision was earlier reported by The Wall Street Journal.
First aims to coordinate responses by both governments and companies to information security threats. Its members include government agencies, as well as telecommunications carriers, financial services companies, hardware and software makers, security firms, and academic organizations.
Earlier this year the Trump administration added Huawei to a list of companies banned from acquiring US-made technology without permission. That led US chipmakers to say they would stop selling semiconductors to the Chinese company, and Google to withdraw the company’s licenses to use key apps such as Gmail and the Play Store app marketplace—at least for new products.
The US has long worried that Huawei could help the Chinese government spy by either building backdoors into its systems or handing over information about security bugs in its products before they’re fixed. But the US has never presented evidence of Huawei spying on behalf of the Chinese government. Huawei insists that it does not and would not spy for the Chinese government and would not be legally obligated to do so. But legal experts question Huawei’s claim that it wouldn’t have to help the Chinese government spy.
It might seem like common sense to stop sharing information about security vulnerabilities with a company that the US government worries might misuse the information. But excluding Huawei could have security downsides as well. “The reliability and security of today’s internet is rooted in security professionals around the world, and across industries and companies, cooperating across borders and even between competitors on a daily basis to mitigate the impact of security incidents,” First said in a statement. “When regulation directly affects this ability to cooperate, the stability and security of the Internet can be placed at risk.”
The problem is that Huawei’s phones and telecommunications equipment are used all over the world, not just in China. If Huawei misses out on security information about, say, the Android operating system on its smartphones, its customers’ devices could be exposed to attack. Once infected, those devices could then be used to attack devices and networks from other suppliers.
Huawei did not respond to a request for comment.
It’s not the first time that professional organizations have had to grapple with the implications of US sanctions against Huawei. Last May the technology professional organization IEEE, the Institute of Electrical and Electronics Engineers, briefly told its members to stop using Huawei employees as peer reviewers for academic papers. The IEEE lifted the restriction only a few days later.
First says it is continuing to work with both Huawei and the US Commerce Department’s Bureau of Industry and Security to address concerns about Huawei’s participation in the organization. It also called on the US government to create an exemption to its sanctions for cybersecurity, similar to the exemptions for medicines, intellectual property rights, and search and rescue. Such an exemption would “enable the truly global incident response capability, which we and other organizations represent.”