US Senators demand answers from Pentagon for alleged Huawei reprieve

The US Department of Defense has reportedly vetoed plans to further disrupt the Huawei supply chain, seemingly paying attention to the ‘rule of unintended consequence’.

Over the course of the last 18 months, the US Government has effectively been using the economist version of guerrilla warfare to dilute the influence of Huawei and China on the global technology industry. Success has been debatable, though the plan certainly worked on ZTE, and now three US Senators are questioning why the Pentagon has reportedly blocked plans to ramp efforts.

“We write regarding recent public reports that the Defense Department objected to a proposed change to Commerce Department regulations that would have made it more difficult for U.S. companies to sell to Huawei from their overseas facilities,” the Senators wrote.

“Given the national security risks surrounding Huawei’s technology and operations, concerns which resulted in the addition of Huawei and its affiliates to the Department of Commerce’s Entity List in May 2019, we respectfully ask for a member-level briefing on the Department’s rationale for its reported objection.”

Senators Ben Sasse of Nebraska, Tom Cotton of Arkansas and Marco Rubio of Florida, the authors of the letter, are all incredibly vocal leaders of the US aggression towards China. Sasse has been particularly active surrounding the on-going conflict in Hong Kong, while Cotton authored the Bill which would ban US intelligence sharing with Huawei friendlies, and Rubio has attempted to use legislation to extinguish the hope of any exemptions to the Entity List.

The latest twist in this saga concerns efforts from the US Commerce Department to further impact the Huawei supply chain. As it stands, US suppliers can work with other Huawei suppliers, as long as US components do not make up more than 25% of the product. The new rules would see this number reduced to 10%, potentially spelling disaster for the Huawei supply chain.

But it seems the Department of Defense are taking a much wider view of the move than the Department of Commerce. The Pentagon is worried about how this ban would impact sales for US businesses, potential job losses and the sums which can be redirected towards R&D to ensure the US technology industry remains cutting edge.

This is potentially the ‘law of unintended consequence’ in action. Although there is no official confirmation from the Pentagon that it did indeed block the Department of Commerce, the Senators are attempting to bring the saga into the public domain.

What has largely been ignored to date is the impact of the Huawei offensive on the fortunes of US businesses. In the immediate aftermath of Huawei entry onto the Entity List, the share price of several companies was hit hard. Micron Technologies was one such firm, and in a recent earnings call, quarterly revenue were reported down 43% year-on-year. Qualcomm, Xilinx, Skyworks Solutions, Qorvo and Neophotonics are only a few of the companies who have skin in the game.

The US strategy to combat Huawei is seemingly having more of an impact on US firms than it is the intended target. It might seem like an unpopular move to block increased aggression against the Chinese vendor, but it might will be the most logical decision.

There are a couple of points worth considering. Firstly, what impact is the strategy having on US companies. Secondly, what impact is the strategy having on Huawei. And, what are the potential secondary and tertiary consequences of the initial impacts.

Firstly, several US technology companies are suffering due to the ban. Secondly, Huawei is continuing to report year-on-year financial growth, therefore negative impacts are arguably limited. But the most interesting element of this story are the consequences because of the action to date.

In being unable to work with US suppliers, Huawei has been forced to look elsewhere, in most cases to Chinese suppliers, or create its own alternative. HiSilicon, the Huawei-owned semiconductor company, has likely been offered greater importance, while the firm is also creating an in-house alternative to the Android mobile operating system. Where Huawei can’t replicate products on its own, the Chinese ecosystem will benefit.

Not only are revenues being deprived from US suppliers, Huawei is removing reliance on an international supply chain while also driving more R&D funds to Chinese companies. China’s technology industry could be viewed as getting a boost, while the US influence is diluted. Arguably this is only because of US aggression towards Huawei.

This is all a very theoretical argument of course, and the chances of success or failure depend on the ability of Huawei to replicate the performance and efficiency of the US components of its supply chain. But it is a potential outcome which few have seemingly been paying attention to.

US contemplates its own version of GDPR

The U.S. National Telecommunications and Information Administration has started a 30-day public hearing process to gather comments on its policy options towards consumer privacy protection.

Shortly after Europe’s General Data Protection Regulation (GDPR) came into force in late May, “a global tidal wave of new and updated privacy regulations” have followed hot on the heels of GDPR as it was called at the recent Digital Futures conference (see the picture). Regulations and laws passed in jurisdictions from India to California with other markets in between have largely modelled after the European legislation.

In the latest move, on Tuesday September 25, the US federal government, through the National Telecommunications and Information Administration (NTIA), kick-started a month-long process to hear from the public on the approach towards privacy protection.

“The United States has a long history of protecting individual privacy, but our challenges are growing as technology becomes more complex, interconnected, and integrated into our daily lives,” said David Redl, NTIA Administrator and Assistant Secretary of Commerce for Communications and Information. “The Trump Administration is beginning this conversation to solicit ideas on a path for adapting privacy to today’s data-driven world.”

The feedback requested is two-fold. The first part is on the outcome of any future privacy legislation. This includes:

  • Organizations should be transparent about how they collect, use, share, and store users’ personal information.
  • Users should be able to exercise control over the personal information they provide to organizations.
  • The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
  • Organizations should employ security safeguards to protect the data that they collect, store, use, or share.
  • Users should be able to reasonably access and correct personal data they have provided.
  • Organizations should take steps to manage the risk of disclosure or harmful uses of personal data.
  • Organizations should be accountable for the use of personal data that has been collected, maintained or used by its systems.

All these are rather similar to what GDPR and the up-coming e-Privacy regulation are designed to achieve.

Meanwhile the NTIA is also requesting comments on the overall “High-Level Goals for Federal Action”, the key points including:

  • “Harmonize the regulatory landscape” between existing and future legislations;
  • “Legal clarity while maintaining the flexibility to innovate” to enable new business models and technologies while privacy is protected;
  • “Comprehensive application” to “all private sector organizations that collect, store, use, or share personal data in activities that are not covered by sectoral laws”;
  • “Incentivize privacy research” in technologies and services that improve privacy protections.
  • FTC should be the enforcement agency

However a few other points stand out that deserve a closer look. One probably deserves a full quote:

Employ a risk and outcome-based approach.  Instead of creating a compliance model that creates cumbersome red tape—without necessarily achieving measurable privacy protections—the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes.  Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs, when making decisions about how to adopt various privacy practices.  Outcome-based approaches also enable innovation in the methods used to achieve privacy goals.  Risk and outcome-based approaches have been successfully used in cybersecurity, and can be enforced in a way that balances the needs of organizations to be agile in developing new products, services, and business models with the need to provide privacy protections to their customers, while also ensuring clarity in legal compliance.

NTIA’s focus is clearly to avoid heavy-handed measures to regulate what can be done, but rather giving flexibility to businesses to make their own judgement what measures to take. This is also in the same spirit as the first part of the consultation which is “focuses on the desired outcomes of organizational practices, rather than dictating what those practices should be.”

Another point that draws our attention is related to “Scalability”, which stresses that small companies operating in good faith, and 3rd party processing data on behalf of other organisations should be treated differently from big companies that own and control personal data.

The two points above combined make a balanced message for the internet giants, which are not necessarily the biggest fans of privacy regulations. While they are afforded more flexibility, they are also going to be treated more strictly if they contravene. However as we wrote earlier, because of their size, the Googles and Facebooks of the world are much quicker in ticking the compliance boxes.

One more point that worth highlighting, probably for entertainment purposes than anything else, relates to “Interoperability” with other major global legislations. Here, for whatever reason it pointedly does not refer to GDPR but uses the example of “APEC Cross-Border Privacy Rules System.”

In general, the NTIA’s approach is balanced and measured, which is largely in line with our attitude towards privacy protection. On one hand we deplore the blatant abuse of privacy by companies like Facebook and Cambridge Analytics. On the other hand, we also sympathise with the small and medium-sized businesses operating in Europe, most of which had to scramble some policies at the eleventh hour, but may still fall foul of consumers. France’s private data protection agency CNIL (Commission nationale de l’informatique et des libertés) registered a 64% increase in consumer complaints after GDPR came to force over the same four months last year.

As Mary Meeker highlighted, draconian laws could limit the exploratory nature of tech innovators. That many countries model their privacy legislation after GDPR confirmed that Europe’s policymakers are “world-class in setting standards”, as a recent article in The Economist put it. But in the same article the newspaper also highlighted the gap between Europe and the AI leaders, China and US, neither of which is role model in guarding individual privacy, though for entirely different purposes.

In a recent Telecoms.com online poll, a third of the respondents agreed with the statement that there should be “flexible rules to allow users to trade privacy for benefits”. An optimal regulatory environment should give this minority group the freedom to do so while providing the other two third consumers with strict privacy protection.