Saudi Arabia a critical partner in fighting cyberthreats, White House cyber official says

Written by

A top White House cybersecurity adviser defended President Biden’s recent trip to Saudi Arabia, saying on Thursday that the Saudis are critical allies when it comes to thwarting America’s digital adversaries China and Iran.

Biden has been criticized for the trip and particularly for his decision to give Saudi Crown Prince Mohammed bin Salman a friendly fist bump despite bin Salman’s alleged connection to the murder of Washington Post journalist Jamal Khashoggi.

Anne Neuberger, the White House deputy national security adviser for cyber and emerging technology, didn’t mention Khashoggi during a talk at the Center for a New American Security in Washington. But she did lay out a realpolitik case for working with the Saudis to protect American cyber interests. For instance, she said, the Saudis will prove to be a vital partner in ensuring the Chinese telecom giant Huawei, which the U.S. has accused of being a tool for Beijing’s espionage operations, is blocked from further gains as a global telecommunications provider.

“We’re very concerned about the Chinese presence in telecommunication networks,” Neuberger told Daniel Silverberg of the Center for a New American Security. “It’s very hard to secure a network if you don’t have confidence in the core gear.”

Neuberger said Western telecommunications’ providers have historically had a hard time competing with Huawei in the Middle East because the Chinese government so heavily subsidizes the firm’s products, thereby reducing costs for often cash-strapped governments. The Saudis will help the U.S. convince Middle Eastern and African countries to choose Western telecom providers when they invest in next generation networks, she said.

Huawei’s financial advantage should lessen with the advent of Open Radio Access Networks (Open RAN) that rely on interoperable technologies and offer more flexibility, Neuberger said. U.S. and Saudi telecom agencies are working together to fuel private sector collaboration on the rollout of 5G networks and as part of that arrangement the Saudis will do a pilot Open RAN deployment, she said.

Neuberger said Biden administration officials see Open RAN as “so interesting” because it builds on both cloud and software approaches “where the US and other Western countries have a key lead, where the costs can compete.” She said this reality made the agreement the administration forged with the Saudis to partner on Open RAN research “such a priority.”

Neuberger praised the kingdom for putting “real initiative” into Open RAN.

“We are behind other countries in setting cybersecurity requirements for the critical elements of infrastructure, the most significant water, power, pipelines, hospitals in the country, as well as the technology that crosses all of them.”

anne neuberger, white house cyber official

The recent U.S. trip to Saudi Arabia also yielded a commitment from the kingdom to “strategically invest” in projects aligning with a global infrastructure plan that Biden and G7 leaders announced in June. The White House has not said how much the Saudis will contribute, instead describing the kingdom’s commitment to work together with the U.S. to “mobilize” hundreds of billions in investment.

Silverberg told Neuberger that since she offered him a “very concrete deliverable” from the trip to Saudi, he wanted to hear her cost benefit analysis since the president has been widely criticized for meeting with bin Salman.

Neuberger is looking for other countries to “show up” in the cyber fight, she said, an apparent reference to the president doing the same in Jeddah. She also highlighted the importance of partnerships with “counterpart countries” to “align on cybersecurity standards so that we’re speaking to our technology sectors with one voice about how they need to build security.”

Countries throughout the Middle East can be effective partners in fighting the threat of Iranian ransomware, Neuberger said. FBI Director Christopher Wray warned about Iranian ransomware in June, she said, referring to Wray’s public disclosure that Iranian state-backed hackers had planned a ransomware attack against a Boston children’s hospital.

“We’re working to build secure infrastructure around the world,” Neuberger said. “Clearly, the Saudis are a key player in the region.”

Neuberger traveled to South Korea this week and told Silverberg she spent much of her time there speaking with South Korean President Yoon about how to block the North Korean regime from using ransomware to fund its missile program.

“The continued advancements and number of launches in the North Korean missile program is a priority for us so given that cyber is such a core driver of revenue, it’s [ransomware] something we must address,” Neuberger said. “We’re doubling down and planning to do much more work to make it riskier, costlier and harder for North Korea to gain funds that way.”

An iron fist may also be needed at home, Neuberger suggested. Calling the Colonial Pipeline hack a “major milestone in US domestic cybersecurity,” Neuberger said the incident galvanized the administration to act “because it represented status quo. It represented where we were with regard to having a major oil and gas pipeline serving the entire East Coast with no requirements on what their cybersecurity needed to be.”

Neuberger said the administration has put a premium on reaching industry and that she will meet with CEOs from nine railroads next week to provide a classified briefing on the potential for Chinese or Russian disruption of rail networks. These briefings will emphasize the importance of prevention and cyber defense, she said.

Calling incident response and reporting are only half of the solution, Neuberger said the other half has to be “a consistent set of mandated cybersecurity practices.”

“We are behind other countries in setting cybersecurity requirements for the critical elements of infrastructure, the most significant water, power, pipelines, hospitals in the country, as well as the technology that crosses all of them,” she said, pointing to recently passed Australian legislation requiring critical infrastructure providers to meet enhanced cybersecurity standards.