For regular
readers, you are well aware that this blog has evolved since it was created in
2005 - from the wistful or proud musings of a father too-often on the road, to the
hopeful hype of a mobile tech geek, to the more recent focus on cyber-hysteria,
and the related American-inspired travails experienced by my employer Huawei
Technologies.
With respect
to the latter area of focus, things have reached a fever pitch.
Three-plus
years ago, when I joined Huawei, the blackballing of the company by the U.S.
Government was relatively easy – black and white – China bad, everything else
okay. There was no need for rules,
regulations or transparency – indeed, the protectionist machinations in use at
the time were generally ham-handed, what one might have expected from a tin-pot
regime, not the leader of the free world.
But over the
last year, we have seen a shift towards more rational dialogue, towards more
potentially fair and open policy - until recently, at least.
The
conclusion of last years’ House Permanent Select Committee on Intelligence
(HPSCI) “investigation” (hardly) of Huawei was a report which is broadly viewed
as redefining the word vapid. The
Economist perhaps captured it best: The report appeared “to have been written for vegetarians…not
much meat in it.”
That was a
turning point. The politics were exposed
for what they were.
Indeed, When
HPSCI Chairman Rogers and Ranking Member Ruppersberger jabbed fingers at Huawei
executives demanding “If you want to do
business in our country then you tell your government to stop hacking our
networks,” it was rather clear that their agenda was geopolitical, not truly
driven by any legitimate concern about Huawei.
After all, when it came to Huawei, after a years’ “investigation,” they
revealed that they had turned up exactly squat.
Meanwhile, in
the world of facts and rational thought, debate had turned to real challenges:
Given that the information and communications technology (ICT) industry had
evolved into a state of transnationalism, so too had cyber threats become
borderless, and there was growing recognition that only real and global
solutions would be effective at addressing such challenges (see related
blog post from April 2012 or, for a deeper review, my blog
post from July 2011).
The tide was
indeed turning.
In February
2013, President Obama issued an Executive
Order focused on Improving Critical Infrastructure Cybersecurity. A key element of his Order was the establishment
of a Cybersecurity Framework which would be “technology neutral and that enables critical infrastructure sectors to
benefit from a competitive market for products and services that meet the
standards, methodologies, procedures, and processes developed to address cyber
risks.”
Good
stuff. Right direction.
Another
major inflection point was the late March passing of the Continuing Resolution that
would fund the U.S. Government through the end of the fiscal year in
September. Late in the process, with a
Government shut-down imminent, a brief paragraph (Section 516) was slipped into
the hundreds-of-pages long document which would ban some federal purchases of
networked equipment “produced, manufactured or assembled” by any group with a
strong connection to China (“owned, directed or subsidized”).
Eeeek.
Eleven major
U.S. industry associations – ranging from the Chamber of Commerce to the
Information Technology Industry Council – wrote an April 4 letter
to Congressional leadership expressing dire concern that a ban on federal
purchases from China could make the US government vulnerable by restricting
access to the latest security technology and could invite reciprocity in terms
of the Chinese government screening technology from the U.S. in the same
way.
Per the U.S.
industry associations’ letter: “Geographic-based
restrictions run the risk of creating a false sense of security when it comes
to advancing our national cybersecurity interests. At a time when greater
global cooperation and collaboration is essential to improve cybersecurity,
geographic-based restrictions in any form risk undermining the advancement of
global best practices and standards on cybersecurity.”
Remarkable
words of reason.
While the
President had already signed the bill into law (at least until the end of the
fiscal year when a new budget bill will be considered), a White
House spokesperson was quoted in The Hill the day after the industry letter
was written: “The undefined terms of this
provision will make implementation challenging,” adding “It could prove highly disruptive without
significantly enhancing the affected agencies’ cybersecurity.”
More good
stuff.
Shortly
thereafter, the Government Accountability Office (GAO) – the investigative arm
of the US Congress – issued an unrelated study titled “Communications Networks:
Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of
Cybersecurity Efforts” which found that “No
cyber-related incidents affecting core and access networks have been recently
reported to FCC and DHS through established mechanisms…of the over 35,000
outages reported to FCC during this time period , none were related to
traditional cyber threats (e.g., botnets, spyware, viruses, and worms).” See my overly-snarky
blog post on this particular development, a reflection of facts yet further
trumping fiction.
The Brookings
paper acknowledged the realities of today’s globalized ICT industry: “As trade grows more globalized, the supply
chain has become more complex and challenging. Contemporary commerce involves
hundreds of individuals, organizations, technologies, and processes across
continents,” and went on to propose rational, non-political solutions
towards addressing the related challenges, suggesting that “developing agreed-upon standards, using
independent evaluators, setting up systems for certification and accreditation,
and having trusted delivery systems will build confidence in the global supply
chain as well as the public and private sector networks that sustain them.”
Yes, indeed,
the tide was turning…
And then
along came Snowden.
We’ve all
read the same stories, but, for anyone interested in some perhaps novel flavor,
see my flurry of posts following his initial revelations, in which I have been
perhaps more concerned about the potential fragmentation of the Internet than
any impact on my employer: “Through
the Looking Glass” (June 6), “PRISM
and Internet Balkanization” (June 7), “PRISMs
and Mirrors and Cyber (Oh my)” (June 9), “Politics,
Intelligence and Lies – Get a Clue(train)” (June 11), “Internet
Balkanization Yet More Likely – PRISM+” (June 14), “A
Thickening Plot – A Devil’s Bargain?” (June 19).
Since Snowden,
having utterly lost the cyber high ground, various and sundry U.S. Government
authorities have scrambled – stumbling, fudging, lying – to rebuild trust, both
at home and abroad, as often as not, with attempts to divert attention
elsewhere.
A seemingly
key element of the strategy has been to ratchet up the China cyber-threat (which
is very real, mind you, as are the cyber threats from virtually every other
country on the planet), and, specifically, to differentiate U.S. espionage from
Chinese espionage on the grounds that the U.S. focuses on national security intelligence
while China steals commercial secrets.
It would
appear, however, that some in the U.S. had a slight heads-up on this particular
leak, and tried to get out in front of it with some distracting chaff.
One day
earlier, on July 8, HPSCI Chairman Rogers re-emerged from his Huawei-bashing hibernation,
appearing on BBC 4 Radio, and, for the first time ever, suggesting that he had “proof”
of Huawei ties to the PRC and instances of corporate espionage. Yet again, however, he provided not a whit of
substance (link
to detailed blog post).
Mulvenon,
notwithstanding a remarkably impressive pedigree, took the lateral
from Roger’s BBC script and graduated from a past record of innuendo to
out-and-out lying, stating, in reference to Huawei: “There's a well-documented record of them stealing core technology from
Cisco and from Nortel…I think that Huawei has directly benefited from being
able to take core R&D from other people.” What Mulvenon may “think” doesn’t make it
fact, and his reference to “well-documented records” is nothing but a flat-out
lie.
Thus, with
the media appropriately fluffed, it was time to trot out yet bigger guns. Next up to twirl a bright and shiny object to
distract attention from the increasingly damning revelations about U.S.
espionage activities, including in the commercial realm, was none other than
former NSA and CIA Director Mike Hayden, one of the midwives of PRISM.
In a July
19 interview with the Australian Financial Review which covered a
wide range of cyber issues, General Hayden took Mulvenon’s handoff and ran for what
he must have hoped would be a touchdown.
Asked whether
Huawei represents “an unambiguous
national security threat to the US and Australia, the General replied “Yes, I believe it does.” Asked if there was hard evidence of Huawei
having engaged in espionage on behalf of the Chinese state, Hayden evaded the tackle
with a linguistic summersault, stating “Yes,
I have no reason to question the belief that’s the case,” and then, of
course, added “as the former director of
the NSA, I cannot comment on specific instances of espionage or any operational
matters.” He then went on to cite
last years’ utterly empty HPSCI report as some sort of substantive proof point.
Talk about
circular bullshit…
(And, never
one to be left out, CSIS’s resident cyber flak – a Huawei-bashing cheerleader who never
fails to put out for the team – chimed in meaninglessly in a UPI
report: "Officials within
several agencies have privately told me that Huawei is a national security
threat." Why
does anyone listen to this guy?).
So, what
next?
From an
industry-wide perspective, in the wake of HPSCI having blown its insignificant load
last Fall, and until the Snowden hullabaloo, there had been quite positive
momentum towards the establishment of commercially rational and effective worldwide
standards and disciplines to better secure networks and information.
The U.S. Government,
caught with its cyber slip showing, is to some extent derailing the process
with mis-directing rhetoric.
Deal with it
guys. Enough with the bright and shiny
distractions. Enough with the Huawei
bashing. You got issues with China, then
manage them. But enough maligning of
innocent companies that are otherwise world-proven and trusted.
You got
something on Huawei – show it. You don’t
– and if you did, you’d have ponied up by now – then stow it.
