Today, Germany's Der Spiegel reported on the latest wave of NSA Revelations (the provenance of which are unclear, but presumably they are Snowden-sourced).
According to the Der Spiegel article (link to GigaOm coverage in English), the most recently unveiled information indicates that the U.S. National Security Agency (NSA) was not only successful at compromising sometimes-witting-but-almost-certainly-unwilling American telecom and Internet service providers, but also at compromising American and non-American telecom and Internet infrastructure hardware and solution providers, without their knowledge.
Through what appears a combination of software hacking and cracking (and, possibly - from my personal perspective - infiltration and tampering with American components, chip-sets, etc. that feed into multinational company supply chains), the NSA has seemingly extended its global surveillance and information dragnet well beyond what had been previously reported, or even imagined.
One of the companies whose gear was reportedly compromised is my employer Huawei. The irony of this situation could not be richer (Reminder: this is a personal blog reflecting my personal thoughts).
For the last few years, China-headquartered Huawei has been the victim of a U.S. Government-wide (and beyond) conspiratorial witch-hunt. Vicious and baseless allegations have been made without end, with Huawei accused of being somehow financed, directed, controlled or otherwise uniquely vulnerable to Chinese Government cyber penetration and manipulation. Wilder and weirder myth and misinformation has been spread, slandering the company and its employees in many and nasty ways.
Never, not once - not once - has there been a shred of substantive evidence presented to support any such allegations.
Now, while to the best of my knowledge Huawei has yet to validate or invalidate the vague suggestions made by Der Spiegel, let's for the moment imagine there is some truth to what's been unveiled.
In that context, let's consider last year's U.S. House of Representatives Permanent Select Committee on Intelligence (HPSCI) "investigation" of Huawei which concluded with the company branded - with zero substantive reason - as some sort of threat to U.S. national security due to being somehow uniquely vulnerable to potential compromise by the Chinese Government.
As much of a circus-like sham as the whole exercise was, it is all the more shameful in light of today's revelations.
Indeed, HPSCI Chairman Rogers - the man charged with overseeing U.S. intelligence activities to prevent abuse, who has instead spent the last six months trying to sugar-coat such abuse - has forever redefined the height of hypocrisy by accusing Huawei of being uniquely vulnerable to compromise by one Government when, as the Chairman of HPSCI, he was almost certainly aware, the U.S. Government had already achieved this feat (at least per Der Spiegel).
You know, in the immediate wake of the initial Snowden Revelations, some joked that the reason the U.S. Government was so hell-bent on keeping Huawei out of the market was because they were uncertain they could penetrate and compromise our solutions as easily as they might the gear of our American or other Western peers.
If Der Spiegel has it right, such lighthearted wit was dead wrong.
Indeed, if Der Spiegel has it right, the whole Huawei embargo and witch-hunt was nothing more than good-old-fashioned protectionism and China-baiting - the NSA has proven that it doesn't matter where a company is headquartered in terms of its vulnerability to potential malicious penetration and compromise.
These most recent NSA revelations expose past U.S. Government representations about Huawei (and similar opinions from sycophants like my favorite CSIS cyber-gasbag, as well as military-industrial-complex fan-boy groups like the U.S.-China Economic and Security Review Commission) as utterly baseless and, equally, as maliciously and knowingly duplicitous.
Moreover, if Der Spiegel has it right, they have confirmed rather solidly that cyber vulnerabilities are universal, agnostic to geographies, location of headquarters, flags or borders, and demanding of universal industry-wide solutions to address such challenges.
Huawei-related fuming aside, back home, it's time for some serious accountability...
From the Administration. From the Congress.
U.S. intelligence agencies are now recognized - unequivocally - as the most advanced persistent threat to the integrity of global networks and data.
American standing on the world stage is lessened.
Our ability to project the values we have nourished and cherished for two-plus centuries is diminished.
We are increasingly distrusted abroad. Such distrust extends to our businesses, and will quite likely yet further adversely impact our economy.
Where will the buck stop?
December 29, 2013
December 18, 2013
Enough already with the vacuous HPSCI report on Huawei
Just over a year ago, in October 2012, the U.S. House of Representatives Permanent Select Committee on Intelligence (HPSCI) issued an empty, vacant, slanderous report suggesting that $35 billion multinational Huawei Technologies somehow presents a threat to U.S. national security.
The report - the result of a bad-faith 11-month "investigation" by the Committee - is laughable in terms of its utter lack of substance, and generally dismissed as garbage, and not just by people who actually understand the information and communications technology industry, but within the Beltway as well.
But the damned thing keeps getting referenced in media reports as if it had merit. Check out the embedded 10 minute video which exposes the Committee's willful misrepresentations, point by point, and further details the costs of their tomfoolery.
December 06, 2013
Shame on you Associated Press, and you too Rep. Wolf
Just shy of 30 years ago, while a student at Georgetown, a roommate of mine had a professor whose kid played in a local recreational soccer league. His team was in need of coaches.
My friend and I, having both played soccer in high school, volunteered. Good fun.
About a decade later, in the mid-90’s, when I was a mid-level Foreign Service Officer at the State Department in Washington, I re-encountered the professor, who was consulting in State’s Strategy and Planning Office.
Fast forward to 2010, when I was surprised to learn, after joining Huawei, that the professor – still at Georgetown – was a member of Huawei’s newly-minted International Advisory Committee, comprised of illustrious business, academic and other counselors.
It is, indeed, a very small world.
Today, the Associated Press, in seeming cahoots with Virginia Congressman Frank Wolf, did a hatchet job on Professor Moran.
In September of this year, after Congressman Wolf (R-VA) “discovered” that the professor was serving simultaneously on both Huawei’s International Advisory Committee and the U.S. Government National Intelligence Council (a group of private sector analysts and policy experts who advise the Office of the Director of National Intelligence on various matters, including foreign investment in the United States), he put pressure on the Director of National Intelligence and the professor was seemingly compelled to resign.
“Discovered?” Hardly a feat, given that both advisory positions were prominently listed on the professor’s publicly-available CV, and referenced in his various publications.
Nevertheless, Wolf is one known to give an Administration headaches, so the Administration, fully aware of the professor’s historical situation, bent over and forced the resignation.
Now, Wolf himself has some justified concerns with China, but he also has an unfortunate and slightly-mad penchant for using Huawei, an independent $35 billion globally-trusted and proven China-headquartered multinational, as his proxy for China-bashing. (Indeed, I would encourage you to pause in your reading of this post and peruse my April 2012 post featuring one of Rep. Wolf’s more lunatic tilts at the Huawei windmill before continuing).
Which brings us back to today’s Associated Press piece titled “Chinese Firm Paid US Gov't Intelligence Adviser” – a lurid and grossly-misleading headline.
Go on. Read it. You’ll see.
Headline and remarkably-intentional journalistic bias aside, the story is not news. Huawei, like many companies, particularly multinational companies, has an international advisory committee. And advisors are compensated. Whoopee.
Go figure.
But, uh oh, shudder, the professor also serves on a U.S. Government advisory committee. So, shamelessly carrying Wolf’s dirty water, the AP blithely weaves conspiracy from whole cloth, intentionally misleading readers.
Perhaps the most obvious example of shameless reporting: “In a policy paper distributed by Huawei, Moran wrote in May that, ‘targeting one or two companies on the basis of their national origins does nothing for U.S. security in a world of global supply chains.’ Moran criticized what he described as ‘a policy of discrimination and distortion that discourages valuable inward investment from overseas, while providing a precedent for highly damaging copycat practices in other countries.’”
Let’s parse this out.
First off, the policy paper being referenced by the AP is intentionally misrepresented by the AP as somehow being a Huawei or Huawei-commissioned product. It is not. In fact, it is a paper published by the Peterson Institute for International Economics, a world-respected economics and trade think tank where Professor Moran serves as a Fellow.
Intentionally misrepresented? Yes. When the AP was asked to appropriately label the report, they declined, at the editorial level.
Now, let’s consider Professor Moran’s quotes from the policy paper:
“Targeting one or two companies on the basis of their national origins does nothing for U.S. security in a world of global supply chains.”
Spot. On. See below.
“A policy of discrimination and distortion that discourages valuable inward investment from overseas, while providing a precedent for highly damaging copycat practices in other countries.”
Yes. Exactly.
Why on earth would the AP suggest such statements were somehow suspect? It boggles the mind. All the more so in the wake of the Snowden revelations that, by all indications, seem to be leading to a situation in which U.S.-based companies will suffer similar discrimination in foreign markets.
Shame on you AP for pandering to shallow, baseless, discriminatory politicians and policy.
Shame on you Rep. Wolf for driving this bullshit. And shame on those in the U.S. Administration that continue to demonize Huawei by virtue of its heritage in China.
Again (borrowing from my post two days ago):
The Information Communications Technology (ICT) industry is transnational, essentially borderless. Whether you are Huawei, Cisco, Alcatel-Lucent or Ericsson you are operating world-wide, equally vulnerable to penetration or compromise, whether by the now-world-renowned experts at the NSA, or whoever their counterparts may be in China, Russia or Israel. Knocking Huawei out of the market – any market – does precisely squat to secure networks and data. And the U.S. Government knows all of this.
But (you might ask), hold on, wait a second, if the NSA compromised U.S. companies, then certainly the Chinese Government can compromise Huawei?
That analogy holds no water.
Let’s review:
The penetrations and compromises thus far unveiled by Edward Snowden were primarily achieved by U.S. intelligence agencies either compromising unwitting innocent companies or forcing unwilling (also innocent) companies into unfortunate complicity.
In terms of the latter, from what we have learned to date, the bulk of the data siphoned off by the NSA, et al was primarily extracted from service operators or data managers under “legal” pretense. Knowledge of such witting but unwilling compromise of these companies was almost certainly limited to a small few within the companies, perhaps just C-level and legal.
Huawei is a different kind of company.
Think of the companies referenced above as water companies.
Think of Huawei as a company that builds the pipes for the plumbing systems used by the water companies.
The U.S. intelligence agencies went to the legal departments at the water companies and forced a spigot into their reservoirs, virtually draining them. Again, it is quite likely that very few people within the water companies were even aware of the quiet conspiracy.
Contrast that with a company like Huawei.
A quiet conspiratorial visit to the legal department or C-level arm-twisting won't do the job.
In order to compromise Huawei’s gear, you would have to infect each and every pipe (router, switch, etc.) which, given the volume of product we produce and the thousands of researchers, coders and builders involved – all around the world - would require an absurdly unbelievable and unsustainable conspiracy of countless employees spanning far-flung countries where research, coding and assembly take place.
But (you might ask), what about after-market “software upgrades” or “patches” or some other digital or magical manipulation of the gear after it’s been sold and deployed?
These are legitimate concerns.
But Huawei is not some *insert government name here*-directed operation in some non-descript building in Shanghai or Silicon Valley. Huawei is a $35 billion company operating in 150 markets doing 70% of its business outside China, with state-of-the-art Research and Development and software facilities scattered across the globe.
Huawei “software updates” don’t just get “pumped out” willy-nilly. They are deployed in close coordination with network operator customers and according to the security procedures defined by those customers.
Moreover, within Huawei, every line of code – wherever developed - is tracked and traced by “many eyes and many hands” (human and virtual) which, again, would mean that for Huawei to wittingly “pump out” “back doors” or “exploits” would again require a conspiracy of thousands of our employees, not to mention the additional complicity of employees of our network operator customers.
Absurd.
Could a rogue employee or group of employees plot cyber-shenanigans within the company? Yes.
This could happen at any ICT company - we are all vulnerable. Yet, like any other world-leading ICT company with a reputation and business to protect, Huawei has employed robust disciplines to detect and quash such anomalies.
But a grand conspiracy?
Hogwash.
And the U.S. Government knows this. And so should Rep. Wolf.
And, as for the AP, we might grace them with not having the experience or bandwidth to understand the issues, but they should certainly have more journalistic integrity than to prostitute themselves to politicians…
December 04, 2013
Huawei, Korea, Pots and Kettles
Yesterday, the U.S. Administration and Senate leadership tag-teamed a stab at undermining the legitimate commercial activities of a China-based multinational in South Korea in order – seemingly (maybe?) – to give the Biden delegation visiting China some sort of additional leverage in bilateral talks, perhaps related to the increasingly-contentious “Air Defense Identification Zone” around the Diaoyu/Senkaku Islands.
That’s how I see it.
That, at least, would be a marginally rational explanation.
The purported explanation defies logic.
Yesterday, the Wall Street Journal and The Daily Beast broke the story of a letter from the Chairs of the Senate Foreign Relations and Select Intelligence Committees calling on the Secretaries of State and Defense, as well as the Director of National Intelligence, to look into “the potential threats and security concerns” presented by Huawei’s involvement in a commercial wireless network deal...in South Korea.
The Journal reported further that “the Obama administration is privately raising concerns with officials in South Korea about their plans to let a Chinese telecommunications giant develop the country's advanced wireless network, expanding a quiet campaign to warn key allies against integrating the Chinese technology into their systems.”
Okay. C'mon already. There should be zero possibility that anyone in the U.S. Government is legitimately concerned about unique network security or data integrity vulnerabilities associated with Huawei gear. The facts are all too clear to the contrary. Consider:
The Information Communications Technology (ICT) industry is transnational, essentially borderless. Whether you are Huawei, Cisco, Alcatel-Lucent or Ericsson you are operating world-wide, equally vulnerable to penetration or compromise, whether by the now-world-renowned experts at the NSA, or whoever their counterparts may be in China, Russia or Israel. Knocking Huawei out of the market – any market – does precisely squat to secure networks and data. And the U.S. Government knows all of this.
But (you might ask), hold on, wait a second, if the NSA compromised U.S. companies, then certainly the Chinese Government can compromise Huawei?
That analogy holds no water. Let’s review:
The penetrations and compromises thus far unveiled by Edward Snowden were primarily achieved by U.S. intelligence agencies either compromising unwitting innocent companies or forcing unwilling (also innocent) companies into unfortunate complicity.
In terms of the latter, from what we have learned to date, the bulk of the data siphoned off by the NSA, et al was primarily extracted from service operators or data managers under “legal” pretense. Knowledge of such witting but unwilling compromise of these companies was almost certainly limited to a small few within the companies, perhaps just C-level and legal.
Huawei is a different kind of company.
Think of the companies referenced above as water companies.
Think of Huawei as a company that builds the pipes for the plumbing systems used by the water companies.
The U.S. intelligence agencies went to the legal departments at the water companies and forced a spigot into their reservoirs, virtually draining them. Again, it is quite likely that very few people within the water companies were even aware of the quiet conspiracy.
Contrast that with a company like Huawei.
A quiet conspiratorial visit to the legal department or C-level arm-twisting won't do the job.
In order to compromise Huawei’s gear, you would have to infect each and every pipe (router, switch, etc.) which, given the volume of product we produce and the thousands of researchers, coders and builders involved – all around the world - would require an absurdly unbelievable and unsustainable conspiracy of countless employees spanning far-flung countries where research, coding and assembly take place.
But (you might ask), what about after-market “software upgrades” or “patches” or some other digital or magical manipulation of the gear after it’s been sold and deployed?
These are legitimate concerns, though sadly, unfortunately, somewhat de-legitimized by the canned quotes from the Center for Strategic and International Studies’ persistently-resident cyber-gasbag that were featured in the Daily Beast article.
Per The Daily Beast, the aforementioned “expert” said that “Huawei’s routers and switches may be clean at first. But the potential for back doors, or exploits within the software and hardware of the equipment, could be slipped into the gear through routine maintenance such as software updates.” “They can pump out a software update and you have no idea what is in the software.”
Such hyperbolic paranoia (or perhaps just utter ignorance of the business realities in the ICT industry) borders on mind-numbing.
Huawei is not some <insert government name here>-directed operation in some non-descript building in Shanghai or Silicon Valley. Huawei is a $35 billion company operating in 150 markets doing 70% of its business outside China, with state-of-the-art R&D and software facilities scattered across the globe.
Huawei “software updates” don’t just get “pumped out” willy-nilly.
They are deployed in close coordination with network operator customers and according to the security procedures defined by those customers.
Moreover, within Huawei, every line of code – wherever developed - is tracked and traced by “many eyes and many hands” (human and virtual) which, again, would mean that for Huawei to wittingly “pump out” “back doors” or “exploits” would again require a conspiracy of thousands of our employees, not to mention the additional complicity of employees of our network operator customers.
Absurd.
Could a rogue employee or group of employees plot cyber-shenanigans within the company? Yes. This could happen at any ICT company - we are all vulnerable. Yet, like any other world-leading ICT company with a reputation and business to protect, Huawei has employed robust disciplines to detect and quash such anomalies.
But a grand conspiracy?
Hogwash.
And the U.S. Government knows this.
Which brings us back to the quest for a rational explanation for the odd concert of Administration officials and Senate Chairs attempting to interfere in the Korean commercial wireless marketplace. I posited one such explanation at the outset of this post. A placeholder of sorts.
Far-fetched?
Maybe.
But one thing we do know, it has nothing to do with network security or data integrity. Indeed, that fig leaf is growing frightfully thin...
November 04, 2013
When matters-of-State trump matters-of-commerce...Everyone loses
Heralding a new chapter of matters-of-state upending matters-of-commerce, a November 2, 2013 Australian Financial Review (AFR) article sports a telling title: “Global Digital Wars Take Australia Hostage” (link). In what seems, on balance, a well-researched article (with a couple of glaring exceptions), the AFR piece details how, among other things, American government pressure on Australian authorities may have contributed to an initial ban on Huawei’s participation in Australia’s National Broadband Network (NBN) three years ago, as well as that ban’s very recent renewal under the newly-elected regime Down Under.
The authors ably detail the ongoing saga of Australia’s Government-sponsored NBN project, first announced in 2008. They report that “while the Australian public first learned that Huawei had been sensationally barred from any involvement in the NBN in March 2012, the intelligence community appears to have made its mind up by 2008 at a time when Chinese espionage concerns were climaxing.” They add: “Around this time a highly classified team of three representatives from the Attorney-General’s Department, ASD and ASIO were sent on a global fact finding mission, which included a lunch in the CIA director’s personal ante room, to consult with Australia’s international intelligence partners on Chinese telco risks. Huawei was the key target. While the triumvirate could find no smoking gun, the report, which is believed to have been submitted to cabinet’s national security committee, was said to be very clear in its conclusion. In the words of one participant, “the risk of allowing Huawei to help build the NBN was just too serious to contemplate.”
According to the article, shortly thereafter, in April 2009, the initial NBN tender was cancelled, only to be re-opened not long later, with the possibility of Huawei participation. Another government review was conducted and, again, Australian intelligence services balked against Huawei involvement in the NBN. The article continues, reporting that while Huawei was “blindsided” when it was announced in June 2010 that Alcatel-Lucent had been selected as the initial NBN equipment supplier, the company continued to believe, based on indications from senior Australian Administration officials in 2011, that they would be chosen as “one of the NBN Co’s two primary vendors in a multi-company model that maximised competitive pricing tension and product innovation.” Once again, my countrymen stepped in: Per the article, “In November 2011 President Barack Obama paid his first official visit to Australia. One conspiratorial month later the Attorney-General’s Department asked Huawei’s brass to come to Canberra…” where “officials informed them they were being barred outright from involvement in the NBN, a message that was formalised in a letter months later.”
Finally, in terms of detailing the NBN tale to date, the AFR article neatly captures last week’s unfortunately updated news, reporting “In a single week the world’s largest telecommunications equipment provider, Huawei, has swung from the prospect of being triumphantly welcomed back into Australia’s national broadband network to having Prime Minister Tony Abbott humiliatingly reaffirm Labor’s ban on China’s national champion.” Again, Huawei had anticipated a policy course-correction in the context of a shift in Australian Government leadership. And, yes, again, the U.S. had been ratcheting up the screws on Australian authorities: “In an exclusive report in the AFR in July 2013, the only man to have ever led both the CIA and NSA, General Michael Hayden, alleged Huawei had ‘shared with the Chinese state intimate and extensive knowledge of the foreign telecommunications systems it is involved with’ and intelligence agencies have evidence to prove it.”
Hayden’s empty rhetoric aside, in addition to relaying the history of the NBN saga, the AFR article points out that the concerns about Huawei were, as much as anything else, defined by intelligence types “looking in a mirror”: “It is no small irony that the scores of intelligence operatives interviewed by the Financial Review over the past nine months repeatedly noted that early assessments of the Huawei risks were based on what agencies knew of the capabilities employed by western intelligence. ‘Put it this way,’ one spook says, ‘If Huawei was run by Americans or Australians, we’d be doing what we say they are doing.’” Later in the piece: “We are base-lining their capabilities and operations off what we know we can do – not on what they are actually doing…” And again: “Yet as another Australian intelligence executive notes, ‘The only reason we can make assessments like that is because we know we are up to with our own firms’.”
As for the glaring exceptions I referenced in the opening paragraph to this post, for whatever reason the authors seem to discard careful research in favor of shallow reporting in the article’s “The Evidence” paragraph, which begins with a reiteration of a very tired and obviously incorrect version of Huawei’s Founder and CEO bio. Per the AFR piece: “Ren Zhengfei, was a deputy director in the People’s Liberation Army’s Information Engineering Academy, which is associated with China’s electronic intelligence efforts.” Flash back to my March 23, 2013 blog post titled “Obscure 2000 Report – Source of much Huawei Mis-information – Corrected, Finally…” (link) in which I detailed how the U.S. Center for Strategic and International Studies (CSIS) – no friend to Huawei – put the false version of the bio to rest by exposing it as a misinformed media report from the year 2000 that had been subsequently mis-referenced by government and media for the better part of a decade. Notably, the opening sentence of “The Evidence” paragraph similarly features an equally incorrect version of Huawei’s Chairwoman’s bio.
The paragraph continues with additional mis-statements, again reflecting a rather bizarre deviation from studious reporting on the part of the authors. For instance, there is this statement: “Australian security authorities cite British intelligence highlighting that Huawei has been able to undercut foreign competitors, and obtain spectacular market share growth, by enticing customers with up to $30 billion of ultra-cheap loans, or ‘vendor finance’, funded by Chinese state-controlled banks.” This bit of misinformation has been soundly debunked for almost two years. Indeed, in a June 13, 2011 blog post titled “Calling Foul on Exim’s Huawei FUD” (link) I carefully exposed the fallacy behind the “$30 billion in financing” claims. Huawei has further clarified (and updated) these facts on numerous occasions for numerous audiences – it is a bit befuddling that the AFR authors didn’t do the homework here that they obviously did in preparing the balance of their article.
“The Evidence” paragraph concludes with reference to “A senior official working inside ASD” who in 2009 claims “that by leveraging off an NSA executive embedded in ASD they were able to obtain a top secret ‘noforn’ (no foreign eyes) technical NSA report that identified irrefutably malicious “program code” that had been deliberately inserted into the “firmware” in Huawei devices. This backdoor could be installed or replaced with a benign substitute by Huawei executives remotely managing the network in question.” This is certainly intriguing (particularly in the context of the Australians leveraging "embedded" NSA executives to disclose U.S. "noforn" information to foreigners, allies or not), but hardly a verifiable source for reporting purposes, which, again, is puzzling given the more studious, fact-based approach taken in the balance of the article.
Indeed, further to that latter point, and in the context of "truthfulness" and the "reliability" of sources, we should perhaps remember that the NSA is the organization whose leader promotes "collecting the haystack to find the needle" (link) and yet, paradoxically, per multiple U.S. Government spokespeople, the NSA is in fact not hoovering up and analyzing our calls and mails, notwithstanding rather dramatic evidence to the contrary.
In any event, the article lays bare the fact that what is really happening Down Under is, in the authors’ words, “just a localised skirmish in a far wider and more complex conflict between the world’s two most powerful nations, China and the United States.” It’s certainly not about network security and data integrity. All parties are more than aware of the fact that every telecom gear vendor is subject to common, industry-wide vulnerabilities and threats. Blocking one vendor by virtue of its country of headquarters does nothing to secure networks and data, given that all vendors rely on common and global supply chains, which utterly exposes the hypocrisy of such blockades (and, incidentally, in terms of hypocrisy, why isn’t anyone pointing out that a primary winner of the Australia NBN deal - France-based Alcatel-Lucent - is the 50% owner of China-based Shanghai Bell, from which much of the NBN gear will almost certainly ship, and the balance of Shanghai Bell is owned by the Chinese Government?).
Why do we all lose?
Network security and data integrity are very real concerns, but politico-protectionist blockade-like remedies not only don't address these concerns, they introduce new ones: Stymied investment and innovation, fewer jobs, less competition, more expensive broadband and nasty market-access barriers that, if and when replicated, will very likely fragment the global information and communications technology industry and Balkanize the Internet. From there, the cycle renews and feeds upon itself, leading, almost certainly and ultimately, to strife and conflict. Is this in anyone's best interest?
October 31, 2013
The State of the Surveillance State
Yesterday, we learned from Edward Snowden that the NSA has penetrated the main communications links that connect Yahoo and Google data centers around the world, complementing their court-supported compromise of American technology companies at home with good-old-fashioned clandestine compromise of those same companies abroad.
Think about it.
That’s hundreds of millions of records from hundreds of millions of users – many of them Americans, whether at home or abroad – hoovered up on a dynamic basis, stored and analyzed in massive secretive government data centers. With zero effective oversight.
That’s a virtual wet dream for ex-Soviet era KGB and East German Stasi types who once relied on tracking and monitoring citizens based on reams of paper and warehouses of filing cabinets, as opposed to, for instance, the NSA’s Utah data center with the capacity to store 5 Zettabytes (5 billion Terabytes) of information.
Indeed, courtesy of www.opendatacenter.de: “Assuming that a filing cabinet with 60 files (30,000 pages of paper) uses up 0,4 m², which would correspond to 120 MB of data, the printed out Utah data center would use up 17 million square kilometers.” (Note: The Continental U.S. is about 10 million square kilometers).
But I digress.
Ours is a country built on the rule of law and respect for –
fealty to – the rights of citizens. Both
of these fundamental precepts are increasingly at risk in terms of what has
become an out-of-control technology-run-amok surveillance state spawned by our post-Soviet
era government-inspired culture of fear.
Yes, we should expect our government to engage in
appropriate intelligence gathering activities for national security
purposes. And yes, we do have laws and
oversight processes in place to govern the activities of our intelligence
agencies to preclude abuse, at home or abroad.
But, advances in technology and storage and processing have ridiculously
eclipsed legal or oversight regimes, resulting in rampant abuse and invasion of
privacy, at home and abroad.
Do I trust my government to do what is “right?” Perhaps. Today.
But who knows what the world will look like in ten years. Look, I’m sorry, but given everything that has
been unveiled since June, and the consistent exposure by each succeeding
revelation of the latest round of government “clarifications” being, often as
not, patently untrue, I simply cannot accept nor trust government protestations
that “there is no abuse” and “there are laws to protect you,” etc.
I would prefer to benefit from a “trust-but-verify” process
(due props to President Reagan). Such,
however, thus far, seems an impossibility, in terms of the complexity of the
technologies involved, the vast, endless amounts of data being mined, analyzed
and stored, and the iron curtain of government secrecy cast over what the NSA
and other agencies may or may not be doing with that data. King George’s “writs of assistance” that our
Founding Fathers so valiantly objected to two-and-a-half centuries ago are back,
and on steroids.
In the name of national security we have effectively undermined
national security: Our adversaries are clever enough to evade the dragnet, our
allies are now alienated, our leading technology companies – key contributors
to our economic national security – are at risk of becoming pariahs, the infinite
data teats that our intelligence agencies have so greedily suckled may well go
dry, or, at the very least, sour. The
precedent we have set is a model for totalitarian and repressive regimes
worldwide to mimic, the deepest irony being that we have consistently accused
such regimes of such abuse in the past knowing full well that our own
transgressions were significantly more grievous.
Enough with the vain government protestations of innocence and good intent. It’s time for a reset. It’s time to rebuild trust. It’s time to restore American honor, pride,
privacy, and leadership. It’s time to
acknowledge that technology has outpaced and out-scaled outdated and, to some
extent, outlandish policy, law and regulation, and to adjust ourselves
accordingly.
October 13, 2013
The End of (knowing) ICT Company Complicity with Gov’t Spying?
The Snowden revelations may very likely mark the beginning of the end of "knowing" corporate complicity with government espionage.
That’s a powerful statement. But I think it is an inevitability.
It's funny...I work for Huawei, a $35 billion China-based multinational technology company that has suffered remarkable discrimination and market access barriers in the U.S. due to concerns that Huawei product might somehow be compromised and used for espionage by the Chinese Government.
The concern has always been prospective, given that there has never been any proof of such past or current activity.
Indeed, until the Snowden revelations, U.S. Government concerns about Huawei were a bit confounding. I mean, Huawei’s a multi-billion dollar company doing business across the globe, including in every free-market democratic nation allied with the U.S. Had everyone else been hornswoggled?
Post-Snowden, it's been all too clear what prompted the concerns.
American companies had been compromised by their government to support espionage, at home and abroad, and, so, the natural assumption was that other governments were similarly penetrating companies headquartered in their countries.
There very well might be some truth to this, particularly in terms of state-owned companies.
However, contrary to popular (American) belief, not all companies in China are State-owned or controlled. Indeed, there is an increasing number of China-headquartered companies like Huawei which are private. A company like Huawei that is doing 70% of its $35 billion in business outside of China would have to be insane to risk that business by knowingly allowing its product to be subverted by any government.
One would think that the same would have been the thought process of U.S.-based technology giants. We have learned, in the wake of Snowden, that saying "no" was seemingly not an option.
Okay, as Americans, facilitating our government’s legitimate need to gather intelligence must be in our best and patriotic interest, no?
Perhaps. But at what cost? Our technology leaders, which, wittingly - albeit by most accounts unwillingly - compromised their gear and networks per Government dictate are now suffering in global markets due to their compromise having been exposed.
Ironically, Huawei – notwithstanding unsubstantiated accusations otherwise – has never been asked, directed or otherwise been compromised or wittingly penetrated by any government.
Whatever the case, there is a growing and global crisis of confidence in the information and communications technology (ICT) industry and the security and integrity of networks and data.
China is investigating compromised American companies and the U.S. maintains its political-protectionist blockade of China-based network equipment companies. Brazil talks of a domestic Internet while India considers banning U.S.-based email service providers and Deutsche Telekom markets “Email made in Germany” as an alternative to penetrated U.S. providers.
Balkanization, fragmentation, regionalization…call it what you want, but it’s not in anyone’s long-term interest. The ICT industry has blossomed over the last two decades in large part because of globalized scale and transnational innovative ecosystems and supply chains, digital and physical. Confidence and trust must be restored before 20 years of progress is undone.
And, lacking a significant course-correction, the impact will be most harsh on U.S.-based companies. The damage thus far is not unduly severe, but the impact of potential boycotts of perceived-to-be-compromised American companies will almost certainly have an increasing and adverse economic impact in the U.S.
Sacrificing an industry that the U.S. helped drive to global success is an absurd cost for whatever espionage benefit may have been derived.
Moreover, "knowing" corporate complicity in government espionage is not sustainable because, as we have all now learned, once the corporations have been outed as compromised, they cease to be a reliable source of information if they are shunned by consumers of their goods or services.
Somehow or other, it worked until Snowden. It won’t work anymore.
Governments will not stop spying on each other, nor on the peoples and businesses of the world, including within their own borders. This is a given. But, industry – and everyday citizens - need to stand up and reject legal or regulatory regimes that compel the private sector to facilitate wholesale government data collection, monitoring, analysis, storage and misuse or outright abuse.
This will not happen overnight.
While that dialogue takes place, there should be three simultaneous conversations in three separate but interrelated realms.
Service providers and data managers must take a leadership role in driving the legal and regulatory course-correction referenced above, and in that and a future more protected information environment context, they should be required to divulge to consumers (enterprise or individual) the type of information they might share with Governments and in which appropriate and legal contexts.
In terms of the nuts and bolts and software of network infrastructure, vendors should come together to define independent third-party (including Government) certifiable standards and best practices to better secure products and solutions – hardware, firmware and software - spanning supply chains, and from ideation to end-of-life.
Finally, Governments need to agree among themselves on a framework for acceptable behavior in the ether. Espionage is a given. But commercial espionage and, of greater concern, disruptive or destructive cyber-activities should be defined, discouraged and punished under mutually-agreed terms and conditions.
Again, none of this will happen overnight.
But, just starting the dialogue - rather than having consumers wallowing in fear and governments and industry vainly denying the obvious – should at least, to some extent, mellow the ongoing crisis of confidence, and, equally important, derail the fragmentation of the global Internet and ICT industry.
September 03, 2013
HPSCI: Promising Past, Unfortunate Present
On July 14, 1977 the House of Representatives passed a resolution creating the House Permanent Select Committee on Intelligence (HPSCI). A counterpart committee in the Senate—the Senate Select Committee on Intelligence (SSCI)—had been in existence for more than a year.
The creation of these oversight committees came out of the recommendations of two congressional investigatory panels established in 1975 – the Church Committee in the Senate and the Pike Committee in the House – both focused on allegations of illegal CIA and other intelligence and law enforcement Agency activities. Such activities ranged from covert action programs involving assassination attempts against foreign leaders and covert attempts to subvert foreign governments to efforts by intelligence agencies to collect information on the political activities of US citizens.
HPSCI, specifically, is charged with the oversight of the United States Intelligence Community, which includes the intelligence and intelligence related activities of 17 elements of the US Government, and the Military Intelligence Program.
Flash forward almost 40 years.
In November of 2011, HPSCI's Chairman introduced the “Cyber Intelligence Sharing and Protection Act (CISPA)” to “help American businesses better protect their computer networks and intellectual property from advanced cyber attacks.”
The purported intent of the legislation was to “allow the Federal government to provide classified cyber threat information to the private sector…” and to “empower American businesses to share anonymous cyber threat information with others in the private sector and enable the private sector to share information with the government on a purely voluntary basis, all while providing strong protections for privacy and civil liberties.”
Importantly, the Chairman stressed that the legislation would provide “liability protection for companies that choose to protect their own networks or share threat information.”
That ominous provision aside, the Chairman took great pains to communicate that Americans need not fear for their privacy, hyping:
“The bill’s strong protections for privacy and civil liberties include:
- Narrow definitions that permit only the voluntary sharing by the private sector of a limited category of information—cyber threat information—and only for cybersecurity purposes;
- Strict restrictions on the government’s use, retention, and searching of any data voluntarily shared by the private sector;
- Permitting individuals to sue the government in federal court for violations of the bill’s privacy restrictions;
- Requiring the independent Intelligence Community Inspector General to conduct a detailed review of the government’s use of any information voluntarily shared by the private sector, and provide an unclassified report to Congress;
- A sunset for the bill’s authorities in five years, requiring Congress to carefully review the use of the authorities provided under the legislation to determine whether they should be extended or modified.
These are all interesting points, from an academic perspective. Reality, however, is a bit more harsh.
The oversight that the Chairman's office is charged with conducting has seemingly been perverted into cover-up: CISPA - notwithstanding the legitimate benefits that might be derived from honest interpretation and implementation - seems to have been, to some extent, an attempt to establish after-the-fact "legalization" (in part) of the illicit activities of the very intelligence Agencies HPSCI is meant to safeguard the American population against.
In the wake of the initial Snowden allegations in June 2013, the Chairman – the man responsible for leading this key Congressional Committee charged with reining in intelligence agency abuses – barfed up an op-ed in the Detroit Free Press (still posted on his Congressional website at http://mikerogers.house.gov/news/documentsingle.aspx?DocumentID=339391).
Key excerpts:
- As chairman of the House Intelligence Committee, it is my responsibility to ensure strict and thorough congressional oversight of the important work done by America’s intelligence agencies.
- I have been disheartened by dangerous national security leaks that have grossly distorted two vital NSA programs…Neither program allows the NSA to read e-mails or listen to phone calls of American citizens. Both programs are constitutional and do not violate any American’s Fourth Amendment rights. Both are strictly overseen by the Foreign Intelligence Surveillance Court, a federal court created in 1978 to protect the rights of American citizens in the course of foreign intelligence gathering.
- There are also several layers of checks and balances put in place around these programs within the executive branch and Congress. Both programs are overseen by lawyers and compliance auditors from the Department of Justice, the director of national intelligence and multiple independent inspectors general. Both have also been authorized by large bipartisan majorities in Congress and are regularly reviewed by the House and Senate intelligence committees.
- The first program allows the NSA to preserve a limited category of business records to help identify foreign terrorists and their plots to attack the U.S. This court-authorized program allows NSA to preserve only phone records such as the numbers dialed and the date, time and duration of calls. These records do not include the names or personal information of any American and do not include any content of calls.
- When the NSA wants to query the records, it must establish through a court-approved process that there is a reasonable suspicion a specific number is connected to a foreign terrorist. Only a limited number of analysts can obtain approval to conduct a narrow and targeted search of those numbers. If U.S. connections are found, they are passed to the FBI for further investigation. If the FBI wants to determine the identity of a phone number resulting from an NSA search, they must obtain a separate court order…”
- The second program, known as PRISM, allows the NSA to obtain a court order to access the electronic communications of suspected foreign terrorists overseas. Because much of the world’s Internet traffic flows through U.S. infrastructure, the law allows the NSA to obtain the specific communications of foreign suspects from U.S. companies with a court order. This program does not create a “back door” to any U.S. company’s server. This program cannot and does not monitor the communications of any U.S. citizens.
- All 535 members of Congress have had access to classified briefings describing the specific uses of these two programs, though not all members have chosen to attend these briefings.
Subsequent revelations and confirmations from the Intelligence Agencies themselves reveal virtually all of the observations in the Chairman's op-ed to be, seemingly, knowing and willful untruths - knowing and willful violations of the Chairman's primary commitment and responsibility to the American people.
What else has he been lying about?
August 22, 2013
Wither the Waterworks?
In June and July, I posted a flurry of blog entries related to the Snowden revelations. Common across all of those posts were my concerns about the potential Balkanization of the Internet.
Last week’s report from Reuters (and others) that China's Ministry of Public Security and a cabinet-level research center are preparing to investigate IBM Corp, Oracle Corp and EMC Corp over security issues, is one early indicator of potential fragmentation.
And this is not (just) about politics. Unlike the U.S. “national security” blackballing of companies like China-based Huawei - without a shred of proof of any compromise of the company, by any government - thanks to Snowden, China (and everyone else on the planet) has dead-bang proof that the U.S. Government has compromised major American-based ICT companies to facilitate its espionage activities.
Indeed, the Reuters report squarely echoed the concerns I expressed back in June and July: “Some experts have warned that Snowden's leaks could hurt the sales of U.S. technology companies in Asia and Europe, as reports of their complicity with NSA spying programs may lead foreign businesses and governments to purchase equipment and services from non-U.S. suppliers.”
The same day the Reuters report ran, August 16, Foreign Policy ran a piece titled “Can a Country Dodge the NSA by Rebuilding Its Internet?,” which offers yet further indication of the fracturing of the Internet and the globalized ICT industry that I worried about in June and July.
The Foreign Policy article reported on announcements from the Brazilian Government that Brazil intends to “build from scratch key parts of the country's web infrastructure that the country's leaders fear have been deeply infiltrated by the NSA.” According to the article, Brazil plans to launch a new geostationary satellite and to lay fresh underwater fiber to carry data from Brazil to Africa and Europe to ensure the “sovereignty” of its communications.
Can’t say I blame them.
But it’s an iffy proposition in terms of somehow better securing networks and data.
And motives get muddy when money’s involved – building out alternative networks means big business for someone and if there is a corollary sentiment to build and buy local, then initiatives launched for national security reasons, however legitimate, might morph into trade distorting or protectionist activities, in no-one’s long term interest.
Look, to some extent, Snowden has done us all a favor.
Up until a couple of months ago, the global cyber security conversation had been dominated by U.S. Government fear-mongering at home and haranguing abroad. Now we know why. Now we also know that everything in every communications network is vulnerable to compromise. Now we can have a rational conversation.
Now is not the time to hunker down within our respective borders and regions and mount inefficient industrial policies that will undermine the very benefits of globalization that have spurred the information and information technology revolutions over the last two decades.
No, now is the time for a real dialogue and real – non-political - solutions.
As significant as are the challenges we all face globally in terms of network security and data integrity, there are analogies and models related to past network and security-oriented challenges that can both inform and calm the process towards finding solutions.
Think about it: Throughout history, civilization has experienced the development of common utility-oriented infrastructures which better the lives of mankind, just as the Internet has done.
A fitting example might be the evolution from the ancient aqueducts of Rome to today’s modern water management and distribution systems.
A modern community water supply network typically includes elements ranging from water collection points to water purification and storage facilities to pumping stations and a pipe network for distribution of water to consumers.
Such systems ensure efficient access to and distribution of water, regulated by industry and government to ensure water quality and quality of service.
There are companies that build the pipes and related infrastructure to support such networks, others that manage the purification, storage and delivery and provisioning of water-related services. Governments, in collaboration with industry, and representing the interests of the general public, have set and regulate standards to ensure ubiquity, interoperability and safety of water supplies.
The advantages of scale – in terms of economies and appropriately governed quality and safety – are obvious.
The analogy to today’s Internet is clear:
There are companies that build the equipment that serve as the backbone of information sharing and storage, others that manage such equipment and provide information-related services to consumers. Governments, in collaboration with industry, have a role in ensuring the integrity and protection of data.
Yes, as we are all aware, the Snowden revelations have introduced a crisis of confidence in terms of the role of Governments.
But imagine, in the context of water systems, a similar mass crisis of confidence, hysterical concern about holes drilled in community water system pipes, or tapped or contaminated reservoirs.
Imagine individuals en masse abandoning the efficiency and quality of established community water services, turning their backs on networks, drilling their own wells, risking purity, quality of service, drought, and related societal fragmentation.
Now consider again the analogy to the global Internet.
There are very real concerns emerging related to the security and integrity of information networks and the data that flows through them. Indeed, such concerns have reached a fever pitch: We hear daily of the very real tapping of the “the pipes” and the siphoning from “the reservoirs”. And we very rightly fear the poisoning of either.
The Internet has been and maintains the promise of being a boon to mankind.
Fragmenting the Internet is in no-one’s best interest. Drilling regional or national “wells” and relying solely on local “clouds” has the potential to undermine the very globally-distributed Internet-related benefits that we seek to protect – the free and open sharing of information and the efficiencies and economic benefits that come with worldwide and interdependent networks.
The recent revelations of government compromising of networks and data have effectively demonstrated that our global ICT systems are vulnerable and cyber concerns real. The cards are all on the table.
Now is the time for a public-private dialogue and concerted effort to better secure our networks and data according to common and global norms and standards and rules of behavior. Now is the time for a rational discussion of our global and mutual concerns, and of the need for real and effective solutions to address them.
July 25, 2013
Grassley Breaks New Huawei Bogeyman Ground
Libeling Huawei has become a sport in DC these days.
Newest entry in the field?
Iowa Republican Senator Grassley who, per the Washington Times, wielded Huawei FUD - marrying last year’s vapid Congressional “Intelligence” Committee report with the more recent slandering of Huawei by PRISM-midwife Mike Hayden in his attempt to subvert competition in Australia – against an Obama nominee for a senior Department of Homeland Security slot, as well as Virginia gubernatorial candidate Terry McAuliffe and, for good measure, Hillary Clinton’s brother.
You just can’t make this shit up.
The hullaballoo is related to some Huawei executive having apparently applied for and been granted an EB-5 immigrant visa. EB-5 is a special program under which people can invest $500,000 to $1 million in certain U.S. companies in exchange for a Green Card. The program’s been around for years – under various names – and is akin to similar programs in Canada and across the developed world.
The “scandal” that Grassley has birthed revolves around the suggestion that the Obama DHS nominee – currently the head of U.S. Citizenship and Immigration Services – somehow influenced the Huawei exec’s visa application, which was associated with an investment (as required by the EB-5 visa class) in a company owned by Secretary Clinton’s brother, a company that also happens to be (per the Times) the fundraising arm of another company founded by would-be Virginia Governor McAuliffe.
If you’re a Republican in today’s ueber-partisan Washington, this is the sort of three-fer you can only dream about, especially when you can wrap in Sinophobia.
Ignoring the fact that immigrant visas are applied for and granted to individuals, not companies, Grassley cavalierly plays the Huawei-bogeyman card, citing, as mentioned above, last year’s vacuous HPSCI report and the more recent utterly-unsubstantiated comments made by has-been spook Hayden as reasons to question the issuance of the visa to the Huawei executive.
Really?
Really.
July 21, 2013
Recapping: From Snowden to Hayden
For regular
readers, you are well aware that this blog has evolved since it was created in
2005 - from the wistful or proud musings of a father too-often on the road, to the
hopeful hype of a mobile tech geek, to the more recent focus on cyber-hysteria,
and the related American-inspired travails experienced by my employer Huawei
Technologies.
With respect
to the latter area of focus, things have reached a fever pitch.
Three-plus
years ago, when I joined Huawei, the blackballing of the company by the U.S.
Government was relatively easy – black and white – China bad, everything else
okay. There was no need for rules,
regulations or transparency – indeed, the protectionist machinations in use at
the time were generally ham-handed, what one might have expected from a tin-pot
regime, not the leader of the free world.
But over the
last year, we have seen a shift towards more rational dialogue, towards more
potentially fair and open policy - until recently, at least.
The
conclusion of last years’ House Permanent Select Committee on Intelligence
(HPSCI) “investigation” (hardly) of Huawei was a report which is broadly viewed
as redefining the word vapid. The
Economist perhaps captured it best: The report appeared “to have been written for vegetarians…not
much meat in it.”
That was a
turning point. The politics were exposed
for what they were.
Indeed, When
HPSCI Chairman Rogers and Ranking Member Ruppersberger jabbed fingers at Huawei
executives demanding “If you want to do
business in our country then you tell your government to stop hacking our
networks,” it was rather clear that their agenda was geopolitical, not truly
driven by any legitimate concern about Huawei.
After all, when it came to Huawei, after a years’ “investigation,” they
revealed that they had turned up exactly squat.
Meanwhile, in the world of facts and rational thought, debate had turned to real challenges: Given that the information and communications technology (ICT) industry had evolved into a state of transnationalism, so too had cyber threats become borderless, and there was growing recognition that only real and global solutions would be effective at addressing such challenges (see related blog post from April 2012 or, for a deeper review, my blog post from July 2011).

The tide was indeed turning.

In February 2013, President Obama issued an Executive Order focused on Improving Critical Infrastructure Cybersecurity. A key element of his Order was the establishment of a Cybersecurity Framework which would be “technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.”

Good stuff. Right direction.

Another major inflection point was the late March passing of the Continuing Resolution that would fund the U.S. Government through the end of the fiscal year in September. Late in the process, with a Government shut-down imminent, a brief paragraph (Section 516) was slipped into the hundreds-of-pages long document which would ban some federal purchases of networked equipment “produced, manufactured or assembled” by any group with a strong connection to China (“owned, directed or subsidized”).

Eeeek.
Eleven major U.S. industry associations – ranging from the Chamber of Commerce to the Information Technology Industry Council – wrote an April 4 letter to Congressional leadership expressing dire concern that a ban on federal purchases from China could make the US government vulnerable by restricting access to the latest security technology and could invite reciprocity in terms of the Chinese government screening technology from the U.S. in the same way.

Per the U.S. industry associations’ letter: “Geographic-based restrictions run the risk of creating a false sense of security when it comes to advancing our national cybersecurity interests. At a time when greater global cooperation and collaboration is essential to improve cybersecurity, geographic-based restrictions in any form risk undermining the advancement of global best practices and standards on cybersecurity.”

Remarkable words of reason.

While the President had already signed the bill into law (at least until the end of the fiscal year when a new budget bill will be considered), a White House spokesperson was quoted in The Hill the day after the industry letter was written: “The undefined terms of this provision will make implementation challenging,” adding “It could prove highly disruptive without significantly enhancing the affected agencies’ cybersecurity.”

More good stuff.

Shortly thereafter, the Government Accountability Office (GAO) – the investigative arm of the US Congress – issued an unrelated study titled “Communications Networks: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts” which found that “No cyber-related incidents affecting core and access networks have been recently reported to FCC and DHS through established mechanisms…of the over 35,000 outages reported to FCC during this time period, none were related to traditional cyber threats (e.g., botnets, spyware, viruses, and worms).” See my overly-snarky blog post on this particular development, a reflection of facts yet further trumping fiction.
Mere days later, U.S. Secretary of State Kerry met with Chinese counterparts where both sides committed to cooperating on cyber-security issues, a reflection of yet more rational thought breaking out, and a concept about which I had pondered in a March 2012 post.

That same week, the world-renowned and respected Brookings Institution issued a remarkably thoughtful and balanced White Paper titled “Twelve Ways to Build Trust in the ICT Global Supply Chain.”

The Brookings paper acknowledged the realities of today’s globalized ICT industry: “As trade grows more globalized, the supply chain has become more complex and challenging. Contemporary commerce involves hundreds of individuals, organizations, technologies, and processes across continents,” and went on to propose rational, non-political solutions towards addressing the related challenges, suggesting that “developing agreed-upon standards, using independent evaluators, setting up systems for certification and accreditation, and having trusted delivery systems will build confidence in the global supply chain as well as the public and private sector networks that sustain them.”

Yes, indeed, the tide was turning…

And then along came Snowden.
We’ve all read the same stories, but, for anyone interested in some perhaps novel flavor, see my flurry of posts following his initial revelations, in which I have been perhaps more concerned about the potential fragmentation of the Internet than any impact on my employer: “Through the Looking Glass” (June 6), “PRISM and Internet Balkanization” (June 7), “PRISMs and Mirrors and Cyber (Oh my)” (June 9), “Politics, Intelligence and Lies – Get a Clue(train)” (June 11), “Internet Balkanization Yet More Likely – PRISM+” (June 14), “A Thickening Plot – A Devil’s Bargain?” (June 19).

Since Snowden, having utterly lost the cyber high ground, various and sundry U.S. Government authorities have scrambled – stumbling, fudging, lying – to rebuild trust, both at home and abroad, as often as not, with attempts to divert attention elsewhere.

A seemingly key element of the strategy has been to ratchet up the China cyber-threat (which is very real, mind you, as are the cyber threats from virtually every other country on the planet), and, specifically, to differentiate U.S. espionage from Chinese espionage on the grounds that the U.S. focuses on national security intelligence while China steals commercial secrets.

The differentiation strategy kinda fell apart on July 9 when the media began broadcasting Snowden’s latest revelation: The NSA had in fact been conducting commercial espionage across key Latin American markets focused on the oil and energy sectors.

It would appear, however, that some in the U.S. had a slight heads-up on this particular leak, and tried to get out in front of it with some distracting chaff.

One day earlier, on July 8, HPSCI Chairman Rogers re-emerged from his Huawei-bashing hibernation, appearing on BBC 4 Radio, and, for the first time ever, suggesting that he had “proof” of Huawei ties to the PRC and instances of corporate espionage. Yet again, however, he provided not a whit of substance (link to detailed blog post).
That same day, PBS Newshour ran a program titled “U.S. Government, Industry Fed Up With China Cyber Theft” featuring another noted China-hawk, James Mulvenon. Mulvenon was one of the principal authors of the 2005 RAND Report which was only recently revealed to have clumsily featured patently false information about Huawei.

Mulvenon, notwithstanding a remarkably impressive pedigree, took the lateral from Rogers’ BBC script and graduated from a past record of innuendo to out-and-out lying, stating, in reference to Huawei: “There's a well-documented record of them stealing core technology from Cisco and from Nortel…I think that Huawei has directly benefited from being able to take core R&D from other people.” What Mulvenon may “think” doesn’t make it fact, and his reference to “well-documented records” is nothing but a flat-out lie.
Thus, with the media appropriately fluffed, it was time to trot out yet bigger guns. Next up to twirl a bright and shiny object to distract attention from the increasingly damning revelations about U.S. espionage activities, including in the commercial realm, was none other than former NSA and CIA Director Mike Hayden, one of the midwives of PRISM.

In a July 19 interview with the Australian Financial Review which covered a wide range of cyber issues, General Hayden took Mulvenon’s handoff and ran for what he must have hoped would be a touchdown.

Asked whether Huawei represents “an unambiguous national security threat to the US and Australia,” the General replied “Yes, I believe it does.” Asked if there was hard evidence of Huawei having engaged in espionage on behalf of the Chinese state, Hayden evaded the tackle with a linguistic somersault, stating “Yes, I have no reason to question the belief that’s the case,” and then, of course, added “as the former director of the NSA, I cannot comment on specific instances of espionage or any operational matters.” He then went on to cite last year’s utterly empty HPSCI report as some sort of substantive proof point.

Talk about circular bullshit…

(And, never one to be left out, CSIS’s resident cyber flak – a Huawei-bashing cheerleader who never fails to put out for the team – chimed in meaninglessly in a UPI report: "Officials within several agencies have privately told me that Huawei is a national security threat." Why does anyone listen to this guy?).
So, what next?

From an industry-wide perspective, in the wake of HPSCI having blown its insignificant load last Fall, and until the Snowden hullabaloo, there had been quite positive momentum towards the establishment of commercially rational and effective worldwide standards and disciplines to better secure networks and information.

The U.S. Government, caught with its cyber slip showing, is to some extent derailing the process with mis-directing rhetoric.

Deal with it guys. Enough with the bright and shiny distractions. Enough with the Huawei bashing. You got issues with China, then manage them. But enough maligning of innocent companies that are otherwise world-proven and trusted.

You got something on Huawei – show it. You don’t – and if you did, you’d have ponied up by now – then stow it.