June 19, 2013

A Thickening Plot; A Devil's Bargain?

Over the last two weeks since the uncloaking of the U.S. Government's PRISM and related global surveillance and data-mining activities, I have twice suggested that perhaps one of the most damaging outcomes will be the fragmentation of the Internet (link to June 7 post; link to June 14 post).

In both posts, my focus was not on the technological architecture of the Internet, but, rather, on what has to date been a remarkably global Internet service ecosystem, led by innovative and first-to-market American companies. 

I have expressed concern that the reports of leading U.S. Internet companies in cahoots with the American intelligence apparatus could lead to a profound lack of trust in these companies, particularly outside the U.S., resulting in a mass migration to alternative (existing or greenfield) non-U.S. Internet destinations, social networks and other Internet services that market themselves as "safe" or independent from spy agencies.

While such a power-shift in the Internet service industry could well introduce a new era of Internet innovation and competition, it might not bode terribly well for the American incumbents, or even U.S.-based newcomers.  

Of equal or greater concern, however, is that such a trend could lead to the fracturing or Balkanization of the Internet, at least on a service level, undermining the openness and freedom and global exchange of information that the Internet has fostered over the last two decades.

As mentioned above, what my recent musings haven't focused on is the impact that the PRISM+ and related revelations might have on the global ICT industry.

Over the last couple of years I have rather regularly commented on the prejudicial treatment my employer - China-headquartered Huawei Technologies - has experienced in the U.S.  When you peel away all of the histrionic fear-mongering, you come up with not a shred of remotely substantive cause for any unique-to-Huawei cyber- or national security concern.  It all boils down to the company being domiciled in China.  And given that every one of our competitors does as much R&D and coding and building in China as we do, the domicile of headquarters is hardly an indicator of a unique threat.

In many of those posts on anti-competitive U.S. policies, I have raised the concern that the political protectionist policy model being pursued in the U.S. - however poorly veiled as a cyber security initiative - might set a precedent for similar such policies in other markets, to the detriment of U.S. companies doing business overseas.  There were any number of times over the last two years when I thought such mimicking of or retaliation against U.S. policy might be triggered.

It seems PRISM+ may have done the trick.

TechInAsia ran an article today titled "Chinese Media: Snowden Says Cisco Helped the US Spy on China" (link).  The article quotes from and links to multiple Chinese Media outlets noting that Cisco equipment powers much of the Chinese Internet and reporting that Cisco had been identified as somehow linked to the U.S. Government's PRISM or related spying tools.  

While the article notes that it is unclear if PRISM leaker Snowden or anyone else has actually specifically charged Cisco with such collusion, it adds: "...It probably doesn't matter at all...regardless of what Snowden actually said, Cisco and other American companies are going to have a much harder time winning Chinese contracts than they used to."

I'm not certain that such challenges will be limited to Chinese contracts.  Indeed, will Cisco and other American companies have any more success proving negatives in China or elsewhere than Huawei has had in the U.S.?  Can these companies expect treatment somehow different than the hybrid Star Chamber-witch hunt experience that Huawei has suffered in the U.S.?  Did American policy-makers and politicians not anticipate that their antics and precedents might backfire on them?

The TechInAsia article concludes with a poignant point which takes a slightly different direction on the Balkanization concern that I have been expressing in recent posts: "Just a decade or so after Internet and communications technology brought the whole world closer together, it increasingly looks like hacking and surveillance scandals and suspicions are likely to tear it back apart."

Sad, but seemingly true.

Protection of our nation's networks and data is a paramount policy goal.  But, equally important should be policy which further encourages the blossoming of the open Internet, open and free communications and exchange of information, freedom of speech and democratic values.  

As of this point in time, we seem to have sacrificed or are in the process of sacrificing the latter - not only in terms of practice and integrity within the homeland but also in terms of our ability to export such values abroad - for the former.  A devil's bargain indeed.

June 14, 2013

Internet Balkanization Yet More Likely - PRISM+

A little over a week ago, it became known that Verizon was surrendering data on all telephony traffic over its networks to U.S. security agencies.  A day later, a young U.S. intelligence operative – a rare and anomalous “patriotic traitor” – leaked the details of a top secret U.S. Government global digital surveillance and data mining program built on access to the rich and almost-endless data reservoirs of leading American Internet companies (PRISM). 

This morning, Bloomberg reported (link) that “Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information…” ranging from advance notice of “zero day-exploit” flaws in software, other vulnerabilities, hardware and software specifications of gear shipped overseas, metadata from any individual device.  Further, as Bloomberg reports, “some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S.”

Among other things, the existence of such programs calls into question the purpose of the much bally-hooed Cyber Intelligence Sharing and Protection Act (CISPA), introduced in the House of Representatives in 2011, which would allow for the sharing of vulnerability information between the U.S. government and technology and manufacturing companies to help the U.S. government investigate cyber threats and ensure the security of networks against cyberattacks.  It seems that this is already happening in the absence of any statutory authority.  (Aside: Ironically, in terms of recent PRISM and related news, the White House has in the past opposed CISPA because it “lacks confidentiality and civil liberties safeguards”).

More importantly, what Bloomberg exposed today goes well beyond sharing of vulnerability information.  Indeed, according to Bloomberg, “In some cases, the information gathered may be used not just to defend the nation but to help infiltrate computers of its adversaries.”  This is certainly true in terms of zero-day vulnerabilities.  Consider the following excerpt from Gigaom’s reporting today (linked):

“Imagine you’re a government customer of Microsoft’s, in some country that isn’t the U.S. You’re already anxious over the PRISM scandal and its implications for data processed in the firm’s cloud. Now this: according to a Bloomberg report on Friday, when Microsoft finds a vulnerability in its software it informs U.S. intelligence agencies before its own customers. 

So, in theory, apart from having advance notice to patch their own systems, those agencies could exploit that zero-day vulnerability to hack into your data, before Microsoft gives you a chance to patch the flaw. And it’s not just Microsoft. According to the report, “thousands of [U.S.] technology, finance and manufacturing firms” are closely aligned with American national security agencies.”

Equally concerning, or more so from an individual perspective, is the metadata that is collected from compromised U.S. hardware vendors in accord with another recently-unveiled U.S. Government program code-named “Blarney.”  While it remains unclear to what extent Blarney relies on “backbone hacking” as referenced by PRISM leaker Snowden and/or the “software and hardware specifications” that Bloomberg reports U.S. tech companies are sharing with security agencies, whatever the combination, the information gathered includes, per Bloomberg, “which version of the operating system, browser and Java software are being used on millions of devices around the world, information that U.S. spy agencies could use to infiltrate those computers or phones and spy on their users.”

To the extent such activities are truly extra-territorial, they are not subject to U.S. law nor is any oversight or permission required by the Foreign Intelligence Surveillance Act or the FISA Court.  Interestingly, per Bloomberg, “Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.’s major spy agencies.”

As for any potential violation of U.S. law or the privacy and liberties of American citizens, Bloomberg reports that “before they agreed to install the system on their networks, some of the five major Internet companies…asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general…granting them immunity from civil lawsuits.”

In a related and somewhat heartening report, the New York Times detailed today (link) how Yahoo!, one of the companies named as part of the NSA's PRISM data collection program, didn't go quietly.  The company was behind a 2008 FISA court challenge to fight a court order requiring the company to give data to the U.S. Government without a warrant. 

According to the Times, "the company argued that the order violated its users’ Fourth Amendment rights against unreasonable searches and seizures. The court called that worry “overblown.”"  Yahoo! lost.  While Yahoo! was not identified as the plaintiff at the time of the case, limited information about the case and its resolution was made partially public, putting other American Internet companies on notice that a legal challenge would likely be fruitless.

A week ago today, just as PRISM was being unveiled for the public, I posted my concern that PRISM might herald a fracturing of the Internet as non-U.S. customers – governments, enterprises and individuals – may well lose trust in American Internet incumbents and leaders (link to my June 7 post).  Today’s additional information - claims that thousands of U.S. tech vendors are apparently engaged in voluntary information exchange with America’s spy agencies – amplifies my worry.

Indeed, Gigaom reported yesterday (link) that “a division of the Swedish government has prohibited government bodies from using Google Apps.”  While the Swedish review predates the outing of PRISM, per Gigaom, “it’s fair to view the news as the latest proof point in the resistance to relying on shared infrastructure certain United States companies run because the U.S. government can access data.”

We will doubtless see more of this.

It is true that the Internet has ushered in a new era of and architecture for espionage and crime.  And our Government is correct to take measures to ensure our national security and safety. The over-reaching that has been reported over the last week should be of concern to every American in terms of the potential – or very real - violation of their personal privacy and liberties.  But we should also be concerned about the broader impact. 

Notwithstanding that spies and criminals wield the Internet to their own ends, the benefits that the Internet has extended far eclipse such concerns, as does the potential sacrifice of those benefits (and I’m not just talking about the devastating commercial impact that a global loss of trust might have on American Internet and tech companies, and, by extension, the broader U.S. economy).  

The Internet – intrinsically global in nature by virtue of the globalization of information and communications technologies – has been a powerful force for the exchange of information, for freedom of speech, for democratic values.  The fracturing, fragmentation or Balkanization of the Internet is in no-one’s long-term interest, including even the U.S. national security agencies whose overreach via PRISM and otherwise may well have backfired in terms of future access to global intelligence.

June 11, 2013

Politics, Intelligence and Lies: Get a Clue(train)

My last three posts have been on the topic of PRISM (so, I'll not bother with links - just click the preceding entries)...

As the story continues to play out, I am seeing patterns of misinformation, disinformation and out-and-out lies that we've seen before, recently in terms of Benghazi, over a decade ago in Iraq, and, finally, very personal to me, in the context of my (still-gainful) employment over the last three years.

Notwithstanding the protestations from the U.S. Government, it seems clear that whatever the Government's intent, PRISM infringes - actually or prospectively (being gracious) - on the personal liberties and rights of American citizens, and, hopefully of some concern to my countrymen, completely and utterly violates the rights and personal information of innocent non-U.S. citizens.

Some would label the Government's protestations misinformation.  That might be generous.  At the same time, we do indeed have an essential need to gather intelligence to secure our homeland.  Our challenge - dramatically multiplied in the wake of PRISM's outing - is to do so while balancing our obligations to the liberties and privacy of our countrymen, and other innocents abroad.

Turn to Benghazi, one of three burning scandals in Washington these days.  I'll dismiss the other two: IRS/Tea Party and FBI/AP/Fox - the former being a dumb reflection of how polarized our nation has become (but hardly a strategic initiative from the top); the latter, not to diminish the unique nature of tapping the 4th estate, being little more than an extension of everything PRISM is about.

Adversaries are slamming the Administration for having orchestrated lies about Benghazi, initially explaining away insufficient security as unfortunate happenstance - who could have predicted the spontaneous uprising over a spurious YouTube video? Notwithstanding the current wisdom that it was an Al Qaeda-inspired terrorist assault, some might think that either story is just another cover-up.

Indeed, at least one rumor has it that Benghazi was targeted because the U.S. compound was a transshipment point to illegally funnel arms to Syrian rebels.  I'm not saying I buy into this, but, I do perceive more misinformation, which, if true, would mean that some of the Congressional folk assaulting the Administration are disingenuous, all the more so knowing that the Administration cannot defend itself. 

Some would call this back-and-forth partisan bickering an instance of conflicting disinformation campaigns, or worse. Most, at the very least, would call it politics. Whatever intelligence the Government may have had in advance of, during or after Benghazi, the one thing that seems sure is that the American people will very likely never know.

Flash back a decade-and-change, to a time when we, the American people, were sold an ugly bill of goods (WMDs in Iraq) to justify a war.  It matters not whether there was some alternate good cause for such a conflict - and I am a firm supporter of our troops in any context - it matters that the pretext for war was trumped up.  Fake intelligence.

Some might call these lies.

And now (indulge me this brief paragraph and then read on - I do return to the broader issues), we come to Huawei, my employer.  For the last three years (and earlier, but my tenure only extends that far), Huawei has been repeatedly maligned and slandered by various and sundry U.S. Government and Congressional authorities, alleged, without a whit of proof, to be susceptible to Chinese Government penetration and compromise.  No need to even fake any intelligence.

I have called this disinformation.  I have called this politics.  (See the last couple of years' posts on this blog).

The American people deserve better from our Government.  

In 1999, little known to other than the digerati (or geeks like me), online activists seeking to reintroduce humanity to the corporate world via technology, issued a document known as "The Cluetrain Manifesto" (linked).  The Manifesto proclaimed that "through the Internet, people are discovering and inventing new ways to share relevant knowledge...getting smarter faster than most companies."

The Manifesto continued: "Most corporations...only know how to talk in the soothing, humorless monotone of the mission statement, marketing brochure, and your-call-is-important-to-us busy signal. Same old tones, same old lies."  Sound familiar?  

Focused on the conversation between consumers and businesses, and highlighting that the Internet was shifting "power" from the latter to the former, Cluetrain called on corporations to engage in a real and open dialogue, lest their continued commercial success in the information age be imperiled.

Of the 95 Theses included in the Manifesto, a number of them - most of them - seem quite relevant to the current relationship between American citizens and their Government, and the need for change.

A handful of examples:
  • Companies need to come down from their Ivory Towers and talk to the people with whom they hope to create relationships.
  • The inflated self-important jargon you sling around—in the press, at your conferences—what's that got to do with us?
  • Command-and-control management styles both derive from and reinforce bureaucracy, power tripping and an overall culture of paranoia.
  • Companies make a religion of security, but this is largely a red herring. Most are protecting less against competitors than against their own market and workforce.
  • Elvis said it best: "We can't go on together with suspicious minds."

It is time, America.

Time to demand less politics, less misinformation, fewer lies.  It is time for real and interactive dialogue.

June 09, 2013

PRISMs and Mirrors and Cyber (Oh my)...

Last week's PRISM news, complemented by today's Guardian outing of NSA's related "Boundless Informant" tool which enables the Agency to catalog its global - including U.S. - surveillance data (link to Guardian article), would seem to indicate that the U.S. - not China - still reigns cyber-supreme, not just in disruptive capability (e.g. Stuxnet), but also in espionage and data exfiltration.

This really shouldn't come as any surprise to anyone, although the depth and breadth of the NSA reach is astounding, as is the compromising of American Internet companies.  Indeed, to this latter point, we may be witnessing perhaps the most remarkable instance ever of the U.S. Government effectively torpedoing one of our most successful and vibrant industries.  See Friday's post - linked.

Today's Washington Post offered a bit more visibility into how PRISM supposedly works, continuing to rely on a confidential informant or informants. The Post also reiterated official public statements from the various compromised U.S. Internet companies, which continue to deny any knowledge of any system that allows the government to directly query their central servers.  

At the same time, the Post quoted anonymous Internet company sources that did indeed acknowledge PRISM's existence as a tool for the NSA and other Agencies to access information about foreign customers.  These sources reportedly told the Post that they were pressured by authorities to grant easier access to data they were "entitled to" under secret Foreign Intelligence Surveillance Act (FISA) court orders.

Such Court orders are believed to be, in many cases, blanket, open-ended requests, per Section 702 of FISA.

According to today's Post and other reports, the way PRISM works is via "equipment" installed at Internet company locations which is "tasked" by NSA "collection managers" who receive results without interaction with company staff.  Sounds a bit as if the Internet companies are mirroring the data on their servers to PRISM gear, which would make their claims of "no direct server access" a bit, um, coy.

Speaking of mirrors...

In my initial June 6 post on PRISM (linked), I briefly observed that the U.S. Government compromising of commercial entities via programs like PRISM might explain why companies like my employer - China-headquartered Huawei - have been alleged to be susceptible to Chinese Government manipulation.  I suggested that the U.S. Government was looking in the mirror, assuming its behavior of others.

My observation was somewhat flawed.

You see, PRISM, and other such programs, treat networks like plumbing. In the case of PRISM, the Government compromised the Internet companies to tap data in a manner utterly agnostic to the "pipes" - the telecom infrastructure - over which such data flowed.   So, the mirror analogy doesn't work in terms of the political-protectionist policies blocking companies like Huawei from bringing competition to the U.S.

So-called national security concerns related to Huawei have been based on perceptions that due to its Chinese heritage, company employees might be coerced by the Chinese Government into planting "backdoors" in the gear it builds, enabling the Chinese Government to somehow access networks to extract data.  

This is technologically feasible (but nowhere near as reliable and universal as PRISM), but such rogue employee activity would be quickly detected and quashed by Huawei security assurance programs.   And the U.S. Government knows this.  Moreover, they know that every other telecom vendor is vulnerable to the same potential compromise as Huawei, given that they all operate globally, including in China.  

Wouldn't it be fair for the U.S. Government to believe that Huawei could be compromised the same way that NSA compromised U.S. Internet companies?  No.  Secret and discreet PRISM "equipment" tapped into or otherwise mirroring Internet company servers, known only to select company executives, is a believable scenario (indeed, the proof is in the fact that it has remained covert for six years).

But, a scenario in which tens or hundreds of thousands of individual commodity network infrastructure components - built and tested to global standards to ensure interoperability across multiple vendors - could all be compromised and coordinated to produce actionable intelligence in any sustainable fashion without being detected?  

That's a conspiracy theory that would require the complicity of thousands.  That just doesn't hold up in the real world.  

So, no, the U.S. Government was not looking in a mirror, but, rather, ironically enough, a prism, and then projecting its behavior - skewed and distorted -  onto its perceived adversary, resulting in ineffective, anti-competitive and trade-distorting policies related to companies like Huawei that have done nothing to make American networks or data more secure.  And they know this.

June 07, 2013

PRISM and Internet Balkanization

Yesterday's outing of the U.S. Government's PRISM intrusions into the lives of virtually every Netizen on the planet - with some level of complicity from the likes of Google, Facebook, MS, Yahoo! and others (notwithstanding their remarkably consistent protestations of not having allowed "direct access" to the NSA) - may well herald a fracturing of the Internet.

On the one hand, we are witnessing a digital business opportunity unseen since the blossoming of the commercial Internet.  While Google, Facebook, et al are sure to survive in the homeland - although there's a hue and cry coming once the average American realizes what's been done - what once seemed relatively secure global hegemony is now in peril.

Trust is fragile.

Let's consider Europe, a market in which people take their privacy rather seriously, where the American pre-Internet (and still) experience with direct mail marketing is, in some countries, outright illegal.  Indeed, in Europe, because of such concerns, it is illegal for an EU citizen's personal data to be processed or even hosted on servers outside the EU, unless the company doing the processing is in a country that has data protection laws of as high a standard as the EU.

Even before the PRISM outing, the U.S. was not deemed to conform to these standards, but the PRISM-compromised Internet companies benefited from an EU "Safe Harbor" provision through which they could self-certify their conformity to EU-style standards.

Needless to say, no-one's gonna put much credence in such self-certifications in the wake of yesterday's news.

It is a distinct likelihood that alternative social networking and Google-esque platforms will emerge in Europe - and other markets - where Netizens perceive more meaningful data protection rules and checks on Government intrusion.  This is the commercial opportunity I referenced above.  And the Euro-nationalists will eat it up.

Balkanization? No, but a re-ordering?  Quite likely.

And it gets worse for America - now tossed down from the moral Internet high ground - from a political perspective.

Granted, PRISM doesn't equate to the Internet censorship and related digital and very real-world suppression of free speech in markets like Iran and, to lesser extent, China.  But, no matter what is happening with the data being PRISM'd, just the fact that it is being collected undermines America's credibility in terms of Internet freedom, perhaps empowering some authoritarian regimes to extend their online restrictions and crackdowns, or - worse yet - their own cyber mischief targeted at Americans online.

And, sadly, I think PRISM may just be the tip of the iceberg.  Stay tuned...

June 06, 2013

Through the Looking Glass

In the early 1990's, as a junior U.S. Foreign Service Officer detailed to the U.S. Uruguay Round market access trade negotiations team, I had some limited exposure to intelligence - commercial intelligence - gathered, I was led to believe (I cannot confirm), by ECHELON (link to Wikipedia).

While ECHELON was originally established to monitor Cold War nemesis communications, it graduated, seemingly - as early as the 1990's - to far broader communications interception.

Our digital world has come a long, long way since then.

Our real world has evolved as well.

Ours has become, indeed, a frightening age.

And, sadly, fear is being used as an excuse for all manners of abuse, and by our own Government, and not just abroad, but at home...

Today, the Washington Post posted an article titled: "U.S. intelligence mining data from nine U.S. Internet companies in broad secret program" (linked).

Per the Post, in a program labelled "PRISM," "the National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. internet companies, extracting audio, video, photographs, e-mails, documents and connection logs..."

Private sector "taps" to PRISM reportedly include Microsoft, Yahoo!, Google, Facebook, Paltalk (which is said to have "hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war"), AOL, Skype, YouTube and Apple.

Ours is a brave new world.

As an American, I am profoundly disturbed, and deeply offended, and, well, in the spirit of our age, I am fearful.

As an employee of a China-based multinational (Huawei) that U.S. Government representatives have regularly labelled - unfairly and without substance - as somehow vulnerable to Chinese Government influence or penetration, I now fully understand why...

...As I have long surmised, the U.S. Government has been looking in a mirror.  And it is not limited to Huawei, China or otherwise.  Of late, we hear more and more about Iran and North Korea (the latter somewhat stretching credulity).

I am not surprised.

And, excepting my brief mention immediately above, this is not a Huawei-related rant.

The U.S. Government is right to be concerned about Chinese or other Government or non-State entities tapping our networks for espionage or intellectual property rights theft purposes.  But our protestations that we would not engage in such practices are hollow, all the more so given that we are doing so within the homeland, against our own countrymen, which borders on abomination.

We, Americans, cannot - should not - be ruled in, because or by fear.  We risk everything that we have stood for over the last two-and-a-half plus centuries.

June 01, 2013

U.S., China to team up on issues of cybersecurity?

Today, Canada's Globe and Mail headlined an article "U.S., China to team up on issues of cybersecurity" (linked), which reported:

"The United States and China have agreed to hold regular, high-level talks on how to set standards of behaviour for cybersecurity and commercial espionage, the first diplomatic effort to defuse the tensions over what the United States says is a daily barrage of computer break-ins and theft of corporate and government secrets."

In March 2012, I blogged an entry titled "Mad About Cyber-Security" (linked), in which I commented:

"The U.S. and China must agree to certain behaviors, and then project adherence to those behaviors...All of today's inflammatory cyber-rhetoric and cyber-political flailing about is serving no-one’s true cyber-interests. Globalization is real. The ICT industry is global. Our digital economies are increasingly interdependent. Cyber-threats do not respect - or even recognize - national borders (e.g. Stuxnet did some collateral damage outside Iran). Today's superpowers must acknowledge that their bilateral (and mutual multilateral) tension and conflict are not going away and, as such, should at the very least strive to manage common vulnerabilities in such a manner that both sides can continue to maintain their respective national AND economic securities, to their mutual benefit."