October 31, 2013

The State of the Surveillance State

Yesterday, we learned from Edward Snowden that the NSA has penetrated the main communications links that connect Yahoo and Google data centers around the world, complementing their court-supported compromise of American technology companies at home with good-old-fashioned clandestine compromise of those same companies abroad.

Think about it.

That’s hundreds of millions of records from hundreds of millions of users – many of them Americans, whether at home or abroad – hoovered up on a dynamic basis, stored and analyzed in massive secretive government data centers.  With zero effective oversight.

That’s a virtual wet dream for ex-Soviet era KGB and East German Stasi types who once relied on tracking and monitoring citizens based on reams of paper and warehouses of filing cabinets, as opposed to, for instance, the NSA’s Utah data center with the capacity to store 5 Zettabytes (5 billion Terabytes) of information.

Indeed, courtesy of www.opendatacenter.de: “Assuming that a filing cabinet with 60 files (30,000 pages of paper) uses up 0,4 m², which would correspond to 120 MB of data, the printed out Utah data center would use up 17 million square kilometers.” (Note: The Continental U.S. is about 10 million square kilometers).

But I digress.

Ours is a country built on the rule of law and respect for – fealty to – the rights of citizens.  Both of these fundamental precepts are increasingly at risk in terms of what has become an out-of-control technology-run-amok surveillance state spawned by our post-Soviet era government-inspired culture of fear.

Yes, we should expect our government to engage in appropriate intelligence gathering activities for national security purposes.  And yes, we do have laws and oversight processes in place to govern the activities of our intelligence agencies to preclude abuse, at home or abroad.  But, advances in technology and storage and processing have ridiculously eclipsed legal or oversight regimes, resulting in rampant abuse and invasion of privacy, at home and abroad.

Do I trust my government to do what is “right?”  Perhaps.  Today.  But who knows what the world will look like in ten years.  Look, I’m sorry, but given everything that has been unveiled since June, and the consistent exposure by each succeeding revelation of the latest round of government “clarifications” being, often as not, patently untrue, I simply cannot accept nor trust government protestations that “there is no abuse” and “there are laws to protect you,” etc.

I would prefer to benefit from a “trust-but-verify” process (due props to President Reagan).  Such, however, thus far, seems an impossibility, in terms of the complexity of the technologies involved, the vast, endless amounts of data being mined, analyzed and stored, and the iron curtain of government secrecy cast over what the NSA and other agencies may or may not be doing with that data.  King George’s “writs of assistance” that our Founding Fathers so valiantly objected to two-and-a-half centuries ago are back, and on steroids. 

In the name of national security we have effectively undermined national security: Our adversaries are clever enough to evade the dragnet, our allies are now alienated, our leading technology companies – key contributors to our economic national security – are at risk of becoming pariahs, the infinite data teats that our intelligence agencies have so greedily suckled may well go dry, or, at the very least, sour.  The precedent we have set is a model for totalitarian and repressive regimes worldwide to mimic, the deepest irony being that we have consistently accused such regimes of such abuse in the past knowing full well that our own transgressions were significantly more grievous.

Enough with the vain government protestations of innocence and good intent. It’s time for a reset. It’s time to rebuild trust.  It’s time to restore American honor, pride, privacy, and leadership.  It’s time to acknowledge that technology has outpaced and out-scaled outdated and, to some extent, outlandish policy, law and regulation, and to adjust ourselves accordingly.

October 13, 2013

The End of (knowing) ICT Company Complicity with Gov’t Spying?

The Snowden revelations may very likely mark the beginning of the end of "knowing" corporate complicity with government espionage.

That’s a powerful statement.  But I think it is an inevitability.

It's funny...I work for Huawei, a $35 billion China-based multinational technology company that has suffered remarkable discrimination and market access barriers in the U.S. due to concerns that Huawei product might somehow be compromised and used for espionage by the Chinese Government.

The concern has always been prospective, given that there has never been any proof of such past or current activity.  

Indeed, until the Snowden revelations, U.S. Government concerns about Huawei were a bit confounding.  I mean, Huawei’s a multi-billion dollar company doing business across the globe, including in every free-market democratic nation allied with the U.S.   Had everyone else been hornswoggled?

Post-Snowden, it's been all too clear what prompted the concerns.  

American companies had been compromised by their government to support espionage, at home and abroad, and, so, the natural assumption was that other governments were similarly penetrating companies headquartered in their countries.   

There very well might be some truth to this, particularly in terms of state-owned companies.

However, contrary to popular (American) belief, not all companies in China are State-owned or controlled.  Indeed, there is an increasing number of China-headquartered companies like Huawei which are private.  A company like Huawei that is doing 70% of its $35 billion in business outside of China would have to be insane to risk that business by knowingly allowing its product to be subverted by any government.

One would think that the same would have been the thought process of U.S.-based technology giants.  We have learned, in the wake of Snowden, that saying "no" was seemingly not an option.

Okay, as Americans, facilitating our government’s legitimate need to gather intelligence must be in our best and patriotic interest, no?  Perhaps.  But at what cost?  Our technology leaders, which wittingly - albeit by most accounts unwillingly - compromised their gear and networks per Government dictate, are now suffering in global markets due to their compromise having been exposed.

Ironically, Huawei – notwithstanding unsubstantiated accusations otherwise – has never been asked, directed or otherwise been compromised or wittingly penetrated by any government.

Whatever the case, there is a growing and global crisis of confidence in the information and communications technology (ICT) industry and the security and integrity of networks and data.

China is investigating compromised American companies and the U.S. maintains its political-protectionist blockade of China-based network equipment companies.  Brazil talks of a domestic Internet while India considers banning U.S.-based email service providers and Deutsche Telekom markets “Email made in Germany” as an alternative to penetrated U.S. providers.

Balkanization, fragmentation, regionalization…call it what you want, but it’s not in anyone’s long-term interest.  The ICT industry has blossomed over the last two decades in large part because of globalized scale and transnational innovative ecosystems and supply chains, digital and physical.  Confidence and trust must be restored before 20 years of progress is undone.

And, lacking a significant course-correction, the impact will be most harsh on U.S.-based companies.  The damage thus far is not unduly severe, but the impact of potential boycotts of perceived-to-be-compromised American companies will almost certainly have an increasing and adverse economic impact in the U.S.  

Sacrificing an industry that the U.S. helped drive to global success is an absurd cost for whatever espionage benefit may have been derived. 

Moreover, "knowing" corporate complicity in government espionage is not sustainable because, as we have all now learned, once the corporations have been outed as compromised, they cease to be a reliable source of information if they are shunned by consumers of their goods or services.

Somehow or other, it worked until Snowden.  It won’t work anymore.

Governments will not stop spying on each other, nor on the peoples and businesses of the world, including within their own borders.  This is a given.  But, industry – and everyday citizens - need to stand up and reject legal or regulatory regimes that compel the private sector to facilitate wholesale government data collection, monitoring, analysis, storage and misuse or outright abuse.  

This will not happen overnight.

While that dialogue takes place, there should be three simultaneous conversations in three separate but interrelated realms.   

Service providers and data managers must take a leadership role in driving the legal and regulatory course-correction referenced above, and, in that context and in a future, more protected information environment, they should be required to divulge to consumers (enterprise or individual) the type of information they might share with Governments and in which appropriate and legal contexts.

In terms of the nuts and bolts and software of network infrastructure, vendors should come together to define independent third-party (including Government) certifiable standards and best practices to better secure products and solutions – hardware, firmware and software - spanning supply chains, and from ideation to end-of-life.

Finally, Governments need to agree among themselves a framework for acceptable behavior in the ether.  Espionage is a given.  But commercial espionage and, of greater concern, disruptive or destructive cyber-activities should be defined, discouraged and punished under mutually-agreed terms and conditions.

Again, none of this will happen overnight.

But, just starting the dialogue - rather than having consumers wallowing in fear and governments and industry vainly denying the obvious – should at least, to some extent, mellow the ongoing crisis of confidence, and, equally important, derail the fragmentation of the global Internet and ICT industry.