January 30, 2015

Pots and Kettles, Take 2: As Ye Cyber-Sow…

Four years ago this week I posted a piece on the remarkably hyperbolic hypocrisy of Western governments' condemnation of Chinese export financing, titled “Export Financing: Pots and Kettles” (linked).  A New York Times article two days ago (linked), which reported on a letter from a group of U.S. industry groups to the Chinese Government decrying new “discriminatory” Chinese cyber regulations, prompted me to return to the pots and kettles analogy, albeit in a different context.

The joint-associations’ letter calls for “urgent discussion and dialogue regarding the growing trend of Chinese government policies requiring use of ‘secure and controllable’ or Chinese-developed and/or controlled Internet and information communications technology (ICT) products, solutions, and services based on ‘cybersecurity’ justifications. Internet and ICT.”

The letter, specifically referring to a 22-page regulation approved by the Chinese Government late last year, outlines a number of the offending Chinese “secure and controllable” initiatives: “ICT products and services must undergo intrusive security testing, contain indigenous Chinese intellectual property (IP) (e.g., local encryption algorithms), comply with Chinese national standards, and restrict the flow of cross-border commercial data. The same policies also mandate that vendors file sensitive IP, such as source code, with the Chinese government.”

With repeated reference to the inherently global nature of the ICT industry, the letter makes very solid points, such as: “It is in the interest of the global ICT industry to work with all countries to ensure that the ICT supply chain produces secure and trustworthy products for all our customers around the world.” 

Further, the letter informs: “Sovereign interest in a secure and development-friendly cyber economy is best served, in any country, by policies that encourage competition and customer choice, both of which necessitate openness to nonindigenous technologies, as well as close collaboration between industry and government in formal and informal public-private partnerships and other mechanisms.

Spot. On.

Finally, the letter concludes, reiterating the call for a dialogue “to discuss constructive, alternative approaches toward the goal of enhanced security,” and then hammering home: “…it is of critical importance that policies be developed in a transparent and open manner with adequate public consultation; not interfere with the procurement activity of commercial entities; not discriminate or provide questionable subsidies to domestic products; and not create technical barriers to trade that are more trade restrictive than necessary.”

Damned straight.

Notably, these are not new anti-discriminatory positions for these U.S. trade groups, nor are they limited to China, indeed, they’ve been staked out quite forcefully and on multiple occasions in terms of U.S. development of similarly discriminatory policies masquerading as “cyber-security” initiatives.

In April, 2013, many of the same signatories to the recent joint association letter to the Chinese Government signed on to a letter to the leadership of the U.S. Senate and House of Representatives objecting to a provision included in Appropriations legislation which was later signed into law by the President.  That provision bars select Federal Agencies from acquiring information technology (IT) systems unless ‘the head of the entity, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity’ has made a risk assessment of potential “cyber-espionage or sabotage...associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.”   

The aligned industry groups warned that the provision set a troubling and counterproductive precedent that could have significant international repercussions and put U.S.-based global IT companies at a competitive disadvantage in global markets.

Further, and very, very straight to the essential point, the associations wrote: Fundamentally, product security is a function of how a product is made, used, and maintained, not by whom or where it is made. Geographic-based restrictions run the risk of creating a false sense of security when it comes to advancing our national cybersecurity interests. At a time when greater global cooperation and collaboration is essential to improve cybersecurity, geographic-based restrictions in any form risk undermining the advancement of global best practices and standards on cybersecurity.

Yet further, the April, 2013 letter to Congressional leadership warned – presciently – that the provision could fuel potential retaliation, stating, specifically: “The Chinese government may choose to retaliate against U.S.-based IT vendors by enacting a similar policy for screening IT system purchases in China.”  More generally, the letter worried further about copycat legislation: “Governments in other countries may seek to emulate this policy, harming U.S. IT vendors who wish to sell in those markets. Similar policies are already being pursued by some foreign governments. We are concerned this provision would severely undermine the U.S. government’s efforts to contain these policies.”

Finally, the letter concluded reminding the recipients that “the global IT sector is committed to working with Congress and the Administration to consider constructive approaches that avoid geographic-based restrictions and focus instead on the appropriate and effective methods to meet our cybersecurity challenges. In the near term, we strongly encourage a meaningful bilateral dialogue between the United States and China to address cybersecurity concerns in a manner consistent with best security and trade practices.”

Great stuff (which you hear echoed in the more recent letter to Chinese authorities, excepting the bits about retaliation and copycatting, for, well, the obvious reasons…).

Then in July, 2013, TechAmerica, a signatory of both the April, 2013 letter and the more recent letter to Chinese authorities, wrote to the leadership of the U.S. House of Representatives Appropriations Committee reiterating opposition to the renewal of the offending Appropriations legislation provision

TechAmerica labeled the proposed legislation “problematic at best” and, indeed, “counterproductive,” in that it would hinder “the ability of these departments and agencies to obtain world-class, state-of-the-art technology innovation and services in a timely fashion while essentially undermining the ability of U.S. based ICT firms to conduct international trade and commerce on a level playing field by facing similar retaliatory localization measures by other foreign governments in markets critical to the U.S. commercial sector.”

Then, in September, 2014, the Information Technology Industry Council (ITI), a signatory to both the April, 2013 letter and the more recent joint industry missive to China, wrote to the Senate and House Armed Services Committees objecting to a Defense Authorization provision that require U.S. intelligence agencies to advise the Congress of every instance in which an ICT component from a company “suspected of being influenced by a foreign country, or a suspected affiliate of such a company” is competing for or has been awarded a contract related to a DoD or Intelligence network or “networks of network operators supporting systems in proximity…” 

Per the ITI letter, “in short, we fear the language in Section 1083 will not help the government achieve its security objectives and could have several unintended economic and security consequences.”  ITI went into great detail defining faults in the provision, under the following headings:  “The language is ambiguous and many terms are not defined.”  “Standing alone, a company’s activity in, or relationship with, a foreign country may not be dispositive as to whether its products or services are secure.”  “There is strong potential for global backlash on U.S. ICT companies.”

In November, 2014, the Silicon Valley Leadership Group (not a signatory to any of the previous letters, but with some overlapping membership) also wrote to the leadership of the Senate and House Armed Services Committees, worried about the same provision that ITI targeted, sagely borrowing and extending language from the April 2013 letter detailed above: “Product security is a function of how a product is made, used, and maintained, not by whom or where it is made, or by the relationship a vendor has with any particular government. Geographic restrictions are not helpful to improving cybersecurity and at worst could in fact preclude an organization from procuring the best or most appropriate technologies for their mission.” 

Like in previous letters from other signatories, SVLG also expressed concern for copycat initiatives: “…this approach invites retaliation against U.S. companies in global markets. Governments around the world closely watch U.S. policies, and a U.S. law (or even proposal) that would discriminate against a vendor based on its relationship with a foreign country (or government) could embolden other governments to enact similar restrictions as  a condition of sale into their own markets.”

Are the new Chinese regulations copycat?  Yes.  Well, in many or most ways, with a couple of exceptions... 

First off, the Chinese regulations are also (one might imagine, at least) a partial response to the abysmal treatment that major China-based ICTs have experienced in the U.S., such treatment defined by vague, opaque, “unwritten” policies that have served as quite effective market access barriers.  

Secondly, the Chinese provisions are reportedly quite far-reaching, in terms of, such as, according to the joint industry association letter, demands for access to source code and mandatory back-doors.

But otherwise, yeah, pretty much tit-for-tat regulations.

But, there are differences in terms of implementation and enforcement, which are both infrastructural and cultural.

On the U.S. side, notwithstanding the unwritten policy referenced above, the process has been less about promulgating regulation and more about publicly debating legislation that may or may not ever become laws or rules, often as not with the Administration in cahoots with the Congress.  The end result, in American culture, is practically the same.  With or without enacting a law or rule, American purchasers are “chilled,” dissuaded from buying from vendors of certain geographical heritage even if only because spooked by just the specter of legislation.

The Chinese side doesn’t have the same institutional flexibility, and the culture is almost opposite.  
There is no legislature to use as a sounding board and/or to broadcast the informal chill.  There’s no public debate.  There’s just the government, and then whatever rules emerge.  However, unlike in the U.S. the rules are only sometimes enforced, and, generally speaking, ignored – not even a chill - until enforced, and consistently so.

A relevant case in point would be China’s so-called “Multi-level Protection Scheme,” introduced in 2007, which supposedly mandated that core ICT products used by Government and infrastructure companies, such as banks and transportation, must be provided by Chinese companies.  But the MLPS wasn’t enforced in pretty much any way until after 2010, and then only sporadically (otherwise we wouldn’t be talking about the new regulations promulgated at the end of 2014).

So, summing up, what we have is an escalating mess.  ICT leaders, whether based in the U.S., China or elsewhere, are all suffering, and will likely suffer further if the techno-nationalist trends in both and more countries persist. 

How do we take this in a new direction? 

Given the nature of the regime in China, it would seem unlikely that any China-based company would engage or have any success should they choose to do so in swaying the Chinese government. And a China-based company having any success talking reason into U.S. law- and policy-makers is, in my personal experience, a not-insignificant long-shot.

But, the U.S. regime does lend itself to that sort of influence, and U.S. companies are historically not shy about voicing their opinions to government (see all of the above).  Maybe if the American-based companies want a change in the new Chinese regulations, they might, in a show of good faith to the Chinese authorities, unite their disparate initiatives into one and begin simultaneously championing similarly fair environments in both countries, perhaps even in the context of alignment with their China-based non-members.

Indeed, this would seem a natural threshold to a broader, more rational (commercially and technologically) global conversation about the utterly borderless nature of the ICT industry - and the critical global supply chains that fuel ICT companies - and the irrationality and ineffectiveness of national policies based on old world geographical borders that are largely irrelevant in the digitalized, globalized ICT market.

January 23, 2015

Should We Worry About a Cyber-Princip?

This post resurrects a concept I initially proposed almost three years ago, the idea of borrowing from military/diplomatic history to address current and future cyber/diplomatic challenges, a concept that has seemingly become more mainstream over the last couple of years.

In March of 2012, I blogged about the potential model of the arms control treaties that emerged in and around and after the age of Mutually Assured Destruction (link).  This time around, I’m going yet further back in time, but to reinforce the same idea.

At the turn of the century, 117 years ago, the world’s great powers gathered in The Hague in 1898 to discuss what would be the first true multilateral treaty focused on the conduct of warfare, the laws of war, methods of arbitration, and, interestingly, for the purposes of this post, arms control.

There were any number of reasons for the Conference, depending on your historian of choice, ranging from commercial and political fears that a Golden Age might fall to war, to a growing global pacifist movement, to Czar Nicholas II’s concern that Russia had fallen so far behind militarily that only an arms accord might freeze the gap (Nicholas convened the conference).

Whatever the case, there were not-insignificant numbers of people of influence within the major nation States that responded to the Czar’s call to assemble that were genuinely worried about the pace of development of military technology.  

Indeed, from Napoleon’s war at the turn of the previous century, through the mid-century Crimean and American Civil Wars; from Britain’s colonial conflicts in Africa, to the Franco-Prussian and Spanish-American wars late in the century, it was becoming exceedingly obvious that war was becoming increasingly hellish (although few imagined the technology and mass-army inspired horror and devastation that World War I would bring a mere decade-and-a-half later).

A number of Conventions were agreed when The Hague Conference closed in 1899, ranging from arrangements related to dispute settlement and arbitration, the treatment of prisoners of war, a ban on bombardment of undefended towns, the protection of hospital ships, etc.  More intriguing, perhaps, were the conventions focused on arms control, which were as much about “behavior” as anything else, in terms of managing prospective technological threats. 

To wit, the “Declaration concerning the Prohibition of the Discharge of Projectiles and Explosives from Balloons or by Other New Analogous Methods,” which provided, for a period of five years, in any war between signatory powers, no projectiles or explosives would be launched from balloons, "or by other new methods of a similar nature."

And then there was the “Declaration concerning the Prohibition of the Use of Projectiles with the Sole Object to Spread Asphyxiating Poisonous Gases,” which provided that in any war between signatory powers, the parties would abstain from using projectiles "the sole object of which is the diffusion of asphyxiating or deleterious gases."

As a final example, there was the “Declaration concerning the Prohibition of the Use of Bullets which can Easily Expand or Change their Form inside the Human Body such as Bullets with a Hard Covering which does not Completely Cover the Core, or containing Indentations,” which called for signatories not to use such munitions.

As a historical note, only the U.S. (joined by the UK in terms of the “bombs from balloons” prohibition) failed to ratify these Conventions – but that is not the point of this post).

From our current vantage point and era of inconceivably rapid technological development, it is perhaps naïve, even quaint, to imagine such Conventions, which in effect were intended to somehow “govern” progress.  (In fairness, any modern day perception of naïveté is arguably unfair, given that the Conference attendees were dealing with advanced warfare that was in some cases prospective and unproven, yet all the more fearsome in its strangeness).

Notwithstanding the fact that the second Hague Conference in 1907 was an abysmal failure, and the yet-more-painful fact that some of the 1899 Conventions were tossed aside once WW1 kicked off, the Hague Conference(s) and Conventions and their impetus present an interesting analogy for the not-so-dissimilar situation we face in today’s world when it comes to the militarization of cyberspace.

Without a doubt, today’s powers that be have a pretty solid understanding of the havoc they can (and do) wreak in the realm of cyber, from espionage (pick your favorite Snowden Revelation or Mandiant Report) to disruption (ala Stuxnet).  At the same time, there is growing angst about the über-threat of some sort of “cyber-Pearl Harbor” or “cyber-911” or “cyber-[insert alternative bogeymonster here].”

These are very real concerns about very not-yet-fully-real cyber threats, like enemies shutting down electricity grids, crashing stock markets, crippling critical infrastructure, etc.  Indeed, these are modern-day concerns quite akin to the late 19th century worries about bombs dropped from balloons, or projectiles designed to deliver poison gas, or dum dum bullets in the battlefield (all of which came to pass).

Czar Nicholas’s initiative failed.  But the model is not a bad one, in terms of managing tensions.  The cyber-stage is only getting more crowded, by State and non-State players alike.  To the extent that some of the tension can be defused through multilateral agreement between States, why not go there, and in an accelerated fashion as opposed to what seems a pattern of politically-gamed fits and starts.

If governments can take cyber-Armageddon off the table, then industry can more effectively (hopefully with less nonsensical political interference in what should be – largely - a technical and commercial process) work towards the more pedestrian restoration of trust and confidence in the networks that power our digital lives, and in the integrity of the data that flows through them.

If this is cyber-1899, or anything like it, then let’s get it right this time.  

Let’s work to ratchet down the tension and set the right rules and limits so that if or when some latter day Gavrilo Princip hacks the National Bank of Austria we don’t find ourselves sucked into a global cyber-maelstrom from which we cannot extricate ourselves, a frightening blend of digital and physical devastation unlike anything the world has heretofore witnessed.

January 19, 2015

The President Wants Competitive Broadband. Good.

Over the last year, the “network neutrality” debate has re-emerged with a vigor reminiscent of the fiery rhetoric of 2010. 

While the FCC dithers on definition and incumbents battle to maintain either their freedom to tier or their freedom to “ride” (depending on the nature of the incumbent), the President last week entered the fray in a related call for more broadband competition and coverage, particularly in rural and underserved areas.

Summing up the President’s proposed initiatives, The Financial Times quoted the White House: “Every American should have options for better, faster broadband…Broadband is no longer a luxury. It’s a necessity. It’s a necessity for businesses, for families, and for our national competitiveness.”

True.  Very true.

Indeed, in 2012, 2013 and 2014, the New America Foundation’s Open Technology Institute released sequential ”Cost of Connectivity” studies, reviewing the cost of consumer broadband services in 24 cities around the world.  In each year, the results showed that, in comparison to their international peers, Americans in major cities such as New York, LA, and DC pay higher prices for slower Internet service.  

Reports from the Organization of Economic Cooperation and Development (OECD), the International Telecommunications Union (ITU) and other public and private or public-private organizations have made similar findings.

It is widely anticipated that we will hear more about the President’s broadband initiatives in his State of the Union speech tomorrow.  But, in short, what he proposed last week, with a special focus on local and community broadband, includes: Eliminating State laws which stymie local broadband competition; Expanding local public-private and R&D-oriented partnerships focused on broadband; Launching a new Commerce Department initiative called BroadbandUSA to promote deployment and adoption; Unveiling new grant and loan opportunities for rural providers; and Removing regulatory barriers and improving investment incentives.

That’s a whole lotta motherhood and apple pie.  Don’t get me wrong, I’m all for it.  There is no acceptable reason that the nation that once occupied the cradle of the Internet should now be camped out in a lean-to.

But let’s take a closer look at that last one: Removing Regulatory Barriers and Improving Investment Incentives

According to the White House Fact Sheet on the President’s Broadband plans announced last week, “The President is calling for the Federal Government to remove all unnecessary regulatory and policy barriers to broadband build-out and competition, and is establishing a new Broadband Opportunity Council of over a dozen government agencies with the singular goal of speeding up broadband deployment and promoting adoption for our citizens.

To these points, speaking in Cedar Falls, Iowa last week at the unveiling of his suite of broadband initiatives, the President said: "In too many places across America, some big companies are doing everything they can to keep out competitors…Today, I'm saying we're going to change that. Enough's enough."

True.  Quite true.

Now, let’s take a moment to ensure contextual clarity: The President’s comments about competition, as well as the focus of the broadband agenda he outlined last week, as well as the general gist of the ongoing network neutrality debate at the FCC, are about the provisioning of Internet services and content.

But broadband competition takes place on multiple levels.

Last week I posted on a separate laundry list of Presidential initiatives unveiled last week (it’s that time of year) - a suite of cybersecurity-related policy and legislative proposals.  The gist of my January 14 post (linked) was that the success of the proposed activities – all domestically-focused - might be limited in the absence of broader global initiatives to address truly fundamental and global challenges.

Similarly, the President’s broadband initiatives, at least as outlined last week, are also, um, “half-fast” (thanks Verizon – clever campaign, by the way), at least in terms of addressing the establishment of a more competitive market environment for American broadband.

(Regular readers, you know where this is going).

The New American Foundation, OECD, ITU and other reports on the relative cost of broadband across markets at some point or another – conscious or not – end up depicting some sort of juxtaposition of the European situation vs. the American situation.

It seems, fixed data-speeds and 4G wireless deployment schedules notwithstanding, that Europe has the lead over the U.S. in terms of the average cost of broadband to the average consumer.  One reason, it would seem, is the fact that consumers, even in rural or far-flung areas, have the option to choose among broadband suppliers, which in turn forces those service providers to competitively price their offerings.

In contrast, as the President said in Iowa last week: "Tens of millions of Americans have only one choice for that next-generation broadband. So, they're pretty much at the whim of whatever Internet provider is around.”

But Europe has had the benefit of other competitive pressures as well, pressures that have had not just an impact in terms of lower cost broadband, but also in terms of more innovative broadband. 

In short, Europe has been open to investment and innovative new technologies on a market-based basis, including solutions from world-leading Huawei Technologies, a $47 billion company doing business in over 170 countries, which happens to be headquartered in China.  

Such competition has driven innovation and more rational, market-based pricing of telecommunications equipment across Europe, driving down costs and extending broadband to everyday consumers.

(Perfunctory disclaimer, again: Huawei is my employer, but this blog is my own, the content unvetted, uncleared by any third party).

U.S. Internet and telecommunications service providers have been routinely pressured by the U.S. Government to eschew Huawei gear, based on never-substantiated concerns associated with the company’s heritage in China, concerns which fly in the face of a very important pair of facts: 1) Huawei is deployed by nationwide service providers in virtually every OECD country without incident; 2) All of Huawei’s “Western” competitors are, like Huawei, conducting R&D, building and coding on a global basis, including in China.  To the extent that such presents potential vulnerabilities, they are commonly shared across the industry.

Now, let’s look at a case study that would seem relevant to the President’s initiative to introduce more competition and more broadband in rural markets:

In October of 2012, 60 Minutes profiled Huawei (not terribly accurate, balanced or even responsible journalism, but I guess that’s a matter of one’s perspective). 

During the program, the 60 Minutes correspondent interviewed the President and General Manager of a small local telecommunications carrier who communicated his goal of reaching as far as possible into rural areas, and his observation that “the new Huawei network delivers some of the fastest Internet speeds in the country.”

The carrier President told 60 Minutes that he had been pressured by “federal agents” about Huawei, pressured to buy from someone else. 

In answer to a subsequent question from the 60 Minutes correspondent, the carrier President said he was upset by the visit because he “saw it as interference in our operations. If we're not able to buy the very best equipment and deploy it in an efficient manner, then everybody suffers.” 

Notably, 60 Minutes concluded this segment of its program asking the obligatory question about American bidders on the project, to which the carrier President replied: “I don't know of any American companies that makes this equipment.”

The intervention featured on this particular news program was not an isolated incident.  Indeed, it was an example of a pattern of behavior.  It was indicative of a “policy.”

So yes, Mr. President, by all means, and in the words of the White House, let’s call “for the Federal Government to remove all unnecessary regulatory and policy barriers to broadband build-out and competition.”

All of them. 

And, if for whatever reason there is someone somewhere within the Administration or otherwise that would purport that market-distorting barriers to preclude competition from select companies based on their country of heritage - in an industry that has eclipsed national borders – is “necessary,” then, in the name of the very competition the President seeks, they should be compelled to justify that finding, and publicly.

January 14, 2015

Cyber-curing what ails us will demand global remedies

Earlier this week (January 13, 2015), President Obama unveiled a slew of proposed cybersecurity-related initiatives, ranging from updated cyber-information sharing legislation to empowering and re-tooling law enforcement to battle cyber-crime; from new data breach reporting requirements to a February 2015 White House Summit on protecting consumers online.

These are all laudable initiatives, indeed, necessary initiatives (although, in light of countless Snowden-unveiled tidbits over the last couple of years, I have my worries about overly-broadly better-empowering law enforcement which, in cahoots with U.S. intelligence agencies, seems to have demonstrated a frighteningly consistent pattern of abuse of such power).

But, to some extent, these proposed initiatives all miss the broader and more critical point: Cyberspace is global, borderless. And, so too, is cyber-malice.  Thus, until and unless the Administration devotes similar – indeed, more forceful - attention to identifying and agreeing globally-applicable disciplines, domestic remedies such as proposed may be challenged to succeed, at least in the grand cyber-scale of things.

Yes, the proposed information sharing legislation would enable the public and private sector to better exchange information about and better analyze, understand and effectively address cyber threats, as well as better safeguard Americans’ personal privacy through the institution of stricter requirements for private companies that collect or use personal data.

Yes, modernizing the legal ecosystem to allow for the prosecution of the sale of things like spyware used to stalk or commit ID theft, as well as the criminalization of the overseas sale of stolen U.S credit card and bank account numbers, and the granting of authority to courts to shut down botnets engaged in DDOS attacks and other criminal activity, are all good and necessary things.

Yes, simplifying and standardizing existing State laws that require businesses to notify consumers of data breaches and corralling them into one Federal statute should indeed serve to both better incent businesses to upgrade their cybersecurity and, thus, better stem the tide of identity theft, financial compromise, etc. 

And, yes, the proposed February 13 “White House Summit on Cybersecurity and Consumer Protection” at Stanford - which will include Administration leaders, CEOs from a range of industries, law enforcement representatives, consumer advocates and technical experts – cannot help but contribute constructively to better educating and protecting American consumers and companies.

These initiatives all seem to acknowledge the need to restore consumer and corporate trust in the networks that power our digital lives and livelihoods, as well as the integrity of the data that funnels through or resides in such networks.  This is a good thing (notwithstanding that the initiatives seem to utterly ignore widespread concerns related to U.S. Government domestic surveillance, espionage, etc.).

While a “fortress America” approach to cybersecurity might be a welcome panacea for the masses, it is insufficient to deal with more global and more potentially devastating cyber-threats, whether Government-spawned malware like Stuxnet, massive-scale DDOS attacks, the theft of billions in intellectual property, or, the big fear, the disruption or destruction of critical infrastructure.

Pre-Snowden, the Administration was quite bullish on setting and enforcing global cyber norms and standards.  As Snowden’s Revelations have wreaked havoc on America’s cyber credibility, the U.S. seems to have hunkered down, shying away from the lead on global solutions, and, by virtue of that seeming withdrawal, to some extent actually perpetuating global insecurities and vulnerabilities.

This week’s White House announcements were heartening, and, hopefully, will lead to an improved State of the cyber-Union, as well as some level of restored confidence in the integrity of networks and data.  However, these initiatives are but domestic pieces of a much bigger global puzzle, the completion of which should remain of the highest priority to U.S. authorities if the domestic initiatives are to be truly meaningful in the long-term.