Cyber Scene #33
Huawei, Encore et Toujours
As the 5G digital Chinese belt expands, some countries (including the US and its executive branch leadership) rather see a tightening noose. In the ongoing US-China trade war volley, the latest shot across the bow, "a straight shot at Huawei's Business" per New York Times Raymond Zhong, is the filing of criminal charges of technology theft. Beyond 5G restrictions, this move responding to economic and technological espionage threats now restricts Huawei's access to US technology overseen by the Department of Commerce. Tech transfer has always been part of Commerce's remit, but the growth of Huawei and its worldwide "Bigfoot" print tinged with reported criminal subversion has upped the ante. Commerce has now placed Huawei on its "entity list" of firms that need a "mother may I" request from Commerce to buy American components and technology. This is a huge issue, given the outsized role of US technology in Huawei's business plan. One former Commerce official likens it to "the trade equivalent of a nuclear bomb." Mr. Zhong underscores how this action speaks to how China's "...growing technological prowess ... built on American now-how."
Barron's Jon Swartz (May 15 "Trump Executive Order Could Lead to Huawei Ban in US") also weighed in, noting that the executive order from the White House that bars US firms from using telecom equipment from manufacturers risky to national security adds more teeth to the restrictions imposed on the Huawei side. Needless to say, this dicey plot thickens.
Globalization linked to supply chain issue--in this case of tightly interwoven technology and trade-- reminds us that no man/country/land mass is an island, not even one as big as Eurasia
Across the Bow but not the Pond
European leaders are splintered in handling these Chinese-origin threats in response to the vibrant execution of "Made in China 2025" strategy. As various countries try to adopt political and economic measures to deal with this, the UK has reconfirmed its strategy to "trust but verify" in dealing with the issue. The 27 April Economist across its Technology and security editorial "The right call on Huawei", "Chinese companies abroad: Dragons, disrupted" and "Briefing Huawei: Communication breakdown" devotes a full eight pages to analysis of the decision to allow Huawei to build next-generation infrastructure in the UK under scrutiny. Also explored are the relationship of this policy to the American view and what other European countries should be doing. Unlike the UK's now former Defence Secretary who was fired after a reported 24 April leak (The Economist, 4 May "A cabinet sacking: Leak, plugged") of the decision to the UK press, the Economist editorial hails Prime Minister Theresa May's decision as "The right call on Huawei" for the UK provided that it and other countries adhere to three principles:
"Dragons, disrupted" (Economist 27 April) discusses what is known as "the Huawei effect" regarding three Chinese companies known as BATS (Baidu, Alibaba and Tencent" hold stakes in 150 companies abroad. These tech behemoths are not flying blind, but using clout to expand, in keeping with "Made in China 2025." The article calls to our minds the two-year old Chinese security law that requires its companies to execute intelligence gathering when asked. Perhaps BATS investments in Snap and Spotify are far less nefarious than Huawei's supply chain, but the scope of investment is chilling. Six years ago many Americans did not foresee where the digital world would be. China had, and has a vision.
"Communications breakdown" (same Economist) explores across four dense pages the view from abroad on how Huawei's "back doors" led to the US decision. It cites cybersecurity firm CrowdStrike as ranking China ahead of Russia as master of cyberattacks against the West. It also notes that Secretary of State Mike Pence said that the US is willing to withhold intelligence sharing from anyone using Huawei's gear for critical networks including Five Eyes (UK, Canada, Australia and New Zealand) partners. Center for Strategic and International Studies' James Lewis points out that sloppy back door coding can impact both China and its customers. But bugs, as viewed by a Cambridge scientist, can be more useful to hackers. GCHQ's National Cyber Security Centre Chief Ciaran Martin said they dealt with 1,200 "significant cybersecurity incidents since the Centre's creation in 2016. Russia is credited with being particularly gifted in this art.
To enlighten the readership on why the US finds the UK policy wanting regarding restraints on Huawei, see Sean Gallagher's Ars Technica of 28 March "UK cyber security officials report Huawei's security practices are a mess". The verdict was issued by an oversight board, Huawei Cyber Security Evaluation Centre (HCSEC) including the above-mentioned National Cyber Security Centre participants s well as (I am not making this up, to quote Dave Barry) a senior executive from Huawei. The board warned that "Huawei had failed to make long-promised changes to its software development and engineering practices needed to improve security." It also was charged with not managing component usage or lifecycle sustainment of products--not exactly a passing grade in American English.
French and Kiwi Calls for Tech Regulation
So how does the world attack this seemingly intractable issue? France joined ranks with Facebook, the terming this "unprecedented collaboration with a private operator" to explore a framework for social network regulation as reported in Lawfareblog. The interim report is in; the final due is 30 June. It focuses on content moderation on social media platforms and instead of blasting the platforms, looks at how to regulate and prevent either lone wolf individuals or organized groups from abusing social media. (For the record, Australia has "criminalized hosting abhorrent violent material," according to Lawfareblog and Australian Harvard Law student Evelyn Douek responsible for this non-US/UK perspective.) The interim French report protects both individual and platform entrepreneurial freedom while creating an independent body to implement the new prescriptive regulation regarding social network accountability related to: algorithmic transparency obligations, Terms of Service transparency obligations, and the obligation to defend user integrity. (Note from your non-Australian-speaking author: it is likely "obligation" should be translated as "requirement" from the French to read: "required to..."). Among other issues, the French government's report calls for European cooperation. Its emphasis is on incentivizing cooperation, rather than a "punitive approach" illustrated by the UK having reportedly called Facebook a "digital gangster."
The Christchurch Call led by New Zealand PM Jacinda Ardern in cooperation with French President Emmanuel Macron, while a quick and less nuanced response to the horrific attack, calls on countries to consider regulations or policy to prevent online dissemination of terrorist and violent extremist content while conserving the importance of "free, open and secure internet and respect for freedom of expression." (The US did not sign the Call due to First Amendment concerns.) While not a panacea by any measure, the Call is a beginning and is on the agenda for the upcoming G-7 and G-20 meetings. Microsoft, Twitter, Facebook, Google and Amazon are all signatories. You will recall Facebook's unsuccessful and frustrated attempts to immediately remove the horrific Christchurch footage. Among other possible implementation tools, the industry-driven and Call-supported Global Internet Forum to Counter Terrorism (GIFCT) will be used to explore a way forward.
Ms. Douek sums up by contrasting the approaches of these two initiatives: while both move toward regulation to online space, the first is bottom up while the second is leadership down. In either direction, there remains a great gap to conquer.
An Exception or the New Rule?
Even as the Call and the French report bring together the public and private sectors, other voices are not as sanguine about the progress made in collaboration on cybersecurity. David Kris, former Assistant Attorney General for National Security at the US National Security Council writes, on Lawfareblog that a robust private-public partnership must evolve even as the thrust of the US Intelligence Community (IC) focuses less on counterterrorism--"a mainly kinetic threat"--and more on cyber. In addition to citing emerging technologies as did the Call, he underscores cyber sabotage, theft of secrets and socio-political disruption with particular emphasis on election interference. He notes that much of the cyber battle space is owned by the private sector, which has much better access in certain circumstances than the IC. The "tremendous innovation" of the private sector was noted by former NSA and CIA Director Mike Hayden in 2005 who Mr. Kris quotes as saying that "... there was no other element out there in American society that is dealing with volumes of data in this dimension."
Mr. Kris opines that this partnership is fundamental to the IC increasing its analytic superiority. But the first move, he says, must come from the US Government at the highest level. The task, since Snowden, is daunting, and the author says that private-public relations are at a low ebb. He wraps up by noting that only a partnership will work; "A unilateralist approach is doomed to fail."
Congressional Voices
As Mr. Kris calls for US leadership, Congress gears up on two fronts where kinetic and digital threats are intertwined. The House Homeland Security Committee met on 16 May to discuss the rise in domestic terrorism and its link to cybersecurity and the House Homeland Security Subcommittee on Cybersecurity, Infrastructure, and Science and Technology to address funding for the recent National Cyber Security Strategy published in September 2018. The House Homeland Security Subcommittee on rolled up its sleeves in a 30 April hearing to work on FY2020 (i.e., beginning 1 October 2019) funding against the backdrop of the increase in election security issues. There was strong bipartisan support at both this subcommittee and the parent Homeland Security committee level. Several Members spoke of the need to coordinate a federal approach since, per subcommittee Chairman Cedric Richmond (D-LA) and Member John Katko (R-NY), there had been no coordination. More importantly, the offered White House budget for cybersecurity and S & T, as noted by both the Members and those testifying, was a cut from the prior year whereas the general consensus called for an increase. The cut was opposed by subcommittee Members and the Chairman of the House Homeland Security Committee, Bennie Thompson (D-MS). The latter said that even level funding for these cybersecurity and related issues, is very dangerous. Testifiers included DHS Undersecretary for Cybersecurity and Infrastructure Christopher Krebs and S & T Director William Bryan who called for a "whole of government" styled collaboration. Director Krebs also testified on 13 February 2019 on this subject before this committee in a hearing entitled "Defending Our Democracy: Building Partnerships to Protect America's Elections".
Homing In
In another instance of bipartisan mirroring, Republican Florida Governor Ron DeSantis announced on 14 May (NYT 15 May "Russians Hacked Voter Systems in 2 Florida Counties. But Which Ones?") that Russians had hacked into voter systems in two Florida counties during the 2016 elections. When grilled on which two, he steadfastly said he was not allowed to reveal that information per the rules of his nondisclosure agreement. Former Senator Bill Nelson (D-FL) had said the same thing, gleaned from his service on the Senate Select Committee on Intelligence, during his unsuccessful run for reelection in the mid-terms, but when challenged by his opponent to substantiate the information, declined to reveal anything as Governor DeSantis had done. Even as the British Defense Secretary is sacked for a reported leak, it is encouraging that some US leaders from both sides of the aisle know when silence is golden, even at a cost. Now to fund cyber!