Tag: cybersecurity

Bandying “Terrorism”

George Clooney has now joined North Korea’s United Nations ambassador Ja Song Nam in bandying charges of “terrorism” against a foe. North Korea’s emissary in New York complained in July that the production of Sony’s film, The Interview, was “the most undisguised sponsoring of terrorism as well as an act of war.”

So, too, according to Clooney, was the threat leveled by unknown persons against theaters that might show the film: “Then, to turn around and threaten to blow people up and kill people, and just by that threat alone we change what we do for a living, that’s the actual definition of terrorism,” he said.

We don’t know more about the definition, but the ambassador and Mr. Clooney do teach us about usage. “Terrorism” is a debased, all-purpose charge anyone can use against anyone. There is a special variant of the word in which the results of an action provide conclusive evidence of the motive behind it. Because U.S. theaters yanked The Interview from their Christmas Day schedules, Clooney can plausibly call the threat “terrorism.” Had most people, like me, assumed the threat to be an idle prank, it would not have been terrorism.

I remain unpersuaded of a North Korean connection or anyone’s meaningful capacity or willingness to attack theaters. The most proximate cause of The Interview’s cancellation, it seems to me, is risk aversion on the part of theater owners’ lawyers. They apparently concluded that an attack could be a foreseeable cause of death and injury, for which owners could be liable. (Go ahead, reformers. Call trial lawyers “terrorists.”)

Subject matter expert Paddy Hillyard, a professor of sociology at Queen’s University, Belfast, eschews the term “terrorism” for reasons he articulated in a 2010 Cato Unbound. He participated in Cato’s study of terrorism and counterterrorism (conference, forum, book). I’m one of many who don’t believe that “cyberterrorism” even exists.

The greatest risk in all this is that loose talk of terrorism and “cyberwar” lead nations closer to actual war. Having failed to secure its systems, Sony has certainly lost a lot of money and reputation, but for actual damage to life and limb, you ain’t seen nothing like real war. It is not within well-drawn boundaries of U.S. national security interests to avenge wrongs to U.S. subsidiaries of Japanese corporations. Governments in the United States should respond to the Sony hack with nothing more than ordinary policing and diplomacy.

Cyber-Espionage (Not Necessarily Implicating U.S. Agencies) Returns to the Headlines

The Washington Post reported this morning that the U.S. government is “charging members of the Chinese military with conducting economic cyber-espionage against American companies.” According to the story, Attorney General Eric Holder will “announce a criminal indictment in a national security case,” naming members of the People’s Liberation Army.

If you will recall, cyber-security, cyber-espionage, and cyber-theft of trade secrets and other intellectual property belonging to American businesses started becoming prominent sources of friction in the U.S.-China relationship about 18 months ago before suddenly dropping off the front pages 11 months ago to make way for revelations of domestic spying by the U.S. National Security Agency. Somehow, the notion that Chinese government-sponsored cyber-theft broached a red line lost some of its luster after Americans learned what Edward Snowden had to share about their own government.

But today the issue of Chinese cyber-transgression is back on the front pages. Never before – according to the Washington Post – has the U.S. government leveled such criminal charges against a foreign government. The U.S. rhetoric has been heated and, just this afternoon, the Chinese government responded by characterizing the claims as “ungrounded,” “absurd,” “a pure fabrication,” and “hypocritical.”

While the U.S. allegations may be true, given well-publicized U.S. cyber-intrusions, it isn’t too difficult to agree with the “hypocritical” characterization either. Perhaps that’s why the U.S. government is attempting to distinguish between cyber-espionage, which is conducted by states to discern the intentions of other governments – and is, from the U.S. perspective, fair play – from “economic” cyber-espionage, which is perpetrated by states or other actors against private businesses and is, from the U.S. perspective, completely unacceptable. It’s not too difficult to understand why the United States has adopted that bifurcated position. The Washington Post quotes a U.S. government estimate of annual losses due to economic cyber espionage at $24-$120 billion.

Do New Cybersecurity Restrictions Amount to Regulatory Protectionism?

Protectionism masquerading as regulation in the public interest is the subject of an excellent new paper by my colleagues Bill Watson and Sallie James. As tariffs and other border barriers to trade have declined, rent-seeking domestic interests have turned increasingly to regulations with noble-sounding purposes – protecting Flipper from the indiscriminating nets of tuna fishermen, fighting the tobacco industry’s efforts to entice children with grape-flavored cigarettes, keeping U.S. highways safe from recklessly driven, dilapidated, smoke-emitting Mexican trucks, and so on – in order to reduce competition and secure artificial market advantages over you, the consumer.

The paper documents numerous examples of this “bootleggers and Baptists” phenomenon, where the causes of perhaps well-intentioned advocates of health and safety regulation were infiltrated or commandeered by domestic producer interests with more nefarious, protectionist motives, and advises policymakers to:

be skeptical of regulatory proposals backed by the target domestic industry and of proposals that lack a plausible theory of market failure. These are red flags that the proposal is the product of privilege-seeking special interests disguised as altruistic consumer advocates.

After reading this incisive paper, you might consider whether a new law restricting U.S. government purchases of Chinese-produced information technology systems in the name of cybersecurity fits the profile of regulatory protectionism. A two-paragraph section of the 574-page “Consolidated and Further Continuing Appropriations Act of 2013,” signed into law last week, prohibits federal agency purchases of IT equipment “produced, manufactured or assembled” by entities “owned, directed, or subsidized by the People’s Republic of China” unless the head of the purchasing agency consults with the FBI and determines that the purchase is “in the national interest of the United States” and then conveys that determination in writing to the House and Senate Appropriations Committees.

Why You Shouldn’t Believe the Cyber-War Hype

Constantine von Hoffman explains it on CIO.com:

Cyber war is not what the Chinese currently appear to be up to. That’s called spying. If you doubt it, consider what Rep. Mike Rogers, chair of the House Intelligence Committee, said Sunday on one of those talk shows that no one outside of D.C. watches:

“They use their military and intelligence structure to [steal] intellectual property from American businesses, and European businesses, and Asian businesses, repurpose it and then compete in the international market against the United States.”

If stealing secrets is an act of war then America is currently at war with all of its allies.

That’s some crisp contrarianism, and I like the dig at D.C.’s self-importance.

At around the time I was reading this article yesterday, an email arrived in my inbox touting an upcoming book event on “Cyber Warfare: How Conflicts in Cyberspace Are Challenging America and Changing the World.”

Oh, there’s no shortage of challenges laid before all actors trying to secure computers, networks, and data, but don’t mistake the number of vulnerabilities or threats with the likelihood they will manifest themselves, or the consequence if they do. The “cyberwar” frame is inapt, and looking at cybersecurity through a geopolitical lens is not likely to produce policies that cost-effectively protect our wealth and values.

Huawei, ZTE, and the Slippery Slope of Excusing Protectionism on National Security Grounds

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. —Benjamin Franklin

Chinese telecommunications companies Huawei and ZTE long have been in the crosshairs of U.S. policymakers. Rumors that the telecoms are or could become conduits for Chinese government-sponsored cyber espionage or cyber attacks on so-called critical infrastructure in the United States have been swirling around Washington for a few years. Concerns about Huawei’s alleged ties to the People’s Liberation Army were plausible enough to cause the U.S. Committee on Foreign Investment in the United States (CFIUS) to recommend that President Bush block a proposed acquisition by Huawei of 3Com in 2008. Subsequent attempts by Huawei to expand in the United States have also failed for similar reasons, and because of Huawei’s ham-fisted, amateurish public relations efforts.

So it’s not at all surprising that yesterday the House Permanent Select Committee on Intelligence, following a nearly year-long investigation, issued its “Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE,” along with recommendations that U.S. companies avoid doing business with these firms.

But there is no smoking gun in the report, only innuendo sold as something more definitive. The most damning evidence against Huawei and ZTE is that the companies were evasive or incomplete when it came to providing answers to questions that would have revealed strategic information that the companies understandably might not want to share with U.S. policymakers, who may have the interests of their own favored U.S. telecoms in mind.

Again, what I see revealed here is inexperience and lack of political sophistication on the part of the Chinese telecoms. It was Huawei—seeking to repair its sullied name and overcome the numerous obstacles it continues to face in its efforts to expand its business in the United States—that requested the full investigation of its operations and ties, not anticipating adequately that the inquiries would put them on the spot. What they got from the investigation was an ultimatum: share strategic information about the company and its plans with U.S. policymakers or be deemed a threat to U.S. national security.

Now we have the House report—publicly fortified by a severely unbalanced 60 Minutes segment this past Sunday—to ratchet up the pressure for a more comprehensive solution. We’ve seen this pattern before: zealous lawmakers identifying imminent threats or gathering storms and then convincing the public that there are no alternatives to their excessive solutions. The public should note that fear imperils our freedoms and bestows greater powers on policymakers with their own agendas.

Granted, I’m no expert in cyber espionage or cyber security, and one or both of these Chinese companies may be bad actors. But the House report falls well short of convincing me that either possesses or will deploy cyber weapons of mass destruction against critical U.S. infrastructure or that they are any more hazardous than Western companies utilizing the same or similar supply chains that traverse China or any other country for that matter. And the previous CFIUS recommendations to the president to block Huawei acquisitions are classified.

Vulnerabilities in communications networks are ever-present and susceptible to insidious code, back doors, and malicious spyware regardless of where the components are manufactured. At best, shunning these two companies will provide a false sense of security.

What should raise red flags is that none of the findings in the House report have anything to do with specific cyber threats or cyber security, but merely reinforce what we already know about China: that its economy operates under a system of state-sponsored capitalism and that intellectual property theft is a larger problem there than it is in the United States.

And the report’s recommendations reveal more of a trade protectionist agenda than a critical infrastructure protection agenda. It states that CFIUS “must block acquisitions, takeovers, or mergers involving Huawei and ZTE given the threat to U.S. national security interests.” (Emphasis added.) What threat? It is not documented in the report.

The report recommends that government contractors “exclude ZTE or Huawei equipment in their systems.” U.S. network providers and systems developers are “strongly encouraged to seek other vendors for their projects.” And it recommends that Congress and the executive branch enforcement agencies “investigate the unfair trade practices of the Chinese telecommunications sector, paying particular attention to China’s continued financial support for key companies.” (Emphasis added.) Talk about the pot calling the kettle black!

Though not made explicit in the report, some U.S. telecom carriers allegedly were warned by U.S. policymakers that purchasing routers and other equipment for their networks from Huawei or ZTE would disqualify them from participating in the massive U.S. government procurement market for telecom services. If true, that is not only heavy-handed, but seemingly strong grounds for a Chinese WTO challenge on the grounds of discriminatory treatment.

Before taking protectionist, WTO-illegal actions—such as banning transactions with certain foreign companies or even “recommending” forgoing such transactions—that would likely cause U.S. companies to lose business in China, the onus is on policymakers, the intelligence committees, and those otherwise in the know to demonstrate that there is a real threat from these companies and that they—U.S. policymakers—are not simply trying to advance the fortunes of their own constituent companies through a particularly insidious brand of industrial policy.

How Much Power Will the Obama Administration Seize in the Name of “Cybersecurity”?

If you’re not at the table, you’re on the menu.

That aphorism about Washington, D.C. power games certainly applies to the “cybersecurity council” that a draft Obama Administration executive order would create.

The failure of cybersecurity legislation in Congress was regarded as “a blow to the White House”—heaven knows why—so the plan appears to be to go ahead and regulate without congressional approval. Under the draft EO, a Department of Homeland Security-led cybersecurity council will develop a report to determine which agencies should regulate which parts of the nation’s “critical infrastructure.”

Keep an eye on that phrase, “critical infrastructure,” because it’s a notorious weasel-word. I argued in 2009 congressional testimony that something might be critical if “compromise of the resource would immediately and proximately endanger life and health.” But the CSIS report—the prominence of which is matched only by its lack of rigor—said, “[C]ritical means that, if the function or service is disrupted, there is immediate and serious damage to key national functions such as U.S. military capabilities or economic performance.”

When hungry bureaucrats are doing the interpreting, economic performance means “anything.” The subjectivity of “immediate” and “serious” doesn’t change that.

So the “cybersecurity council” will sit down at a table and carve up the economy to determine which agency regulates what industry in the name of “cybersecurity.” They’ll wheel and deal amongst themselves over everything that might fail with imagined “critical” consequences—never mind that they have no idea what to do about it.

Then it’s fake it ’til you make it. Though they haven’t got authority from Congress, these agencies will act as though they do. Businesses that don’t participate in government standard-setting will risk having the standards used against them in liability actions. Companies that don’t participate in “voluntary” information-sharing will see their ability to win government contracts erode.

Again, I don’t see why the Obama administration thinks it matters so much to seize power under the “cyber” banner. Perhaps they’re taken in by the gross threat-exaggeration that pervades in this area. But Steven Bucci of the Heritage Foundation has it right:

The President should resist the temptation to ladle on a new regulatory bureaucracy (or bureaucracies) simply to satisfy the need to “do something.” If it is not done right, it will do damage. Let the debate continue until it is done right, Mr. President. It’s called the democratic process, and it invariably provides the best answers, even if it takes a while.

Cybersecurity Improves No Matter What Congress Does

The Hill’s “Hillicon Valley” blog reported late Wednesday that cybersecurity legislation was likely to fail in the Senate today.

The post, originally titled “Cybersecurity Act Expected to Crash and Burn in Senate,” indulged in some typical Washington, D.C. conceit: “The Senate’s cybersecurity bill is likely to go down in defeat on Thursday,” it said, “ending any hope of passing a measure by the end of the year to protect America’s networks.”

Whether cybersecurity legislation would protect America’s networks is highly arguable. Doing so is the responsibility of the owners and operators of those networks (and all other communications and computing infrastructure). They are working all the time on protecting their assets, and their capacities to do so are constantly improving.

Yes, attacks on computing are improving, too, but there is little substantiated evidence (the fear-mongering of government officials and contractors is not substantiated) that the bad guys are getting the upper hand.

The Scylla and Charybdis Senate leaders appear to have been navigating was between a bill that was too regulatory, swamping American tech companies and “critical infrastructure” providers with deadening regulation, and, on the other hand, a bill that tapped too deeply into Americans’ communications and data. I’m happy—and feel quite safe—with cybersecurity legislation breaking up on the shoals or getting sucked down into a whirlpool, either one.

It’s possible, of course, that Senate leaders could arrive at a last-minute compromise—they’ll come forth extolling their own heroism for doing so. It’s very likely that the next Congress will return with undiminished hubris to the idea that the federal government can and should secure our computers, networks, and data. But it’s not true. That is the responsibility, and far more within the capability, of the private-sector owners of the nation’s digital infrastructure.

Nothing in this post should diminish the importance of cybersecurity. It is indeed hundreds or thousands of different problems that will be addressed by manifold actors in various ways over coming decades. The government has a role in cybersecurity: getting and keeping its own house in order. But the majority of the problem is ours, not the government’s, and we are slowly, surely taking care of it.