The saga continues … as it should and will. A front page article appeared in the May 17, 2016 issue of The New York Times, by Paul Mozur and Jane Perlez, with the title “Chinese Panel Quietly Grills Silicon Valley: Apple and Others Face Security Checks.” It describes the retaliation that was entirely expected. The article opens with:
“Chinese authorities are quietly scrutinizing technology products sold in China by Apple and other big companies, focusing on whether they pose potential security threats to the country and its consumers and opening up a new front in the already tense relationship with Washington over digital security.”
Well, it’s not exactly “a new front.” In my October 15, 2013 BlogInfoSec column, “Huawei and National Availability …. Um … Security,” I quote a couple of Wall Street Journal articles that describe a U.S. Congressional “probe” of Huawei based upon a perceived national-security threat and Huawei’s response. This battle has been raging in public for several years and probably was going on well before then.
The above-mentioned NYT article goes on to say:
“While other countries, including the United States and Britain, conduct reviews of some tech products, they usually focus on products that will be used by the military or other parts of the government that are concerned with security, and not on products sold to the general public.
The Chinese reviews stand out because they are being applied more broadly, including to American consumer software and gadgets popular in China … And because Chinese officials have not disclosed the nature of the checks, both the United States government and American tech companies fear that the reviews could be used to extract tech knowledge as well as ensure that the United States was not using the products to spy.”
Now hold on a minute! Is this not a John Oliver moment or am I missing something? It’s okay for the U.S. and the U.K. to examine Chinese products but not the reverse. And who distinguishes between products for consumer and military use? The military likely use millions of iPhones and iPads, as I describe in a CrossTalk journal article “Cybersecurity and Modern Tactical Systems,” (November/December 2015).
As they say: “What’s good for the goose is good for the gander.” There are a variety of reasons why one would want to test embedded software, ranging from ensuring that the systems are secure and maintaining privacy to checking for malware and back doors. Given the cost and difficulty of performing such tests, it would seem to make the most sense to test software-intensive systems globally and to share results across countries and between public and private sectors. Perhaps that is wishful thinking, but it would go a long way towards meeting software-security and system-safety assurance requirements. Yes, there is the downside, depending on where you are coming from, that a country’s national security could be compromised because its spyware is detected and neutralized. However, there could be significant benefits if defects and vulnerabilities are shared and corrected. It’s the usual tradeoff between the good guys and the bad guys … and which you are depends on who is doing the evaluation and for what purposes. Whether particular malware is good or bad is a matter of what it does and who is using it. Sharing information about unintended vulnerabilities is a controversial topic, since hackers have the advantage as long as a vulnerability is not generally known, or if they can sell that information in the burgeoning vulnerability marketplace.
Determining the preferred approach is complex politically, economically and technically. But, if we are ever to establish and enforce globally acceptable cybersecurity standards, there has to be a good understanding and cooperation among nations, and the software assurance area is a good place to start.