Are we using a double standard in IT security?
In recent years cyber security has risen to become a major concern in every sector of our lives, from government to business and even at the private and personal level. But I wonder whether there is a sort of double standard in the way we judge events when they are related to cybersecurity.
Let's look at some examples:
We have all read the concerns raised by the rumoured new rules that China will impose on companies selling IT equipment in sensitive sectors such as finance. Western experts have raised all sorts of questions, pointing out that this will damage Western IT companies, and claim it is a protectionist move. So let us think about this a little. The new Chinese rules are not clear right now; there are rumours that they will require vendors to release source code to the Chinese government and to build back-doors into their equipment.
The stated reason is to protect key assets in China, because the government cannot trust vendors. The Western answer is that this is pure speculation and a move to raise protectionist barriers against foreign IT competitors.
What is lacking in those analyses is that, if the rules turn out to be as the rumours claim, they will have a negative impact on Chinese companies too.
In order to sell their equipment abroad, Chinese IT companies will have to, literally, duplicate their product lines: one for China and one for the rest of the world. A different code base will be mandatory to sell equipment outside the country, and they will face a competitive landscape even more hostile than the current one, with dramatically rising costs.
At the same time it is interesting to note how in some Western countries, take the USA as an example, the mere fact of being a Chinese company is enough to be banned from federal tenders, just because the products "could" contain back-doors used by the Chinese government; companies like Huawei and ZTE are facing this sort of fate in the USA. No proof or facts have to be presented; suspicion is enough. The Rogers committee voiced fears that the two companies were enabling Chinese state surveillance, although it acknowledged that it had obtained no real evidence that the firms had implanted their routers and other systems with surveillance devices. Nonetheless, it cited the failure of those companies to cooperate and urged US firms to avoid purchasing their products: "Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services. US network providers and systems developers are strongly encouraged to seek other vendors for their projects. Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems."
I wonder why nobody raises the protectionist flag in this case. Probably because the suspicions are credible?
So while mere suspicion of working for a government is enough for us to ban a company, when faced with solid facts such as
- the NSA's espionage activities (see the Edward Snowden revelations and Greenwald's articles),
- back-doors implanted by companies at the request of the state (think of the affair of DUAL_EC_DRBG, the default crypto algorithm in RSA BSAFE, or the old FBI Magic Lantern trojan that Norton and other antivirus products did not detect),
- back-doors implanted by the NSA by modifying the hardware and software of major IT vendors, intercepting the equipment before it reaches the customer (the ANT programs), without the vendors' agreement or knowledge; see also:
https://nex.sx/blog/2015-01-27-everything-we-know-of-nsa-and-five-eyes-malware.html
http://blog.thinkst.com/p/if-nsa-has-been-hacking-everything-how.html
we consider it normal and keep trusting US equipment.
Are you still wondering why the Chinese government does not trust Western products for key areas?
Another interesting example of dual behaviour when talking about cyber-security is the well-known recent Sony Pictures hack. The media have cast no doubt on the North Korean identity of the attackers, but few solid facts (actually none) have been presented to support it. On the other side, cyber-security experts have tried to raise some perplexity about this quick attribution. Sony has a long history of failed cyber-security protections and successful hacks; I have written about this since the first PSN network problem, but at the time nobody was pointing so easily at a suspect. So why have the media identified the bad guys this time, while cyber-security experts still have concerns? Taia Global was probably the first company to raise public concerns about this too-quick attribution, followed by other serious sources, companies and researchers. If you read the news now, doubts about the North Korea attribution are widely accepted, but in public opinion the guilt is clear.
We could go on with other examples. It is common to find statistics showing that the major source of cyber attacks is China, while forgetting to mention the rate of attacks that China itself faces, or to give a minimal explanation of why there could be so many sources there to be abused. If you visit China you will find that mobile internet is so widespread that it is no surprise to imagine how easy it is to recruit botnets there. Just walk down the street: you will see an incredible number of people walking and playing with their smartphones (4G connections are normal there) and then using the computer at home. And where there are home users and bandwidth, there you have botnets.
We should probably abandon the double-standard mode and start to consider cyber security as a worldwide, complex problem that needs neutral metrics to be evaluated correctly; otherwise we will base our decisions on prejudices and not on facts.