In a letter to China’s Central Leading Small Group for Cyberspace Affairs, dated January 28, the U.S. Chamber of Commerce warned that harm would result from an “overly broad, opaque, discriminatory approach to cybersecurity policy,” according to a Reuters report.
“The domestic purchasing and related requirements proposed recently for China’s banking sector . . . would unnecessarily restrict the ability of Chinese entities to source the most reliable and secure technologies, which are developed in the global supply chain,” according to the letter, which was also signed by 17 other U.S. business groups. The groups also urged Beijing to postpone the implementation of the new rules.
We caught up with Tim Erlin, director of IT security and risk strategy at advanced threat firm Tripwire, to get his thoughts on the matter. He told us this is just one piece of a complex, far-reaching issue with economics, encryption and assurance.
“While the likes of and Google aren’t willing to simply cede the Chinese market, there can be little doubt that a path that involves sharing source code ends with piracy and ultimately enhances China’s ability to copy what they currently buy,” Erlin said. “On the surface, China is seeking assurance that the products they are purchasing from foreign companies are not already compromised, and the [Edward] Snowden (NSA whistleblower) revelations give them good reason to be suspicious.”
As Erlin sees it, China would obviously prefer not to rely on these vendors at all, but they don’t have the same capabilities domestically. At the same time, China, as a major market, has leverage with major vendors to push for things like source code audits, he said.
“Market issues aside, there are national security implications to China having open access to source code for used by other governments, including the U.S. China’s offensive capabilities would be greatly enhanced with the ‘inside knowledge’ afforded by such access,” Erlin said. “It’s unlikely that the U.S. would stand idly by while China developed an arsenal of zero days behind the guise of source code audits.”
Backdoors Subvert Security
Ken Westin, a security analyst at Tripwire, told us the issue is odd. Considering most of the devices are already manufactured in China, he said it would seem China would know more about American technology than our own government in some respects.
“As governments push for more access and backdoors into technology companies, it’s the consumer who suffers, just as both privacy and security suffer,” Westin said. “The fact that governments are requesting such access is a sign that technology firms are doing a better job of securing customer data, so much so that governments feel they are doing too good of a job and are attempting to insert themselves either through law or technology in the middle to intercept communications as necessary.”
The problem is that this is all happening in public and the bad guys are fully aware of where their communications can be intercepted and have already moved to more clandestine technologies and forms of communication, Westin said. “The end result of all of this is that legitimate uses of encryption, and other security protections, suffer and the backdoors only work to subvert security making everyone less safe,” he added.