While the President Campaigns ...
2 Vital Cybersecurity Issues that Aren't Being Debated on the Trail
With President Obama on the hustings, his national security staff back at the White House is busily addressing cybersecurity matters that should be, but aren't, making it to the presidential campaign.
The first issue: A House intelligence panel report warning that telecom components manufactured by two companies in China could be programmed to allow the Chinese government to spy on sensitive information stored in American government and industrial computers. The second one: Addressing the role the government should play in protecting the nation's critical IT infrastructure.
A potential showdown looms with China over blocking the importation of wares manufactured by two Chinese companies, Huawei and ZTE, the world's largest and fifth-largest telecom equipment makers, respectively. The House Permanent Select Committee on Intelligence earlier this week issued an investigation report recommending that U.S. government systems, particularly sensitive IT systems, should refrain from using equipment and component parts manufactured by Huawei and ZTE because the wares could act as "bug, beacon or backdoor put into our critical systems [that] could allow for a catastrophic and devastating domino effect of failures throughout our networks," as panel chairman Mike Rogers puts it [see House Panel: 2 Chinese Firms Pose IT Security Risks].
I queried the White House to find out what it thought of the panel's report, and spokeswoman Caitlin Hayden e-mailed me a response that says the administration is reviewing the committee's report, adding that it "raises sensitive national security issues."
"The administration has been working closely with the telecommunications industry to identify national security risks and we are consistently developing strategies to mitigate against those risks, bringing to bear the tools of all the relevant U.S. departments and agencies," Hayden says. "We are committed to being vigilant to ensure that our national security interests are protected."
Morton's Fork in the Road
The administration faces a Morton's Fork, of sorts, a choice between two equally unattractive solutions: banning telecom and computer wares containing components from the two Chinese manufacturers or coming up with alternative ways to safeguard sensitive data on American computers. Neither choice is appealing.
If the U.S. government bans the import of products from Huawei and ZTE into the United States, the Chinese could retaliate by blocking imports of American technology products, citing the Patriot Act that requires U.S. telecommunications product makers to build backdoors into networks to let authorities intercept messages. Zeus Kerravala, principal analyst with ZK Research, tells the website NextGov that the Chinese could view U.S. wiretap rules as a clandestine way for American officials to spy on foreigners. "What if the Chinese government had accused us of this?" Kerravala asks. "Wouldn't we be in an uproar?"
Indeed, we would, even if we perceive the objective of the Patriot Act as something good - protecting our society - and the goal of the Chinese as something evil - stealing our secrets. Still, would banning the import of suspected telecom wares, which could ignite a trade war, be in the best interest of the United States? It might, but it could prove to be more harmful than beneficial. Such a trade barrier could be hard to enforce, as Zhu Jinyun, ZTE's senior vice president for North America and Europe, told Congress last month [see Ban Won't Rid Perceived Chinese Threat]:
"Your committee has suggested there are risks in U.S. network carriers' purchases of telecom operating equipment from foreign vendors, particularly vendors in China. As the committee undoubtedly understands, virtually all of the telecom equipment now sold in the United States and throughout the world contains components made, in whole or in part, in China. That includes the equipment manufactured and sold by every Western vendor, much of which is made by Chinese joint venture partners and suppliers."
Perhaps we should think of this challenge a different way. A growing number of IT security experts accept the fact that systems will be breached, so they advocate intensified efforts to secure the data. That notion can be extended. Accept the fact that components will be built into systems to allow others - whether governments like China or business competitors - to spy on sensitive data. In response, the government and industry should develop solutions and identify technologies like encryption to protect each bit and byte.
Seeking Bipartisan Cooperation
Word is out that the White House and representatives from both parties in Congress are meeting to address the stalemate that has blocked Congress from enacting comprehensive cybersecurity legislation. The discussions are focusing on provisions defining the role the federal government should play in protecting the mostly privately owned critical IT infrastructure.
Last Friday, Oct. 5, an interagency team led by the White House national security staff met with bipartisan Senate leaders and senior committee staffers to discuss how to improve cybersecurity, particularly critical infrastructure, under existing laws. "We will be holding a similar session with the House in the near future," Hayden says in response to my inquiry. "The administration is continuing to explore improvements both through the promotion of cybersecurity best practices and increased cybersecurity information sharing. Issuing an executive order is one - though certainly not the only - vehicle we are considering."
Hayden announced last week that the White House isn't rushing to issue an executive order that would create a process to identify best IT security practices the mostly private owners of the nation's critical infrastructure could voluntarily adopt [see White House: No Rush on Executive Order]. Most of the prime sponsors of the Cybersecurity Act of 2012, which would provide for voluntary IT security standards, have asked the president to issue an executive order after GOP senators led a filibuster that blocked a vote on the bill in August [see Lieberman's Last Hurrah on Cybersecurity].
A group of Republican senators last week called on Obama to discuss the differences they have over the government's role in establishing IT security practices, contending unilateral action by the president would widen the partisan divide over cybersecurity [see GOP Senators Warn Obama on Executive Order].
It's good that both sides are talking; cybersecurity is vital to our national well-being, perhaps as important as any topic being debated by Obama and Mitt Romney. If our systems don't function, our economy won't function.
The threat Chinese telecommunication products pose to our vital IT systems and the role of government in defining critical infrastructure protection are topics worthy of debate, but it's unlikely the candidates will even mention them in passing. It's not their fault. The public has yet to recognize the importance of cybersecurity, at least in their gut. Until they do, we won't be hearing much about it from the campaign trail.