what? ...random musings about life, family, technology, politics, etc.

China, Russia Propose UN Cyber-Code

September 20, 2011 by Bill

Concerns related to network- and cyber-security, which have increased rather dramatically in recent years, are reaching an all-new crescendo. Notwithstanding the sometimes-strident nationalist rhetoric of one or another country, what is missing from cyberspace are Geneva Convention-like international rules to standardize (and/or "govern") cyber-behavior.

And, lo (and behold), just over a week ago, on September the 12th, China, Russia, Tajikistan, and Uzbekistan asked the UN Secretary-General to circulate a proposed voluntary International Code of Conduct for Information Security at the 66th session of the General Assembly (taking place this week in NYC), and further called on UN member countries to consider the document as a framework around which to reach a near-term consensus on international norms and rules standardizing national behavior related to information, cyberspace and network security.

Bravo!

...Wait. China, Russia? Really? Aren't these the cyber-bad guys? Or, are they just the ones that get caught more often than others, or, could it be that they're just more regularly on the receiving end of Western-based media attention than other cyber-perps?...

...Ok, ok, leaving that cynical tidbit-for-thought aside for the nonce, what does the proposed Code suggest?

Well, as should be expected of any formal intergovernmental document, the preamble is chock full of "recalling," "reaffirming" and "recognizing" to set the stage for the actual proposals, but it's worthwhile to take note of some (not all) of the lofty and unobjectionable objectives outlined in the lead up to the actual (remarkably brief) proposed code. To wit:

- Recognizing the need to prevent the potential use of information and communication technologies (ICTs) for purposes that are inconsistent with the objectives of maintaining international stability and security, and may adversely affect the integrity of the infrastructure within States, to the detriment of their security...

- Highlighting the importance of the security, continuity and stability of the Internet, and the need to protect the Internet and other ICT networks from threats and vulnerabilities, and reaffirming the need for a common understanding of the issues of Internet security and for further cooperation at national and international level...

- Recognizing that confidence and security in the use of information and communications technologies are among the main pillars of the information society, and that a robust global culture of cyber-security needs to be encouraged, promoted, developed and vigorously implemented...


Good stuff. Good framework. What about the key elements of the proposed Code?

Well, each State voluntarily subscribing to the Code would pledge, among other things not related directly to network/cyber-security:

- Not to use ICTs including networks to carry out hostile activities or acts of aggression and pose threats to international peace and security;

- Not to proliferate information weapons and related technologies;

- To endeavor to ensure the supply chain security of ICT products and services, prevent other states from using their resources, critical infrastructures, core technologies and other advantages, to undermine the right of the countries...or to threaten other countries' political, economic and social security.

- To lead all elements of society, including its information and communication private sectors, to understand their roles and responsibilities with regard to information security, in order to facilitate the creation of a culture of information security and the protection of critical information infrastructures.


Again, good stuff. Cyber-motherhood and broadband apple pie, as it were...

Hey, I'm the first to admit that rhetoric is little more than nothing in the absence of action and accountability, but that's no reason to look a rhetorical gift horse in the mouth. It is in all of our best interests and the interest of global commerce and security - physical and digital - to address the proliferation of cyber-threats. Any UN member country that rejects or ignores either the call for action or the proposed Code should at the very least be challenged to deliver an alternative.

This should be interesting to watch...

Meanwhile, in other news, Network World reported yesterday on an interview/Q&A with former cyber-security czar Richard Clarke. Clarke, who served in the State Department under Reagan, as chair of the Counter-terrorism Security Group and member of the National Security Council under Bush I, as National Coordinator for Security, Infrastructure Protection, and Counter-terrorism (the chief counter-terrorism adviser on the National Security Council) under Clinton, and Special Advisor to the President on Cyber-security under Bush II, had some interesting answers to some probing questions, including:

If you had the influence, what would you change to improve U.S. cybersecurity?


"...In a regulated industry -- finance, power and telecommunications -- I'd require all the software be vetted for all kinds of mistakes."


When the question of supply-chain security comes up, and with so much manufacturing coming from China, do you think there's reason to be concerned about security of products made in foreign countries where sometimes there are political tensions?

"My attitude is whether it comes from New York state or Shanghai, it probably has the same risk in software. There are people in the U.S. who can be bribed, too."

I think that pretty much sums it up folks: cyber-security is a global issue demanding global solutions - solutions that are agnostic to infrastructure provider and/or geography...

Stay tuned.

** cross-posted to Facebook from www.mbplrcbd.blogspot.com **

Cyber Security: A Fact-Based Primer

July 24, 2011 by Bill

While the mainstream dialogue related to “cyber-security” most often focuses on issues related to consumer privacy and identity theft, the more cloistered industry and government debate circulates around espionage and so-called cyber-war. The concerns are legit, but the debate is all-too-often hijacked by political or competitive agendas, undermining progress towards true solutions.

So let’s try and dissect this - what are we talking about when we’re debating non-consumer-oriented cyber security concerns? While there are multiple and competing definitions of cyber security, most would include at least the following: network exploitation or attack, including espionage and/or the disruption of networks via software embedded in network equipment or otherwise introduced through its manufacture, including via hardwired backdoors in chipsets, routers or other physical parts of the network.

In terms of potential “cyber weapons,” they might include: unauthorized access to systems (hacking), viruses, worms, trojans, denial-of-service, distributed denial-of-service (including using botnets), root-kits and, of course, social engineering. Such tools can be used to compromise confidentiality or otherwise facilitate identity theft, web-defacement, extortion, system hijacking and/or service blockading. Key to note, cyber weapons can be used individually, in combination, and - generally most concerning - blended with conventional kinetic/physical weapons as force multipliers.

Who’s in the game? Pretty much everyone, ranging from the Russians to the Israelis, but the big dogs would be the U.S. and China, both of which have been quite public in communicating their cyber capabilities and intent. Indeed, reported instances of China-based cyber-incursions are significant. A couple of well-publicized examples:

Titan Rain (Government espionage) was a series of coordinated attacks with reported Chinese origin on U.S. Government, defense industrial base and R&D institutions, originally identified in 2003. Among other targets, hackers reportedly gained access to: U.S. Army Information Systems Engineering Command; Defense Information Systems Agency; U.S. Army Space and Strategic Defense Center; NASA; and Sandia Labs.

Night Dragon (industrial espionage), according to a February 2011 report from McAfee, was a coordinated series of cyber attacks which began in November 2009, aimed at global oil, energy, and petrochemical companies to harvest sensitive information on industrial operations in Kazakhstan, Taiwan, Greece, and the U.S. McAfee identified the tools, techniques, and network activities used in these attacks as originating in China.

But China is not alone in terms of being perceived (if not absolutely proven) to be engaged in strategic cyber warfare activities. Other examples, specifically geared to more concerning disruptive activities, include:

Estonia: In April and May of 2007, Estonia experienced a heavy barrage of coordinated cyber attacks against information networks, Government services and news portals. The attacks, which followed a decision to relocate a Soviet-era grave marker, were primarily in the form of distributed denial-of-service (DDoS), including the remarkably coordinated use of sophisticated botnets. The Russian Government was suspected but has not been proven to be responsible. While there were no long-term consequences from the attacks, the short-term impact in terms of unavailability of online services was significant, particularly in a market where 98% of banking transactions take place online.

Georgia: In the weeks leading up to the Russian physical invasion of Georgia in 2008, Georgian communications, Government and financial networks came under significant cyber attack. While the immediate and most public perception of the assault was related to the defacement of Government sites, more impactful was the repeat of a strategic and coordinated DDoS attack which, as a force multiplier, disrupted communications and online activity, impairing critical Government and citizen communications before and during the physical attack. While the cyber-attacks are widely believed to have originated in Russia, no Government involvement has been proven.

Iran: Stuxnet, a MS Windows computer worm, was discovered in July 2010. Designed to target Siemens Supervisory Control and Data Acquisition (SCADA) systems, Stuxnet is the first discovered malware that spies on and subverts industrial systems. It is widely acknowledged that Stuxnet was targeted to disrupt the uranium enrichment infrastructure in Iran, with the U.S. and Israel most regularly referenced as the likely perpetrators, although without any proof having emerged. Notably, computers across the globe have been infected - an early example of cyber collateral damage.

These instances notwithstanding, in the U.S. the spotlight remains fixed on China, and U.S. authorities, politicians, pundits and media, perceiving China through the prism of the all-powerful State-controlled past – which is no longer a universal reality – regularly hand-wring about the potential for independent Chinese companies to do the Government’s bidding.

There are certainly some legitimate concerns to be had, but the legitimacy gets all too easily and quickly lost in fear- or politics- or commercially-competitive-based spin. After all, who’s to say what passes for a “Chinese” company today? If one were to be even marginally intellectually honest, and acknowledging for the sake of argument that the Chinese Government is just as committed to cyber tactics as is the U.S., wouldn’t one acknowledge that any company with a presence in China is vulnerable to Chinese Government manipulation, however well-hidden that might be?

Let’s consider this from the perspective of the information communications technology industry, one which has become utterly globalized, resulting in virtually every major ICT company having significant research and development, production and software coding capabilities in China. Why? Well, among other things, comparatively speaking, China possesses rich resources in available talent and low labor costs. Indeed, in 2010, China's college graduates reached 6.31 million, while in the U.S., the figure was 1.65 million. And, the average salary for an engineer in China remains below $10,000 a year, with the average disposable income per capita resting below $3,000, while in the U.S., it’s around $50,000 (and engineers command salaries many multiples of their Chinese counterparts). All of these – and other- advantages have attracted global ICT companies to move manufacturing bases and significant R&D functions to China.

So what does this mean in practice, in terms of major ICT players that supply the guts and intelligence to cyber-threatened global networks?

Ericsson: Ericsson opened its first office in China in 1985 and as of 2009 had 7,900 employees in China, 27 offices and 10 joint ventures. Ericsson’s second largest global supply hub is in Nanjing, China, producing wireless network equipment - over 50% for export. And, Ericsson has over 1,700 R&D personnel in China and an annual R&D investment in excess of $155 million, developing as many as 100-150 products each year for Ericsson’s global markets (indeed, Ericsson’s first “3G” (WCDMA) base station was developed by Ericsson’s China R&D and shipped to Europe in 2004). And, finally, Ericsson has a strong China-based service organization featuring 36 customer network support centers and 5,000 local engineers.

Alcatel-Lucent: Shanghai Bell Telephone Equipment Manufacture dates back to 1983 (pre-Lucent AT&T) and, after uniting with Alcatel’s China-based operations following the Alcatel-Lucent merger in 2006, was ultimately renamed Shanghai Bell Co, Ltd in 2009. Shanghai Bell, employing approximately 10,000, is a 50-50 joint venture between Alcatel-Lucent and China’s State-owned Assets Supervision and Administration Commission of the State Council. Shanghai Bell hosts several China-based global R&D centers employing over 6,000 people, has full access to Alcatel-Lucent’s global technology resource pool and develops technologies that serve all of China and over 50 countries worldwide. And, Shanghai Bell’s two Chinese manufacturing bases generate products for fixed-network, mobile, optical, and multi-media with annual production values of approximately $2.48 billion.

Cisco: Since its entry into China in 1994 and the 1998 establishment of Cisco Systems (China) Network Technologies Co. Ltd., Cisco has promoted the development of Chinese innovation and the Chinese ICT industry. In 1998, the Cisco Network Technology College project officially entered China, establishing over 220 Cisco Network Technology Colleges that teach comprehensive courses on the latest network technology. In 2005, the Cisco China R&D Center was launched in Shanghai, accompanied by promises to further invest $37.7 million to co-construct 35 model software colleges along with China’s Ministry of Education. And, in 2007, Cisco announced investments and joint ventures in China totaling $16 billion, committed to expand its Networking Academies to 500 to train an additional 100,000, and to double its manufacturing in China (a production value of as high as $14 billion).

Intellectual honesty would demand an acknowledgment that to the extent that cyber security concerns are real (and they are), then they apply to all of these global companies with operations spread across the globe, including in China. And yet, in the U.S., the focus – for political and competitive reasons – circles around global players with a Chinese heritage, like Huawei, the second largest telecommunications equipment provider on the planet.

Why? Well, Huawei is based in China and the U.S. and Chinese Governments are engaged in competition on multiple fronts, from politics to economics, and beyond. And, well, like the U.S. Government, the Chinese Government has been vocal about its cyber-intent and, certainly more public than any American activities, China-based cyber-incursions into foreign networks are well- and regularly-reported. So, with all of that in mind, ill-founded beliefs that Huawei is somehow state-influenced contribute to ill-founded fears that Huawei might facilitate Chinese Government-endorsed espionage or disruption.

Without getting into the silliness of such concerns in the context of a global leader with a presence in 140+ markets and far more sales outside China than within, intellectual honesty would still demand that any true solution to cyber security concerns would demand agnosticism. Consider:

The quality and integrity of Huawei solutions have been audited and have passed the security requirements of 45 of the world’s top 50 global operators, and no company or government has found Huawei solutions to vary from international standards in any manner material to security. These are facts. And, given that Huawei’s solutions are built to the same global standards as those of competitors, all of which manufacture product and code software in China and all of which share common potential vulnerabilities in component and code origin, manufacturing, logistics, distribution, installation and support, it is intellectually honest to say that Huawei’s solutions are no less secure than the equipment of its ICT peers.

So where does this leave us? Well, if we take a fact-based, intellectually honest and politics-free approach, we should all agree that legislation, regulation or policy intended to address cyber-security concerns based on a company's country of headquarters is akin to throwing a mosquito net over a reservoir to prevent an outbreak of cholera…

…Not only is the prophylactic mis-used (mosquito nets are of course meant to manage the spread of pest-borne malaria), but such measures do nothing to address the true issues of plumbing, sanitation and water supply.

The facts are that true, rational and effective solutions to cyber-security concerns will only emerge from an industry-led, non-politicized, pragmatic process that acknowledges the common vulnerabilities of all ICT companies and addresses the challenges in a manner agnostic to nationality.

Later...
