So, um, well, no surprise really...
Damn. The way things have been developing lately in the
U.S. it must suck to be a misinformed Sinophobic protectionist masquerading as
a cyber-hero...
(Sorry).
So, what are we talking about here?
Well, way back in October 2011, the U.S. House of
Representatives Energy and Commerce Committee (E&C) tasked the Government
Accountability Office (GAO) – the investigative arm of the US Congress – to
conduct a comprehensive study on supply chain risk associated with the Information
Communications Technology industry.
(Don't nod off just yet folks).
A critical element of the GAO study – titled “COMMUNICATIONS
NETWORKS: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of
Cybersecurity Efforts” – was released publicly this week.
(Hang in there…)
GAO was asked by E&C to (1) identify the roles of and
actions taken by key federal entities to help protect communications networks
from cyber-based threats, (2) assess what is known about the extent to which
cyber incidents affecting the communications networks have been reported to the
FCC and DHS, and (3) determine if Defense’s pilot programs to promote
cybersecurity in the defense industrial base can be used in the communications
sector. To do this, GAO focused on core and access networks that support
communication services, as well as critical components supporting the
Internet. GAO analyzed federal agency
policies, plans, and other documents; interviewed officials; and reviewed
relevant reports.
(Phew… Stay with me please – the good stuff’s coming)
The Report, which provides valuable simple-to-understand
schematics of communications networks, Internet infrastructure and routing
processes, as well as simple and easy-to-understand glossaries of threat
sources and types of exploits, finds that “No cyber-related incidents affecting core
and access networks have been recently reported to FCC and DHS through
established mechanisms…of the over 35,000 outages reported to FCC during this
time period, none were related to traditional
cyber threats (e.g., botnets, spyware, viruses, and worms).”
What, what, what?
That seems inconsistent with the braying of my favorite Congressional Chairman
(do elephants bray?)
But wait, there’s more…
While the Report is focused on potential disruption (or
the lack thereof), it also casts doubt on allegations of rampant data exfiltration
or commercial espionage by highlighting that networks – core and access – are
the plumbing through which cyber-mischief takes place, not the sources of
mischief themselves: “Officials within FCC and the private sector
attributed the lack of incidents to the fact that the communications
networks provide the medium for direct attacks on consumer, business, and
government systems…,” but do not incite such incidents themselves.
Oh dear… Mr. Chairman?
Look, you marry the GAO study up with the fact that U.S.
industry and the friggin’ White House are now pointing at “geographic exclusions”
as ineffective in terms of cybersecurity and dangerous in terms of trade,
competition and innovation (see my recent post: http://mbplrcbd.blogspot.hk/2013/04/when-worlds-blog-posts-and-head-fakes.html),
and you get reality.
Over the last three years, we have seen the increasing
potential of cyber-threats and the increasing politicization of such
threats.
Cyber-concerns are very real, and they are very
global. They will only be managed
through the development of global standards, disciplines and norms of behavior.
In terms of technology, management, processes and logistics,
industry should focus on ensuring the quality, integrity and security of
processes and products and should strive to implement state-of-the-art disciplines
to meet these objectives, across product life-cycle, administration, human
resources and other operations.
But, no matter the level of security industry might build
into processes and products, malicious cyber-behavior will persist. The time has come for Governments to take up
such matters between themselves and to work towards the establishment of global
norms and standards of behavior instead of interfering with matters of
legitimate commerce.
At the very least, Governments around the world should
agree to baseline cyber principles, including:
· Not to use ICTs including networks to carry out hostile activities or acts of aggression or to pose threats to international peace and security;
· Not to proliferate information weapons and related technologies;
· To endeavor to ensure the supply chain security of ICT products and services;
· To encourage industry and consumers to understand their roles and responsibilities with regard to information security in order to facilitate a culture of information security and the protection of critical information infrastructures.
Cybersecurity is perhaps the foremost challenge presented
by globalization. Addressing this
challenge is critical if markets around the world are to continue to reap the
benefits of globalization.
Companies like my employer, Huawei Technologies, sit at
the center of sophisticated global ecosystems in what is essentially a
trans-national industry: The information and communications technology (ICT) industry.
We drive competition and innovation around the world.
We sustain high technology partners and suppliers, inspiring innovation and
co-innovation, lowering the cost and widening the spread of ubiquitous
broadband.
We invest billions of dollars in 100s of global markets, supporting
hundreds of thousands of jobs across the world – directly, and indirectly through
suppliers, partners and customers.
And Huawei is not unique.
We have industry peers that sustain similar and overlapping global
ecosystems - We are many tides that lift many boats.
So what am I getting at?
Short and sweet: Maintaining the distributed economic benefit of
globalization is in all of our best interests – it should not be held hostage
to politics.
Appropriately addressing
global cybersecurity challenges – including at the political level – should be
a globally-shared goal. And government should be held accountable...