There will be more and more investigations into technology originating in undemocratic states
The need for greater oversight and accountability in our rapidly expanding digital world has acquired a relatively new angle thanks to globalization and geopolitics. In the rush to create market efficiencies, we usually don’t know or care where our oil and natural gas come from, where our food is grown, or where our phones are made—as long as the price is right. The benefits of this have been tremendous, with the latest smartphones, these hand-held supercomputers that only hit center stage in 2007, accessible to all.
One side-effect of this trend is only coming to the fore today. You cannot look around you today without seeing countless items that are “Made in China,” especially electronics. Inexpensive Chinese manufacturing at massive scale—and low-cost global shipping powered by cheap oil—has been a boon for companies around the world. It has also put an authoritarian Chinese regime with no transparency regarding separation between its government and its companies in the position to influence key elements of our digital world.
Rising global tensions are also raising Western scrutiny of Chinese companies. The example currently making big news is the giant multinational Huawei, China’s largest smartphone maker and the world’s third-largest, after Apple and Samsung. Huawei is facing allegations of spying, intellectual property theft, and dumping below-cost phones on the market with the government’s backing. Beyond phones, the UK government is dealing with a scandal over whether Huawei should be allowed to build state-of-the-art 5G networks in the country due to the potential security risks. A recent article called security holes in Huawei routers “a smoking gun.”
American tech giants like Facebook watch what we do online as a part of their advertising business model. But they are also visibly separated from the government and are often in conflict with it over regulations. As I’ve often said, what matters is what happens to the people whose data is collected. Google’s data collection isn’t the same as data collection by the “KGBs” of the world that use that data to intimidate, control, and repress.
Perhaps the average consumer in the West doesn’t care what information their Chinese phone is collecting. It won’t be used to oppress them the way China uses its macabre “personal credit score” and tech like facial recognition to make its totalitarian state more efficient. Governments cannot be so casual about security, and there will be more and more investigations into technology originating in undemocratic states. If these companies hope to quell these suspicions, they must work very hard to build a record level of transparency into their products and engage oversight of their activities with trusted third-party companies and agencies that can hold them accountable.
Otherwise, the potential consequences cannot be ignored. An exploit in a router made in Taiwan isn’t the same as in one built in China. If a company that makes voting machines used in American elections is bought by a German or Brazilian multinational, it’s not the same as if it’s bought by one with connections to a Russian oligarch. The dangers are multiplied by the complex web of international finance and the ease with which money is moved and ownership obscured.
The last thing users and companies need is another layer of security concerns to worry about. iPhones are made in China; is there a risk? Cars with dangerous flaws are recalled and the manufacturers punished, but such oversight and punitive actions are rare for poor security practices or tech devices despite a much inferior safety record. As concerned as I am about foreign espionage, the dismal state of tech security in general makes it very hard to fight. A security flaw in a Chinese device is hardly a smoking gun when similar exploits are found in practically every similar device on the market, regardless of origin. Companies pass these headaches to their customers and consumers. They rely on the next exploit or hack distracting the public from the last one. Outrage is a healthy response, and one of the few ways consumers have to press for change.
The ability to publish and promote anonymously on a global scale has tended to expose our worst impulses and beliefs and to facilitate malign influences. But those impulses are still human ones and aren’t created by the tools we use to act on them. Anonymous comments are so often worse than those made openly because the people who post them are terrible humans, not because the technology that enables them is malicious or poorly designed.
This does not mean we should live in a world without regulation of these powerful new technologies. A similar argument is made by American gun advocates with their mantra “guns don’t kill people, people do,” but even most of them acknowledge that rocket launchers and tanks shouldn’t be available to the public. If the lines aren’t clear even with weapons, how can they be drawn in cyberspace?
Anti-regulation arguments with digital technology are further complicated by the obvious benefits these tools provide. Few people can argue why they really need to own a machine gun, but everyone loves to use social media, buy internet-connected home devices, and get the newest phones and other gadgets that are now essential to modern life. That these technologies can, in the wrong hands, become “weapons of mass amplification” that enable misinformation networks, privacy abuses, and security catastrophes does not make them evil. My argument has always been that we need better people, not just smarter machines.
The point of regulations and laws is to acknowledge that human nature isn’t what we might hope it to be and to push people toward behavior that is healthier for society, and, when absolutely necessary, to coerce them. Of course, the people writing the laws aren’t angels either, so we rely on a process of trial and error for the evolution of norms, procedures, and regulations that work for the greater good. This is a very slow process, while technological change and its adoption are more rapid all the time.
The fights may be old ones, but these new battlefields are tilted in favor of the bad guys because they don’t have to play by the rules. As long as that remains the case, individuals need to stay vigilant.