As often happens, a confluence of news events should be raising concern about our long-term information security posture as a country. In China, the World Internet Conference is providing a forum for the Cyberspace Administration of China to push its goals around internet governance and control, while at the same time shutting down yet another service provider (EdgeCast, an affiliate of Verizon) that may not have conformed to strict Chinese censorship rules. Meanwhile, the U.S. Senate voted 58-42 against the USA Freedom Act, which would have limited the NSA bulk collection of phone metadata. All of which leads to the conclusion that we’re fighting against ourselves in a battle that may well be irrelevant to our information security future, fighting the last war when the next war is already under way.
U.S. national security depends on a strong industrial base, which in turn depends on strong commercial markets to drive sales and innovation. In the world of the internet, however, we cannot be isolationist or we will lose. China has one quarter of the world’s internet users, 600 million, and a robust internal market. On the international governance side, left to their own devices the Chinese government and others, probably acting through domestic Chinese businesses, can dominate the governance functions in ways that drive business to their industries and hurt U.S. market share. Sophisticated exploitation of embarrassing revelations from the Snowden affair has already hurt U.S. internet equipment sales internationally. And when we’re not shooting ourselves in the foot, one could speculate about the possibility of bad actors remotely manipulating internet equipment to reduce reliability and give other chosen competitors the edge.
Let’s do the thought experiment: what would a Chinese-dominated internet Governance environment look like? It’s fairly easy to extrapolate from their current behavior. Extensive monitoring of sites and content by both technical and human monitors leads directly to censorship and suppression of “unacceptable” content, and often arrest of the perpetrators. According to news reports, “China’s top Internet regulator, Lu Wei, minister of the State Council’s Cyberspace Administration of China, … reiterated that Internet controls are a sovereign issue and that his government views the online arena as one that should be a ‘free and open place, with rules to follow’.” China has a model for how to set the rules, and there are certainly large parts of the international market that would be inclined to follow.
BBC News China now asks: “Is there a moral difference between what the US government does and what the Chinese government does? Is there a moral difference between the filtering systems of the big internet companies and the manipulation of internet results through censorship?” In tennis, the term “no man’s land” refers to that place in the middle of the court where a player is most vulnerable. As the rules change, we are finding ourselves in no man’s land…too far from the net to swat down what comes across like the Chinese do, not far enough to play a strong baseline game.
So how should we look at our international competitive market positioning relative to China? A position where we support Government surveillance but just don’t do it as well as the Chinese due to some domestic laws (you know, the Constitution and all that) hardly seems like a strong competitive position. Nor does a position that says we are morally equivalent to China in terms of behavior but a lot more friendly while we listen over your shoulder. Remaining in no man’s land seems like a sure recipe to concede half the world market to Chinese industry, and fight toe-to-toe with them over the remaining half.
What could a “strong baseline game” look like? How about a technology base that guarantees freedom of expression by guaranteeing security, privacy and anonymity in transactions, metadata and content? Features that stop the commercial trafficking of personal data. Supporting legal structures that permit service consumers to make actual choices (not 40-page click-throughs) about whether to give up information and the value they receive in return.
There are of course Law Enforcement and Intelligence concerns about these approaches; can they also be addressed? Strong identity management so that public actors are correctly identified could help, to the extent this technology could be reconciled with privacy and anonymity. Existing security paradigms built around trust established through a record of behavior (like peer ratings or credit scores) might provide a workable alternative.
The technology details will evolve, of course. For U.S. internet equipment providers, however, it is very clear that remaining in no man’s land is a losing proposition for the long term. The Chinese are ahead and moving aggressively on solutions built around surveillance and censorship in a game we’d actually prefer not to win. Maybe changing the rules of the game could work to our advantage.