What Do You Think?

[strawberry]

Oh . . . What a tangled web we weave . . . . .


copied from:
Http://atimes.com/atimes/China_Business/CBIZ-01-231213.html

SPEAKING FREELY
NSA leaks sink US business deals
By Andrew M Johnson

Speaking Freely is an Asia Times Online feature that allows guest writers to have their say. Please click here if you are interested in contributing.

The United States' National Security Agency (NSA) and Central Intelligence Agency operate Special Collecting Services (SCS) "listening posts" in more than 80 cities worldwide, including Beijing, Shanghai, and Hong Kong. [1] In recent months, the NSA's extensive electronic eavesdropping
programs have prompted the world to take a new look at US national security interests. With such wide access to the sensitive information of companies, governments and individuals worldwide, the NSA has emerged as the enemy of cyber-security.

Only a year ago, US intelligence officials were holding China's feet to the fire over matters of cyber-espionage. A year later, it seems that the tables have turned. But in order to glimpse the hypocrisy of the US intelligence community, we must start in late 2012, when the US House Intelligence Committee first condemned two Chinese telecommunications companies, Huawei and ZTE, for alleged ties to the Chinese government.

An unsuccessful witch hunt
In 2012, a congressional investigation concluded that hardware from Huawei and ZTE "pose security risks to the US" because their equipment could be leveraged by the Chinese government to spy on Americans. [2] The 70-page report, titled "Investigative Report on the US National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE" is far from a conclusive demonstration of the allegations.

The report's contents include information on everything from the shareholder process and corporate structure of the companies to their personnel and historical backgrounds as it seeks to justify the aggressive (and unlikely) thesis that "Chinese telecommunications companies provide an opportunity for the Chinese government to tamper with the United States telecommunications supply chain." [2]

Recently, British national security officials took an extensive look into Huawei's connection to the Chinese government and their investigation found "no evidence of wrongdoing by the company". [5] This is no surprise, considering a 2012 statement from the Cabinet Office in London in which officials said, "We recognize, of course, that no systems can be completely invulnerable, but by working together we can mitigate some of the risks." [4] One of Huawei's main customers - BT Group Plc - has called the company a "trusted equipment supplier", pointing out that "We find them to be good value and high quality - that's why they have been chosen as a supplier in a fiercely competitive international market." [4]

Nevertheless, the US Intelligence community continues to warn of the risks of doing business with Huawei and ZTE, maintaining that such collaboration exposes American consumers to cyber-security risks. But more than a year has past since the 70-page report was released and no substantial evidence has surfaced to support its claims.

To the contrary, Huawei has consolidated ties with many of its closest customers, which include British telecom giant Vodafone PLC and several other European companies such as Telefonica, Deutsche Telekom, and France Telecom. It seems that the report emerged from nothing more than a cognitive itch that has resulted in a witch hunt for Chinese hackers with government ties.

Needless to say, Huawei has firmly rejected the claims of US officials. In a white paper on cyber-security, Huawei deputy chairman Ken Hu stated, "We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any government, or their agencies." [3]

It is important to note that the assertion that Beijing supports (or directly sponsors) cyber-attacks is not supported by any substantial evidence. The only serious evidence put forth in support of this thesis is included in a report released by security firm Mandiat in 2012. On page 9 of its report, it is stated that, "Our research and observations indicate that the Communist Party of China is tasking the Chinese People's Liberation Army to commit systematic cyber-espionage and data theft against organizations around the world." [6]

Mandiat's claims offered a comprehensive analysis of a particular hacker group called "Unit 61398", which the firm tracked to a particular building in Shanghai related to the People's Liberation Army.

Not everyone in the cyber security community is convinced by the Mandiat report and some have asserted that it has some "serious analytical flaws". [16] The document poses some compelling ties, but is far from a silver bullet. The report has nothing to do with Huawei or ZTE, which suggests that even if its claims are true, they would not demonstrate the relationship between private companies and the government that the House Intelligence Committee's report puts forth.

All in all, "alleged ties" to the Chinese government are very different from "clear evidence of ties" to the Chinese government. Indeed, corporate cyber-theft could be perpetrated by any number of sufficiently skilled hackers. To this point, Symantex Corp released a 28-page report about a group it calls "Hidden Lynx" - a private Chinese hacking syndicate that has targeted hundreds of different organizations all over the world, including companies in both the US and China.

Regardless of the frail support for what has become a telling foreign relations blunder, US politicians have continued to play the moral high ground. Speaking on the matter of cyber-espionage in spring of 2013, Treasury Secretary Jack Lew stated that "the basic lever we have is that they [the Chinese] very much want a different relationship going forward." Lew claims that China wants "a seat at the table where countries establish rules of the international economy". Atop the white horse of US hegemony, Lew goes on to say "that means they also have to live by the rules." [7]

This rhetoric is maintained by all politicians. At an informal meeting in June at Sunnylands Ranch in California, US President Barack Obama told Chinese President Xi Jinping that "Governments are responsible for cyber-attacks that take place from within their borders." [8] Lew and President Obama must certainly have been blindsided in June when whistle-blower Ed Snowden leaked documents revealing to the world the extent to which the United States' very own National Security Agency has extended its mandate beyond the boundaries of "international rule".

The classified documents provided by Snowden have since been the object of countless articles and analyses from the resulting diplomatic tensions between the US and its allies and the revelation of a massive domestic spying effort. Since no shortage of ink has been spilled on the subject, here I offer a slightly different criticism of the programs and put the situation into context.

It is often argued that these programs are necessary because they help crack down on terrorists. On the surface, that may sound logical - after all, we need to collect communications to know their next move - but, upon examination, this turns out to be a very weak approach to stopping terror attacks.

First, it remains to be seen whether the blind collection of unprecedented amounts of meta-data is actually an effective means of defense against terror attacks. Secondly, a simple analysis by experts familiar with the process (using rough estimates and Bayesian statistics) reveals that "whenever the rate of an event of interest is extremely low, even a very accurate test will fail very often". [9] In other words, a test that hunts for rare traits in a population (terrorists) will turn up false positives that will vastly outnumber correct hits regardless of how efficient the test for the traits.

This means that - in addition to spawning international outrage and infuriating American (and international) citizens - the NSA's PRISM program may suffer from some critical design flaws. The jury is still out on that one, but nevertheless, the ineffectiveness of PRISM is supported by the fact that to date the program has only succeeded in preventing one terror-related attack. [10]

In this example, the PRISM program prevented what appeared to be an attack on the New York subway system. But there is no reason to believe that conventional security techniques would have failed in preventing this attack - they have successfully prevented similar attacks many times over.

Regardless of these objections and many others on more sophisticated grounds, US officials have insisted on maintaining their default justification: these programs prevent terror attacks.

Revelations of the closely knit relationship between private US technology corporations and the NSA's data mining efforts have not only brought Washington into the spotlight, but have had the same effect on US tech companies operating abroad.

As a result of Snowden's disclosures, government offices, tech companies, educational and financial institutions all over the world are relinquishing their dependence on US-made network and Internet equipment. Nowhere is this trend more pronounced than in China.

[strawberry]

http://atimes.com/atimes/China_Business/CBIZ-02-231213.html

Page 2 of 2
SPEAKING FREELY
NSA leaks sink US business deals
By Andrew M Johnson

As the world's fastest-growing market for high-tech products, China is a significant player in the business models of US tech companies. But Chinese customers don't want to do business with providers that could compromise the security of their sensitive information.

US tech titans face tough times in China
NSA spying has sent chills across the ranks of US technology companies operating abroad. From Brazil, Russia, and China to Germany and the Middle East, US tech giants are feeling the pain from a slimmed customer base and the prospect of new regulatory compliance costs that may squeeze profit margins.

(Indeed, that concern is expanding beyond information technology companies. Saab of Sweden this month won a US$4.5 billion order to supply 36 jet fighters to Brazil, beating Boeing of the United States for the deal, just a few weeks after President Dilma Rousseff said that alleged US spying on her government was an affront to her country.

"Boeing only didn't win the deal because of the lack of trust created by the spying incident, Welber Barral, Brazil's trade secretary from 2007 to 2011, told Bloomberg. "Had the decision been last year, Boeing would have won.")

With over an 80% share of the non-US cloud-computing market, US companies have dominated the industry since its inception in
the late 1990s. But a recent report published by the Washington-based Information Technology and Innovation Foundation (ITIF) estimates that the revenue losses facing US cloud providers will reach anywhere from $21 billion as a low estimate to $35 billion as a high estimate by 2016. [11] In addition to this report, the Cloud Security Alliance recently estimated that 10% of non-US companies have canceled their contracts with US-based providers since May. [12]

Google: The ongoing battle between the US intelligence community and US Internet companies is exemplified by the relationship between Google and the NSA. While Google plays a key role in the NSA's collection scheme, the company is beginning to voice its complaints with the agency. When asked recently why the company is tightening the encryption of data flowing between its processing centers, chairman Eric Schmidt stated that the improvements would "block alleged interception by the NSA". [13]

Google's move to route mainland China's users to the uncensored Chinese-language version of its service hosted in Hong Kong in 2010 brought the company into a less-than friendly spotlight. But Google's security woes reach far beyond the US or China. Brazilian legislation requiring Google to build data centers and cloud infrastructure within the country's borders may cost the company billions in the coming years.

Recently, Richard Salgado - Google's director for law enforcement and information security - stated that efforts from governments to limit the cross-border flows of information "could have severe unintended consequences, such as a reduction in data security, increased cost, decreased competitiveness, and harm to consumers". [14] It turns out that the NSA's actions have resulted in quite a few unintended consequences since the Snowden leaks started. The backlash from US surveillance has impacted several large US tech firms like Google, Cisco Systems, IBM, HP and Microsoft.

Cisco Systems: "I've never seen this before." Those were the words of Cisco Systems CEO John Chambers on a conference call to analysts in November this year as he sought an explanation for the company's sudden drop in emerging market networking gear sales. First quarter orders in China plunged 18% from a year earlier. Q1 2014 orders in Russia tumbled 30% and in Brazil 25%.

As the world's largest provider of computer networking equipment, Cisco represents a vital player in the United States' dominant position in the technology market. In a November conference call, Chambers warned of the threat of further "challenging political dynamics" in China.

International Business Machines (IBM), a global supplier of networking equipment and services, saw its third-quarter 2013 revenue in China plunge 22%.

Microsoft and Hewlett-Packard also reported a drop in Q3 revenue from China, but the companies have been less vocal about the particular details of these declines.

Other companies are also very vulnerable to the sentiments of Chinese customers. Take Qualcomm. The smart-phone chip maker derives about half of its annual revenue from China - or $12.3 billion in 2012. Significant exposure to the Chinese market makes Qualcomm (and others like it) increasingly sensitive to volatility that may result from the ongoing political tension between the US and China.

US tech companies are likely to experience continued decreases in market share, sales and a heightened degree of tension that may accompany their operations in China. This is an unfortunate reality for US tech giants, which are essentially being punished for the regulatory overreach of the US intelligence community. The lesson from this ongoing situation should be clear: the world must work to de-politicize the interplay between technology companies and governments.

A recent letter [ http://dq99alanzv66m.cloudfront.net/sopa/img/12-14-letter.pdf ] from US Internet companies to the Obama Administration highlights the growing divergence in perspective maintained between the two sides. The letter - released to the public on December 9 from AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo to the Intelligence Community - states, "We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight."

Last week, a report was released following a probe by a White House panel into the NSA's activities. It listed 46 recommendations for an overhaul of NSA activity, the most significant being a call for the NSA to shift their innumerable bits of stored data back to the private sector. The panel also (surprisingly) admits that there is no evidence that the mass collection of citizens' data is an effective means of preventing terrorism. This comes on the heels of a US court ruling that the NSA's collection efforts were unconstitutional.

Meanwhile, the recent fallout may prompt Beijing to take a more active role in promoting the development of China's indigenous software and hardware industry. [15] While not prohibited from purchasing Western-made technology services and equipment, Chinese firms will likely rely increasingly on domestic providers of technology equipment and services such as Lenovo, Huawei and ZTE. Ironically, the US intelligence community may have sown the seeds of the very relationship it sought to prevent.

Notes
1. Spiegel Staff. "Embassy Espionage: The NSA's Secret Spy Hub in Berlin" Spiegel Online International, October 27, 2013.
2. House Intelligence Committee. "Investigative Report on the US National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE".
3. Suffolk, John. "Huawei Cybersecurity White Paper" October 2013.
4. "Playing Down a US View, Britain Welcomes 2 Chinese Telecom Suppliers". New York Times, October 12, 2012.
5. Hutton, Robert. "British Probe Set to Clear Huawei of Allowing Spying" Bloomberg News, December 4, 2013.
6. Mandiat Security. "Exposing One of China's Cyber Espionage Units".
7. Gorman, Siobhan & Yadron, Danny. "US Presses Beijing on Cyberespionage" WSJ, June 7, 2013.
8. "Obama to press China's Xi to act against cyber spying", Reuters, June 4, 2013.
9. Chivers, Cory. "How likely is the NSA PRISM program to catch a terrorist?" June 6, 2013, and The Numbers Guy, "Ethics Aside, Is NSA's Spy Tool Efficient?" WSJ, June 14, 2013.
10. Mueller, John & Stewart, Mark G. "3 Questions About NSA Surveillance", The Chronicle of Higher Education, July 13, 2013.
11. "How Much Will PRISM Cost the US Cloud Computing Industry", Information Technology and Innovation Foundation.
12. "Vijayan, Jaikumar. "US cloud firms face backlash from NSA spy programs", Computer World, July 23, 2013.
13. Schecner, Sam. "Google Acts to Prevent Snooping by NSA", WSJ, November 26, 2013.
14. Gaouette, Nicole. "NSA Spying Risks $35 Billion in US Technology Sales", Bloomberg News, November 26, 2013.
15. Xiang, Zhang. "Domestic software sees opportunity in PRISM", China Daily, July 4, 2013.
16. Carr, Jeffrey. Mandiat APT1 Report Has Critical Analytic Flaws, February 19, 2013. http://jeffreycarr.blogspot.com/2013/02/mandiant-apt1-report-has-critical.html