For those who have been following, the news that Chinese telecommunication companies pose a potential threat to national security is nothing new. A House Permanent Select Committee on Intelligence report from October 2012 outlined that threat quite extensively, singling out Huawei and ZTE for their supposed ties to the Chinese government and military. The report made some important recommendations, summarized as:
- The United States should view with suspicion the continued penetration of the U.S. telecommunications market by Chinese telecommunications companies.
- The private sector should consider the long-term security risks of doing business with Huawei and ZTE, including the use of their equipment.
- Congress and the Executive Branch should investigate unfair trade practices of the Chinese telecommunications sector, with particular attention to China’s financial support of key companies.
- Chinese companies should become more transparent through listing on a Western stock exchange, independent evaluation of financial information and cybersecurity processes, and compliance with U.S. legal standards and obligations.
- Committees of jurisdiction within Congress should consider potential legislation to better address the risks posed by telecommunication companies with nation-state ties, including an expanded role for the CFIUS process to include purchasing agreements.
Based on the above, only one question really needs to be asked: What’s taking so long? It’s understandable – even expected – that Washington moves slowly, but over six years after this report was tabled, even this pace is mind-numbingly slow for such a critically important national security issue.
I can only speculate why there was has been some feet-dragging (so I will) and assume that politics and money has played a role.
But, with that said, we’re starting to see some movement now. In late 2018 and right into 2019, we’re seeing the pressure applied on Huawei and ZTE, right when the rollout of 5G networks is beginning. The European Union is the latest entity to eye tougher scrutiny of Chinese technology companies. We are at a critical juncture in telecommunications history as 5G will be a generational leap that will impact our daily lives for the foreseeable future. Said differently: the decisions we make regarding 5G will have a long-term impact.
And with that, we may be reaching a tipping point and begin to see a shift in both practice and behavior. Pressure on Chinese telecommunications companies from various actors is definitely a sign that something is going on. As I’ve mentioned elsewhere, the December 2018 arrest of Huawei CFO Meng Wanzhou should be closely watched, as that act alone may do more “for cybersecurity” than any other in 2019.
I still believe it’s far too early to make any conclusions about how the scrutiny of Chinese telecommunications companies will play out, and we’re certainly in a “wait and see” phase, but right now in 2019, politics, above all else, has put “the cybersecurity issue” in a position to be addressed in a truly tangible manner, instead of it merely being talked about. Or worse, being produced by some magic piece of technology that will solve all our problems.
Make no mistake, the powers and the minds behind this push to scrutinize Chinese telecommunications companies – and this push is primarily a U.S. initiative, using its economic leverage – have understood the inextricable link between national security and economic security.
I’m making a 2019 prediction: economic leverage will do more to fix “the cybersecurity issue” than any technology or similar remedy. Here’s why: fear of consequence, specifically through economic pain and accountability.
The reason why I believe this approach will make a greater difference than any defensive, or even offensive, technological measure is because economic leverage targets the source directly. Put another way, you’re addressing the cause, not the symptom, and you’re holding actors, either directly or through their influence agents, accountable. (Note: I do not expect defensive or offensive measures to stop in the interim. In fact, they may even ramp up while this is going on.)
So what does all this economic leveraging mean? Simple: behavioral change. And ultimately, that’s what you want, especially when it’s too darn expensive to fight wars on all fronts, known and unknown. At some point, you just want the other person to stop stealing and breaking your stuff.
Remember, if somebody is sucking you into endless battles or wars, there is only one termination point: to break your will to fight. Translation: you lose and to the victor go the spoils.
Therefore, as we enter 2019, if you’re not looking at the cybersecurity issue through the larger domain of trade negotiations, you’re not following what’s going on or your head is buried too deep into code, AI or some other technology tantalizing you with thoughts of the Cyber Utopia.
So with that backdrop, I see two possible outcomes in the near- and mid-term – and they are directly opposed – as the economic squeeze and scrutiny of practices by more and more continues.
Option 1: Certain actors begin to change their behavior because the economic pain they have been suffering is not only beginning to hurt, but these same actors recognize it is about to really hurt. Unless you have some strange desire for pain, at some point you give up and you say the bad behavior is not worth it. Ultimately, this course of action will lead to some sort of truce that buys some time for the major powers to figure out the rules – and consequences for breaking those rules – for the cybersecurity domain. The delicate dance here will be one of politics and deception, namely, is behavior change genuine and will it last (or it is all just a ruse until somebody weaker comes along). Economic incentive – and consequence – will be hard-wired into any long-term solution.
Option 2: Business as usual with bad behavior increasing. In other words, doubling down on the current approach in the hopes certain actors can outlast the squeeze. The interesting dynamic here is that all actors have different time periods in which they operate. Some operate in quarters, others in four-year cycles, others in 5-, 10-, 15-year phases, and others – quite candidly – over 100 years. That’s definitely going to have an impact on decision making.
Note: I leave it entirely up to you to decide who is operating with “good” or “bad” behavior, as depending on your perspective that changes.
In closing, outside of a nice audience and customer-base, security is a hard sell. It’s generally seen as a tax, instead of something that provides a return on investment. Simple reason why: “good security” doesn’t have any success stories, as “success” is “ensuring everything runs smoothly.”
But with dollars and cents becoming a real issue on the cybersecurity front, especially when viewed through the perspective of liability and national security exposure, some wholesale changes may be on the way, if of course the problem is approached from a different manner (that means a shift away from the traditional tech-based solutions). Tying security and economic success – not necessarily a new concept, but one that you can make an argument has been overlooked over the last generation – may be the trick to get some behavioral change in cyberspace in the near-term. And we should hope it does, because playing out Option 2 to the end doesn’t look to have a happy ending.