Fear the cyber enemy within or without?
- Published
- comments
What is more troubling - governments that apparently disregard the privacy of our phone calls and online activity in the interests of national security, or governments that seem to put a higher priority on hi-tech inward investment than on protecting national security?
In the past 24 hours, we have had alleged examples of both.
There have been the reports in the Guardian, external that America's National Security Agency (NSA) has been secretly collecting customer phone records by the million from the telecoms giant Verizon and that it has direct access to the systems of Google, Microsoft, Apple, Skype, Facebook and YouTube, inter alia. (More on this from technology correspondent Rory Cellan-Jones.)
Although many are outraged by what they see as a Big Brother impingement on citizens' right to privacy, for others it is a "dog bites man" story.
We might loathe the idea, but we probably expect our security services to be eavesdropping and trampling on our civil liberties.
Which is certainly not to downplay the significance of the NSA trawling through big data on all of us. There is an important question about whether fundamental freedoms are threatened (though no one seems to be suggesting that the US government is breaking the law).
Perhaps the more surprising revelation on Thursday was by the UK's Intelligence and Security Committee, chaired by the former foreign secretary Sir Malcolm Rifkind - because it revealed a mixture of complacency and extraordinary bungling by the British government over the purchasing of what the committee calls "critical national infrastructure" from a Chinese telecoms giant with "perceived links to the Chinese state".
The infrastructure is BT's telecoms network, which was upgraded a few years ago as part of what was called the 21st Century Network Project. As part of this massive investment, BT bought transmission and access equipment, including routers, from China's Huawei, the world's second largest telecoms equipment company.
As the committee says, it is the alleged links between Huawei and the Chinese state that are "concerning", as they "generate suspicion as to whether Huawei's intentions are strictly commercial or are more political".
The committee also points out that "20% of detected cyber attacks against UK interests demonstrate levels of sophistication which indicate they are more likely to be state-sponsored" and "China is suspected of being one of the main perpetrators of state-sponsored attacks".
Now the committee does not prove that Huawei has unhealthy links to the Chinese government. It points out that Huawei itself categorically denies direct links with China's government or military. But the committee regards these denials as surprising and can't verify them, so says that the British government should be vigilant, in case the links are real.
What the committee argues is that the UK government has been anything but vigilant.
Although BT first told government officials in 2003 of Huawei's interest in the network contract, it wasn't till 2006 that civil servants informed ministers - and that was a year after the contract had been signed.
As the committee says, "there is no proper process of ensuring ministers are informed or consulted" which is "extraordinary given the seriousness of the issue".
And, the committee adds, there is "a surprising lack of clarity as to which minister would be responsible for such decisions".
In the event, the Home Secretary was eventually informed about the security implications, although the body that provided technical advice reports to the foreign secretary and the formal powers seem to rest with the culture media and sport secretary. It is a muddle.
Nor is it clear whether the government has the formal power to intervene, should it choose to do so.
Anyway, what's done is done. The provision of equipment by Huawei has been made.
And, what's more, it seems to have been a stepping stone to a significant £1.2bn research investment by Huawei in the UK - which, in the light of Britain's economic woes, has been welcomed by the government.
But the question remains whether British national security is at risk as a consequence of the Huawei contributions to BT's network.
Again, the committee is not reassured or reassuring - even though one of Britain's intelligence agencies, GCHQ, said that it has confidence in BT's management of the network.
The committee said: "The software that is embedded in telecommunications equipment consist of 'over a million lines of code' and GCHQ has been clear from the outset that 'it is just impossible to go through that much code and be absolutely confident you have found everything'."
In 2010, the UK government raised its security concerns with Huawei, which agreed to establish a Cyber Security Evaluation Centre, called the Cell - which is supposed to verify that there are no security risks when Huawei equipment is sold to British businesses.
However, the committee has a number of concerns about the Cell, namely that it has taken too long to be fully functional, that it is run by Huawei and it is staffed by Huawei people, albeit vetted by the British security services.
The committee says "we remain concerned that a Huawei-run Cell is responsible for providing assurance about the security of Huawei products... A self-policing arrangement is highly unlikely to provide, or to be seen to be providing, the required levels of security assurance".
There is a wider issue here for the committee, which is that there have not existed robust arrangements in government to vet procurement by private sector companies of all manner of equipment relating to critical national infrastructure projects.
As the committee puts it, "where there is a privately owned company answerable to shareholders, many of whom may be based abroad, there will almost certainly be a tension with national security concerns".
Or to put it another way, the imperative for a British public company will be to buy the best equipment at the lowest price. But the cheapest equipment may be the kit that is most vulnerable to cynical exploitation by a foreign government or other overseas interests with malign intentions.
So the committee calls on the government to set up an effective early warning system for when there is foreign investment in critical national infrastructure and a procedure for assessing the immediate and longer term risks,
As it happens, the government claims it has now developed just such a set of processes. But the committee caustically concludes that "whether these processes are sufficiently robust remains to be seen".