Swati Khandelwal in China Demands Tech Companies to give them Backdoor and Encryption Keys misses a delicious irony she writes:
In May 2014, Chinese government announced that it will roll out a new set of regulations for IT hardware and software being sold to key industries in their country. China have repeatedly blamed U.S. products and criticize that U.S. products are itself threat to national security, as they may also contain NSA backdoors, among other things.
The New York Times article that she quotes, New Rules in China Upset Western Tech Companies by Paul Mozur, points out that:
The United States has made it virtually impossible for Huawei, a major Chinese maker of computer servers and cellphones, to sell its products in the United States, arguing that its equipment could have “back doors” for the Chinese government.
Which is more amazing?
- The U.S. has secretly had and wants to continue to have “backdoors” into software for surveillance purposes and objects to China mandating the existence of such “backdoors” openly. Or,
- It took the Snowden revelations for the Chinese government to realize they used binary software from the U.S. at their peril?
I’m really hard pressed to choose between the two. Most of us have assumed for years (decades?) that binary software of any source was a security risk. Or as Mr. Weasley says to Ginny in Harry Potter and The Chamber of Secrets:
Never trust anything that can think for itself if you can’t see where it keeps its brain. (emphasis added)
Despite my doubt about artificial intelligence, software does perform actions without its users knowledge or permission and binary code makes it impossible for a user to discover those actions. What if an ftp client, upon successful authentication, uploads the same file to two separate locations? One chosen by the user and another in the background? The only notice the user has is of the visible upload and has no easy way to detect the additional upload. On *nix systems it would be easy to detect if the user knew what to look for but the vast majority of handlers of secure data aren’t on *nix systems.
The bottom line on binary files is: you can’t see where it keeps its brain.
At least China, reportedly, no source pointed to the new regulations or other documents, is going to require “backdoors” plus source code. Verifying a vendor installed “backdoor” should not be difficult but knowing whether there are other “backdoors,” requires the source code. So +1 to China for realizing that without source code, conforming software may have one (1) or more “backdoors.”
Swati Khandelwal goes on to quote a communication (no link for the source) from the U.S. Chamber of Commerce and others:
An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China’s economic growth and development and restricting customer choice
Sorry, that went by a little quickly, let’s try that again (repeat):
An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China’s economic growth and development and restricting customer choice
Even after the third or fourth reading, the U.S. Chamber of Commerce position reads like gibberish.
How requiring “backdoors” and source code is “discriminatory” isn’t clear. Vendors can sell their software with a Chinese “backdoor” built in worldwide. Just as they have done with software with United States “backdoors.”
I suppose there is some additional burden on vendors who have U.S. “backdoors” but not ones for China. But there is some cost to entering any market.
There is a solution that avoids “backdoors” for all, enables better enforcement of intellectual property rights, and results in a better global Internet and ICT products and services market.
The name of that solution is: Public Open Source.
Think about it for a minute. Public open source does not mean that you have a license to compile and run the code. It certainly doesn’t mean that you can sell the code. It does mean you can read the source code. As in create other products that work with that source code.
If a country were to require posting of source code for all products sold in that country, then detection of software piracy would be nearly trivial. The source code of all software products is posted for public searching and analysis. Vendors can run check-sums on software installations to verify that their software key was used to compile software. Software that doesn’t match the check-sum should be presumed to be pirated.
Posting source code for commercial software would enhance the IP protection of software, while at the same time making it possible to avoid U.S., Chinese or any other “backdoors” that may exist in binary software.
Summary:
China requiring public posting of source code results in these benefits:
- Greater IP protection
- Improved software security
- Easier creation of interoperable add-on software products
What is there to not like about a public open source position for China?
PS: Public Open Source doesn’t answer China’s desire for software “backdoors.” I would urge China to pursue “backdoors” on a one-off basis to avoid the big data trap that now mires U.S. security agencies. The NSA has yet to identify a single terrorist from telephone records going back for years. If China has “backdoors” in all software/hardware, it will fall into the same trap.
If something happens and in hind sight a “backdoor” could have found it, the person who could have accessed the “backdoor” will be punished. Best defense, collect all the data from all the “backdoors” so we don’t miss anything.
If we delete any “backdoor” data and it turns out it was important, we will be punished. Best defense, let’s store all the “backdoor” data, forever.
Upon request we have to search the “backdoor” data, etc. You see where this is going. You will have so much data that the number of connections will overwhelm any information system and your ability to make use of the data.
A better solution has two parts. First, using the public open source, design your own “backdoors.” Vendors can’t betray you. Second, use “backdoors” only in cases of ongoing and focused investigations. Requiring current investigations means you will have contextual information to validate and coordinate with the data from “backdoors.”
China can spend its funds on supporting open source projects that create economic opportunity and growth or on bloated and largely ineffectual security apparatus collecting data from “backdoors.” I am confident it will choose wisely.