US president Trump has declared a cyber state of emergency that will see firms suspected of colluding with nation state actors punished, and likely banned, from doing business in the world’s biggest tech market.
The executive order effectively bars American companies from using foreign telecommunications equipment where the provider poses a potential threat to national security.
No company or country is named but the targets here are clearly China and Chinese tech giant Huawei. Several countries have raised concerns in recent months that Huawei products may contain surveillance ‘backdoors’ that could be used by China for spying.
The US has been pressuring allies to steer clear of the company as they rollout next generation 5G mobile networks. The UK has so far declined to join Trump’s tech embargo – causing controversy at Westminster and even prompting the departure of the Defence Secretary.
How real is the threat?
Public evidence of Huawei acting on behalf of the Chinese government to facilitate espionage is scarce, but that hasn’t stopped US officials from going on the offensive.
Trump has repeatedly deterred companies and institutions from working with firms like Huawei and ZTE over surveillance worries, and has accused Huawei of being sponsored by Chinese state security. The US has also attempted to prosecute Huawei for violating sanctions and stealing trade secrets.
The timing of the announcement coincides with the escalating American trade war with China, providing a pretext for banning Chinese tech products and restricting China’s ability to benefit from lucrative telecommunications contracts for the rollout of super-fast 5g mobile networks.
But there’s more to the story than geopolitical arguments over balance of trade. Even if Huawei isn’t directly complicit in government-sponsored espionage, the issue of nation states hacking into critical infrastructure, breaching company networks, stealing data, or conducting fishing expeditions to identify vulnerabilities for use in a future conflict – is real, and growing.
Online Surveillance: Everyone’s doing it
We’ve written frequently here about nation state cyber-attacks and the costs and damage they’ve inflicted. From ransomware to industrial espionage, zero-click vulnerabilities and the emergence of cyber threats from foreign governments as a standard business risk.
All of these issues are real and pressing, but putting the wind up people to make them scared of online threats is a cybersecurity tactic with diminishing returns. Fear is effective in political communications, but we take a more balanced view.
The fact is this: online conversations aren’t always private and data isn’t always held in impenetrable vaults. The risk of breach, loss, or being watched is perpetual, and everyone from corporates to individuals should factor that reality in to what they do, create, and store online.
We can and should point the finger at China, Russia, Vietnam, North Korea, Iran and others for violating privacy, disrupting systems or looking to steal sensitive information, but remember that in the cyber surveillance game, pretty much everyone is at it.
- The WannaCry ransomware that exploded on corporate systems in 2017 was created in North Korea, but adapted from powerful spying software developed by (and leaked from) America’s own National Security Agency (NSA).
- The recent WhatsApp zero-click attack against civil rights campaigners was almost certainly conducted by a company that works closely with Israel’s intelligence service.
- In the wake of 9-11, America’s NSA created a programme that’s collected data on millions of Americans.
- Our own GCHQ operates a programme called ‘Tempora’ that taps and monitors the 10 gigabits per second of data travelling over fibre-optic cables in and out of the UK.
That’s the reality. So should we be scared, or simply more prudent in how we use digital services and systems?
Cyber risk is the new normal
The recent IPO filing by technology company Slack shows that online risks and nation-state hacks in particular are starting to be treated as a cost of doing business, rather than an endless series of five-alarm fires.
It’s not a matter of surrendering to hackers, it’s a matter of raising awareness of a complex technological reality, thinking sensibly about how we can defend people and data, and acting accordingly as we go about our day-to-day digital lives.
That can be a simple as treating messaging apps, Facebook, Twitter, etc. as a big open party where you don’t always know who’s been invited, and as such, take care with what you say and who you say it to.
In business terms, in means training people to be on the lookout for cyber attacks and the methods hackers use to try and break in to corporate networks and work devices.
Businesses and end users may find themselves under the scrutiny of state-backed spymasters and that won’t change anytime soon. Until some all-encompassing magic bullet for online security is invented, treating cyber risk as a daily management challenge – and enlisting your own people to help – is the most sensible way to stay secure.
Want to learn more about empowering your employees? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.