Last November in the town of Wuzhen, China hosted its first large international summit on Internet governance and cybersecurity. Many felt the step was long overdue. After all, China has the world’s largest population of Web users—more than 600 million and climbing. Internet players of this stature have a responsibility to shoulder some of the burden of leadership. Right?
Apparently not everyone thinks so. One of the major stories surrounding the event was the lack of senior U.S. government presence. While China hosted at the minister and vice minister levels, only a handful of relatively junior (though quite competent) representatives from the American government attended. It was a politically oriented event, and the Chinese perceived the U.S. absence as a snub and a sign of lack of respect.
The list of possible reasons for the U.S. government’s minimal participation is long: the unresolved issue of Chinese hacking of U.S. interests, disapproval of Chinese Internet censorship, lingering embarrassment from the Edward Snowden revelations. But the event’s themes—Internet governance and cybersecurity—are central agenda issues for American political leaders. The former topic is on the front burner for the U.S. Congress, and the latter is a staple of the ongoing dialogue between President Barack Obama and President Xi Jinping of China.
One U.S. group was well represented in Wuzhen: technology companies. The reason is simple: there is a lot at stake. Trust in American technology is eroding, not only in China but also in economic powerhouses such as Germany, where the government recently ended a contract with a major U.S. network operator over security concerns, and Brazil, where there are plans under way to build a new undersea cable to Europe and deliberately avoid U.S. technology companies.
It is easy to see why this trust has eroded. Before the Snowden revelations, Chinese security experts suspected that U.S. technology might have ulterior purposes (that is, spying). In their calculations, those suspicions have now become certainties. A former U.S. spy chief went on record to explain that it is not good national security policy to buy critical-infrastructure technology from a potential adversary. We should not be surprised if China’s Ministry of Industry and Information Technology takes a page from U.S. national security strategy and builds out the world’s largest national Internet infrastructure with systems it knows it can trust—systems that will not necessarily come from U.S. companies.
American corporations facing the blacklist in China and elsewhere have a few options. The easiest is to stay the course, but that plan has a very real risk of ending badly. Likewise, marginal efforts to restore confidence will almost certainly fall short. The best option is to commit to building bona fide trust. A report prepared by experts from the U.S. and China and presented at the 2013 cybersecurity summit held by the EastWest Institute, IEEE and Stanford University explains how this could be done. The detailed list of recommendations is long, but the key step American companies would have to take is to state, in clear and certain terms, that they are commercial entities and are not part of any country’s national security apparatus. These assertions could be backed by severe contractual penalties should products or services be found to violate the level of commercial purity claimed. This would be a simple and practical enough commitment—with enough skin in the game to be a game changer.
A likely collateral benefit is that American firms would have a business imperative to build more secure products. It is possible that the U.S. government could still covertly compromise products made by an American company, but because doing so would jeopardize the very health and survival of a domestic business, it should be less likely. In any case, American companies might not have much choice. Given the U.S. government’s reluctance to engage, tech companies need to be prepared to go it alone.