The Narrative is a twice-monthly survey of key developments in Internet governance. This time we explain how the American National Defense Authorization Act contains some highly undesirable internet governance measures and survey the geopolitics of 5G.
The Militarization of Everything
The American National Defense Authorization Act (NDAA) authorizes nearly $750 billion in defense spending next year – about the size of the entire GDP of The Netherlands. Since supporting the military is one of the few things that can gain consensus in the U.S.’s political system, putting something in the NDAA and keeping it there means that your program will get through the Congress. Efforts to exploit the “must pass” nature of the NDAA, as well as the growing tendency to militarize cybersecurity and online information exchanges, mean that a growing number of internet governance issues are being pushed into the NDAA’s cobweb of programs and expenditures.
Following the recommendations of the Cyberspace Solarium Report, the NDAA takes an important step toward forcing internet operators into centralized sharing of threat intelligence information with the U.S. government. According to an important warning published by Roger Cochetti in The Hill,
The FY21 NDAA House and Senate conferees agreed that …the Secretary of Defense will determine by next October whether a “defense industrial base threat information sharing program” that includes mandatory industry cyber threat reporting, is “feasible and suitable” and if it is, will implement the program. In addition, the CISA Director (the lead official in the Homeland Security Department responsible for infrastructure and cyber security) is given significantly expanded authority to issue administrative subpoenas to internet companies, legally requiring them to provide cyber threat information.
The implications of compulsory information sharing with US defense and intelligence agencies are profound, yet few outside of Washington seem to be aware of them. IGP has been critical of recent government-driven cybersecurity information sharing initiatives, because they would strike at the heart of the internet’s decentralized system of private sector-based, cooperative, networked governance of transnational operational problems. As IGP affiliate Karim Farhat asked in his blog on the Solarium report’s call for information sharing,
“How will every part of the Department of Defense Information Network, the DIB, and the private sector critical infrastructure providers participate in a joint cloud with user-access control policies that map information to the right clearance level while avoiding Snowden-magnitude disasters?”
Further, centralizing and mandating cybersecurity information sharing with a single nation-state ignores the fact that there is already a well-developed and vigorous threat intelligence collection and analysis industry, as well as a longstanding set of sector-based Information Sharing and Analysis Centers (ISACs) in the U.S. based on public-private partnerships. The threat intel industry is not perfect, but on the whole does a fast and efficient job of collecting and identifying cybersecurity indicators, clustering them into known threat actors, and figuring out how to recognize and defend against them. There are already extensive forms of information sharing within this industry across vendors.
The recent hack of FireEye, allegedly by Russian state actors, might be seen as a strike against these private actors, but we interpret it in exactly the opposite way. First, the Russians, and others, have hacked dozens of U.S. government agencies, including the NSA, which coughed up some dangerous cyber tools such as EternalBlue. More importantly, if the Russian government is devoting resources to hacking FireEye it is testimony to the fact that FireEye must be effectively doing something the Russian state doesn’t want done.
The cybersecurity industry in the U.S., of which FireEye is but one of hundreds of players, is a highly competitive source of global expertise about threats in the cyber domain. But the 2021 NDAA seeks to force corporations to deliver highly sensitive information about the functioning of their networks to a government agency, the Defense Department, which has no idea what to do with it. Centralizing the collection of this information in the hands of the federal government seems pointless, as the enterprises with networks and the cybersecurity service providers are already incentivized to collect that data and put it to use. While DoD and DHS can help manage government-run networks, neither is in a position to implement policies or controls that can protect against threats to private networks and data. Only the corporate IT managers who implement cybersecurity services can do that. They, not the state, manage the networks and devices at risk. Either the federal government wants this information so it can spy on us more comprehensively, or it is trying to compete with private businesses in a competitive, dynamic industry where it is unlikely to make any improvements. Either way, the studies authorized by NDAA should not lead us in the wrong direction. It is not just “cyber threats” info that is at issue here; it basically means almost any information that passes over the internet. One can monitor cyber threats only if one is monitoring any and all behavior on the internet.
There may be another surprise in the NDAA. President Trump, now a lame duck, has hurled the political equivalent of a Hail Mary pass (it’s American football slang) in an attempt to get rid of Section 230 of the Communications Decency Act. Section 230 shields platforms from legal liability for the speech of their users and, as we reported earlier, the American right hates it because they think the platforms are biased against them. Trump said he will veto the NDAA if a provision repealing 230 is not put into it. This probably won’t work, but some Republicans who will vote for the NDAA have indicated they might not vote to override a Trump veto. In other words, a law underpinning a free market of ideas in global cyberspace is linked to the fate of an American defense funding bill.
Geopolitics of 5G Intensify
Reuters reports that Brazil’s national security adviser and Ministry of Communications are reviewing security provisions for telecom operators or suppliers, and a presidential decree to exclude Huawei from 5G networks might be in the offing. Most Brazilian telcos use Huawei equipment on their 3G and 4G networks and an outright ban could lead to a legal challenge from these companies. As China is Brazil’s biggest trading partner, a decision to ban Huawei is likely to face resistance from within the government. On 9 Dec. a working group set up in the lower house of the national congress to monitor the 5G discussions indicated that they will oppose a ban on network providers if such a veto is founded on political or ideological rather than technical grounds. A draft decree is also being discussed by the congress to suspend the cybersecurity standards for 5G networks issued by the government in March.
In India, the Department of Telecommunications (DoT) has constituted eight working groups to create a roadmap for 5G deployment across different sectors, and Huawei will be part of the groups working on 5G roll-out in finance, technology, and healthcare. Huawei’s inclusion comes amidst a border stand-off between the two countries which is now in its seventh month. The decision has opened the door for Chinese vendors, although it remains to be seen if this changes anything in the long term.
Finland, home to Nokia – one of Huawei’s main rival suppliers – has taken a more balanced approach to the 5G debate, focusing on network security rather than banning vendors based on their country of origin. Finland’s parliament has approved a law that would allow authorities to ban the use of telecom network equipment when they have “serious grounds for suspecting that the use of the device endangers national security or national defense.” The new law only applies to the critical parts of the network but the provisions can be applied retroactively. The EU’s Agency for Cybersecurity (ENISA) has issued new guidelines on telecom network security for national authorities and operators incorporating the elements from the new European Electronic Communications Code, and the latest recommendations on 5G network security.
Worried about the lack of vendor diversity in 5G, the UK government has assembled a task force to advise on diversifying the UK’s telecoms supply chain and reducing reliance on a few vendors. In July the government reversed a plan to let Huawei be a controlled 5G supplier, instead ordering Huawei equipment to be stripped out of the country’s 5G networks by 2027. The decision has left the UK reliant on just two mobile access network equipment suppliers – Nokia and Ericsson. As the 5G Diversification Strategy published last month notes, this outcome “represents an intolerable resilience risk and absent intervention it is unlikely that the market will diversify.” In an interview with the Guardian, Victor Zhang, the vice-president of Huawei, has urged the UK to revisit the ban which he labelled a political decision driven by geopolitical conflict and the trade war between the US and China rather than cybersecurity concerns.
As this happens, O-RAN, the attempt to define a nonproprietary interface to the radio access network, is gaining traction as an idea if not as an operational reality. Several new companies have joined the O-RAN alliance and it is being touted by many of Huawei’s opponents and competitors as a solution to its dominance. O-RAN adopts the same strategy as prior U.S. efforts to unbundle the components of the telephone system to facilitate competition with the AT&T monopoly. The open-architecture model would allow competing vendors to enter the market for specific network components rather than having to compete with Huawei end to end. U.S. experience with telecom unbundling achieved mixed results; unbundling terminal equipment was a total success, long distance unbundling was successful but required heavy regulatory intervention to facilitate equal access to the local exchange, and attempts to fully unbundle the local network did not achieve much success.