Techno-nationalism isn’t going to solve our cyber vulnerability problem
Against the backdrop of intensifying cyber conflicts and the rapidly evolving threat landscape, a new wave of techno-nationalism is being trumpeted from almost every corner of the world.
The U.K. just announced it will ban the installation of Huawei 5G gear by the end of September 2021 and the FCC rejected a petition from ZTE asking for reconsideration of its finding that the Chinese company is a national security threat to communications networks. Meanwhile, ByteDance is trying to meet the requirements of both the U.S. government and China’s new Export Control Law so that TikTok can continue to exist in the U.S.
The U.S. is also pushing to persuade countries like Brazil to shun Chinese equipment as they develop their digital infrastructures, offering financial assistance to use Washington-approved alternatives. This led to Brazil’s top four telecom companies refusing to meet with a senior U.S. official advocating for exclusion of Huawei from the Brazilian 5G market. In their home country of China, Huawei and other tech companies are grumbling about Nvidia’s acquisition of U.K. chip designer Arm (the deal is still awaiting regulatory approval).
Across the world today, people are using smartphones made in China, and have personal information scattered around various data centers in India or the Philippines, via hosted service providers and call centers. Data is now fluid, mobile and global – that genie is out of the bottle and embargos against specific companies’ or countries’ technologies will ultimately have limited impact from a security perspective.
A false sense of security
Techno-nationalism is fueled by a complex web of justified economic, political and national security concerns. Countries engaging in “protectionist” practices essentially ban or embargo specific technologies, companies, or digital platforms under the banner of national security, but we are seeing it used more often to send geopolitical messages, punish adversary countries, and/or prop up domestic industries.
Blanket bans give us a false sense of security. At the same time, when any hardware or software supplier is embedded within critical infrastructure – or on almost every citizen’s phone – we absolutely need to recognize the risk.
We need to take seriously the concern that a supplier’s kit could contain backdoors that allow that supplier to be privy to sensitive data or to facilitate a broader cyberattack. Or, as is the lingering case with TikTok, the concern is whether the data collected on U.S. citizens via an entertainment app could be forcibly seized under Chinese law and enable state-backed cyber actors to then target and track federal employees or conduct corporate espionage.
We cannot ignore that nation states around the world are increasingly turning to cyber operations to gather intelligence, wield influence, and disrupt their adversaries. But we must remember that technology made by those close to home, in proximity or ideology, does not put them out of reach of compromise or automatically make it more secure.
Digital deception and trust
Trust alone is never a sound security strategy. To echo the words of former U.S. President Reagan (who was, appropriately enough, quoting a Russian proverb): “Trust, but verify.” In cybersecurity, “verify” means not blindly trusting the technology you are leveraging, but instead taking the actions needed to monitor and audit it in real time.
Trust is a tool itself that attackers commonly employ in methods of digital deception. Indeed, spoofed login pages from reputable SaaS platforms have been used as a means of harvesting compromised credentials from unwitting victims.
Regardless of whether a cloud provider is based in the U.S., China, or elsewhere, attackers will still seek creative means to exploit both the vulnerabilities in these technologies and the ever-present threat of human error. For example, foreign actors will attempt to infiltrate the supply chains of hardware or software tools, sometimes by simply paying an insider to do the job for them.
In other words: purchasing decisions rooted in techno-nationalism, or, conversely, techno-globalism, are both essentially susceptible to the same security threats. And so, when we target a specific company or technology, rather than critically evaluate our underlying security strategy and defensive technologies, we do not actually strengthen our security posture, but instead chase a red herring.
National security is about much more than blanket bans on specific organizations and technologies. Rather, it is about cybersecurity and operational resilience against the ever-present reality of threats in cyberspace—crucially, regardless of where the attacks come from or what technology attackers are targeting.
Building resilience moving forward
Nowadays, cyber-attacks are advancing at a rate that outpaces attempts to define indicators of threat in advance. The strength of any cyber-security stance accordingly lies in its ability to understand and maintain normal conditions internally, not in its attempts to predict the nature of future external threats. This truth holds regardless of whether the threat actor is motivated by financial, strategic or political concerns.
The focus on individual companies distracts from the realities of cyber-defense. Rather than decreasing or restricting the technology ecosystem, national security concerns can actually be advanced by gaining further visibility into critical digital environments. By gaining an in-depth understanding of these environments, we can manage risk in our complex landscape.
Historically, this level and scale of understanding of the ever-growing complexity of digital environments would have been at the limits of a human security team, and more likely beyond them. However, it is not beyond those teams leveraging AI and machine learning. These technologies excel at achieving a comprehensive and granular understanding of the behaviors and technologies that comprise a technology ecosystem.
Today’s techno-nationalism is taking off and will probably continue to do so because it is responding to real issues in a very observable way, even though it is ultimately ineffective. And so, the stakes remain high. Hidden backdoors in component parts and supply side technologies are used as an entry point for foreign malicious actors. Once attackers gain entry, economic espionage can lead to incalculable financial damage. Further, disrupted critical national infrastructure, such as power grids and gas lines, can lead to devastating costs for a nation.
The persistence of these threats calls for a practical response. Techno-nationalism, though rising in popularity, simply does not rise to the greater security challenge. Rather than blocking access to foreign technologies in a great game of whack-a-mole, national security can actually be advanced by implementing AI-enabled digital understanding. The rigid scrutiny and real-time attack disruption achieved by AI’s holistic approach provide robust cyber defense across the full range of technologies that can be implemented, regardless of the attack’s origin.