Cyberspace Cooperation

McConnell said that some countries have made attempts to enact nationalist regulatory policies to varying degrees. Attempts by India to enact similar policies were found to have “many unintended policies, including a negative effect on GDP,” he said.

He was commenting on a recent report by the U.S. Chamber of Commerce that estimated China will experience a loss of GDP as a result of China's information communications technology policies.

The full article can be accessed here.

A year ago, Hewlett-Packard Co.’s enterprise business head Bill Veghte sat at China’s elite Tsinghua University, a bowl of hydrangea arranged before him in keeping with Chinese meeting style. Against a purple backdrop announcing the arrival of a “Chinese Technology Powerhouse,” Mr. Veghte said, “Today we start the next chapter.” And with that, an American business became a Chinese one. Since H-P sold 51% of its China networking business to Tsinghua Unigroup, sales have revived. They’re up 40% in the first four months of this year, compared with a 1% decline last year, said Tony Yu, chief executive of the unit’s reincarnation, the New H3C Group. “Once we became Chinese, some hurdles were gone,” Mr. Yu said in an interview. Western companies have struggled with China’s increasingly stiff cybersecurity regulations and many U.S. tech firms are now finding that their best way to go forward in China is by strengthening joint ventures and conducting more of their business through Chinese partners.

Microsoft Corp., Qualcomm Inc. and Cisco Systems Inc.—which all have faced headwinds in China from antitrust probes to espionage accusations—have formed new Chinese joint ventures in the past year tailored to meet Chinese security requirements. Newer companies like Uber Technologies Co. have chosen to enter China through purely Chinese ventures with all their data stored in the country. Beijing has recently shifted to a softer sell. At a tech meeting last week in China’s south, Premier Li Keqiang reiterated that security rules apply equally to all companies registered in China and pledged “a more fair, transparent and predictable investment environment.”

In practice, China has shown little sign of letting up; earlier this year it further tightened restrictions on online publishing by foreign companies. In April, Chinese regulators blocked Apple Inc.’s iBook and iMovie services. New technologies have connected the world more than ever, but in something of a paradox they grow increasingly dissimilar between regions as governments dictate local terms. In Europe, websites like Google and Wikipedia increasingly diverge from their U.S. versions as European courts uphold individuals’ “right to be forgotten.” The same model of a smartphone bought in India and Indonesia will likely soon contain different components due to local sourcing regulations. Following Edward Snowden’s revelations about U.S. government spying in 2013, Chinese regulators have used both carrots and sticks to push foreign tech suppliers to localize product development and data.

A slate of new cybersecurity laws requires technology companies to store their data in China, submit to security checks and help the government with decryption if requested. Government agencies and key industries have been urged to adopt “secure and controllable” technologies, a term widely interpreted to mean Chinese products.

Companies have also been prodded individually: Last month after a visit from Apple Chief Executive Tim Cook, China’s technology ministry urged the iPhone maker to deepen its local partnerships and provide a “more secure user experience” to Chinese customers.

Qualcomm President Derek Aberle said in a recent interview in Beijing that its new China-controlled joint-venture for server chips would likely develop “something very specific to China” in the security area.

“They can take our platform and innovate on top of it and provide those components that wouldn’t necessarily be coming from us,” he said.

Qualcomm announced several new investments in China after it agreed to pay a roughly $1 billion antitrust fine and renegotiate its licensing agreements with Chinese companies.

Foreign trade groups say China’s cybersecurity rules make it difficult to do business except through a Chinese company. More than 20 American and international associations signed a letter to China’s insurance regulator on Wednesday to protest draft security rules with data provisions and other requirements for the sector that they said would be an obstacle to trade.

Neither the insurance regulator nor the commerce ministry responded to requests for comment on the letter.

While big firms have moved forward with joint ventures, the obstacles have put a damper on deals overall. The number of investments where a U.S. tech company acquired more than 50% in a Chinese firm fell from 15 in 2011 to only one in 2015, according to research firm Dealogic.

To be sure, mistrust goes both ways. Huawei Technologies Co., in particular, has been virtually shut out of the U.S. telecommunications sector after a U.S. congressional report in 2012 suggested Beijing could use the company’s equipment for spying.

Huawei has repeatedly said it doesn’t assist China’s government in espionage and has aligned itself with U.S. companies on security issues as it expands internationally. Huawei’s rotating chief executive took the unusual step last year of publicly urging Beijing to stay open to the best global technology.

In an effort to stem the two-way damage, Huawei and Microsoft—which faces an ongoing antitrust investigation in China—are partners in a “Breakthrough Group” that is writing a “buyer’s guide” for commercial enterprises to help them evaluate potential risks of various technology products, said the project coordinator, Bruce McConnell, a former U.S. Department of Homeland Security cyberspace expert who is now vice president at New York-based advisory EastWest Institute.

U.S. trade lobbyists say the global supply-chain fragmentation increases cost and vulnerability. “By trying to wall off your network, you have untested systems and that increases the risk of security flaws,” said Erin Ennis, senior vice president of the U.S.-China Business Council.

China’s officials have acknowledged the need to balance security imperatives with the economic value generated from open information flow.

“We must strictly control data flow across borders,” said Liu Yong, a tech-industry researcher with China’s main economic planning agency at a recent conference. “But at the same time, we must be aware that data can only reach its greatest value through its flow.”

At New H3C, Mr. Yu said the company is better poised to land orders from China’s government and other sensitive sectors under local ownership. “The fields we can plow have broadened,” he said.

To read the article on the Wall Street Journal, click here (paywall).

At the 2016 Munich Security Conference of world leaders, the overriding mood was reflected in the title of MSC’s security report, “Boundless Crises, Reckless Spoilers, Helpless Guardians.” Concern about the continued ability of the Western alliance, and of Europe in particular, to maintain unity in the face of the Syrian crisis and the attendant refugee exodus into Europe was at the forefront.  

Yet, the mood among participants was slightly more optimistic when discussing cyberspace. A discussion session reflected that in cyberspace, power is held by corporations as well as States. Western technology companies are major powers in cyberspace, comparable in their overall influence to the governments of China, India, Russia, and the United States. At the meeting, both company and country representatives called for agreement on norms of behavior in cyberspace. 

What does responsible cyber behavior by countries and by companies look like? 

There is considerable progress—for example, over 20 countries already agree that they should not attack each other’s critical infrastructure during peacetime. Company norms are more nascent, but may come to include not withholding security patches from any customer, no matter where they are based. 

Nevertheless, cooperation between governments and companies is far from frictionless. 

Cyberspace is now at the leading edge of the fight against violent extremism, as governments pressure social media platforms to screen for terrorist content. However, companies are uneasy taking on an increased, quasi-judicial role in filtering speech, beyond the globally supported efforts against child abuse content and spam. This can be seen in the growing debate between government and industry about privacy, security, and cybersecurity, with the FBI’s case against the Apple iPhone a leading example.

In this way, the Internet has become a proxy, and a catalyst, for a larger global conversation and disagreement around political, cultural and social values. Cyberspace is at the leading edge of a set of global problems that require urgent solution. As Obama’s national security advisor Susan Rice commented last year in an address entitled America’s Future in Asia, today’s “most vexing security challenges are transnational security threats that transcend borders: climate change, piracy, infectious disease, transnational crime, cyber theft, and the modern-day slavery of human trafficking.” This year’s list would have to include migration and violent extremism. 

Today, patchworks of formal and ad hoc arrangements struggle to address the risks. It is not obvious they are up to the task. The current situation has perhaps been aptly characterized in the words of Italian revolutionary Antonio Gramsci writing 100 years ago that, “The crisis comes when the old order is dying and the new order is not yet ready to be born. In this period, many toxic forms arise.” More broadly there is an emergent, non-Western, reformist point of view, as Indonesian President Joko Widodo told several dozen heads of state last year, “We, the nations of Asia and Africa, demand UN reform, so that it could function better as a world body that puts justice for all of us before anything else.”

Yet, the ponderous motions of states and the glacial movements of international organizations are neither agile nor creative enough to respond in a timely manner. This is the real old order that is dying. That is, merely adjusting the composition of the United Nations Security Council or altering the capital allocations of the International Monetary Fund and the World Bank, while critically important interim steps, will not be enough. 

What is needed includes deep structural adjustments and shifts in the relative power of the individual and collective, and in the intermediating roles of institutions and organizations of all types, in surprising ways.. The Cyberspace arena in general provides some potential models, including ICANN and FIRST. Broader adjustments will take several decades to emerge, as I recently wrote more extensively for the Valdai Discussion Club. 

Munich Security Conference was an opportunity for EWI to promote its leadership role in creating platform for dialogue between public, private and civil sector on the global level.  We were pleased to realize that European leaders were receptive for the key message delivered by EWI on the urgency of working in synergy to address countless and unimaginable challenges the world is facing today and will face tomorrow.

To read this article on The Diplomat, click here. 

--

POLICY INNOVATION HOME | WRITE FOR US

Last week, the European Commission and the U.S. concluded tough negotiations to reach an important new agreement regarding cross-border data transfers, the so-called “E.U.-U.S. Privacy Shield,” which replaces the 15-year-old Safe Harbor compact. We also learned the U.S. and the U.K. began negotiations regarding a new data-sharing agreement that shows great promise to establish a basis for other like-minded democracies to develop a more modern and workable legal framework for government access to citizens’ data.

In recent years, major advances in technology and the globalization of electronic communications have rendered much of our existing regulatory framework obsolete. As a result, digital privacy issues have increasingly become regulated through a series of outdated statutes and regulations that are updated through “band-aids and paper clips” rather than comprehensive solutions.

These agreements are an important step, but far more work still needs to be done, in both the E.U. and the U.S.

For many years, U.S. law enforcement officials’ ability to access consumers’ private communications was governed by comprehensive legislation that Congress would periodically update in response to judicial decisions and new developments in technology. In 1968, Congress enacted the Wiretap Act to regulate the use of wiretaps by law enforcement officials and restrict the disclosure and use of information obtained through wiretaps. In 1986, Congress enacted the Electronic Communications Privacy Act and Stored Communications Act to regulate government access to new communications technologies, such as email correspondence. And in 2001, while we were serving as U.S. Assistant Attorneys General, Congress enacted the USA Patriot Act, which comprehensively strengthened and clarified the legal tools for protecting the country against terrorism.

Today, however, many of those laws have become outdated in light of new technologies, and there are several pressing issues that cry out for comprehensive solutions through legislation or international agreements. For example, consumers, Internet providers and law enforcement officials need clear guidance from Congress about when a warrant is required to compel disclosure of a customer’s email correspondence. At least one federal court has held that a warrant is always needed to require an email provider to disclose its customers’ private communications, and all major providers insist upon a warrant before making such disclosures. Yet some government agencies continue to take the position that private communications can be disclosed through a much-less-formal process, such as a subpoena. It is untenable for this critical issue to be governed by a patchwork of inconsistent rules rather than a uniform, nationwide legal standard. Congress should make clear through legislation that a search warrant is always required for law enforcement officials to compel the disclosure of a person’s private email communications.

There have also been heated disputes over whether a U.S. court can compel an American company to produce customer data—such as e-mail communications—stored on servers located in a foreign country. This creates a problem for all entities involved. Despite being headquartered in the U.S., American companies serve a global customer base and therefore, must adhere to laws of individual nations whose citizen’s data they possess. When they do, they often find themselves at risk of violating one nation’s laws in order to comply with another. Law enforcement is equally challenged in this global digital environment having to rely on an antiquated system to fulfill requests for information or evidence they are seeking from foreign partners, a process which can take 10 months on average according to the President’s Review Group on Intelligence and Communications Technology.

The statute currently governing these issues—which was enacted more than 30 years ago, at a time when email was still in its infancy—says nothing about how to resolve these inter-jurisdictional disputes. As a result, law enforcement officials, Internet companies, consumers, and other stakeholders are forced to muddle through under a set of outdated rules that no longer match the practical reality on the ground. And this uncertainty about the rules of the road simultaneously undermines both consumer privacy interests and the needs of law enforcement.

Building on the E.U.-U.S. Privacy Shield and the U.S.-U.K. negotiations, we must continue to move beyond a system in which critical digital privacy issues are governed in an ad hoc manner. This system is broken. The time is ripe for a comprehensive legislative overhaul of the antiquated laws that currently govern when and how law enforcement officials may access citizens’ private electronic communications.

Click here to read the article on Time.

Five Ways to Increase the Security of Cyber Products and Services, summarizes the 2015 progress of EWI's breakthrough group on Increasing the Global Availability and Use of Secure ICT Products and Services. The report recognizes that government and industry act in multiple roles in the ICT marketplace. The government acts as a policymaker; industry provides ICT products and services; and, both parties buy ICT products and services. 

These shared responsibilities include: maintaining an open market that fosters innovation and competition and creates a level playing field for ICT providers; creating procurement practices that utilize fact-driven, risk informed, and transparent requirements based on international standards and approaches; and avoiding requirements or behavior that undermines trust in ICT (e.g., by installing back doors).

The group will continue its work in 2016, creating a handbook that will help inform buyers.