The world needs supplier-blind cybersecurity, including global rules, norms and standards to ensure new technologies work for people and are not weaponized in a new Cold War, argues David Morris of the Sustainable Business Network at the United Nations Economic and Social Commission for Asia and the Pacific, The Australian and US approach, however, has been to demonize China, a strategy that warrants further investigation.
Collaboration not confrontation: The world needs global cybersecurity rules, norms and standards to ensure that technologies work for people and are not weaponized in a US-China Cold War (Credit: BeeBright / Shutterstock.com)
Ever since Australia banned Huawei from its 5G communications network in 2018 and the United States followed the next year, technology has been front and center in the new geopolitical confrontation with China. Yet, the new technologies in contest will be critical to the global economic recovery post-Covid-19 and in future industrial transformations. To be sure, there are risks in how these technologies may be deployed and attacked. To take a proportionate risk-management approach, the world needs supplier-blind cybersecurity, including global rules, norms and standards to ensure that new technologies work for people and are not weaponized in a new Cold War.
The World Economic Forum estimates that opportunities for 5G connectivity to support new smarter autonomous learning and more sustainable technologies could be worth US$13 trillion by 2035. China has become a leader in 5G technology, a strong contender in artificial intelligence thanks to its unrivalled pool of big data, and a major investor in quantum computing and other technologies and applications such as fintech and ecommerce. Nevertheless, the US is a major player in tech innovation and is likely to remain so. That gives it a big stake in either pursuing geopolitical confrontation with China or finding a way to build an inclusive, rules-based order for the coming transformations of the Fourth Industrial Revolution.
Remarkably, few are even considering the latter strategy. The world’s biggest tech firms, mostly from the US, prospered in building the digital economy in recent decades, a time in which it was unfashionable to constrain business with regulation. The regulatory failure in the financial sector that led to the 2007-08 global financial crisis could be regarded as a cautionary tale for efforts to regulate new tech, which has become the focal point of the rapidly deteriorating global political environment, particularly the relationship between the US and China.
To be sure, new technologies generate exponentially more points of risk – for example, a US firm harvesting social-media data, or a Chinese company managing a communications network. With future devices and networks connected at high speed and with more and more decisions made by artificial intelligence, the potential for bad actors to tap into information and, worse, to weaponize systems demands serious consideration about ways to protect networks, systems, corporations and individuals from cyber attacks. Those intrusions could come from anywhere, not just from unfriendly state actors. The Australian and US response, however, has been to blame and demonize China, an approach which warrants further investigation.
In 2018, Australia was the first country to ban Huawei from a 5G rollout. The decision was taken amid a heightened campaign by then prime minister Malcolm Turnbull to “stand up” to China. Turnbull was under siege from the right wing of his own party and was deposed soon after the Huawei move. At the time, the advice from the intelligence services was that Australia lacked the capability to mitigate the elevated risks presented by 5G connectivity. Rather than address Australia’s apparent inadequate preparedness for the new cyber world, it was easier politics (and useful alliance geopolitics) to focus the narrative on security risks from China. The rest, in terms of Australia’s relationship with its major economic partner to the north, is history. The rhetoric out of Canberra about Chinese security threats (topped off by Prime Minister Scott Morrison’s call in April 2020 for an international investigation into the origins of Covid-19) was part of a series of developments that triggered Chinese economic coercive action targeting key Australian exports.
Of global significance, though, were the subsequent decisions by the administration of then US president Donald Trump not just to ban Huawei on (as yet unproven) claims of espionage but to block supplies of advanced semiconductors to a range of Chinese firms and to pursue decoupling from Chinese tech. After taking office in January, President Joe Biden’s government appears to have carried on the confrontational and unrealistic strategy, despite widespread concerns in the tech sector. The unspoken irony of course is that the US and its Five Eyes intelligence network partners (Australia, Canada, New Zealand and the UK) conduct the very same espionage that Washington worries that Huawei systems would enable China to perpetrate.
To be sure, China could require its firms to mount cyber attacks on a rival – just the way the US does, as American intelligence consultant Edward Snowden revealed to the world through documents he leaked and discussed with the media. Yet, cyber attacks are not usually conducted in collaboration with telecommunications carriers but by state agencies hacking into systems without invitation. All of the experts I have interviewed in my research on these issues warn that cyber attacks can come from any direction, underlining why top-to-bottom cybersecurity must be zero trust and supplier blind.
Huawei has fought back against the strident campaign against it with legal action and by opening up its equipment and source codes to scrutiny in testing centers around the world, including in labs in Belgium, Canada, Germany and the UK. It offered one to Australia but was rebuffed. It recently opened a testing facility in Dongguan, China, billed as the world’s largest cybersecurity and privacy-protection transparency center, which claims to share with industry and governments how Huawei prevents backdoors, malware and malicious behavior. But however practical, this provides an engineering answer to a geopolitical question posed by forces that will not be so easily put off their pursuit of their agenda.
The underlying problem is plummeting trust in China, evident in the US and many of its allies, and the apparent abandonment of decades of building constructive interdependence, replaced now by a winner-takes-all binary geopolitical contest. The reasons for this will be debated for years to come. On the one side, a more confident and assertive China is acting more like a traditional major power every day. On the other, concerned that it cannot compete with the Chinese state capitalist model, the US is in a crisis of confidence that has prompted it to take a more confrontational posture towards China in which it has sought to enlist close allies such as Australia.
The case of Huawei presents a stark example of a major power wielding economic coercion to target a private-sector firm in a rival power and using a range of state measures to hobble the firm in international markets, amazingly in the absence of evidence of wrongdoing (at least on the public record). This action sets an alarming precedent. The rollout of transformational new technologies seems to be in for a bumpy ride thanks to this escalating geopolitical confrontation.
But is splitting the world into two rival tech camps sustainable in the long run? Or, are there better ways to build trust and protect against feared cyber attacks?
It is early days in the rollout of the interconnected Internet of Things, but it is high time to get beyond the messy geopolitics and at least have a discussion about more robust cybersecurity and what enforceable global rules might be needed to achieve it.
It’s the technology risks, stupid
Governments, firms and individuals everywhere need to invest much more in cybersecurity. Many countries are strengthening offensive capabilities to mount cyber attacks on governments, firms and individuals. It is also essential to invest in cyber defense. There may never be 100-percent-reliable cybersecurity (just as with any other form of security) but in the 21st century each nation arguably needs a cybersecurity force as an integral part of national defense, ceaselessly scanning for malicious actors and deploying up-to-date technical capabilities to block attacks, including on critical infrastructure.
A cybersecurity force should have the capacity to activate firewalls, inspect equipment and source codes at all times, and even take over a network if a supplier firm refuses to cooperate with a cybersecurity baseline. If an adversary launches an attack, a cybersecurity force may need to threaten or mount a counter-offensive, but such action should be as transparent as a military deployment and subject to the same scrutiny, calling out bad actors with evidence and responding proportionately. The apparent risk-avoidance approach to date, blocking this or that supplier, makes for muscular geopolitics but is not a serious answer to the complex risks of future technology, which will require advanced capabilities with a zero-trust approach.
Even strengthened national cybersecurity will not be enough. At the international level, we are also going to need to stop delaying the development of rigorous and enforceable rules, norms and standards for cybersecurity. Reliable and secure governance will be essential for the safe, cross-border application of artificial intelligence to the Internet of Things. As unpalatable as this may be for some, this is going to mean pragmatically working with China to find areas of common ground, given that it will likely continue to play a central role in global value chains.
The great lost opportunity of the post-Cold War era was the failure of the sole remaining superpower to invest in strengthening the United Nations system, choosing instead to undermine it in key areas. It is time to consider a new multilateral framework to tackle the security and other challenges of new technology. The change of administration in Washington could be the opportunity to bring the US back to the table for pragmatic rule-making at the multilateral level. Just as the Biden administration is engaging with China on climate change and other key global priorities, it is crucial to collaborate to shape a less ideological approach to cyber risks.
The question is whether the world is up to the task – whether countries, particularly the US and China, can find the will to promote global cooperation, or instead descend into a tech Cold War. There is an urgent need for new fit-for-purpose international organizations to address these challenges. Even if geopolitical rivalry worsens, a World Cybersecurity Organization could be established to manage and enforce rules for a safe digital economy. Such an institution could be empowered to develop and consistently enforce proportionate security standards, but only if it remained blind to the country of origin of tech firms. It could establish testing centers as Huawei has done, though not to evaluate only one firm’s products and code but to bring an equal measure of scrutiny to all firms in all countries providing platforms for the management of sensitive personal and commercial data. If the two competing tech powers would agree to that, it would be a major step forward. Without their commitment, of course, it cannot happen.
It may seem unrealistic to take a multilateral approach at this time of confrontation that has been drummed up by hawks on both sides. Rule-making and enforcement also seemed unrealistic in the early years of the geopolitical competition between the US and the Soviet Union, but the International Atomic Energy Agency (IAEA) and a slew of arms-control agreements were essential to building trust and preventing disaster, ultimately playing a role in ending the Cold War. The same pragmatism should apply to new technologies and advanced connectivity, with transparency, accountability and red lines applied to enforce the rules. As Ronald Reagan said, trust but verify.
Instead of a trade war against Chinese technology, countries such as the US and Australia could more usefully invest their diplomacy and funding in developing pragmatic risk management tools for new tech at the global and local levels, as well as cybersecurity infrastructure to enforce rules and protect against cyber attacks. A zero-trust approach to cybersecurity including some carefully developed global governance mechanisms could yet demonstrate that, as in previous eras, it is possible to co-exist, verify and enforce minimum standards to maintain international peace and security. The alternative – autonomous advanced technologies endlessly weaponized and under attack by the most powerful states engaged in a zero-sum war – is unthinkable. But for lack of effort, the world seems to be drifting that way.
Lu, Chuanying. (July 21, 2021) “How to Rebuild Cybertrust”, China-US Focus, Hong Kong.
Morris, David. (September 24, 2020) “The US ‘Clean Network’ Risks Undermining a Rules-Based Tech World”, AsiaGlobal Online, Asia Global Institute, The University of Hong Kong.
Noor, Elina. (January 9, 2020) “Governance and Stability in Cyberspace: What Will it Take?”, AsiaGlobal Online, Asia Global Institute, The University of Hong Kong.
Un, Christy; and Thinyane, Mamello. (July 8, 2021) “Leave No One Behind: How to Include Civil Society in the Cybersecurity Debate”, AsiaGlobal Online, Asia Global Institute, The University of Hong Kong.
Sustainable Business Network, United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP)