US President Donald Trump’s recent Executive Order and the placement of Huawei on the US Department of Commerce’s Bureau of Industry and Security Entity List is the latest development of ongoing trade tensions between US and China. The Executive Order on Securing the Information and Communications Technology and Services Supply Chain released on May 15 highlighted the state’s concern with the exploitation of vulnerabilities in ICT and services by foreign adversaries. If the Executive Order is maintained, the list of foreign adversaries and mechanisms of compliance will be announced in the next five months.
At the same time, Huawei is placed in the Entity List due to a violation for providing prohibited financial services to Iran alongside obstruction of justice. The move resulted in Google suspending business activity with Huawei and even UK chip designer ARM complying with the regulations.
The recent actions by the US can be articulated as means for negotiation while the US grapples with a China growing in power. President Trump did come into the office speaking of a trade deficit and many tariffs were imposed to address unfair trade practices such as China’s protectionist environment. Initiatives such as the retconned Made in China 2025 and AI Development Plan were scrutinised for its high-tech low-cost alternatives to components in the ICT value chain. These initiatives are translated into power as China exports and provides technological parts in information networks to other countries.
The position can place China in control of information flows. While thinking that controlling the flow of information is unique to China, the doctrine to gain superiority over information has existed since the end of the Cold War. Official documents such as the US Joint Chiefs of Staff Joint Doctrine for Information Operations published in 1998 and Russia’s 1993 Basic Provisions of the Military Doctrine of the Russian Federation indicated the interest to control the transmission flows of information though these early doctrines were parked in military considerations. However, the proliferation of information technology and loose international regulations opened possibilities for exploitations of information pathways. An early 2018 US Senate Select Committee on Intelligence hearing on Worldwide Threats articulated concerns of China and Russia’s all-of-society approach to influence US systems and decisions.
Malaysia is expected to launch a National Cyber Security Strategy in July where Deputy Prime Minister Wan Azizah mentioned the purpose of the strategy is to protect critical systems in the country, regardless if they belong to the public and private sectors, business entities or the people. The critical systems are in ten sectors such as defence and security, banking as well as food and agriculture. Nonetheless it is inclusive of information and communications assets, be it if the assets are real or virtual.
President Trump’s Executive Order’s definition of an information ecosystem has a wide scope for protection that it is inclusive of anything manufactured or designed for information and data. This can mean anything from telco towers to handheld devices, or even apps designed by the foreign adversaries. The wide definition is indicative of the flow of information which like electrical currents or rivers would pass through interconnected ICT components. The vulnerability at any part is seen as an appliance or application that can collect data to be transmitted elsewhere. Thus the Executive Order scrutinises every component or product in the information network made by to-be-listed foreign adversaries.
Malaysia’s stance on 5G and security is still unfolding while Maxis and U Mobile are exploring implementations with partners such as Huawei, ZTE and Nokia. The approach of total protection for the ecosystem is also nuanced in places such as UK that opted for a partial ban of Huawei from non-core 5G networks, mainly due to the resources needed for infrastructure upgrades.
In the region, Vietnam has also chosen to explore options other than China’s 5G kit. Vietnam’s Viettel Group is attempting to launch their own 5G network by 2021 while other telcos in Vietnam are seeking partnership with companies such as Samsung Electronics and Nokia.
Inherently, the digital ecosystem is based on trust, be it if this trust is safeguarded by law or if it is political trust between states.
Designating a foreign adversary list means agencies would have to build a case for attribution. Thus there has to be evidence which links threats to states or persons. In some legislations around the world, proof has to be obtained placing an individual behind a computer before it can be considered as evidence. In cyberspace, signals can be directed and redirected between infrastructure and states, the evidence for a case can be difficult to gather as data crosses different jurisdictions. In this space where international rules and regulations for cyber engagements are still in its nascent phases, states with power and political clout would opt for unilateral responses to address these new challenges.
The US and China have traded barbs which warrants the need for such responses. FireEye, a cybersecurity firm’s first report in 2013 collected evidence of corporate intellectual property theft of US firms attributed to the PLA. In the same year, Edward Snowden leaked a series of documents, which was also inclusive of activities in Hong Kong and mainland China. In response, in May 2014, the US Department of Justice indicted five PLA officers while in the year after, President Obama presented sanctions as viable responses for cyber activities. The Executive Order can be seen as a development in securing the US cyber space.
For other states, these steps may be difficult as resources and existing regulations may be inadequate. Additionally, as political clout has to consider domestic technical capacity and development needs, the evidence to build a list of foreign adversaries can be hard to justify and muster.
Thus, while competitive states can view the ecosystem as adversarial spaces, nations in phases of development may not have the same option. This technological age is driven by companies in the US and China where any listing of global digital companies by market capitalisation would be led by Apple, Amazon.com, Alphabet, Microsoft and Facebook from the US while Tencent and Alibaba are renowned companies from China. This means that servers are in these nations and innovation are stimulated by these nations.
In a world where systems can’t migrate and may be incompatible with the other, the usage of technology will deepen along the lines of products and services produced by companies be it for the sake of convenience or market monopolies. Trade secrets can result in blackboxes that limit competition in the market and may carry security implications, particularly if a nation-state is unable to decipher the programmes, codes or algorithms within. On one hand, a nation has to consider developments in manufacturing to compete with Big Tech. On the other, the nation needs to have the skill and talent to decrypt the puzzles of cybersecurity.
Malaysia’s coming National Cybersecurity Strategy will be the successor of the National Cyber Security Policy (NCSP). Political and technical usage of cyberspace today differs greatly from the NCSP adopted and implemented in 2006.
Led by the National Cyber Security Agency (NACSA), the strategy will reportedly list 37 action plans to strengthen national cyber security. Something to consider in defending an open ecosystem is to draw on existing players who will strengthen the resilience of the ecosystem. In such a situation, every user is a player, be it if they are the government, the private sector, industry of the individual. If the wording of the Executive Order is indicative of the magnitude in vulnerabilities, more can be done for Malaysia’s cybersecurity ecosystem.
This article first appeared in the New Straits Times on May 28, 2019
