Season 3 / Episode 134
Every year, seemingly, there’s a new story of some software - like 'Tik Tok' or 'FaceApp' - from a hostile country that may or may not be a security threat to us in the west. So what should be done in cases like this? What if the U.S. just banned all technology from Russia and China? Is it a good idea? Is it even possible?
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Award winning CISO, top-rated keynote speaker, bestselling author, but really just trying to leave the world more secure than how I found it.
Ira Winkler, CISSP is Lead Security Principal at Trustwave and author of Advanced Persistent Security and the forthcoming You Can Stop Stupid. He is considered one of the world's most influential security professionals, and has been named a “Modern Day James Bond” by the media.
Should The U.S. Ban Chinese and Russian Technology?
Ah, 2019. What a time to be alive. Remember? When you could, you know, go places. And do things. When our big problems were college admissions scandals, and what Harry and Meghan were going to name their baby.
One of the little things I remember from 2019 was a trend–I’m sure most of you out there did it yourselves–where you’d take a picture of yourself, and then your phone would make you look like the opposite gender. Or much older. My kids were into that; I wasn’t, really…
[Nate] To be fair, Ran, it only works if your face doesn’t already look extremely old.
For your information, Nate – I had several people tell me I’d be very attractive as a woman! If it wasn’t for the beard, that is.
Anyway, the most famous of those gimmicky apps was called “FaceApp.” It was popular worldwide–more so than you even remember. There was a period, right around the middle of the year, when literally hundreds of millions of people were taking selfies on FaceApp every week. Not even the dancing Snapchat hot dog could touch those numbers.
There were a few stragglers, here and there, who weren’t into FaceApp. For example: some of you might have had concerns about privacy. Who were you handing your pictures to? What happened to them after you got bored and stopped playing with the filters? If you read the app’s terms and conditions you wouldn’t have felt any better about it.
Still, security and privacy concerns rarely become viral. Most people didn’t worry about such things, until one, key fact broke open the floodgates.
On July 17th, 2019, U.S. Senator Chuck Schumer wrote a letter to the Chairman of the U.S. Federal Trade Commission, and the Director of the Federal Bureau of Investigation. It began:
“Dear Director Wray and Chairman Simons: I write today to express my concerns regarding FaceApp, a mobile software application headquartered in Saint Petersburg, Russia, that could pose national security and privacy risks for millions of U.S. citizens.”
The letter went on, but all you need is that first sentence. The Senate Minority Leader spent no time at all getting to the crux of the point: FaceApp was Russian, therefore it was a national security threat. Was that a fair accusation? FaceApp had no known ties to the Kremlin. According to its founder, the images it collected were stored on servers controlled by Amazon and Google. In short, there was no evidence to suggest that the developers were anything other than an honest, private company.
But in Russia, independent companies can be made…not independent. If the CEO of FaceApp gets a text from 1-800-KRE-MLIN, and it says “u up?”, he couldn’t just ghost the president. Putin has ways of making people comply.
That puts the U.S. in an awkward position, right? On one hand, FaceApp is probably innocent of any wrongdoing. On the other hand, we can’t be certain, and whatever is the case now may not remain so forever.
Of course, while FaceApp may be a particularly silly example, it’s certainly not the only product that has raised such questions. Every year, seemingly, there’s a new story like it, of some software from a hostile country that may or may not be a security threat to us in the west. So what should be done in cases like this? Should we go by that time-honored principle: innocent until proven guilty? Or, here’s another possibility: what if the U.S. just banned all technology from Russia and China?
I mean, wouldn’t that solve the problem? Is it a good idea? Is it even possible?
BANNING HARDWARE: EASY
Before we get into should, we have to answer could. Even if they wanted to, would the United States be capable of banning a foreign technology from entering its borders?
That answer, it turns out, depends on what kind of technology you’re talking about.
[Ira] So let’s put it this way.
That’s Ira Winkler: former NSA, former defense contractor, now a CISO and author of the book “You Can Stop Stupid.”
[Ira] There’s hardware and there’s software. [. . .] It’s easier to ban hardware. That’s a given.
It’s much, much easier to restrict the movement of hardware than software. For example, imagine some kind of malicious computer part developed by a company in Iran. It would be very simple for elected officials in America to pass legislation banning the import of that particular item, and very simple to enforce such a ban. Have you ever tried sneaking booze onto a plane? Take that experience and, instead of a mini bar-sized Jägermeister, try stuffing thousands of machine parts into your luggage.
[Ira] I’m not going to say that it is going to be, you know, that it’s gonna, it will never happen that some company will find a way to buy some box such as buying it third hand off of eBay, for example, but in general, you can stop the wholesale purchase of certain types of equipment from certain manufacturers if you choose to.
Countries can also prevent foreign companies from setting up infrastructure within their borders. Take telecommunications companies: you can’t just build a network wherever you want. You first have to apply and go through legal hoops and beat out competition. That makes it very easy to, say, prevent Huawei from building 5G within your borders.
BANNING SOFTWARE: TRICKY
Software, though, is a very different story.
Just think about your own experience. Have you ever pirated music or movies? It probably wasn’t very difficult. If it was, you were doing it wrong.
To totally prevent software from entering into a country’s borders, that country would need some kind of a…firewall. A great firewall, even. I wonder if anyone’s thought of that before…
With complete control over the data flowing in and out of the country, law enforcement officials can apply preventative measures by telling such a firewall what to look for, and blocking it from reaching its destination whenever the profile is matched. Short of such a great firewall, you can’t really block data from crossing over internet wires. What can be done, instead, is to target not the data itself but the companies that host it.
[Ira] It’s easier, for example, on Apple, you know, where there is control of the device, where theoretically the operating system can stop it from running, you know, assuming of course you don’t jailbreak it.
It’s difficult to download software onto an iPhone if it’s not in the App Store. (The same is somewhat less true of Androids.) But there are also other parties, along the chain of responsibility, that can be used as roadblocks.
[Ira] For example, a lot of apps rely on in app purchases in order to do that, you have financial transactions that somehow have to be routed to the software company.
The institutions that you use to move money have all kinds of filters in place to make sure you aren’t, say, committing fraud, or funding terrorists. Those same filters could, theoretically, be made to prevent you from buying a particular software product. So it’s possible that Bank of America would be just as useful in implementing a software ban as would Apple.
So banning a piece of software from entering a country is theoretically possible – although certainly not easy. Except there’s one, major problem that we still haven’t solved. You see, it’s one thing to prevent people from downloading software. It’s an entirely other matter to get software they already have downloaded off of their computers.
That is a much more difficult task, for two reasons. Firstly, because we live in a free country. The government doesn’t, in all likelihood, know what’s on your computer, and they can’t force you to do anything in particular with it that you don’t want to do.
Secondly, even if you want to, it’s actually surprisingly hard to get certain kinds of software off of certain computers. It sounds ridiculous–why would that be the case?–so let’s look at an example.
Kaspersky Lab is one of the most successful cybersecurity companies in the world. They’re responsible for some of the biggest discoveries in recent cybersecurity history, like the Flame malware, and Red October, and they were the first to identify Equation Group, the heart of the NSA’s international cyberspying operation. They’re one of the top five most profitable cybersecurity companies worldwide, one of the 100 most profitable software companies worldwide, and, as of 2016 at least, their products were being used by around 400 million people. Among those 400 million, for many years, were members of the United States government. Kaspersky software could be found in Washington D.C., in military networks abroad, and most places in between.
But Kaspersky is based in Moscow so, of course, there have been suspicions. Was it safe for U.S. government officials to be trafficking sensitive information on computers carrying Russian software? Not to mention: antivirus software. Most programs on a computer are limited in scope but, in order to do its job properly, antivirus requires complete access to every nook and cranny of a machine. It’s the very last thing you’d want to be compromised, if you were forced to choose.
Suspicions are suspicions, and Kaspersky always had a good reputation to back them up. But then something happened.
On June 10th, 2015, they announced one of their biggest discoveries ever: a malware campaign being conducted by one of the most powerful, mysterious APTs in the world. Commonly referred to as “Duqu,” the group is most famous through their connection to Stuxnet. In 2015, years after Stuxnet, they were after a new target. And that target was Kaspersky itself. The cybersecurity company found the attackers digging around on their own networks.
It was remarkable, really. Duqu had exploited a zero-day vulnerability–possibly up to three–in no less than the Windows kernel. Cyber attacks don’t get any more sophisticated than that. Still, it was inexplicable that they would target a cybersecurity company–probably the toughest target you could think of. In a press release, Kaspersky noted how odd it was:
“[T]he targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.”
Kaspersky fixed the issue, but they got one thing wrong: Duqu hadn’t lost.
Only two years later did the world learn the real story.
According to The New York Times, Duqu was Israeli intelligence. They were spying on Kaspersky to see, for themselves, whether those long standing suspicions about Kremlin backdoors were true. And what did they find? Exactly what they were looking for. They watched as Russian intelligence agents used Kaspersky’s flagship antivirus to spy on American intelligence operations.
The full details of how long Russia was using Kaspersky, and what they were able to glean by doing it, weren’t revealed publicly. But we know that Kaspersky software was installed on computers throughout Washington D.C., and the U.S. military. Russia even managed to get sensitive information out of the NSA. NSA had no Kaspersky in their network, to be sure, but at one point an employee had improperly ported sensitive documents to their Moscow-protected home computer.
KASPERSKY SUPPLY CHAIN
Kaspersky Lab, for the record, has argued its innocence all along. That the story is just not true, and probably maliciously faked. It’s even possible that, if the story was true, they didn’t realize that they were being exploited by their government. Who knows? Whatever the case may be, for the United States, it was damning evidence. In 2017, Congress signed their annual defense bill–the Fiscal 2018 National Defense Authorization Act–into law, Section 1634 of which detailed a ban on any use of Kaspersky software within the government. All traces of anything Kaspersky were to be wiped from Washington D.C., within 90 days’ time.
And you’d think that that would be the end of it. But it wasn’t.
In 2019–a full two years later–a research firm called “Expanse” investigated the government and military. They found Kaspersky products running on networks belonging to 14 defense contractors, eight government entities, and two military networks, not to mention dozens of organizations in critical industries like healthcare.
What happened? Why couldn’t the government get their own agencies and partners to uninstall the software? There are a few possible explanations.
[Ira] A lot has to do in many cases with rogue IT where the–it is not necessarily under the centralized control of the organization
Contractors don’t always follow the rules as closely as they’re supposed to.
[Ira] They could go online and proceed outside of normal purchase channels. […] They need software. So they go ahead or they need antivirus software. They get a free license at a conference for Kaspersky. So they go ahead and just say, Hey, I’m doing the company a favor, I’m using a free license. I got who, you know, what’s to be about. And so these things happen on a regular basis.
The bigger problem, however, is with organizations that already had Kaspersky installed on their networks or, more accurately, embedded within their networks, before the bill passed.
Finished, manufactured products tend to combine all kinds of different component parts. Like your car, for example: the engine and the tires and the body of the vehicle may have come from unrelated companies in different parts of the world. The problem for a government network is that, even if you right-click “uninstall” on Kaspersky Antivirus, it may already be a built-in component of an entirely different security appliance you rely on. Maybe that appliance was manufactured by a totally trustworthy American supplier, so you don’t give it much thought.
[Ira] You might, for example, buy a laptop and then you buy the security bundle that goes with it. And the security bundle that goes with it just happens to be Kaspersky as an example. So you purchase that and the centralized security organization or whoever else is responsible for performing an inventory, doesn’t know about those systems.
Even once you’ve spotted the problem, actually rooting it out can be a challenge. You’re not just uninstalling a piece of software, now, you’re potentially having to scrap a bigger, more central component of your computer network–perhaps a component which other components rely on. You can’t just pull the bottom brick out of the Jenga tower.
So when we talk about banning technologies, it’s not as simple as: pass a law, everything disappears. In fact, even in cases where a ban is successful–like, the government is able to prevent it from entering its sovereign territory–the actual effects of the ban can be vastly more complicated than you’d think. For better and for worse. Take, for instance, another story you might have heard of.
HUAWEI: IMPACT OF BANS
A year after banning Kaspersky, in the next defense bill, Congress wrote up a ban on Huawei Technologies (also ZTE, a state-controlled telecom). If you heard our episodes on Huawei, or read any of the news about it in 2018 and 2019, you might even be tired of hearing about it.
The government has taken all kinds of measures to curtail Huawei’s reach in the West. In 2010, then 2013, the Obama administration stepped in to block Huawei infrastructure from being built in allied nations–Australia and Korea, to be exact. They took similar actions with European nations in the years that followed. In 2008 the government stepped in to stop Huawei from purchasing Massachusetts-based 3Com and, in 2013, a takeover of Sprint by the Softbank Corporation was allowed only under the condition that Huawei equipment be excluded from Sprint networks.
You might call these “soft” bans. Even when Congress did formally ban Huawei technology within the government, the legislation itself arguably wasn’t really the point. The much larger matter was the precedent that it set.
Formally recognizing Huawei as a threat opened the door to much more serious action. On the 15th of May, 2019, the U.S. Department of Commerce added Huawei, its subsidiaries, and its affiliates, to its “Export Administration Regulations” list. Doing so meant that, from that point on, any company doing business in America would have to apply to work with Huawei. Technically, any company anywhere in the world today has to go through the same process, if their business relies on American supplies.
That kind of thing is far, far more serious than a government ban. Immediately after it was enacted, Google was forced to end its support for Huawei phones, which run on Android. Some features would remain, sure, but it meant that important Google apps and any future updates to the Android OS would be unavailable to all Huawei smartphones.
The same story goes for companies that supply all kinds of other parts for Huawei. Huawei touch screens use American-made glass, and their chips come from companies like Intel and Qualcomm. Just imagine if the next iPhone had to rely on entirely different, second-rate parts from less technologically advanced countries. You’d probably just stick with your old phone, or buy from some other company.
The point here is this: technology bans rarely have the straightforward consequences you and I might assume they would. With Kaspersky, it turned out to be difficult to actually implement a ban. With Huawei, the ban itself was utterly insignificant compared with what followed from it–the much more effective supply chain restrictions.
SHOULD THE US BAN TECH?
So now you know how technology bans can work. But, at this point, it’s worth asking whether the benefits outweigh the costs. Should America ban foreign technologies, like Kaspersky Antivirus and Huawei telecom equipment? What about FaceApp? WeChat? Tik Tok?
It’s a tricky thing. Banning, say, Huawei, might hurt Huawei, but it could also backfire and hurt the United States. Here’s a part of that story you probably don’t know, which might color your view on how “successful” that ban really was:
A full decade before there was any talk of a Huawei ban, the United States was already taking other, arguably more drastic measures to try and stop the company’s slow progress to the top. In 2005, a year after Cisco sued Huawei for stealing their router technology, the U.S. Air Force hired the RAND Corporation to investigate the relationship between Chinese networking companies and China’s government. Their conclusion seems obvious to us today: that Huawei, ZTE and companies like it operate in a kind of “digital triangle,” with the government and military.
In 2009 the NSA took matters into their own hands, with a project codenamed “Shotgiant.” The goal, according to documents revealed to The New York Times and Der Spiegel, was to find any possible backdoors built into Huawei products–in order to protect Americans, obviously, but also for another reason:
“Many of our targets communicate over Huawei-produced products [. . .] We want to make sure that we know how to exploit these products [to] gain access to networks of interest[.]”
If the CCP was hacking Huawei, the NSA wanted to know. And they wanted in on the action.
By 2010, NSA’s premier unit–the Office of Tailored Access Operations, or “TAO” for short–got what they wanted. They breached Huawei’s network, and copied their internal files right down to their source code. One agent put it best, in an internal communication that was included in the uncovered documents. Quote: “We currently have good access and so much data that we don’t know what to do with it.”
And that’s what makes the Huawei story so confounding. The United States government knew, probably, every single thing there was to know about Huawei as early as 2010. And yet, it took eight years before they officially banned Huawei, and even then it only applied within the government.
That raises the question: was Huawei dangerous, and the government didn’t ban it for eight years? Or was it not dangerous, and the government eventually banned it anyway?
It’s suspicious either way. Makes you wonder about the government’s intentions, and what they’ve actually known without telling us.
[Ira] I really would want to see the U.S. government, British government or whoever else, which is criticizing this really go in and kind of have a tangible show of finding what the concerns are. [. . .] people should come out with legitimate findings or else it’s the boy who cried wolf.
Maybe you don’t hear about stories like Shotgiant much, because you’re over here. But the effect of banning a company without public evidence causes all kinds of suspicions not against Huawei but against the U.S. government. China’s government can use American hypocrisy as propaganda, and Chinese citizens will be less receptive to future stories about other Chinese companies. It is the boy who cried wolf.
In fact, you could make an argument that, by banning Huawei, America has actually hurt itself and made China even stronger.
You see, the Huawei story doesn’t end where we left it–it just keeps getting more and more complicated.
Maybe you think it was a good thing, in the end, that Huawei won’t be getting any business in the United States, and that they have to buy all new parts from lesser manufacturers in other countries. Their business has, genuinely, suffered. And yet, there’s a silver lining. Dan Wang–a writer and, formerly, one of the leaders of the Tiananmen Square protests–wrote in his annual letter how supply chain restrictions threaten American businesses, too:
“By withholding components that Chinese companies have relied upon, the US government has turned American firms into unreliable suppliers. [. . .] even poultry farmers in China are wondering if they’ll be able to import baby chicks from the US. And there are now multiple reported instances of Japanese companies marketing themselves as more reliable than their American competitors. Moreover, I hear growing unease from companies in the rest of Asia and Europe on buying American.”
As China is barred from using American technologies, American businesses have one less nation to sell to–and a pretty big nation, at that. Plus, those companies leave a gap behind that needs to be filled–probably by Chinese companies that previously had trouble competing against Google, Qualcomm and Intel:
“Thus the US government has aligned the interests of China’s leading tech companies with the state’s interest in self-sufficiency and technological greatness. Huawei, the greatest victim of US actions, is now in the position of NASA in the 1960s when it comes to chips: a cash-rich entity willing to purchase on the basis of performance, not cost. Access to leading and demanding customers can give a chance to local suppliers who never would have had a shot competing against well-established American firms.”
The global marketplace is rich and complex: once you start setting rules about who can be where and do what, it’s hard to figure what will result.
And you know what? Even if everything works out perfectly, it doesn’t mean that foreign countries can’t spy on us in any number of other ways.
[Ira] So just because you’re not using Huawei or Kaspersky, it doesn’t mean that the Russians or Chinese or whoever else, haven’t already found a way to be embedded in that software.
So does that mean the United States shouldn’t ban technologies from hostile foreign powers? Well, no matter the cost, you’d have to argue that the security of the government, and its citizens, should be paramount. So, if a ban might in any way go towards keeping foreign spies out of America, then it’s worth considering.
But, as we’ve seen, it’s rarely that black and white. These laws are unwieldy, difficult to implement, not always effective, and they lead to unpredictable consequences. And even more problematic, such bans come with quite a hefty price tag – because in order to implement them, especially a ban on software – governments need to strengthen their grip and control on their citizens: with country-wide censorship infrastructure such as the Chinese Great Firewall, stronger control over private companies such as Google and Apple and even stronger regulation of financial institutions. One can argue that allowing governments to become so authoritarian might pose a real threat to democracy. Is it a price we are willing to pay?