There has been a ton of press over recent months about information security, in particular concerns around Huawei products in 5G networks. When it comes to 5G, Canada is the only “Five Eyes” member not to ban or restrict Huawei products in national 5G networks, and there are plenty of other rumblings from other states and large corporates around the world that are concerned about Huawei.
In similar news stories, some states have been warning about the use of TikTok, and some companies have been banning employees from installing it on their phones. It is rumoured that a US ban of TikTok is on the way, it’s already banned in India, and the Wells Fargo bank in the US recently told employees the application is verboten. One security researcher described the TikTok app as a “data collection service thinly-veiled as a social network”, and the Peterson Institute for International Economics describes TikTok as a “Huawei-sized problem”.
The issue appears to be that Huawei and TikTok are both Chinese-owned businesses, and the allegation is that these technology platforms are being used to support Chinese spying activities. Rather than digging into that particular point, what does this mean for information security and cybersecurity in general?
There is a maxim in the IT industry that “information wants to be free”. Whilst this phrase has a number of interpretations, one way to look at it is that information doesn’t like to just “sit” where it is put. Information has a tendency to leak and spread: once you lose control of it, there is no saying where it will end up. Information storage is virtually free, and information transmission and duplication is virtually instant.
There is also a truism that information always has an inherent value. At a minimum, that value can be a very small quantity: just what is the “dollar value” of my email address, or of the fact that I went to Starbucks this morning? Or that value can be a huge amount. For example, how much value can be attributed to coronavirus vaccine research hacked from a particular state’s researchers, or how much value can be attributed to information that leads to an insider trading deal?
Given that all information has some value (i.e. it’s always non-zero), it follows that if you can gather a lot of information, you are likely to get some return on your investment. This is why we see the “industrialisation” of attacks on information security across all sectors of industry. There are hackers at state level, there are hackers at a “small business” level (small hacking groups trying to make a quick buck), and at every place in between. You could even argue that some hacker activity is “third sector” in nature, e.g. hacks against the NHS that purport to be about highlighting information security issues for the “benefit” of the service, as opposed to looking to extract money.
One issue here is that, at the state level, it was ever thus. It has always been the case that so long as international telecommunication lines exist, where those lines cross a border the states on either side have had the motive and capability to collect the information that flows over those lines. What’s happening now is that because the volume and nature of those communications has become so much more complex (go back 50 years and “plain” phone calls were all that crossed those lines), states are finding new ways to gather information. Why not build a massively popular app that half the population of your enemy installs? Why not make networking products so compelling that your enemy ends up paying you to install them in their network? If information wants so badly to be free, why not lean into that and make sure that as much data as possible happens to pass by close enough for you to grab a copy?
Keeping this focused on my area – helping SMEs with their IT – what does all this mean?