The Law Of Expected Consequences – China Reacts To CISA
In the last weeks of the year, Congress did what Congress does and took a controversial bill, CISA, which experts say expands government spying on citizens in the name of protecting them, and stuck it inside a must pass bill – in this case the omnibus spending bill – at the last minute.
Since Congress has been unable to muster the votes to pass this bill as a standalone bill for several years, this seemed like an expedient way for Congress to get it passed. And, while it worked, as many people predicted, it has already had unintended consequences.
China has announced that since it is now OK for the U.S. government to increase the level of spying on Internet traffic, China will do the same.
The draft legislation would require companies to install “back doors” or hand over encryption keys to the Chinese government. Not only that, but they would be required to hand over user information to the Chinese government as well. In the name of countering terrorism.
This includes Financial institutions and manufacturing companies.
China actually said that they looked at U.S. law, along with other countries, when drafting this legislation.
Of course the recent announcement that the NSA may have been bugging Juniper routers for years likely did not make the Chinese any happier.
Apparently, things move a little quicker in China than in the U.S. – China, on the same day that the draft legislation was proposed, passed that legislation into law. Among other things, that law requires “ISPs and telecomm providers “shall provide technical interfaces, decryption and other technical support and assistance to public security and state security agencies”.
Now we have to see what China actually demands.
The challenge is that for many companies, China is a significant market and walking away from China will cost them money. On the other hand, if they do not turn over their encryption keys, they could see their sites blocked by The Great Firewall.
It looks like the Cold War is heating up – this time in cyber space. Other countries, such as France and England, are considering similar laws. Will every country now demand the encryption keys from every company?
If so, I give it about a week before those keys are leaked to the hacker community.
Companies will be forced to make hard decisions. Do we allow governments across the globe to paw through our users’ traffic or do we stop doing business in certain countries.
And, from the user’s standpoint, they now have total plausible deniability for any cyber crime that they are charged with. “Your Honor, as you already know, the French, English, Chinese, U.S. and other governments all have my encryption keys. Given that, and the fact that, at least, the U.S. Government has a bad track record for keeping keys secret – after all, we just have to look as far as the TSA and OPM to see that – it is likely that hackers have my keys as well. Since I have no ability to control who has my keys, it is just as likely that a hacker in China committed this crime. While I don’t have the resources to prove this, you cannot deny this is possible. I submit that the government cannot, beyond a reasonable doubt, prove that it was me who did this. I request that the charges against me be dropped.” This may seem far fetched, but it isn’t.
This has certainly NOT played out yet – stay tuned.
Information for this post came from SC Magazine .
There is another article in SC Magazine with an update.