On 23 February, the U.S. Administration had the chutzpah to file a formal communication to the World Trade Organization (WTO) complaining about “measures adopted and under development by China relating to its cybersecurity law.” However, it is the U.S. complaint that is most troubling. Here is why.
The gist of the U.S. complaint is that China’s newly promulgated directive on the use of VPN (Virtual Private Network) encrypted circuits from foreign nations runs afoul of Article 5(c) of the Annex on Telecommunications of the General Agreement on Trade in Services (GATS). The U.S. alleges that “this provision was designed specifically to ensure access to leased lines and other services (e.g., VPN services…” Apart from the current reality that the U.S. Administration has been attempting to destroy the WTO and its agreements including calling for a Trade War, the complaint is factually wrong, and the notion from a cybersecurity standpoint is simply profoundly wrong-headed.
The complaint is disingenuous
First of all, the WTO Agreement and Annex on Telecommunications being referenced here emerged from negotiations in the 1986-1994 timeframe in conjunction with the ITU 1988 Melbourne Treaty which enabled the use of international leased lines for the first time for services to the public, including datagram internets. The WTO Agreement and Annex are explicitly included in the Melbourne Treaty reference materials.
The implementation of Art. 5(c) was expressly predicated on nations following ITU-T standards. (I can credibly assert this fact because I was the ITU representative to the GATS meetings who proposed placing the provisions into the draft agreement!) However, several years later, the Clinton Administration decided to pursue a strategy of unilaterally ignoring the ITU 1988 Melbourne Treaty obligations and the standards that were intended to be used. Today, the U.S. has essentially walked away from their development, while China has continued to invest considerable resources in their continuing evolution and application for uses such as VPNs in conjunction with data centres.
Now that the current U.S. Administration and its president are unceasingly disparaging multilateral trade cooperation and the WTO, as well as unilaterally abrogating its trade agreements, it is well beyond disingenuous to be complaining of another nation that is arguably acting in accordance with them. Trump creates a whiplash transition from WTO cooperation to WTF chaos.
The complaint seeks to impose capabilities that did not exist at the time of the Agreement
VPNs did not even exist at the time the GATS Agreement and the Annex were developed; and to the extent they were even contemplated, the WTO Agreement—like the ITU treaty provisions—has explicit national security exceptions. Indeed, the first apparent reference to the use of the term “encryption” within the WTO did not occur until 1998. Most histories place the origin of the VPN concept no earlier than 1996. Technical standards were not even discussed globally until around 2000, and only began to be discussed in conjunction with data centres in 2011.
The ITU-T itself published multiple international standards for VPNs, including: Rec. ITU-T Y.1311, Network-Based VPNs—Generic architecture and service requirements (03/02); Rec. ITU-T Y.1314, Virtual private network functional decomposition (10/05); Rec. ITU-T Y.2215, Requirements and framework for the support of VPN services in NGN, including the mobile environment (09/06). There are also two relatively recent ITU-T standards: Supp. 30 to Rec. ITU-T X.805, Security guidelines for mobile virtual network operators (17/09). Indeed, the entire ITU-T Y.3500 series, which U.S. industry helped develop, covers trusted use of VPNs in conjunction with the use of data centres.
The MIIT directive provisions are on their face reasonable
If one actually makes the effort to read the MIIT Telecom directive, it takes a number of sensible steps toward the three stated goals:
investigate and penalize illegal activities in the Internet datacenter (IDC), Internet access service (ISP) and content distribution network (CDN) markets, including business without permit, business beyond permitted scope, layer-by-layer subletting, etc.;
to strengthen the management of business permits and access resources, and harden the management of cybersecurity;
to maintain a fair and orderly market, and promote the healthy development of the sector
The work focuses on three activities:
(I) Strengthening qualification management, investigating and penalizing illegal businesses
(II) Hardening resource management, eliminating irregular usage
(III) Implementing relevant ordinances, consolidating ground for management
The directive is not significantly different from those issued by many other telecommunications oversight agencies worldwide to focus on the security of their public telecommunications infrastructure, and any concerns over excessive actions and burdens are not supported by multiple published assessments.
Indeed, the United States’ own government body, the U.S.-China Economic and Security Review Commission, recently reviewed the same MIIT regulations and found that “the degree to which the new VPN control measure will target businesses or individuals is not clear” and that “the language of the MIIT statement is ambiguous, citing the necessity of approval for ‘information channels to conduct cross-border business activities.’” In fact, the Commission goes on to extol an announcement at the same time of considerable further investment in China’s national broadband infrastructure.
A leading international law firm based in the UK, Taylor Wessing, stated “in our view, at least in the context of Circular 32, most companies using VPNs do not need to be overly concerned by either of these issues” and explained in some detail their analysis.
Other media also indicated that the Ministry of Industry and Information Technology has said that authorized VPNs will be allowed to conduct business as usual and that the new restrictions only apply to companies using unauthorized VPNs.
The complaint ignores the severe potential adverse security consequences of transnational VPNs
Perhaps most disconcerting is that the complaint ignores the severe potential adverse consequences of VPNs—which enable a malicious actor in one nation to operate through an encrypted tunnel within the infrastructure of another nation. Indeed, it is exactly this capability that allowed Russian intelligence operatives to engage in cyber warfare operations in the U.S.
With the emergence of new encryption protocols and cloud data centre based services, this national security threat is emerging as one of the leading cybersecurity threats today.
Although the present U.S. Administration may be ignoring the problem, other nations plainly are not. The challenges are complex, and the adverse consequences are significant. The bottom line is that no rational nation is likely to allow unknown and untrusted encrypted tunnels into its national telecommunication and information infrastructure from another nation without a substantial intergovernmental agreement on the associated controls. This is exactly what the MIIT is doing, and the U.S. government should be doing the same.
The U.S. should resume working in ITU-T forums on appropriate standards
The specific MIIT provisions of which the U.S. complains and is attempting to leverage have been the subject for discussions in the WTO and ITU-T for many years. To be fair, there are many factions who have been obstacles to progress. However, the lack of significant U.S. interest—which recently has become dramatically worse—does not help.
When it comes to interconnecting network end-points across borders using encrypted VPN tunnels—especially when the end-points reside in data centres—nations will require verifiable implementation of needed international standards as part of the intergovernmental agreements. Otherwise, the use will be restricted to domestic implementations, and those offering the services will have to replicate their implementations at data centres physically located within every nation. Every new transnational networking technology has faced the same challenge.
Nations who try their hand instead at bilateral bullying may persuade a few nations to go along with them. Wise nations with a global leadership vision will leverage existing multilateral instruments and organizations like the WTO—ITU ensemble. Work already exists in ITU’s Study Groups 13 and 17. The U.S. should try using it again.
So, what are the ITU-T standards for customer-equipment-based VPNs? The ones I find are all for network-based VPNs which’ve been pretty much abandoned for failure to meet basic business (not technical) security requirements.
It is not clear that some of the existing Y and X series standards don’t have enough flexibility to accommodate a wide variety of VPN instantiations. The standards were largely developed by U.S. and European providers and equipment vendors.
However, if one is going to be filing complaints to the WTO that are reliant on standards in a particular venue, it might be wise to have the foresight to have ensured those standards exist in that venue. Hence the admonition to engage in SG13 and SG17 at the end of the article. On the other hand, if one is just going to call for trade wars, it is not clear what purpose is being served by filing a complaint at all.
I know they have a certain amount of flexibility. But as far as I can see they don't have the flexibility to prevent the network operator from accessing the data flowing across the VPN (because the network operator is the one operating the VPN and its endpoints and they have access to all the encryption keys). That's where those standards run headlong into the business security requirement that the data remain secure vs. the network operator who isn't authorized to see it.
The conflicts of law in supporting these services and meeting divergent contractual and regulatory requirements both internationally and domestically are monumental and getting worse.
> conflicts of law
I only see conflicts of trust. Should I choose to use a service provider's VPN I am required to trust them. I trust no one. However, they are not required to trust me and any possibility of having them trust me is removed (by law). They are to be considered good and trustworthy, I am not. I am guilty until proven innocent.
> and getting worse.
Of course this will get worse, it's based on a double standard.
Tony
I hadn’t known this history. I bumped into this article while researching CJK at standards, something you taught me.
Separately, apologies for not following up on your ISOC history bit. I just never seem to catch up.
Dave