To Retain our Sovereignty, Canada Must Control our Technology

If your favourite hat is made of tinfoil, this is a banner week for you.

On Tuesday, the Washington Post and ZDF published a bombshell story detailing how, for nearly half of the 20th century, the CIA owned Swiss cryptography company Crypto AG. Under the CIA’s influence, the company sold compromised cryptography devices to U.S. enemies and allies alike, for the purpose of maintaining intelligence supremacy.

The revelation has prompted experts in the infosec community to question how much influence American spies have over more contemporary information security companies, such as endpoint security software providers and SSL certificate authorities.

A day after the release of the WaPo story, the U.S. government confirmed the suspicions of many and revealed that it had evidence of Chinese backdoors in Huawei’s mobile networking equipment. This revelation comes at a time when Canada and Britain – two close intelligence allies of the U.S. – are considering purchasing Huawei equipment to build out domestic 5G networks.

Many in the social media sphere have pitted the CIA and Huawei stories against each other, taking a reactionary stance about which nation is less trustworthy. But this response somewhat misses the important lessons that can be learned from both stories.

The first point ought to be obvious: a technology company will always be subject to the laws of the nation where it is incorporated. If that nation has a culture of surveillance woven deeply into its institutions – as both the U.S. and China do – then it’s reasonable to expect that any technology from those nations’ companies may inevitably be used to spy on you.

Secondly, it would be a mistake to gloss over how the CIA’s approach to Crypto AG was both flawed and reckless. Secrets – especially big ones involving many people – are hard to keep. People talk, or get suspicious and investigate.

In infosec we refer to this principle as security through obscurity, and mostly treat it as fallacy. In the case of Crypto AG, recall that faulty devices were sold to U.S.-friendly nations, enabling the CIA to spy on all but their closest allies. The WaPo story notes the internal CIA documents take a very self-congratulatory tone on this matter – describing it as “the intelligence coup of the 20th century”.

But it’s easily conceivable that the Soviets – either through intercepted communications, stolen Crypto machines, or a combination of both – were able to uncover the vulnerability that the CIA placed in Crypto’s machines. This would have put the communications of U.S. allies – including some NATO members – at risk of Soviet surveillance.

This concept is, unfortunately, something that governments seem incapable of understanding: compromising information security will always be a double-edged sword. Engineering vulnerabilities into technology so that you can spy on your citizens or allies will always mean that your citizens and allies might in turn be spied upon by enemies.

In the information age, this axiom has been proven again and again. A critical vulnerability in Microsoft Windows known as BlueKeep was hoarded by the NSA for years – for the NSA’s own spying purposes – before the spy agency finally reported the bug to Microsoft. It was only a short time later that criminals used the security hole to deploy the WannaCry ransomware, which wrought havoc worldwide. This included shutting down many hospitals of England’s National Health Service, placing human lives in jeopardy.

Yet, despite the evidence of danger, the U.S. government is demanding that technology companies place backdoors in their software, and design encryption so that it can be easily reversed by U.S. spies and law enforcement. They seem ignorant to the logic that these intentional design flaws would place huge amounts of critical civilian infrastructure at risk. Breakable encryption would be breakable not just by U.S. spies, but by any U.S.-hostile nations, terrorists, or criminals with enough cybersecurity clout to divine the secret backdoors.

So where does this leave Canada?

First and foremost, Canada must face the reality that deployment of any technology made by another country may put our sovereignty at risk. The United States – as a close intelligence partner of the Five Eyes – is right to be critical of Canada and Britain’s deployment of Huawei technologies. However, given the CIA’s propensity for surveillance and trickery, we should perhaps be equally critical of equipment made by American companies.

Canada, home to former telecom giants such as RIM and Nortel – and with the engineering clout of telecoms operating vast, coast-to-coast networks – should seriously consider developing homegrown technologies to build out our telecom infrastructure. Any who doubt our capability should consider not only our history, but also that the current U.S. political climate has meant that some of the world’s best and brightest are flocking to Canada instead.

Next – and this is important – We must reject the idea that vulnerabilities in technology can be used solely for good. We must renounce that encryption and the IT infrastructure that depends upon it can be deliberately broken without doing untold harm. Ask any comp-sci expert or cyber-security researcher and they’ll tell you the same.

This involves tending our own garden as a nation. One of Canada’s spy agencies, the Communications Security Establishment, has been granted the lawful powers both to research and to purchase (from hacking firms) knowledge of software vulnerabilities for the purposes of spying: vulnerabilities which, until fixed, place Canadians and our institutions at risk.

These will be difficult roads to take, but they are utterly essential. The time has come to stop pretending that technology infrastructure is not fundamental to how our society functions. With this revelation should come the stark realization that if another nation controls access to our technology, we have lost a huge portion of our sovereignty.



image: “Listening Heads” by Jesse Schooff