Critics say U.S. tech companies could suffer from warning against China-based cloud services

A congressional commission's warning to U.S. companies that using China-based cloud services poses a security risk is unfair and could lead to retaliation against American tech companies, critics say.


The U.S.-China Economic and Security Review Commission released its annual report to Congress this week, urging lawmakers and the administration of President Barack Obama to take action to curtail the Chinese government's "large-scale cyberespionage campaign against the United States."

China-based hackers have "successfully targeted the networks of U.S. government and private organizations," the commission said. Those targets have included the Department of Defense and private companies.

China-based cloud services are a particular threat to U.S. organizations because of the relationship between China's Ministry of State Security (the equivalent of the U.S. National Security Agency) and the Chongqing Special Cloud Computing Zone, the commission said. The ties between the two represent a "potential espionage threat to foreign companies that might use cloud computing services provided from the zone or base operations there."

While acknowledging the risk of doing business in China, Daniel Castro, senior analyst for the Information Technology and Innovation Foundation, a Washington research institution, said the commission's argument could be used to warn against storing data in a cloud service based in any country.

"That same mentality (if exercised by other countries) is destructive to U.S. tech companies because we want to be exporters of data services," Castro told CSOonline Thursday. "If we're saying you can't trust data because of where it's stored, well that message is going to come back and bite us."

Indeed, revelations of massive data gathering on U.S. and foreign citizens by the NSA, which has siphoned user information from major U.S. Internet and telecom companies, have angered many countries, both allies and adversaries.

Media reports based on documents released by former NSA contractor Edward Snowden have had an impact on U.S. companies doing business overseas. Last week, Cisco became the first company to report that NSA activities have hurt its business in China.

The fact is, China isn't much different from other countries when it comes to spying, Jim Reavis, executive director of the nonprofit Cloud Security Alliance, told Bloomberg.


"Every country is going to seek to use information technology assets for surveillance," Reavis said.

On a technical level, companies can increase security by encrypting data and making sure they are the only ones with the key, Castro said. Beyond that, countries have to get together and place limits on the data collection allowed when it comes to private industry.

"It's very difficult to say that government-mandated disclosure (of customer data from local companies) won't happen, unless you have some kind of international agreement or global compact," Castro said.

While the report was short on details of Chinese activity, the commission did cite as an example of a potential problem Microsoft's plan to link its data centers in other countries with those of China-based 21Vianet. This agreement suggests "the Chinese government one day may be able to access data centers outside China through Chinese data centers," the report said.

Doug Hauger, Microsoft's general manager for China commercial cloud services, told Bloomberg that 21Vianet does not have access to Microsoft-operated data centers outside of China.

The commission said there was an "urgent need" for Washington to take action against China to discourage its stealing of intellectual property through cyberespionage.

Some of the actions currently under consideration by Congress and the administration include legislation, sanctions, counterintelligence tactics, better cooperation between the U.S. government and the private sector, and the appointment of a Cabinet-level official to oversee an interagency effort to protect intellectual property.

"These would be more effective if used in combination, as they probably would lead Beijing to make only temporary or minor changes to its cyberespionage activities, if used in isolation," the report said.


Stories by Antone Gonsalves
