A congressional commission's warning to U.S. companies that using China-based cloud services poses a security risk is unfair and could lead to retaliation against American tech companies, critics say.
The U.S.-China Economic and Security Review Commission released its annual report to Congress this week, urging lawmakers and President Barack Obama's administration to take action to curtail the Chinese government's "large-scale cyberespionage campaign against the United States."
China-based hackers have "successfully targeted the networks of U.S. government and private organizations," the commission said. Those targets have included the Department of Defense and private companies.
China-based cloud services are a particular threat to U.S. organizations because of the relationship between China's Ministry of State Security (the equivalent of the U.S. National Security Agency) and the Chongqing Special Cloud Computing Zone, the commission said. The ties between the two represent a "potential espionage threat to foreign companies that might use cloud computing services provided from the zone or base operations there."
While acknowledging the risk of doing business in China, Daniel Castro, senior analyst for the Information Technology and Innovation Foundation, a Washington research institution, said the commission's argument could be used to warn against storing data in a cloud service based in any country.
"That same mentality (if exercised by other countries) is destructive to U.S. tech companies because we want to be exporters of data services," Castro told CSOonline Thursday. "If we're saying you can't trust data because of where it's stored, well that message is going to come back and bite us."
Indeed, revelations of massive data gathering on U.S. and foreign citizens by the NSA, which has siphoned user information from major U.S. Internet and telecom companies, have angered many countries, both allies and adversaries.
Media reports based on documents released by former NSA contractor Edward Snowden have had an impact on U.S. companies doing business overseas. Last week, Cisco became the first company to report that NSA activities have hurt its business in China.
Fact is, China isn't much different than other countries when it comes to spying, Jim Reavis, executive director of the nonprofit Cloud Security Alliance, told Bloomberg.
"Every country is going to seek to use information technology assets for surveillance," Reavis said.
On a technical level, companies can increase security by encrypting data and making sure they are the only ones with the key, Castro said. Beyond that, countries have to get together and place limits on the data collection allowed when it comes to private industry.
"It's very difficult to say that government-mandated disclosure (of customer data from local companies) won't happen, unless you have some kind of international agreement or global compact," Castro said.
While the report was short on details of Chinese activity, the commission did cite Microsoft's plan to link its data centers in other countries with those of China-based 21Vianet as an example of a potential problem. This agreement suggests "the Chinese government one day may be able to access data centers outside China through Chinese data centers," the report said.
Doug Hauger, Microsoft's general manager for China commercial cloud services, told Bloomberg that 21Vianet does not have access to Microsoft-operated data centers outside of China.
The commission said there was an "urgent need" for Washington to take action against China to discourage its stealing of intellectual property through cyberespionage.
Some of the actions currently under consideration by Congress and the administration include legislation, sanctions, counterintelligence tactics, better cooperation between the U.S. government and the private sector, and the appointment of a Cabinet-level official to oversee an interagency effort to protect intellectual property.
"These would be more effective if used in combination, as they probably would lead Beijing to make only temporary or minor changes to its cyberespionage activities, if used in isolation," the report said.