Using homegrown tech to quell cyberespionage can backfire

[UPDATE] Governments that shun foreign-made IT products as way to curb cyberespionage can incur higher cost and miss out on latest available technology in market.

Governments that choose to use only locally developed technology as a way to eliminate foreign cyberespionage must realize the tradeoffs in doing so, and should consider other ways to allay such worries.

Ng Kai Koon, senior manager for legal and public affairs at Symantec Asia-Pacific, noted that in the ever-changing techology landscape, keeping pace with cybersecurity is a continuous challenge even for established market players such as Symantec.

Countries that decide to build their own technology from scratch need to be aware they may not be able to provide the best security environment, at a cost-effective price, for its citizens or government agencies, said Ng.

Countries also run the risk of excluding itself from the "best technology" in the market should it decide to use only homemade products, he added.

James Lyne, director of technology strategy at Sophos, agreed. "Entirely developing your own security solutions and being in control of all assets is incredibly expensive and difficult. It also puts you significantly behind the curve of innovation," he said.

The industry players' comments were in response to a comment by a cybersecurity analyst  earlier this week who suggested the Indian government use only homegrown technology to reduce spying by foreign countries.

Ng noted that cyberespionage tools can be embedded into foreign IT tools, and some governments offer subsidies to domestic technology companies which sell products abroad to use these IT products for cyberespionage purposes.

A Malaysian professor expressed similar sentiments last year when he said there was no way of checking the source code of a piece of software to confirm it was safe for use. He then urged the Malaysian government to develop its own IT security software to reduce data leaks from deploying foreign products.

Chinese networking vendors, Huawei and ZTE, earlier this year were accused of receiving illegal subsidies from their government and providing opportunities for foreign and economic espionage . Both companies denied any truth in the allegations.

Quality of local tech matters, too
According to Lyne, making technology that is commercially viable and better than commercial off the shelf technology will be extremely difficult even though it makes sense to make-to-order technology for unique needs of governments.

Adrianna Tan, a student living in Singapore, said she is worried about cyberespionage threats in the city-state as the potential for such attacks "is everywhere" and Singapore is not excluded .

However, Tan does not think the country should rely exclusively on its own technology. She underscored the need for quality products.

"Even though Singapore is quite a tech hub, I don't really trust the tech bred here," she said, adding that she would feel "safer" if the government uses technology from more established markets such as Silicon Valley.

Debbie Yong, a clinic administrator, added that countries which build their own IT would isolate themselves from the world, which is "generally bad".

Allaying cyberespionage fears
Ng said it is natural for governments to want to ensure their country's cybersecurity well-being.

"We recognize that every country in the world has ambitions of its own in terms of developing cybersecurity industry in its own borders," he said, noting that Symantec implemented several measures to allay a government's fears of cyberespionage.

"We subject our products to third-party testings that are internationally recognized as an added layer of security for these governments," he said, and pointed to the Common Criteria  testing and certification as an example.

Adopted by governments and organizations worldwide, common criteria is an international standard for the assessment and certification of security components in an IT product or system.

Lyne added that in many cases, commercially off-the-shelf technology that is certified to be trustworthy will be more cost effective and efficient from a protection standpoint.

According to Ng, Symantec also helps countries such as Singapore develop local cybersecurity capabilities through the its security response centers . Such facilities can develop the country's ability to gather intelligence as well as understand and analyze the security threats landscape.