1 00:00:01,980 --> 00:00:05,610 ARI: Hello, I'm Ari. [CLAUDINE: And I'm Claudine] Welcome to Proving the Negative. 2 00:00:05,610 --> 00:00:09,490 ARI: We're a podcast all about exploring the different sides of cybersecurity, 3 00:00:09,490 --> 00:00:13,770 from political to computer science, international relations to mathematics. 4 00:00:13,770 --> 00:00:16,300 Join us as we talk to our friends about the work they do. 5 00:00:16,300 --> 00:00:19,000 We have a treat for you, listeners! Today, we're talking about, 6 00:00:19,000 --> 00:00:22,350 the supply and demand of surveillance technology across the world. 7 00:00:22,350 --> 00:00:28,320 We're talking about spheres of influence, technospheres, and how it all comes together. 8 00:00:28,320 --> 00:00:33,320 VALENTIN: Hey I'm Valentin Weber. I'm a fifth year PhD. student in cyber security, 9 00:00:33,320 --> 00:00:37,500 and international relations at the Centre for Doctoral Training in Cyber Security, 10 00:00:37,500 --> 00:00:43,110 as well as the Department of International Relations. 11 00:00:43,110 --> 00:00:46,710 CLAUDINE: Could you give us an elevator pitch about the work that you've been doing? 12 00:00:46,710 --> 00:00:53,430 VALENTIN: The proliferation of surveillance technology, 13 00:00:53,430 --> 00:00:57,270 which we have seen taking off in the last couple of years. 14 00:00:57,270 --> 00:01:04,170 It's about the increase of deployment of CCTV cameras with facial recognition. 15 00:01:04,170 --> 00:01:09,479 It's about journalists being targeted by spyware. I really wanted to understand, 16 00:01:09,479 --> 00:01:14,010 what's driving the demand, but also what's driving the supply. 17 00:01:14,010 --> 00:01:18,500 Suppliers of surveillance technologies are China and Russia and Western countries, 18 00:01:18,500 --> 00:01:23,970 such as Italy, UK, US who are also exporting that surveillance gear. 19 00:01:23,970 --> 00:01:29,166 I was interested in the Chinese and Russian models of surveillance, 20 00:01:29,166 --> 00:01:34,440 information control, censorship, self-censorship and comparing the two. 21 00:01:34,440 --> 00:01:39,870 Also how 'norms' go from these two countries abroad. 22 00:01:39,870 --> 00:01:45,420 Diffusion of technology, but also the norms that come ingrained in that gear. 23 00:01:45,420 --> 00:01:52,680 I was interested in the countries buying that surveillance technology, 24 00:01:52,680 --> 00:01:58,620 if they're relying on China or Russia, are being drawn into spheres of influence. 25 00:01:58,620 --> 00:02:03,570 Are countries still maintaining access to technology afterwards. 26 00:02:03,570 --> 00:02:07,380 Have we seen any evidence? What are the ways that they would do it? 27 00:02:07,380 --> 00:02:13,470 What's their interest in maintaining access? In selling that technology? 28 00:02:13,470 --> 00:02:19,860 CLAUDINE: What do you mean by "proliferation"? 29 00:02:19,860 --> 00:02:28,110 By proliferation, I mean specific events in recent history where there was a coup d'etat, 30 00:02:28,110 --> 00:02:36,510 let's say, in Egypt. After that, Egypt turned towards a major supplier (China), 31 00:02:36,510 --> 00:02:43,860 they engaged in a contractual relationship importing [technology] 32 00:02:43,860 --> 00:02:49,000 geared towards maintaining public security, (e.g., surveillance cameras) 33 00:02:49,000 --> 00:02:51,510 or getting ideas from those countries. 34 00:02:51,510 --> 00:02:54,840 One Egyptian parliamentarian said they want their own Facebook, 35 00:02:54,840 --> 00:02:58,110 to better control the information environment at home. 36 00:02:58,110 --> 00:03:05,070 So it's really about a bilateral relationship between two countries. 37 00:03:05,070 --> 00:03:13,370 Technology transfer, but also a transfer of ideas and training. 38 00:03:13,370 --> 00:03:19,350 Training for how to access citizens phones for law enforcement officials, 39 00:03:19,350 --> 00:03:24,840 they would have specific gear for accessing your phone or computer. 40 00:03:24,840 --> 00:03:31,920 CLAUDINE: Why has there been proliferation of surveillance tech and trade relationships? 41 00:03:31,920 --> 00:03:36,270 Are there specific events that you could point to? VALENTIN: There were specific events. 42 00:03:36,270 --> 00:03:42,840 Russia and China promoted it to certain regions. All countries have their specific interests, 43 00:03:42,840 --> 00:03:47,730 whether that's trade, whether that's political interests, security interests. 44 00:03:47,730 --> 00:03:50,101 China and Russia have identified their regions 45 00:03:50,101 --> 00:03:55,250 Chine - the Belt and Road Initiative, which Egypt is part of. 46 00:03:55,250 --> 00:03:56,400 The ancient Silk Roads, 47 00:03:56,400 --> 00:04:05,310 the idea is to revive the Silk Road and declaring countries a strategic priority. 48 00:04:05,310 --> 00:04:11,500 There has been a push coming from China to export to those regions. 49 00:04:11,500 --> 00:04:13,740 For Russia, mostly post-Soviet countries, 50 00:04:13,740 --> 00:04:22,770 where there is a quid pro quo - Russia is supplying military equipment, 51 00:04:22,770 --> 00:04:28,390 also technology to surveil the Internet infrastructure that is then deployed, 52 00:04:28,390 --> 00:04:33,130 in telecommunications companies that run the Internet domestically. 53 00:04:33,130 --> 00:04:36,500 I've looked at countries where I would have expected them to have a demand 54 00:04:36,500 --> 00:04:39,360 for that technology because they had a lot of protests, 55 00:04:39,360 --> 00:04:43,740 they had a really unstable political environment. 56 00:04:43,740 --> 00:04:50,860 Zimbabwe was interesting. I interviewed government officials asking why they bought the technology. 57 00:04:50,860 --> 00:04:57,840 What was their interest? Why from China? Primary evidence of why contracts happen. 58 00:04:57,840 --> 00:05:09,000 [It was] A fun part of the research, to get so close. I did this in Zimbabwe, in 59 00:05:09,000 --> 00:05:15,180 Thailand, Zambia. I got primary sources to understand specific periods in time. 60 00:05:15,180 --> 00:05:20,370 Government officials in charge at the time. ARI: When we say primary sources... 61 00:05:20,370 --> 00:05:25,170 What is a primary source? VALENTIN: Specifically to my project, 62 00:05:25,170 --> 00:05:30,700 I categorise those government official interviews as primary sources. 63 00:05:30,700 --> 00:05:33,800 It was really difficult to get a hold of them, so I had to 64 00:05:33,800 --> 00:05:41,260 reach out to my network and snowball - start from a colleague and go from there. 65 00:05:41,260 --> 00:05:48,670 And then I would go from one country to where another diaspora is located. 66 00:05:48,670 --> 00:05:53,230 Then it was really interesting to uncover those networks of people. 67 00:05:53,230 --> 00:05:57,430 That was difficult because a lot of these people are very busy. 68 00:05:57,430 --> 00:06:02,680 Another [primary source] was network measurements of Internet infrastructure. 69 00:06:02,680 --> 00:06:06,250 We tried to discover surveillance middle-boxes, which are 70 00:06:06,250 --> 00:06:12,520 deployed at various points in a country where lot of data flows through. 71 00:06:12,520 --> 00:06:19,600 These are used to monitor content, filter spam and to slow down your data, 72 00:06:19,600 --> 00:06:23,560 (if they've monitored your traffic and you've used too much). 73 00:06:23,560 --> 00:06:27,700 It's used for censorship - we covered Huawei in different countries. 74 00:06:27,700 --> 00:06:32,740 We found them in several, and 75 00:06:32,740 --> 00:06:38,980 we found even more, thousands, across the world, deployed by the UK by 76 00:06:38,980 --> 00:06:44,110 over 80 countries or so, deployed even more widely. 77 00:06:44,110 --> 00:06:50,440 That's also a primary source - where we saw a geographic location. 78 00:06:50,440 --> 00:06:53,659 Another [primary source] would be corporate documents, 79 00:06:53,659 --> 00:06:58,990 websites of Russian companies where they would say "we sell to country x", 80 00:06:58,990 --> 00:07:03,640 I would take that as a primary source. You could argue that it's less reliable. 81 00:07:03,640 --> 00:07:11,350 That's how I measured and tracked the export of surveillance gear. 82 00:07:11,350 --> 00:07:17,380 That's a primary source of their activities. CLAUDINE: The subversion of cyber security, 83 00:07:17,380 --> 00:07:20,470 Could you just explain a little bit what that means? 84 00:07:20,470 --> 00:07:27,700 VALENTIN: Surveillance is about the subversion of cyber security. 85 00:07:27,700 --> 00:07:37,450 If you want to do large-scale surveillance, you have to weaken systems. 86 00:07:37,450 --> 00:07:41,590 You have to weaken end-to-end encryption, you have to weaken, 87 00:07:41,590 --> 00:07:49,810 communication that happens between a website and your computer. 88 00:07:49,810 --> 00:07:55,210 I looked at Chinese government websites and found that they're really insecure. 89 00:07:55,210 --> 00:08:04,830 A lot of them don't deploy HTTPS on login portals. Security practices are not up to standard. 90 00:08:04,830 --> 00:08:12,730 Intentionally subverting cyber security in order to do surveillance, 91 00:08:12,730 --> 00:08:16,120 that's what I mean by the subversion of cyber security. 92 00:08:16,120 --> 00:08:25,030 There's discussion in the EU and US to weaken encryption for various purposes, 93 00:08:25,030 --> 00:08:31,140 whether that is terrorism or (what law enforcement would consider) criminal behaviour, 94 00:08:31,140 --> 00:08:36,610 that would be another way subverting cyber security. That' where my interest comes in, 95 00:08:36,610 --> 00:08:43,210 It's a paradox where countries are intentionally moving into that direction 96 00:08:43,210 --> 00:08:51,610 looking into the details of how you'd build a backdoor to maintain access. 97 00:08:51,610 --> 00:08:55,510 You wouldn't design a back door and make it look like a back door. 98 00:08:55,510 --> 00:09:02,380 You want it to look like a bug. You can subvert cyber security in a subtle way. 99 00:09:02,380 --> 00:09:06,490 CLAUDINE: How do countries deal with using surveillance equipment, or 100 00:09:06,490 --> 00:09:09,940 surveillance models that are imported from countries such as 101 00:09:09,940 --> 00:09:16,320 China and Russia, which Western democracies might view as antagonistic? 102 00:09:16,320 --> 00:09:19,540 VALENTIN: Some surveillance concepts were actually brought to China. 103 00:09:19,540 --> 00:09:26,000 IBM was one of the major thinkers behind smart cities (digitising the city), 104 00:09:26,000 --> 00:09:30,520 and that was really welcomed in China. 105 00:09:30,520 --> 00:09:35,440 They adopted that concept and developed it further. China and Russia 106 00:09:35,440 --> 00:09:39,680 have learned from Western concepts of law enforcement operations. 107 00:09:39,680 --> 00:09:43,420 Outside Europe and America, 108 00:09:43,420 --> 00:09:49,330 it was difficult to actually put those systems in place. Within China, 109 00:09:49,330 --> 00:09:56,320 you have a government which has a strong capacity to buy the equipment, 110 00:09:56,320 --> 00:10:03,220 they have a lot of data on citizens already, gathered throughout the years. 111 00:10:03,220 --> 00:10:07,030 They have a really strong surveillance infrastructure in place. 112 00:10:07,030 --> 00:10:12,970 A country like Zimbabwe would love to have such a system in place. 113 00:10:12,970 --> 00:10:20,200 But for them, it's difficult to: get citizen fingerprints, install facial recognition, 114 00:10:20,200 --> 00:10:24,580 to actually make it work and keep it operational. 115 00:10:24,580 --> 00:10:30,440 If someone has an interest in keeping human rights alive, 116 00:10:30,440 --> 00:10:37,190 that's a good sign. That those countries are not able to easily do [surveillance], 117 00:10:37,190 --> 00:10:44,870 CLAUDINE: How did the officials you spoke to grapple 118 00:10:44,870 --> 00:10:50,930 with that paradox between security and freedom? 119 00:10:50,930 --> 00:10:58,970 VALENTIN: The government officials I spoke were in favour of freedom of expression, 120 00:10:58,970 --> 00:11:05,840 upholding privacy of citizens. They managed to be part of the opposition. 121 00:11:05,840 --> 00:11:11,030 For them, it was interesting to explain what was happening. 122 00:11:11,030 --> 00:11:20,390 They were in favour of of not pursuing political dissidents/targeting groups. 123 00:11:20,390 --> 00:11:28,460 They explained how governments decided to buy technology and go forward. 124 00:11:28,460 --> 00:11:31,580 So I didn't talk to any hardcore autocrats. 125 00:11:31,580 --> 00:11:35,632 The people I talked to were willing to share what was going on 126 00:11:35,632 --> 00:11:37,790 under the condition of anonymity. 127 00:11:37,790 --> 00:11:44,172 Traditionally, a sphere of influence would be defined by one country's influence 128 00:11:44,172 --> 00:11:47,830 over another country, which would mean, at the same time, 129 00:11:47,830 --> 00:11:51,110 the exclusion of other countries having influence in that country as well. 130 00:11:51,110 --> 00:11:52,370 During the Cold War, 131 00:11:52,370 --> 00:11:56,270 Eastern Europe being a sphere of influence of the Soviet Union 132 00:11:56,270 --> 00:12:00,500 and the Americas being a sphere of influence of the US during the Cold War, 133 00:12:00,500 --> 00:12:02,360 Countries would know - "okay, 134 00:12:02,360 --> 00:12:07,301 we're not going to interfere within those spheres of influence". 135 00:12:07,301 --> 00:12:12,410 Today in a technological sphere of influence, 136 00:12:12,410 --> 00:12:16,310 It's really difficult to say you can exclude anyone from that sphere of influence. 137 00:12:16,310 --> 00:12:26,090 If you're China and export technology to Egypt and subvert the technology, 138 00:12:26,090 --> 00:12:30,350 it means that you have a privileged capability to access that technology. 139 00:12:30,350 --> 00:12:33,350 It doesn't prevent other countries from access. 140 00:12:33,350 --> 00:12:40,730 Influence on a country's governance (how they perceive technology), 141 00:12:40,730 --> 00:12:47,570 if they can shape ideas... e.g., the US within the Freedom Online Coalition. 142 00:12:47,570 --> 00:12:52,220 The US has a strong influence on how those countries perceive technology. 143 00:12:52,220 --> 00:13:00,410 You have that vision of the Internet, and you shape the norms that control technology. 144 00:13:00,410 --> 00:13:04,872 That's technological spheres of influence, 'technospheres' for short. 145 00:13:04,872 --> 00:13:07,340 ARI: Take us through technospheres! 146 00:13:07,340 --> 00:13:09,890 Technospheres is a term that I coined. 147 00:13:09,890 --> 00:13:18,380 China supplies of a lot of technology to Zimbabwe, Egypt, 148 00:13:18,380 --> 00:13:26,390 Thailand... that means that [China] can build back doors if they want to. 149 00:13:26,390 --> 00:13:31,460 That means it has a privileged capability to control technology in these countries. 150 00:13:31,460 --> 00:13:40,580 It has a strong influence on how those countries perceive and use technology. 151 00:13:40,580 --> 00:13:45,300 [Egypt might say] "We love what China is doing in terms of surveillance and... 152 00:13:45,300 --> 00:13:49,970 "... censorship", and they'll do it in a similar way. 153 00:13:49,970 --> 00:13:51,890 And that's what a technosphere is. 154 00:13:51,890 --> 00:13:55,649 We can see those technospheres now emerging within the world, 155 00:13:55,649 --> 00:14:01,790 and those technospheres usually entail major hegemon, whether Russia, 156 00:14:01,790 --> 00:14:10,920 China, the US, but also the EU, through their ability to shape privacy regulations. 157 00:14:10,920 --> 00:14:15,830 In all these layers and ways in different countries, technospheres 158 00:14:15,830 --> 00:14:19,820 emerging [means] smaller countries will be drawn into spheres of influence, 159 00:14:19,820 --> 00:14:23,496 where they will be pushed by major countries to take sides. 160 00:14:23,496 --> 00:14:27,260 A technosphere is a privileged capability 161 00:14:27,260 --> 00:14:34,640 by a major hegemon to access or control technology within another country. 162 00:14:34,640 --> 00:14:44,120 It's also the ability of that hegemon to influence the governance of technology. 163 00:14:44,120 --> 00:14:48,540 ARI: I don't know what a hegemon is, and I'm really curious...? 164 00:14:48,540 --> 00:14:53,830 VALENTIN: A hegemon is a very powerful country that has a lot of 165 00:14:53,830 --> 00:14:59,690 influence over smaller countries (referred to as 'vassal' countries). 166 00:14:59,690 --> 00:15:04,260 There is a strong hierarchical nature between two countries where a 167 00:15:04,260 --> 00:15:11,120 hegemon can direct or influence what's happening in a less powerful country. 168 00:15:11,120 --> 00:15:16,610 Examples are: US, China, Russia. Regional hegemon: Iran, Saudi Arabia. 169 00:15:16,610 --> 00:15:18,470 CLAUDINE: So what's next for you? 170 00:15:18,470 --> 00:15:22,982 VALENTIN: I was always drawn towards think tanks, they provide a mixture 171 00:15:22,982 --> 00:15:27,220 between being able to do research and also organising 172 00:15:27,220 --> 00:15:33,540 events and being plugged into the policy world. I'll be joining one in Berlin. 173 00:15:33,540 --> 00:15:38,230 I'm very much looking forward to it. That's next for me. 174 00:15:38,230 --> 00:15:41,245 CLAUDINE: Where can people find you on the interwebs? 175 00:15:41,245 --> 00:15:43,420 VALENTIN: I have a website... 176 00:15:43,420 --> 00:15:49,840 https://valentinweber.com - I'm also on Twitter @weberv_ 177 00:15:49,840 --> 00:15:52,506 Also on LinkedIn. CLAUDINE: The last question, which we ask all of our guests: 178 00:15:52,506 --> 00:15:56,290 What is cyber security to you, Valentin? 179 00:15:56,290 --> 00:16:01,750 VALENTIN: Probably 80% of my day. You know, it's work, 180 00:16:01,750 --> 00:16:06,000 it's my friends, it's many things and 181 00:16:06,000 --> 00:16:14,890 it's been part of the last five years of my life, starting with the PhD at the CDT. 182 00:16:14,890 --> 00:16:22,000 Cyber security has so many categories that you can't be an expert in even two 183 00:16:22,000 --> 00:16:25,570 App[lication] security or supply chain security, hardware security. 184 00:16:25,570 --> 00:16:32,020 We continuously understand what it isn't. We're all plugged into cyberspace, 185 00:16:32,020 --> 00:16:35,890 everything's connected, the term is evolving every day. 186 00:16:35,890 --> 00:16:41,500 I can't give you a really good definition - the absence of surveillance, perhaps. 187 00:16:41,500 --> 00:16:43,270 CLAUDINE: That was our interview with Valentin. 188 00:16:43,270 --> 00:16:46,000 Join us next week for another fascinating conversation. 189 00:16:46,000 --> 00:16:50,440 In the meantime, you can tweet at us @HelloPTNPod 190 00:16:50,440 --> 00:16:54,730 And you can subscribe on Apple Podcasts or wherever you listen to podcasts. 191 00:16:54,730 --> 00:17:00,640 The title there is PTNPod. See you next week. ARI: Bye! 192 00:17:00,640 --> 00:17:05,810 CLAUDINE: This has been a podcast from the Centre for Doctoral Training in Cybersecurity, University of Oxford. 193 00:17:05,810 --> 00:17:10,695 Funded by the Engineering and Physical Sciences Research Council.