Performance, Applications and Security Lab (電腦效能應用與安全研究室)


Our research spans a wide range, from embedded systems and mobile applications to cloud computing, business applications and information security.
We have many research partners, including MediaTek, IBM, Academia Sinica and the Institute for Information Industry, and we form joint R&D teams with professors from NTU, NTHU and NCTU
to research and innovate on key technologies such as high-end application processor architecture, virtualization, heterogeneous computing and system software. We care deeply about the future of Taiwan's talent and industry.

Monday, 7 April 2014

Can the Service Trade Agreement open up the ICT industry? Look at how the UK views national security issues

A friend passed me a document: a report published last June by the UK on the national security issues around ICT equipment. If you care about this issue, read along with me.

Foreign involvement in the Critical National Infrastructure - The implications for national security 
(https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/205680/ISC-Report-Foreign-Investment-in-the-Critical-National-Infrastructure.pdf)

The title can be translated as "The implications for national security of foreign companies' involvement in critical national infrastructure". Its twenty-odd pages deal with the information security issues of the ICT industry, and the vast majority concern China's Huawei.

First, before reading a document closely, I make a habit of understanding its background.

Please turn to p.27. This report was produced by the Intelligence and Security Committee (ISC) so that the Prime Minister has adequate material for reporting to Parliament. It is also public, so the general public can scrutinise it. Regrettably, we have no such document. Whose fault is that?

The ISC is an interesting government body: its members are nominated by Parliament and appointed by the Prime Minister, it answers directly to the Prime Minister, and it oversees the UK's three major intelligence agencies, the Security Service (MI5), the Secret Intelligence Service (MI6) and the Government Communications Headquarters (GCHQ). It is roughly equivalent to our National Security Council (King Pu-tsung has just taken over as its Secretary-General).

Does our government have a report like this? If it does, has it been made public for the whole nation to examine?

I am no expert in politics, so I looked it up. Here is a news report from 3/10 (http://ppt.cc/chdf): "In reply to questions, Tsai De-sheng said the National Security Bureau had convened 41 departments and agencies on 14 February to carry out a careful assessment, and the report had been sent to the Legislative Yuan as a classified document. After all these days every ministry had mobilised and completed its security-control assessment, and 'as things stand now, the risk is not very large'."

Oh, our National Security Bureau is truly impressive: it took only 24 days to complete the assessment and tell the public "as things stand now, the risk is not very large". Since the report is classified, we cannot see it. And when reporting he did not forget to add the words "as things stand now", so if problems arise in the future it will not be his fault.

But do not forget: the National Security Bureau is not the National Security Council. It is the counterpart of MI5/MI6, and the regulation of ordinary commercial ICT equipment and its security issues does not fall under its jurisdiction; that belongs to the NCC, our counterpart of Britain's GCHQ. So this matter should really go up to the level of the National Security Council, but our National Security Council seems not to deal with it, and does not have to answer questions before the legislature either.

So has the NCC done anything? Regrettably, according to a news report of 3 April (http://ppt.cc/SWKE): "Legislator Kuan Bi-ling asked whether the NCC had participated in the negotiations over the telecommunications items to be opened under the Service Trade Agreement, and whether the opened items had been proposed by mainland China. Shih Shih-hao replied that the NCC had not attended the meetings"

So, at the very moment that the UK is carefully examining the security implications of the rise of China's Huawei, every agency of our government has been mobilised to promote one message, "the benefits of the Service Trade Agreement outweigh the costs", pushing it in front of the people like a broken record, without showing us a single convincing report.

These broken-record statements usually collapse at the first push, yet the government seems firmly convinced that the agreement must be signed, and that if it just keeps repeating the message it will eventually get it through. Its scheme seems to be: "get married first, pocket the betrothal gift, and divorce if things go wrong". This unseemly analogy is extended from President Ma's own words. He seems to have forgotten one thing: once you marry into a traditional extended family of old, you are bound by the three obediences and four virtues; there is no such thing as divorce.

National security is not something to be sloppy about. If the Taiwanese government's approach described above does not count as sloppy, what does?
Let's see what young people are saying:

  • The state is destroying our future; why are we not entitled to be angry? (http://ppt.cc/HD8s)
  • What the service-trade officials' remarks about the internet reveal about the crux of government dysfunction (http://mmdays.com/2014/04/06/gov_fails/)

So, what do you say: shouldn't we first ask the government to get its facts straight before signing this Service Trade Agreement?

Still, complaining aside, let us help ourselves and see from this report how the British think about it.

- On p.4, right at the outset, it says:
1. ... In the UK, the Critical National Infrastructure (CNI) is now largely in the hands of private enterprises that are driven by commercial considerations. However, given the importance of the CNI, the decisions they take may have wider implications for national security.
The decisions private enterprises make about commercial infrastructure have a very large impact on national security.

3. There is, potentially, a conflict between the commercial imperative and national security, as a result of increasing private ownership of CNI assets combined with the globalisation of the telecommunications marketplace. It is important to ensure in such situations that the correct balance is struck: Government must be clear what its strategy is when it comes to deployment of equipment – particularly where this has been developed or manufactured by foreign companies – within the UK’s CNI and have effective processes in place for considering these issues. We have considered the relationship between BT and Huawei in this context.
Because of privatisation and globalisation there is a potential conflict between commercial interests and national security. When deploying such equipment, especially equipment developed and manufactured abroad, the government must have a very clear strategy and effective rules to ensure a balance between commercial interests and national security. We take BT and Huawei as the subject of discussion here.

- On p.5~p.6, discussing Huawei:
5. ... In this context, the alleged links between Huawei and the Chinese State are concerning, as they generate suspicion as to whether Huawei’s intentions are strictly commercial or are more political.
Huawei's various links to China are cause for concern, because they make the public doubt whether Huawei's motives are purely commercial or political.

6. However, Huawei strenuously denies that it has direct links with the Chinese Government or military, claiming that it receives no financial support from the Chinese Government and that it is 98.6% owned by its employees. Nevertheless, *** there is a lack of clarity about its financial structures.
However, Huawei flatly denies any links with the Chinese government or military and says it receives no government subsidy at all; yet its financial structure is unclear.

7. When questions first arose concerning Huawei’s links to the Chinese State, Huawei launched a large-scale PR campaign to demonstrate that they could be trusted as a telecommunications equipment supplier.
When Huawei's relationship with China was questioned, it launched a large volume of PR advertising in an attempt to portray itself as a trustworthy telecommunications equipment manufacturer.

9. Huawei’s PR campaign appears to have fallen flat thus far, as other countries have taken an increasingly critical stance towards the company’s involvement in their national telecommunications networks. In the US, the House Permanent Select Committee on Intelligence (HPSCI) recently published a scathing assessment of Huawei’s reliability in an ‘Investigative Report on the US National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE’.9 Their report concluded that “the risks associated with Huawei and ZTE’s provision of equipment to US critical infrastructure could undermine core US national-security interests”. Meanwhile, the Australian Government has decided, reportedly on national security grounds, to exclude Huawei from involvement in their National Broadband Network, a similar upgrade project to that being pursued in the UK by BT (albeit that the Australian network is owned and funded by the Australian Government).
Huawei's PR campaign has not gone smoothly; other countries have gradually raised their guard. In the US, a recent congressional report pointed to the potential dangers in equipment supplied by Huawei and ZTE, which could harm core US national security. Meanwhile, on national security grounds, the Australian government has decided to bar Huawei from participating in building its National Broadband Network.

- Why does Huawei make these countries uneasy? The report lists many examples on p.8-10.
13. BT first notified Government officials in 2003 of Huawei’s interest in the 21st Century Network contract. However, the Committee has been told by the Cabinet Office that officials chose not to refer the matter to Ministers, or even inform them, until 2006, a year after the contract had been signed. The Committee sought to understand the reasons behind this failure:...
BT, the counterpart of Chunghwa Telecom, says it informed government officials in 2003 of Huawei's interest in the "21st Century Network" project, but those officials did not tell the Cabinet ministers about Huawei's involvement right up until the contract was signed in 2006. This failure is one whose underlying causes we should get to the bottom of:
+ First, the officials' account is that even if they had notified their superiors, there was no law under which Huawei's participation could be prohibited, so notifying them would have been pointless.
+ However, this was a mistaken understanding: the Cabinet in fact knew about these deals and had the power to stop them, but the financial and political cost of stopping them was too high.
+ In this case the government's focus was on commercial interests; national security issues were not considered.
This is a failure that cannot be justified at all; a decision of this magnitude must be made by the Cabinet.

The next few points of the review I will leave for you to read yourselves; I will not translate them. They really are serious about self-examination. Let's jump to the bold text at the end of this section:
The Government’s duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences, or lack of appropriate protocols. However, a lack of clarity around procedures, responsibility and powers means that national security issues have risked, and continue to risk, being overlooked.
The government's duty to protect the safety of its citizens must never be compromised out of fear of economic loss or for lack of a proper system. Yet, for lack of clear measures and clear allocation of responsibility, national security has been put at risk, and remains at risk, of being overlooked.

The BT/Huawei relationship began nearly ten years ago; the process for considering national security issues at that time was insufficiently robust. The Committee was shocked that officials chose not to inform, let alone consult, Ministers on such an issue. We are not convinced that there has been any improvement since then in terms of an effective procedure for considering foreign investment in the Critical National Infrastructure (CNI).
BT and Huawei have had a relationship for nearly ten years, yet there was no sufficiently reliable system to handle the national security issues involved. Our Committee was shocked that officials did not even inform their superiors, let alone let the ministers look into these issues. As for foreign companies' participation in critical national infrastructure, we do not believe the government has made any improvement to date.

- The following concerns risk:

19. *** the Security Service had already told us in early 2008 that, theoretically, the Chinese State may be able to exploit any vulnerabilities in Huawei’s equipment in order to gain some access to the BT network, which would provide them with an attractive espionage opportunity. Furthermore, the Committee understands that the Joint Intelligence Committee (JIC) had previously warned that if a hostile actor were to exploit such an opportunity, an attack “would be very difficult to detect or prevent and could enable the Chinese to intercept covertly or disrupt traffic passing through Huawei supplied networks”. *** these assessments underline what could, theoretically, be at stake through Huawei’s involvement in the UK’s CNI.
The Security Service (the UK counterpart of our NSB) told us that, theoretically, this Huawei equipment offers China a tempting opportunity for espionage, and the Joint Intelligence Committee (JIC) had also warned that a hostile attack exploiting such an opportunity would be very difficult to detect or prevent, and would allow China to covertly intercept and disrupt our information networks.

- Bold text on page 12: While we note GCHQ’s confidence in BT’s management of its network, the software that is embedded in telecommunications equipment consists of “over a million lines of code” and GCHQ has been clear from the outset that “it is just impossible to go through that much code and be absolutely confident you have found everything”. There will therefore always be a risk in any telecommunications system, worldwide. What is important is how it is managed, or contained.
The software inside this telecommunications equipment contains over a million lines of code; GCHQ simply cannot verify it all, there will always be latent danger inside, and the key is how to manage and contain that danger.

- Page 13 lists the measures the UK government's GCHQ requires Huawei to cooperate with in order to raise its trustworthiness, but also admits that Huawei is not necessarily very proactive (“on occasions there has been pushback from Huawei senior staff who have been seeking to reduce the overheads associated with the [requirements]”).

- In point 28, the report notes that because Huawei hopes to use its cooperation with the UK to prove its trustworthiness to the world, it has after all put great effort and money into the security evaluation centre nicknamed "the Cell" (Cyber Security Evaluation Centre); it therefore warns the government not to be complacent, and that security measures must still be tightened.

- Point 31: since most ICT equipment is already developed or manufactured in China, not buying this equipment is not a good option.

- Point 33: so the risk management approach is what matters. The government must have proper procedures to assess and manage these risks, and the key is that this process must be fully integrated into the system, both before and after contracts are signed, and must never be an afterthought.

- The report's conclusions basically restate the key points I translated above, and end with a summary:
We do not believe that these crucial requirements existed when BT and Huawei first began their commercial relationship. From the evidence we have taken during this investigation, the procedural steps that we have outlined still do not appear to exist. However, as we went to press, we were told that the Government has now developed a process to assess the risks associated with foreign investment into the UK. Whether these processes are sufficiently robust remains to be seen: the steps we have outlined must exist to ensure that Government does not find itself in the same position again.
We do not believe the UK was properly prepared before dealing with Huawei; only after we applied pressure did the government tell us it now has a risk assessment system in place. We wait to see whether these systems work: the measures we set out in the report are what is needed to ensure the government does not fall into the same hole again.

I will stop translating here. For the parts I did not translate or translated incorrectly, if someone can take over the translation and discussion, I can save some time.

Look at how this British government body rigorously examines the government itself, then look back at how things are run at home: what do you think? Beyond the technical problems, the first thing the report examines is political. Even the British government could not resist Huawei's enormous capital and cheap equipment; how much less could Taiwan?

The report says buying the equipment is unavoidable, but there must be risk assessment and management measures. Has our government proposed any measure at all, beyond saying "as things stand now, the risk is not very large"? If the government will not propose measures to reassure the public, are we the public supposed to propose them ourselves?

Which is the greater risk, buying equipment or bringing in ICT network services? The latter, of course! Equipment can still be monitored and managed; when they send in a team of people, how do you manage that? There is no way the UK would let foreigners run its basic national ICT network services.

Is this a national security issue? I know "White Wolf" certainly does not think so. I belong to no party, but as long as Taiwan's current status is that of an independent polity, we should work to protect national sovereignty and the people's safety, should we not?

The Ministry of Economic Affairs and the NCC, together with telecom operators and publicly funded foundations such as the Institute for Information Industry, held a press conference criticising professors for lacking practical experience... I can read this report in one hour and spend three hours translating the key points for everyone; government, try finding someone to do the same. What has the government done to reassure the public and win its trust, other than repeating that the risk is not large? What system has it designed and deliberated?
