• United States



Maybe Siemens should pay more attention to who uses its stuff

Aug 24, 20115 mins
Data and Information Security

Updated to include reader feedback.

News that Siemens-Nokia tech may have been used as instruments of injustice makes me think it’s time for vendors to reconsider some of the people they do business with.

This is tricky ground, because a lot of people, organizations and nations use technology in harmless, honest ways.

As one of my contacts on Google+ noted, “If I buy a hammer, I will usually use it for its designed purpose – hammer on nails. Does that mean that all producers of hammers should be (or are) responsible for people using a hammer to torture someone with?”

Another friend noted that some countries use defibrillators for torture. Does that mean we stop selling defibrillators where they are needed, he asked.

Good points. But I don’t see this as a case of a few crazy people buying guns and shooting people. This is more about dealing with regimes that can turn around and do harm to a much larger group of people.

When I look at how we have been seeing Siemens in the headlines of late, it’s getting harder to believe it’s completely unaware of what some foreign-government customers are doing. I know some great people who work for Siemens and it’s a massive company with its hand in many places. I don’t think you can reasonably expect a company of that size to keep an eye on every single customer. But if the customer is a government operation known for unsavory activities, I have to wonder if there can’t be a better way.

This is swimming in my head after reading an article in the October issue of Bloomberg Markets magazine called “Torture in Bahrain Becomes Routine With Help From Nokia Siemens.”

I found the opening paragraphs particularly disturbing:

The interrogation of Abdul Ghani Al Khanjar followed a pattern.

First, Bahraini jailers armed with stiff rubber hoses beat the 39-year-old school administrator and human rights activist in a windowless room two stories below ground in the Persian Gulf kingdom’s National Security Apparatus building. Then, they dragged him upstairs for questioning by a uniformed officer armed with another kind of weapon: transcripts of his text messages and details from personal mobile phone conversations, he says.

If he refused to sufficiently explain his communications, he was sent back for more beatings, says Al Khanjar, who was detained from August 2010 to February.

“It was amazing,” he says of the messages they obtained. “How did they know about these?”

The answer: Computers loaded with Western-made surveillance software generated the transcripts wielded in the interrogations described by Al Khanjar and scores of other detainees whose similar treatment was tracked by rights activists, Bloomberg Markets magazine reports in its October issue.

The spy gear in Bahrain was sold by Siemens AG (SIE), and maintained by Nokia Siemens Networks and NSN’s divested unit, Trovicor GmbH, according to two people whose positions at the companies gave them direct knowledge of the installations. Both requested anonymity because they have signed nondisclosure agreements. The sale and maintenance contracts were also confirmed by Ben Roome, a Nokia Siemens spokesman based in Farnborough, England.

This isn’t the first time we’ve heard of Siemens technology being used by oppressive regimes. In the most famous case, Siemens technology was targeted with Stuxnet to kick Iran’s nuclear program below the belt. That’s the widely-held belief among researchers, anyway.

Of course, the case of Stuxnet is different from what’s going on in this latest report out of Bahrain. Different technologies are involved in each, and while one story is about using it to steal someone’s information so it can be used against them during a vicious interrogation, the other is about flaws in an industrial control system being exploited to sabotage an operation.

But it’s hard to look at either case and think of Siemens as a complete innocent who has simply been taken advantage of by the bad guys.

A few years ago, I visited Eugene Kaspersky and asked him why so much malware was coming from Russia. He explained that the guys writing the code saw it as them simply doing a job. They just made the stuff. They weren’t the one’s using it for attacks.

Just like the guys making the nuclear weapons during the Cold War.

Come to think of it, a lot of those guys were products of the Cold War, left in want of work after the Soviet Union — and their old jobs — evaporated. Morals weren’t as important as money. Times were desperate and families had to be fed.

Back then my thought was this: People and companies whose technology can be used for evil have a responsibility to pay attention to who uses it and and how. Today’s events make me feel the same way.

I’m not trying to suggest that vendors have evil intentions. I don’t think they do.

But now that it’s becoming apparent just how much the bad guys are using them, it’s time for Siemens and other giant tech providers to step up to the plate and take some action.

Surely there’s a way to track how your own technology is used? Surely, there’s a point where you are willing to pull your business from certain countries because it’s the right thing to do?

Maybe I’m being naive.

But I suspect I’m not the only one who feels this way.

–Bill Brenner

Sign up today.

Get your morning news fix with the daily Salted Hash e-newsletter!

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a