In the wake of last month’s massive Heartbleed security flaw, Chinese tech companies have stepped up and are now outspending their U.S. counterparts to secure the internet, including, as BuzzFeed has learned exclusively, a $50,000 per year sponsorship deal from the Chinese IT company Huawei.
Heartbleed, a critical flaw in the code of OpenSSL, the security toolkit used by many of the internet’s biggest sites, drew intense scrutiny to the work of OpenSSL’s Stephen Henson and Steve Marquess, who, as BuzzFeed revealed, along with a couple of other part-time developers, are working tirelessly to protect the internet on a shoestring budget.
Marquess, speaking to BuzzFeed for that article, explained that many big technology companies had approached him in the aftermath of the Heartbleed bug to begin negotiations around supporting the open-source project financially.
At the time, in an email to the OpenSSL development email group, Marquess wrote that “as appropriate funding becomes available, the OpenSSL team will expand to be bigger, better, and more effective.”
Stephen Henson affirmed in a subsequent email: “Changes are coming,” he wrote in late April, “big changes for the better.”
While money is coming in, it’s showing up from an unexpected region. Since the news of Heartbleed first broke, it has been Chinese companies who have run to ensure the future protection of the internet. “To date we’ve had only one outright donation from any U.S. company (not to diminish some significant funding via commercial contracts, of course),” Marquess tells BuzzFeed.
Of the companies that have donated, Globalsign, a web security certificate authority, has pledged an unspecified amount to the future development of OpenSSL. They join Acano Ltd, a United Kingdom-based firm, and Nokia, the Finnish cell phone company, both of whom have pledged an unspecified amount — but Nokia, at least, is listed on the OpenSSL website as a “platinum level” sponsor, meaning it has donated at least $50,000 per year to OpenSSL’s development.
However, the majority of the money directed to the OpenSSL project has come from Chinese private industry. A donation of 1 million renminbi ($160,000) was announced earlier this month by Smartisan Technology, a Chinese company run by Luo Yonghao, a 41-year-old former English teacher who taught himself the language.
“From initial contact to bank transfer took only 10 days,” explained Marquess, the founder of the OpenSSL Software Foundation, which received unsolicited interest from Smartisan and another Chinese company better known to the West: Huawei.
Huawei, based in Shenzhen, designs and builds tablets, cell phones, and routers for the consumer market, as well as numerous IT tools for industry and governments. In January it lost one high-profile customer, the U.K. government, when concerns were raised over the security of video conferencing software the government used made by the Chinese company.
Marquess confirmed exclusively to BuzzFeed that Huawei is currently in the process of signing a sponsorship deal with the OpenSSL Foundation, and will be bankrolling the development of the widely used security protocol to the tune of $50,000 a year. An official announcement is expected to be made later today.
These are “outright no-strings, no obligation, do-what-you-will-with-it donations,” stressed Marquess, who has long been adamant that OpenSSL will not be beholden to any vested interests. (He told BuzzFeed in late April, “It’s not even acceptable to me to rely entirely on funding from any one specific interest, whether they attach conditions or not. That would in and of itself be an undue influence.”)
Huawei’s signing of a sponsorship agreement with OpenSSL includes clauses that clarify sponsors cannot expect any quid pro quo or specialist treatment for their donation — something Marquess said he emphatically clarified, particularly given the language barrier.
“In the space of about a week suddenly the PRC [People’s Republic of China] is the source of the most no-strings donation/sponsorship funding that OpenSSL has ever received; either of those donations exceeds the sum total of every donation we’ve ever received in the past,” said Marquess. The cash may be enough, Marquess believes, to sustain a third full-time developer for OpenSSL for several years.
But the question of why Chinese companies and individuals — OpenSSL has received a flurry of private donations via PayPal, even though the payments website is not accessible on the Chinese mainland without using a virtual private network (VPN) — are backing OpenSSL is a curious one. The country is famed for its internet censorship, including its Great Firewall, which blocks information the ruling Communist Party views as unsuitable.
“Both Smartisan and Huawei noted that they use OpenSSL extensively, and that once they realized how under-resourced OpenSSL was they felt compelled to act,” Marquess told BuzzFeed. “I don’t see any reason to presume any less sincerity on their part that I would for any non-Chinese company.”
Far from funding Western-developed encryption, China has of late made the news for trying to break it. Five Chinese men, believed to be under the payroll of the Chinese government, last week were indicted by the U.S. Department of Justice for allegedly hacking into the IT systems of American businesses. Mandiant, a cyber security company, warned last year that a Chinese army unit, 61398, systematically probes Western computer security to steal secrets from IT systems. Of course, revelations made by Edward Snowden of United States government spying on online activities show most national governments engage in some form of espionage.
But for all the concerns surrounding Chinese sponsorship, perhaps an even more uncomfortable question is why U.S. companies — many of whom rely on the free tools OpenSSL developers maintain — have not stepped up to contribute the cash for what many realized last month was a vital part of our online infrastructure? And then there’s the issue of the curiously small size of the donations themselves. Why, in a year that has showed that U.S. tech giants won’t shy away from multibillion-dollar acquisitions, is the biggest donation to the outfit that protects many of the internet’s biggest website only $200,000?