Read @War: The Rise of the Military-Internet Complex Online

Authors: Shane Harris

Tags: #Computers, #Non-Fiction, #Military, #History


Of course, credit card companies have been using fraud-detection systems for years, but they've only recently begun marketing them as a lifestyle service, in response to their customers' dawning awareness that they and their money are vulnerable online. Our hip cardholder gets an alert on his iPhone and, standing in the middle of a crowded street, informs American Express that, no, he didn't authorize that $1,245 purchase made nine seconds ago on an electronics website. He relaxes over lunch at a diner and confidently plops down his Amex card, knowing that he's “a member of a more secure world.” The message is inescapable. You can be safe. (You should want to be safe.) But it's going to cost you.

 

In February 2014, the Obama administration came out with a set of voluntary cyber security guidelines and “best practices” that it encouraged companies to adopt. But it wouldn't force them to do so. “At the end of the day it's the market that's going to drive the business case” and determine whether companies follow the guidelines, said a senior administration official.

Companies will also be responsible for the most innovation in cyber security—the new tools and techniques to keep data safe, and to attack their adversaries. Cyber security companies will attract the most highly skilled employees because they'll pay vastly higher salaries than government agencies and militaries. The government will never be able to offer competitive wages to skilled technology workers. To attract talent, the government and the military will offer the promise of adventurous work—espionage, combat—and will appeal to a sense of duty and honor that has always been the allure of public service. But this won't be sufficient to address the security shortcomings that the government will face, particularly in the civilian agencies where security in some organizations is still appallingly inadequate. You're far more likely to call the Veterans Affairs Department, which has repeatedly lost track of patient information, including their Social Security numbers and other sensitive records, than you are the CIA, which practices generally good defense. And yet the places in government where citizens' information is most vulnerable are usually the least defended.

Agencies that can't hire their own defenders will hire the corporations, whose ranks are stocked with well-trained former government and military personnel, and whose leaders were once themselves in charge of so many of the government's cyber security programs and operations. Public service is already seen as a pathway to private enrichment. Government agencies and the military now plan for the fact that most new employees stay long enough to acquire training, a top-secret security clearance (an absolute requirement for cyber security work), and a base of professional contacts and acquaintances before heading off to industry. This is the classic revolving door between government and business. It will spin faster.

The US government will continue sharing classified threat signatures with Internet service providers, who will use them to scan their customers' traffic. That means your e-mail, your web searches, the sites you visit. Congress will have to enact laws for some of this security by government proxy to happen more frequently than it does now. The service providers, as well as other companies that store and transmit personal information, have demanded assurances that if they give data to the government, they won't be held liable for any privacy violations that might occur with how it's handled. Some of these companies also want to be given immunity in case they fail to respond to a cyber attack that results in physical damage or loss of information. Once those liability protections are in place, the government will look to Internet service providers in particular to mount a more forceful defense of cyberspace.
These five thousand or so providers and carriers that effectively run the infrastructure of cyberspace will be expected to stop selling Internet domains to cybercriminals; to shut down service to known or suspected malicious actors; and to reroute or cut off traffic during a major cyber attack.

Some observers have likened today's cybercriminals and malicious hackers to pirates in seventeenth-century Europe.
The comparison is apt and instructive. English pirates once roamed the open seas, harassing commercial traders and bedeviling more powerful sovereign navies, mainly the Spanish. Chinese cyber spies are like those pirates, operating on behalf of their government but with enough remove or obfuscation to create plausible deniability, so that the government can claim to be powerless to rein them in. At the highest levels of government, this façade is eroding. US officials have privately and publicly called on the Chinese government to end the cyber piracy all sides know it's committing. But in that same vein of piracy, governments might employ cyber privateers to combat threats. The modern equivalent of a letter of marque, or a traditional bounty system, may be employed to allow private cyber warriors to attack criminals and spies, or at least to employ the euphemistic “active defense” that is the trademark of the NSA. To be sure, the state of cyber security would have to be far worse than it is now for governments to resort to such mercenary tactics. But the companies with the requisite skills for the job are in business today. It might seem implausible, but it's not at all impossible that a government could grant special exemptions to certain firms allowing them to hack back against dangerous targets, especially during a major cyber attack that threatened critical infrastructure.

Governments will still forbid companies from launching private cyber wars—that includes hacking back as retaliation for a theft or an attack on a privately owned network. But there will have to be rules that recognize the legitimate right to self-defense. Will these rules take the form of law? Perhaps in the long run. But in the nearer term they will take the form of generally accepted norms of behavior, and they will be extremely difficult to regulate. As soon as one company hacks back in self-defense, another will feel justified in doing the same, even if the law doesn't expressly allow it. Private cyber wars are probably inevitable. Someday soon a company is going to bait intruders with documents loaded with viruses that destroy the intruder's network when opened. That provocation will escalate into a duel. Then governments will have to step in to defuse the crisis or—in the worst case—forcefully respond to it.

But to protect people from day-to-day threats, which pose less risk to life and limb, companies will create Internet safe zones. Banks have tried to get rid of the .com domain name for their websites and replace it with .bank or with their company name. They hope this will signal to customers that they're communicating with a legitimate bank and not a scam site. But companies will also build entire cyber infrastructures in which security is rooted in the foundations, and where traffic is more actively and closely patrolled than it is on the public Internet. These will be the online equivalent of gated communities. And like any private organization, its owners may restrict membership, write and enforce rules, and offer special benefits, namely, safety. Imagine all the services you rely on in your daily life—your bank, your e-mail service, your favorite stores—running in this private network, or in several of them. Inside, the owner scrutinizes traffic for malware, alerts you to a potential theft or breach of your personal information, and keeps tabs on who's trying to get into the networks and keeps out any suspicious characters. It is, in effect, like the top-secret networks the military uses. It won't be impervious to assault—neither are the military's, as the Buckshot Yankee operation showed. But they will afford a higher level of security than what you have now in the mostly ungoverned expanse of the Internet.

Who would build such a community? Perhaps Amazon. In fact, it has already built a version—for the CIA. Amazon Web Services, which hosts other companies' data and computing operations, has a $600 million contract to build a private system, or cloud, for the spy agency. But unlike other clouds, which are accessed through the public Internet, this one will be run using Amazon's own hardware and network equipment. Amazon hasn't historically offered private clouds to its customers, but the CIA may be on the frontier of a new market.

In the near future, you may be spending more of your time inside these protected communities. And the price for entry will be your identity. The company will need to know who you are but, more important, where you and your computer or mobile device are physically located. The ability to attribute your location will help the safe zone know whether you are more likely a friend or a foe. And it will let them kick you out should you violate the rules. Anonymity will be perceived as a threat. It will mean you have something to hide, like a malicious hacker who masks his true location by hijacking a server in a different country. You will carry a credential, analogous to a photo ID or passport, that says you belong in the safe zone, and that you consent to its rules in exchange for protection. Security in cyberspace won't be your right. It will be your privilege. And you will pay for it.

 

The fundamental questions facing our future in cyberspace aren't whether we should govern it or create laws and rules to regulate behavior there. Ungoverned spaces fall apart. They're unhealthy. They become safe havens for criminals and terrorists. No one is seriously proposing a future with no rules. The dilemma is how much relative weight we give to security in cyberspace, and who should be responsible for it. Which transactions, and how many of them, do we subject to scrutiny? All e-mails? All web searches? All purchases? And by whom? Should people be allowed to opt out of a more secure cyberspace in favor of one that gives them anonymity? We've never recognized a right to remain anonymous. But cyberspace affords us the capability. And for many, it is the essence of free expression that the Internet is meant to foster. The US government embraced that concept when it helped to build Tor.

And what of privacy? Our vocabulary for describing that concept has been rendered useless by the pervasiveness of the surveillance state. Most of the information the US intelligence agencies collect on American citizens consists of logs and records, so-called metadata, that are not protected by the Fourth Amendment from search and seizure. When people talk about a right to privacy online, do they really mean a right to remain anonymous? To be unrecognizable to the surveillance state? From the government's perspective, that immediately makes one suspect. A potential threat. It's why the NSA ultimately devoted so much time to undermining the Tor network. Anonymity and collective security may be incompatible in cyberspace. They will certainly remain in tension for years to come.

We should be skeptical about entrusting governments alone to make the calculations necessary to balance those competing interests. Clandestine intelligence operations aren't the appropriate means of making sound, durable public policy. The NSA conducted mass warrantless surveillance of American citizens for nearly four years, a hidden program, parts of which were almost certainly illegal, that laid the foundations for the military-Internet complex. We didn't know it was rising until it was upon us.

By its own actions, which were directed by two presidents, the NSA has in many respects made the Internet less safe. By injecting malware into tens of thousands of computers and servers around the world, the agency could introduce new vulnerabilities on machines used by innocent people, putting them at greater risk of being attacked or spied upon by third parties, including their own governments. The agency has also made it harder for American companies to do business in a global economy. IBM, Hewlett-Packard, Cisco, and Microsoft all reported falling sales in China and other key markets in the wake of the NSA spying revelations. Foreign countries now view American technology, once the gold standard for performance and innovation, as tools of American spying. To be sure, companies bear a big share of the blame for this, to the extent that they participated in government surveillance programs or knowingly allowed the NSA to install backdoors in their systems. We should be skeptical, too, of corporations deciding how to balance the competing interests of civil liberties and security in cyberspace. But they will certainly have the most direct effect on the future shape of the Internet, and they're already taking steps—largely in opposition to NSA spying—to enhance the security of their products and services. Google, for instance, has now beefed up encryption on its e-mail service, making it harder for spies to read the private communications they intercept. That counts as a win for privacy-conscious consumers. Demand for more secure, potentially more anonymous technologies will fuel a new sector of the high-tech economy: surveillance-proofing yourself in cyberspace.

But the NSA is not the enemy. It's home to indispensable expertise about how to protect computers—and the people who use them—from malevolent actors, whether they're criminals, spies, or soldiers. The NSA and Cyber Command should build up their capacity to provide for the national defense. But the spy agency has maintained too tight a grip over Cyber Command's evolution. Cyber warfare is properly a military function, and the military, which is controlled by civilians and not soldiers or spies, should take the lead. It should be in charge of integrating cyber warfare into the armed forces' doctrine—just as every modern military in the world undoubtedly will. A future president may elect to separate the leadership of the NSA and Cyber Command, which would go a long way toward maintaining a competent and accountable cyber force.

But cyberspace is too vast, and too pervasive, to allow a single entity to govern it or to dictate the norms of behavior. There is no neat way to define cyberspace. It's not a commons. But it's not private. We have come to depend on it as a public utility—like electricity and water. But it's still mostly a collection of privately owned devices. Fortunately, we are at the dawn of a new age, not its twilight, and there is some time to consider this conundrum, which has confounded every discussion about the nature of this space to which we seem inexorably tied.
