Tag: cyber security

Hacking and the Era of Fragile Secrets

Written with Christopher E. Whyte of George Mason University

What would it mean if a country couldn’t keep any secrets? 

The question may not be as outlandish as it seems. The hacks of the National Security Agency and the Democratic National Committee represent only the most recent signposts in our evolution toward a post-secrecy society. The ability of governments, companies, and individuals to keep information secret has been evaporating in lockstep with the evolution of digital technologies. For individuals, of course, this development raises serious questions about government surveillance and people’s right to privacy. But more broadly, the inability of governments to keep secrets foreshadows a potential sea change in international politics.

To be sure, the U.S. government still maintains many secrets, but today it seems accurate to describe them as “fragile secrets.” The NSA hack is not the first breach of American computer networks, of course, but the nature of the hack reveals just how illusory is our ability to keep secrets. The Snowden affair made clear that the best defense isn’t proof against insider threats. The Shadow Brokers hack – against the NSA’s own top hacker group – has now shown that the best defense isn’t proof against outsider threats either. Even if the Shadow Brokers hack is a fabrication and the information was taken from the NSA in other ways – a traditional human intelligence operation, for instance, where a man with a USB drive managed to download some files – it seems clear that we’re in an era of informational vulnerability.

And what is true for the federal government is even more clearly true for private organizations like the Democratic National Committee. The theft and release of the DNC’s email traffic – likely carried out by Russian government hackers – illustrates that it’s not just official government information at risk. Past years have made it clear that civil society organizations – both venerable (political parties, interest groups, etc.) and questionable (the Church of Scientology, for instance, was the target of a range of disruptive attacks in 2008-’09) – are as often the targets of digital intrusion as are government institutions.

At this point, it seems fair to think that there is no government or politically relevant information that couldn’t, at some point, find its way into the hands of a hacker. From there, it is just a short hop into the public domain.

Planning a Cybersecurity Auto-Immune Reaction

A Senate plan to give the president authority to seize control of the Internet in the event of emergency is security malpractice of the highest order. As I told C|Net’s Declan McCullagh, this is a plan for an auto-immune reaction. When something goes wrong with the Internet, the government will attack that infrastructure and make society weaker.

The Internet is the medium over which we communicate and self-organize. It’s where emergency response happens—where individuals learn what is happening, communicate it to others, compare notes with friends and loved ones, and determine appropriate responses. (Our appreciation for “first responders” should not be diminished by noting that they are typically second responders, taking over for private citizens who are almost always first on any scene.)

The Internet is also self-repairing. When weaknesses in it are exposed, that fact is communicated via Internet, and the appropriate fixes and patches are distributed via Internet. Seizing control of the Internet—to the extent the government can do that—would degrade society’s natural response to emergency, and it would undercut the Internet’s ability to self-heal.

This idea—of government authority taking over the Internet for our protection—fundamentally misunderstands the nature of the Internet, the nature of our society, and the type of government the Framers prescribed for us.

House to Get its Own House in Order

The headline strikes fear: “House Takes Steps to Boost Cybersecurity,” says the Washington Post.

What boondoggle are they embarking on now?

Cybersecurity is hundreds of different problems that should be handled by thousands of different actors. The federal government is in no position to “fix” cybersecurity, as I testified in the House Science Committee earlier this year.

But this is a good news story. Realizing that its own cybersecurity practices are not up to snuff, the House of Representatives will be ramping up training for its staff.

Better awareness of the ins and outs of securing computers, data, and networks will disincline Congress to undertake a rash, sweeping “overhaul” of the systems and incentives that produce and advance cybersecurity.

This “Cyberwar” Is a Cybersnooze

The AP and other sources have been reporting on a “cyberattack” affecting South Korea and U.S. government Web sites, including the White House, Secret Service and Treasury Department.

Allegedly mounted by North Korea, this attack puts various “cyber” threats in perspective. Most Americans will probably not know about it, and the ones who do will learn of it by reading about it. Only a tiny percentage of people will notice the absence of the Web sites attacked. (An update to the story linked above notes that several agencies and entities “blunted” the attacks, as well-run Web sites will do.)

This is the face of “cyberwar,” which has little strategic value and little capacity to do real damage. This episode also underscores the fact that “cyberterrorism” cannot exist – because this kind of attack isn’t terrifying.

As I said in my recent testimony before the House Science Committee, it is important to secure web sites, data, and networks against all threats, but this can be done and is being done methodically and successfully – if imperfectly – by the distributed owners and controllers of all our nation’s “cyber” assets. Hyping threats like “cyberwar” and “cyberterror” is not helpful.

Morozov vs. Cyber-Alarmism

I’m no information security expert, but you don’t have to be to realize that an outbreak of cyber-alarmism afflicts American pundits and reporters.

As Jim Harper and Tim Lee have repeatedly argued (with a little help from me), while the internet created new opportunities for crime, spying, vandalism and military attack, the evidence that the web opens a huge American national security vulnerability comes not from events but from improbable what-ifs. That idea is, in other words, still a theory. Few pundits bother to point out that hackers don’t kill, that cyberspies don’t seem to have stolen many (or any?) important American secrets, and that our most critical infrastructure is not run on the public internet and thus is relatively invulnerable to cyberwhatever. They never note that to the extent that future wars have an online component, this redounds to the U.S. advantage, given our technological prowess.  Even the Wall Street Journal and New York Times recently published breathless stories exaggerating our vulnerability to online attacks and espionage.

So it’s good to see that the July/August Boston Review has a terrific article by Evgeny Morozov taking on the alarmists. He provides not only a sober net assessment of the various worries categorized by the vague modifier “cyber” but even offers a theory about why hype wins.

Why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts.

I agree.

Cyber Security “Facts”

National Journal’s “Expert Blog” on National Security asked me late last week to comment on the question, “How Can Cyberspace Be Defended?” My comment and others went up yesterday.

My response was a fun jaunt through issues on which there are no experts. But the highlight is the response I drew out of Michael Jackson, the former #2 man at the Department of Homeland Security.

It does little to promote serious discourse about the truly grave topic of cyber security threats to begin by ridiculing DHS and DOD as “grasping for power” or to suggest that President Obama has somehow been duped into basing his sensible cyber strategy on “a lame and corny threat model called ‘weapons of mass disruption.’” It shows ignorance of the facts to deny that cyber vulnerabilities do indeed present the possibility of “paralyzing results.”

Jackson neglects to link to a source proving the factual existence of “paralyzing” threats to the Internet – he’d have to defeat the Internet’s basic resilient design to do it. (Or he has collapsed the Internet, the specific way of networking I was talking about, with “cyber” – a meaningless referent to everything.) But the need for tight argument or proof is almost always forgiven in homeland security and cyber security, where the Washington, D.C. echo-chamber relentlessly conjures problems that only an elite bureaucracy can solve.

In another comment – not taking umbrage at mine, but culturally similar to Jackson’s – Ron Marks, Senior Vice President for Government Relations at Oxford-Analytica, says, “Cyberterrorism is here to stay and will grow bigger.” The same can be said of the bogeyman, but the bogeyman isn’t real either.

(To all interlocutors: Claiming secrecy will be taken as confessing you have no evidence.)

Jackson’s close is the tour de force though: “Good people are working hard on these matters, and they deserve our unwavering financial and personal support. For now and for the long-term.”

A permanent tap on America’s wallets, and respect on command? Sounds like “grasping for power” to me.

Awesome, Fearsome, Awesome - Or Maybe Silly

This video is making the rounds because Senator Jay Rockefeller (D-WV) muses in it that perhaps the Internet shouldn’t have been invented.

He immediately grants, “That’s a stupid thing to say” - perhaps for political reasons, or perhaps because he recognizes that the Internet makes us much better off despite every risk it carries and security flaw in it.

But he goes on to overstate cybersecurity risks excessively, breathlessly, and self-seriously. Not quite to the point of stupid - maybe we can call it “silly.”

The Department of Defense, he says, is “attacked” three million times a day. Well, yeah, but these “attacks” are mostly repetitious use of the same attack, mounted by “script kiddies” - unsophisticated know-nothings who get copies of others’ attacks and run them just to make trouble. The defense against this is to continually foreclose attacks and genres of attack as they develop, the way the human body develops antibodies to germs and viruses.

It’s important work, and it’s not always easy, but securing against attacks is an ongoing, stable practice in network management and a field of ongoing study in computer science. The attacks may continue to come, but it doesn’t really matter when the immunities and failsafes are in place and continuously being updated.

More important than this kind of threat inflation is the policy premise that the Internet should be treated as critical infrastructure because some important things happen on it.

Of cyber attack, Rockefeller says, “It’s an act … which can shut this country down. Shut down its electricity system, its banking system, shut down really anything we have to offer. It is an awesome problem.”

Umm, not really. Here’s Cato adjunct scholar Tim Lee, commenting on a report about the Estonian cyber attacks last year:

[S]ome mission-critical activities, including voting and banking, are carried out via the Internet in some places. But to the extent that that’s true, the lesson of the Estonian attacks isn’t that the Internet is “critical infrastructure” on par with electricity and water, but that it’s stupid to build “critical infrastructure” on top of the public Internet. There’s a reason that banks maintain dedicated infrastructure for financial transactions, that the power grid has a dedicated communications infrastructure, and that computer security experts are all but unanimous that Internet voting is a bad idea.

Tim has also noted that the Estonia attacks didn’t reach parliament, ministries, banks, and media - just their Web sites. Calm down, everyone.

But in the debate over raising the bridge or lowering the river, Rockefeller is choosing the policy that most enthuses and involves him: Get critical infrastructure onto the Internet and get the government into the cyber security business.

That’s a recipe for disaster. The right answer is to warn the operators of key infrastructure to keep critical functions off the Internet and let markets and tort law hold them responsible should they fail to keep themselves operational.

I have written elsewhere about maintaining private responsibility for cyber security. My colleague Ben Friedman has written about who owns cyber security and more on the great cyber security freakout.