Tag: Security

Some Thinking on “Cyber”

Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and – blamo! – I’m a cybersecurity expert.

Not really – but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.

First, “cybersecurity” is a term so broad as to be meaningless. Yes, we are constructing a new “space” analogous to physical space using computers, networks, sensors, and data, but we can no more secure “cyberspace” in its entirety than we can secure planet Earth and the galaxy. Instead, we secure the discrete things that are important to us – houses, cars, buildings, power lines, roads, private information, money, and so on. And we secure these things in thousands of different ways. We should secure “cyberspace” the same way – thousands of different ways.

By “we,” of course, I don’t mean the collective. I mean that each owner or controller of a prized thing should look out for its security. It’s the responsibility of designers, builders, and owners of houses, for exmple, to ensure that they properly secure the goods kept inside. It’s the responsibility of individuals to secure the information they wish to keep private and the money they wish to keep. It is the responsibility of network operators to secure their networks, data holders to secure their data, and so on.

Second, “cyber” threats are being over-hyped by a variety of players in the public policy area. Invoking “cyberterrorism” or “cyberwar” is near-boilerplate in white papers addressing government cybersecurity policy, but there is very limited strategic logic to “cyberwarfare” (aside from attacking networks during actual war-time), and “cyberterrorism” is a near-impossibility. You’re not going to panic people – and that’s rather integral to terrorism – by knocking out the ATM network or some part of the power grid for a period of time.

(We weren’t short of careless discussions about defending against “cyber attack,” but L. Gordon Crovitz provided yet another example in yesterday’s Wall Street Journal. As Ben Friedman pointed out, Evgeny Morozov has the better of it in the most recent Boston Review.)

This is not to deny the importance of securing digital infrastructure; it’s to say that it’s serious, not scary. Precipitous government cybersecurity policies – especially to address threats that don’t even have a strategic logic – would waste our wealth, confound innovation, and threaten civil liberties and privacy.

In the cacophony over cybersecurity, an important policy seems to be getting lost: keeping true critical infrastructure offline. I noted Senator Jay Rockefeller’s (D-WV) awesomely silly comments about cybersecurity a few months ago. They were animated by the premise that all the good things in our society should be connected to the Internet or managed via the Internet. This is not true. Removing true critical infrastructure from the Internet takes care of the lion’s share of the cybersecurity problem.

Since 9/11, the country has suffered significant “critical-infrastructure inflation” as companies gravitate to the special treatments and emoluments government gives owners of “critical” stuff. If “criticality” is to be a dividing line for how assets are treated, it should be tightly construed: If the loss of an asset would immediately and proximately threaten life or health, that makes it critical. If danger would materialize over time, that’s not critical infrastructure – the owners need to get good at promptly repairing their stuff. And proximity is an important limitation, too: The loss of electric power could kill people in hospitals, for example, but ensuring backup power at hospitals can intervene and relieve us of treating the entire power grid as “critical infrastructure,” with all the expense and governmental bloat that would entail.

So how do we improve the state of cybersecurity? It’s widely believed that we are behind on it. Rather than figuring out how to do cybersecurity – which is impossible – I urged the committee to consider what policies or legal mechanisms might get these problems figured out.

I talked about a hierarchy of sorts. First, contract and contract liability. The government is a substantial purchaser of technology products and services – and highly knowledgeable thanks to entities like the National Institutes of Standards and Technology. Yes, I would like it to be a smaller purchaser of just about everything, but while it is a large market actor, it can drive standards and practices (like secure settings by default) into the marketplace that redound to the benefit of the cybersecurity ecology. The government could also form contracts that rely on contract liability – when products or services fail to serve the purposes for which they’re intended, including security – sellers would lose money. That would focus them as well.

A prominent report by a working group at the Center for Strategic and International Studies – co-chaired by one of my fellow panelists before the Science Committee last week, Scott Charney of Microsoft – argued strenuously for cybersecurity regulation.

But that begs the question of what regulation would say. Regulation is poorly suited to the process of discovering how to solve new problems amid changing technology and business practices.

There is some market failure in the cybersecurity area. Insecure technology can harm networks and users of networks, and these costs don’t accrue to the people selling or buying technology products. To get them to internalize these costs, I suggested tort liability rather than regulation. While courts discover the legal doctrines that unpack the myriad complex problems with litigating about technology products and services, they will force technology sellers and buyers to figure out how to prevent cyber-harms.

Government has a role in preventing people from harming each other, of course, and the common law could develop to meet “cyber” harms if it is left to its own devices. Tort litigation has been abused, and the established corporate sector prefers regulation because it is a stable environment for them, it helps them exclude competition, and they can use it to avoid liability for causing harm, making it easier to lag on security. Litigation isn’t preferable, and we don’t want lots of it – we just want the incentive structure tort liability creates.

As the distended policy issue it is, “cybersecurity” is ripe for shenanigans. Aggressive government agencies are looking to get regulatory authority over the Internet, computers, and software. Some of them wouldn’t mind getting to watch our Internet traffic, of course. Meanwhile, the corporate sector would like to use government to avoid the hot press of market competition, while shielding itself from liability for harms it may cause.

The government must secure its own assets and resources – that’s a given. Beyond that, not much good can come from government cybersecurity policy, except the occassional good, long blog post.

Iraq’s Future Is Up to Iraqis

The U.S. is not yet out of Iraq, but American forces have pulled back from Iraqi cities.  Iraq’s future increasingly is in the hands of Iraqis.  And most Iraqis appear to be celebrating.

Reports the Washington Post:

This is no longer America’s war.

Iraqis danced in the streets and set off fireworks Monday in impromptu celebrations of a pivotal moment in their nation’s troubled history: Six years and three months after the March 2003 invasion, the United States on Tuesday is withdrawing its remaining combat troops from Iraq’s cities and turning over security to Iraqi police and soldiers.

While more than 130,000 U.S. troops remain in the country, patrols by heavily armed soldiers in hulking vehicles as of Wednesday will largely disappear from Baghdad, Mosul and Iraq’s other urban centers.

“The Army of the U.S. is out of my country,” said Ibrahim Algurabi, 34, a dual U.S.-Iraqi citizen now living in Arizona who attended a concert of celebration in Baghdad’s Zawra Park. “People are ready for this change. There are a lot of opportunities to rebuild our country, to forget the past and think about the future.”

On Monday, as the withdrawal deadline loomed, four U.S. troops were killed in the Iraqi capital, the military announced Tuesday. No details about the deaths were provided. Another soldier was killed Sunday in a separate attack.

The Bush administration never should have invaded Iraq.  The costs have been high: more than 4,000 dead American military personnel.  Tens of thousands more have been injured, many maimed for life.  Hundreds more military contractors and coalition soldiers have died.  And tens of thousands of Iraqis – certainly more than 100,000, though estimates above that diverge wildly. 

The U.S. has squandered hundreds of billions of dollars and the ultimate cost is likely to run $2 trillion or more, as the government cares for seriously injured veterans for the rest of their lives.  America’s fine fighting men and women have been stretched thin and America’s adversaries, most notably Iran, have been strengthened.  Yet another cause has been added to the recruiting pitch of hateful extremists seeking to do Americans and others harm.

Nevertheless, let us hope that Iraqis take advantage of the opportunity they now enjoy.  It will take enormous statesmanship and restraint to accommodate those of different faiths and ethnicities, forgive past crimes committed by Sunni and Shia forces, eschew violence for retaliation and revenge, resolve even bitter disagreements peacefully, and accept political defeat without resort to arms.

Other peoples who have suffered less have failed to surmount similar difficulties.  But it is no one’s interest, and especially that of the Iraqis, to lapse back into sectarian conflict and political tyranny.  Let us hope – and dare I suggest, pray? – that they prove up to the challenge.

Finally, an Ally That Doesn’t Wait for America

Washington’s willingness to toss security guarantees about the globe like party favors has encouraged other nations to do little for their own defense.  From the European, Japanese, and South Korean standpoint, why spend more when the Americans will take care of you?

But it looks like Australia takes a different view, and is willing to do more to defend itself and its region.  Reports the Daily Telegraph:

The latest defence White Paper recommends buying 100 advanced F-35 jet fighters and 12 powerful submarines equipped with cruise missiles, a capability which no other country in the region is believed to possess.

The “potential instability” caused by the emergence of China and India as major world powers was cited as the most pressing reason for this military build-up. In particular, Australian defence planners are believed to be concerned about China’s growing naval strength and America’s possible retreat as a global power in the decades ahead.

Chinese officials say their country’s growing power threatens no-one. Behind the scenes, Beijing is thought to be unhappy about Australia’s White Paper, with one Chinese academic saying it was “typical of a Western Cold War mentality”.

But the Chinese navy has almost doubled the number of secret, long-distance patrols conducted by its submarines in the past year. The reach of its navy is extending into Australian waters. China is also acquiring new amphibious assault ships that can transport a battalion of troops.

So instead of calling Washington to deal with Beijing, the Australians are building up their own navy.  Novel approach!  Now, how can we implant a bit of the Aussie character in America’s other friends around the globe?

Schneier and Friends on Fixing Airport Security

Security guru Bruce Schneier comes down on the strictly pragmatic side in this essay called “Fixing Airport Security.” Because of terrorism fears, he says, TSA checkpoints are “here to stay.” The rules should be made more transparent. He also argues for an amendment to some constitutional doctrines:

The Constitution provides us, both Americans and visitors to America, with strong protections against invasive police searches. Two exceptions come into play at airport security checkpoints. The first is “implied consent,” which means that you cannot refuse to be searched; your consent is implied when you purchased your ticket. And the second is “plain view,” which means that if the TSA officer happens to see something unrelated to airport security while screening you, he is allowed to act on that. Both of these principles are well established and make sense, but it’s their combination that turns airport security checkpoints into police-state-like checkpoints.

The comments turn up an important recent Fourth Amendment decision circumscribing TSA searches. In a case called United States v. Fofana, the district court for the southern district of Ohio held that a search of passenger bags going beyond what was necessary to detect articles dangerous to air transportation violated the Fourth Amendment. “[T]he need for heightened security does not render every conceivable checkpoint search procedure constitutionally reasonable,” wrote the court.

Application of this rule throughout the country would not end the “police-state-like checkpoint,” but at least rummaging of our things for non-air-travel-security would be restrained.

I prefer principle over pragmatism and would get rid of TSA.

Trading Washington for Tbilisi?

Alliances often are advanced, as with NATO expansion, as a cheap way of keeping the peace.  After all, it is said, no one would dare challenge America.  But while alliances can deter, deterrence can fail – with catastrophic consequences.  Both World Wars I and II featured failed alliances and security guarantees.  Oops!

If deterence fails, the guaranteeing state either has to retreat ignominously or plunge into war, neither of which is likely to be in America’s interest.  Moreover, promising to defend other nations encourages them to be irresponsible:  after all, why not adopt a risky foreign policy if Washington is willing to back you up, nuclear weapons and all?  It’s a form of moral hazard applied to foreign policy.

That appears to be the case with the country of Georgia.  There’s a lot of disagreement over the character of Mikhail Saakashvili’s government, even among libertarians.  But a new European Union panel has amassed evidence that President Saakashvili is a bit of a foreign policy adventurer.  Reports Spiegel online:

Unpublished documents produced by the European Union commission that investigated the conflict between Georgia and Moscow assign much of the blame to Georgian President Mikhail Saakashvili. But the Kremlin and Ossetian militias are also partly responsible.

From her office on Avenue de la Paix, Swiss diplomat Heidi Tagliavini, 58, looks out onto the botanical gardens in peaceful Geneva. The view offers a welcome respite from the stacks of documents on her desk, which deal exclusively with war and war blame. They contain the responses, from the conflicting parties in the Caucasus region – Russia, Georgia, South Ossetia and Abkhazia – to a European Union investigative commission conducting a probe of the cause of the five-day war last August. The documents also include reports on the EU commission’s trips to Moscow, the Georgian capital Tbilisi and the capitals of Abkhazia and South Ossetia, dossiers assembled by experts and the transcripts of interviews of diplomats, military officials and civilian victims of the war.

The Caucasus expert, nicknamed “Madame Courage” by the Zurich-based Swiss daily Neue Zürcher Zeitung, is considered a specialist on sensitive diplomatic matters. The Caucasus issue is the most difficult challenge she has faced to date. The final report by the commission she heads must be submitted to the EU Council of Ministers by late July. In the report, Tagliavini is expected to explain how, in August 2008, a long-smoldering regional conflict over the breakaway Georgia province of South Ossetia could suddenly have escalated into a war between Georgia and its much more powerful neighbor, Russia. Who is to blame for the most serious confrontation between East and West since the end of the Cold War?

In addition to having a budget of €1.6 million ($2.2 million) at her disposal, Tagliavini can draw on the expertise of two deputies, 10 specialists, military officials, political scientists, historians and international law experts.

Much hinges on the conclusions her commission will reach. Is Georgia, a former Soviet republic, a serious candidate for membership in NATO, or is the country in the hands of a reckless gambler? Did the Russian leadership simply defend South Ossetia, an ally seeking independence from Georgia, against a Georgian attack? Or did Russia spark a global crisis when its troops occupied parts of Georgia for a short period of time?

The confidential investigative commission documents, which SPIEGEL has obtained, show that the task of assigning blame for the conflict has been as much of a challenge for the commission members as it has for the international community. However, a majority of members tend to arrive at the assessment that Georgian President Mikhail Saakashvili started the war by attacking South Ossetia on August 7, 2008. The facts assembled on Tagliavini’s desk refute Saakashvili’s claim that his country became the innocent victim of “Russian aggression” on that day.

In summarizing the military fiasco, commission member Christopher Langton, a retired British Army colonel, claims: “Georgia’s dream is shattered, but the country can only blame itself for that.”

Whatever the justification for President Saakashvili’s conduct, it certainly isn’t the kind of policy to which the U.S. should tie itself.  Yet including Georgia in NATO would in effect make President Saakashvili’s goals those of the American government and, by extension, the American people.

How many Americans should die to ensure that George gets to rule South Ossetia and Abkhazia?  Should we risk Washington for Tbilisi?  These are questions the Obama administration should answer before it joins the Bush administration in pushing NATO membership for Georgia.  The American people deserve to know exactly what risks the Obama administration plans to take with their lives and homelands before adding yet another fragile client state to Washington’s long list of security dependents.

Morozov vs. Cyber-Alarmism

I’m no information security expert, but you don’t have to be to realize that an outbreak of cyber-alarmism afflicts American pundits and reporters.

As Jim Harper and Tim Lee have repeatedly argued (with a little help from me), while the internet created new opportunities for crime, spying, vandalism and military attack, the evidence that the web opens a huge American national security vulnerability comes not from events but from improbable what-ifs. That idea is, in other words, still a theory. Few pundits bother to point out that hackers don’t kill, that cyberspies don’t seem to have stolen many (or any?) important American secrets, and that our most critical infrastructure is not run on the public internet and thus is relatively invulnerable to cyberwhatever. They never note that to the extent that future wars have an online component, this redounds to the U.S. advantage, given our technological prowess.  Even the Wall Street Journal and New York Times recently published breathless stories exaggerating our vulnerability to online attacks and espionage.

So it’s good to see that the July/ August Boston Review has a terrific article by Evgeny Morozov taking on the alarmists. He provides not only a sober net assessment of the various worries categorized by the vague modifier “cyber” but even offers a theory about why hype wins.

Why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

I agree.

Exciting! But Not True …

The Center for a New American Security is hosting an event on cybersecurity next week. Some fear-mongering in the text of the invite caught my eye:

[A] cyberattack on the United States’ telecommunications, electrical grid, or banking system could pose as serious a threat to U.S. security as an attack carried out by conventional forces.

As a statement of theoretical extremes, it’s true: The inconvenience and modest harms posed by a successful crack of our communications or data infrastructure would be more serious than an invasion by the Duchy of Grand Fenwick. But as a serious assertion about real threats, an attack by conventional forces (however unlikely) would be entirely more serious than any “cyberattack.”

This is not meant to knock the Center for a New American Security specifically, or their event, but breathless overstatement has become boilerplate in the “cybersecurity” area, and it’s driving the United States toward imbalanced responses that are likely to sacrifice our wealth, progress, and privacy.