cybersecurity

Hacking and the Era of Fragile Secrets

Written with Christopher E. Whyte of George Mason University

What would it mean if a country couldn’t keep any secrets? 

The question may not be as outlandish as it seems. The hacks of the National Security Agency and the Democratic National Committee represent only the most recent signposts in our evolution toward a post-secrecy society. The ability of governments, companies, and individuals to keep information secret has been evaporating in lock step with the evolution of digital technologies. For individuals, of course, this development raises serious questions about government surveillance and people’s right to privacy. But more broadly, the inability for governments to keep secrets foreshadows a potential sea change in international politics.

To be sure, the U.S. government still maintains many secrets, but today it seems accurate to describe them as “fragile secrets.” The NSA hack is not the first breach of American computer networks, of course, but the nature of the hack reveals just how illusory is our ability to keep secrets. The Snowden affair made clear that the best defense isn’t proof against insider threats. The Shadow Brokers hack – against the NSA’s own top hacker group – has now shown that the best defense isn’t proof against outsider threats either. Even if the Shadow Brokers hack is a fabrication and the information was taken from the NSA in other ways – a traditional human intelligence operation, for instance, where a man with a USB drive managed to download some files – it seems clear that we’re in an era of informational vulnerability.

And what is true for the federal government is even more clearly true for private organizations like the Democratic National Committee. The theft and release of the DNC’s email traffic – likely carried out by Russian government hackers – illustrates that it’s not just official government information at risk. Past years have made it clear that civil society organizations – both venerable (political parties, interest groups, etc.) and questionable (the Church of Scientology, for instance, was the target of a range of disruptive attacks in 2008-‘09) – are as often the targets of digital intrusion as are government institutions.

At this point, it seems fair to think that there is no government or politically-relevant information that couldn’t, at some point, find its way into the hands of a hacker. From there, it is just a short hop into the public domain.

“This Process Stinks”

Those are the words of Paul Ryan (R-WI) in October, ahead of his elevation to Speaker of the House. He was objecting to a budget deal being rammed through the House, and he went on to say, “This is not the way to do the people’s business, and under new management we are not going to do the people’s business this way.”

Bandying “Terrorism”

George Clooney has now joined North Korea’s United Nations ambassador Ja Song Nam in bandying charges of “terrorism” against a foe. North Korea’s emissary in New York complained in July that the production of Sony’s film, The Interview, was “the most undisguised sponsoring of terrorism as well as an act of war.”

Cyber-Espionage (Not Necessarily Implicating U.S. Agencies) Returns to the Headlines

The Washington Post reported this morning that the U.S. government is “charging members of the Chinese military with conducting economic cyber-espionage against American companies.”  According to the story, Attorney General Eric Holder will “announce a criminal indictment in a national security case,” naming members of the People’s Liberation Army.

If you will recall, cyber-security, cyber-espionage, and cyber-theft of trade secrets and other intellectual property belonging to American businesses started becoming prominent sources of friction in the U.S.-China relationship about 18 months ago before suddenly dropping off the front pages 11 months ago to make way for revelations of domestic spying by the U.S. National Security Agency.  Somehow, the notion that Chinese government-sponsored cyber-theft broached a red line lost some of its luster after Americans learned what Edward Snowden had to share about their own government.

But today the issue of Chinese cyber-transgression is back on the front pages.  Never before – according to the Washington Post – has the U.S. government leveled such criminal charges against a foreign government.  The U.S. rhetoric has been heated and, just this afternoon, the Chinese government responded by characterizing the claims as “ungrounded,” “absurd,”  “a pure fabrication,” and “hypocritical.”

While the U.S. allegations may be true, given well-publicized U.S. cyber-intrusions, it isn’t too difficult to agree with the “hypocritical” characterization either.  Perhaps that’s why the U.S. government is attempting to distinguish between cyber-espionage, which is conducted by states to discern the intentions of other governments – and is, from the U.S. perspective, fair play – from “economic” cyber-espionage, which is perpetrated by states or other actors against private businesses and is, from the U.S. perspective, completely unacceptable.  It’s not too difficult to understand why the United States has adopted that bifurcated position. The Washington Post quotes a U.S. government estimate of annual losses due to economic cyber espionage at $24-$120 billion.

Do New Cybersecurity Restrictions Amount to Regulatory Protectionism?

Protectionism masquerading as regulation in the public interest is the subject of an excellent new paper by my colleagues Bill Watson and Sallie James.  As tariffs and other border barriers to trade have declined, rent-seeking domestic interests have turned increasingly to regulations with noble sounding purposes – protecting Flipper from the indiscriminating nets of tuna fishermen, fighting the tobacco industry’s efforts to entice children with grape-flavored cigarettes, keeping U.S. highways safe from recklessly-driven, dilapidated, smoke-emitting Mexican trucks, and so on – in order to reduce competition and secure artificial market advantages over you, the consumer.

The paper documents numerous examples of this “bootleggers and Baptists” phenomenon, where the causes of perhaps well-intentioned advocates of health and safety regulation were infiltrated or commandeered by domestic producer interests with more nefarious, protectionist motives, and advises policymakers to:

be skeptical of regulatory proposals backed by the target domestic industry and of proposals that lack a plausible theory of market failure. These are red flags that the proposal is the product of privilege-seeking special interests disguised as altruistic consumer advocates.

After reading this incisive paper, you might consider whether a new law restricting U.S. government purchases of Chinese-produced information technology systems in the name of cybersecurity fits the profile of regulatory protectionism.  A two paragraph section of the 574-page “Consolidated and Further Continuing Appropriations Act of 2013,” signed into law last week, prohibits federal agency purchases of IT equipment “produced, manufactured or assembled” by entities “owned, directed, or subsidized by the People’s Republic of China” unless the head of the purchasing agency consults with the FBI and determines that the purchase is “in the national interest of the United States” and then conveys that determination in writing to the House and Senate Appropriations Committees.

Cybersecurity Improves No Matter What Congress Does

The Hill’s “Hillicon Valley” blog reported late Wednesday that cybersecurity legislation was likely to fail in the Senate today.

The post, originally titled “Cybersecurity Act Expected to Crash and Burn in Senate,” indulged in some typical Washington, D.C. conceit: “The Senate’s cybersecurity bill is likely to go down in defeat on Thursday,” it said, “ending any hope of passing a measure by the end of the year to protect America’s networks.”

Pages

Subscribe to RSS - cybersecurity