The Exceptionally Tough Politics Of Cyber Power
Whenever I write about the thickly complicated politics of cyber power or cyber security, the most frequent question I'm asked is whether the National Security Agency can read your e-mail. My answer used to be, "I don't know." Now, my answer is, "Well, of course they can. But they're probably not. I don't know. And besides, the amount of information that's collected about you, with, at least, your tacit approval, by companies like Google and Facebook far exceeds whatever information the NSA ever wants to collect, much less retain, about you. And you care about it, a little, but not that much -- not enough to make an issue out of it, anyway."
We allow Google, Amazon.com, credit companies and all manner of private corporations to collect intimate information about our lives, but we reflexively recoil when the government proposes to monitor (and not even collect) a fraction of that information, even with legal safeguards. We carry in our wallets credit cards with RFID chips. Data companies send unmarked vans in our neighborhoods, mapping wireless networks. The IBM scientist and tech guru Jeff Jonas noted on his blog that every time we send a text message, we're contributing to a cloud where "powerful analytics commingle space-time-travel data with tertiary data." Geolocated tweets can tell everyone where we are, what we're doing, and who we like. Sure, The data is ostensibly anonymized, but the reality is a bit different: we provide so much of it that, as Jonas notes, we tend to re-identify ourselves -- out our identity -- fairly quickly. This is good and bad; the world becomes more efficient, we leave less of a footprint, we get what we want more quickly. But we also sacrifice privacy, individuality, and other goods that can't be measured in dollars and cents.
Government power is just different than corporate power. Our engagement with technology implies a certain consent to give up information to companies. A deeper mistrust of government is healthy, so far as the it places pressure on lawmakers to properly oversee the exercise of state power. Warrantless domestic surveillance by NSA during the Bush administration doubtless ensnared a number of innocent Americans and monitored the communications of people who posed no harm to anyone. Where the standard is personal privacy and the rule of law, the violation is severe.
But where the standard is harm, the damage is minimal compared to the information that is routinely and legally collected by non-state entities -- information that is used to target us for political appeals, to sell us something, or to steal money, to pilfer intellectual property or abuse technology. 85 percent of infrastructure in this country is in private hands; it is extremely vulnerable to attack and even to catastrophic resource failure. (Thought experiment: everyone gets electric plug-in cars, which are, weirdly, notorious energy hogs. When do you charge the car? When you get home from work. It wouldn't take more than a chunk of Americans charging their electric cars at the same time everyday to bring down parts of the electric grid.)
This asymmetry is distorting the politics of cyber security. It frustrates the front line cyber folks to no end, but they are, in some ways, responsible for it.
For one thing, the NSA lacks credibility with many Americans and with some lawmakers because of its aforementioned activities. And yet the NSA is -- really -- the only entity with the expertise, the size, and the capability to secure the cyber realm. For another, the government remains obsessed with secrecy. The NSA and the Department of Defense can penetrate virtually any computer network on the face of the planet, and probably do so with regularity for defense purposes. Their capabilities in this "offensive" realm are awesome, and kind of scary. The technology that'll be used to defend the country from cyber attacks of all types is the same technology used to track insurgents in Iraq (classified), tap into terrorist net-centered communications (classified), probe nation-state computer defenses (classified), figure out how to electronically hack into missile guidance systems (classified). Also: they're worried that terrorists would figure out how vulnerable we really are if they knew everything. Here's the weird part: China, Russia, savvy cyber terrorists -- they know all this. They have the same technology.
For the most part, as one former NSA official remarked to me recently, keeping it classified keeps it out of the minds of the American people, and no one else. That's why other former senior intelligence officials, including, quite notably, former NSA director and former DNI Mike McConnell, are encouraging their colleagues to open up, to crash through firewalls, to share information about threats and even some technology.
Fact: if the NSA were to detect the presence of a malicious worm or destructive virus on a U.S. Internet server targeted at a bank, perhaps stealing money from that bank, it could do nothing but warn the bank. The bank, most likely, does not have the capacity to deal with the worm itself; the NSA does not have the legal authority to employ methods to screen out the bad code, even though it has the technological capability. You can employ any type of thought of experiment you want here. Entities like utility companies and banks often rely on overtaxed communications networks to assess their performance; those communications networks are extraordinarily vulnerable because they rely on vulnerable machines -- machines that are old and were built with technology that, in many instances, originated elsewhere. The backbone of the Internet itself is very fragile; the VeriSign corporation, which essentially runs the Net, deals with thousands of attacks per day, some of them harmless, some of them dangerous, some of them from state actors (like China), others from well-funded and savvy techno-terrorists.
This is a tech problem and a law problem. Congress is trying to come up with ways to designate certain types of corporations that are responsible for large segments of some major activity -- power generation, money transferring, information sharing -- as, essentially, too big to fail -- or be shut down -- by cyber intruders. The idea, in essence, would be to require these entities to submit to a cyber audit. In the event of a major attack, the government (actually, the Department of Homeland Security, using NSA technology) would have the authority to quarantine the problem until it was removed. As you might imagine, this approach raises hackles with a lot of people. The corporations resist the idea of government intrusion. Their CFOs don't see the risk, so they're not interested in spending money to preemptively solve the problem. Civil libertarians properly ask about oversight; who's going to watch the watchers? Technologists wonder whether there aren't other ways to protect the nation's information grid from systemic threats.
The White House wants to create a "dot.sec" culture, where transactions and information exchange occur on secure servers with solid authentication procedures and widely distributed knowledge of the security risks. This is ambitious and important, but it is a long way from being reality. They've yet to appoint a cyber coordinator -- a national Smokey the Bear type -- to begin to think about framing these issues in a way that facilitates the national debate. Recently, the Senate Intelligence Committee appointed Sen. Sheldon Whitehouse (D-RI) to head a panel that will look at the intersection of civil liberties and cyber security -- an examination that's long overdue. They will release a public version of their classified report. At this point, no one is dealing with the jurisdictional issues that cyber security alone confronts -- more than 20 congressional subcommittees want a piece of the action.
These values aren't easy to reconcile; even President Obama will have a hard time finding false alternatives to reject. But some way or another -- maybe it'll be some catastrophic attack, maybe something harmless but symbolic -- we're living in a world of cyber power, and we ought to be better informed about what the heck we're doing.