Cybersecurity

When it comes to information control, everybody has a pet issue and everyone will be disappointed when law can’t resolve it. I was reminded of this truism while reading a provocative blog post yesterday by computer scientist Ben Adida entitled “(Your) Information Wants to be Free.” Adida’s essay touches upon an issue I have been writing about here a lot lately: the complexity of information control — especially in the context of individual privacy. [See my essays on “Privacy as an Information Control Regime: The Challenges Ahead,” “And so the IP & Porn Wars Give Way to the Privacy & Cybersecurity Wars,” and this recent FTC filing.]

In his essay, Adida observes that:

In 1984, Stewart Brand famously said that information wants to be free. John Perry Barlow reiterated it in the early 90s, and added “Information Replicates into the Cracks of Possibility.” When this idea was applied to online music sharing, it was cool in a “fight the man!” kind of way. Unfortunately, information replication doesn’t discriminate: your personal data, credit cards and medical problems alike, also want to be free. Keeping it secret is really, really hard.

Quite right. We’ve been debating the complexities of information control in the Internet policy arena for the last 20 years and I think we can all now safely conclude that information control is hugely challenging regardless of the sort of information in question. As I’ll note below, that doesn’t mean control is impossible, but the relative difficulty of slowing or stopping information flows of all varieties has increased exponentially in recent years.

But Adida’s more interesting point is the one about the selective morality at play in debates over information control. That is, people generally expect or favor information freedom in some arenas, but then get pretty upset when they can’t crack down on information flows elsewhere. Indeed, some people can get downright religious about the whole “information-wants-to-be-free” thing in some cases and then, without missing a beat, turn around and talk like information totalitarians in the next breath.

Thanks to all of you who have sent comments about the new cybersecurity paper Tate Watkins and I released. It’s been getting a good reception.

James Fallows of *The Atlantic*, for example, [noted yesterday](http://www.theatlantic.com/technology/archive/2011/04/two-fascinating-exhibits-on-data-security/237891/) that the paper “represents a significant libertarian-right voice of concern about this latest expansion of the permanent national-security surveillance state,” and that while we can’t underestimate cyber risks, “the emphasis on proportionate response, and the need to guard other values, comes at the right time. We should debate these threats rather than continuing to cower.”

Today I wanted to bend your ears (or eyes, I guess) with another excerpt. The subject today is the “if you only knew what we know” rationale for government action. I’m happy to see that Sen. Sheldon Whitehouse has [a new bill](http://www.fas.org/blog/secrecy/2011/04/cyber_secrecy.html) getting right at the problem of over-classification that lets leaders get away with “just trust us” rhetoric. The excerpt is after the jump.

Today my colleague [Tate Watkins](http://shortsentences.org/) and I are releasing [a new working paper on cybersecurity policy](http://mercatus.org/publication/loving-cyber-bomb-dangers-threat-inflation-cybersecurity-policy). Please excuse my patently sleep-deprived mug while I describe it here:



Over the past few years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cybersecurity threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.” Proposed responses include increased federal spending on cybersecurity and the regulation of private network security practices.

The rhetoric of “[cyber doom](http://mercatus.org/publication/beyond-cyber-doom)” employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation.

Threat inflation, [according to Thrall and Cramer](http://books.google.com/books?id=EzUtuTOIfTEC&lpg=PP1&ots=3AQmVD2Slb&dq=AMERICAN%20FOREIGN%20POLICY%20AND%20THE%20POLITICS%20OF%20FEAR&pg=PP1#v=onepage&q&f=false), is a concept in political science that refers to “the attempt by elites to create concern for a threat that goes beyond the scope and urgency that a disinterested analysis would justify.” Different actors—including members of Congress, defense contractors, journalists, policy experts, academics, and civilian, military, and intelligence officials—will each have their own motives for contributing to threat inflation. When a threat is inflated, the marketplace of ideas on which a democracy relies to make sound judgments—in particular, the media and popular debate—can become overwhelmed by fallacious information. The result can be unwarranted public support for misguided policies.

The run-up to the Iraq War illustrates the dynamic of threat inflation. After 9/11, the Bush Administration decided to invade Iraq to oust Saddam Hussein. Lacking any clear casus belli, the administration sought popular and congressional support for war by promoting several rationales that ultimately proved baseless.

“Global Internet Governance: Research and Public Policy Challenges for the Next Decade” is the title for a conference event held May 5 and 6 at the American University School of International Service in Washington. See the full program here.

Featured will be a keynote by the NTIA head, Assistant Secretary for Commerce Lawrence Strickling. TLF-ers may be especially interested in the panel on the market for IP version 4 addresses that is emerging as the Regional Internet Registries and ICANN have depleted their free pool of IP addresses. The panel “Scarcity in IPv4 addresses” will feature representatives of the American Registry for Internet Numbers (ARIN) and Addrex/Depository, Inc., the new company that brokered the deal between Nortel and Microsoft. There will also be debates about Wikileaks and the future of the Internet Governance Forum. Academic research papers on ICANN’s Affirmation of Commitments, the role of the national governments in ICANN, the role of social media in the Middle East/North Africa revolutions, and other topics will be presented on the second day. The event was put together by the Global Internet Governance Academic Network (GigaNet). Attendance is free of charge but you are asked to register in advance.

I’m gratified that my recent writing on the Bitcoin virtual currency project has stirred much conversation and I thought I’d take a moment to continue that conversation.

Tim Lee has written two posts critiquing the viability of Bitcoin from the supply and demand sides. Dan Rothschild has responded in part. Tyler Cowen also weighed in.

To address Tim I’ll simply say this: Do I think Bitcoin will replace the dollar? No. Might Bitcoin have certain systemic design flaws that might impede its success? Quite possibly. Will Bitcoin become the de facto, manipulation-proof currency of the internet? Who knows. Tim’s posts are a somewhat technical critique of Bitcoin’s long-term feasibility. It’s a great contribution, but since I’m neither a gold bug nor a Bitcoin booster per se, I don’t find it especially interesting.

That all said, what I do think is revolutionary about Bitcoin is that its developers have solved, without the use of a middleman, the double-spending problem faced by virtual currencies. That gives us license to realistically imagine a world without regulable financial intermediaries online.
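To make concrete what “solving the double-spending problem without a middleman” means, here is an added illustration in Python; it is not code from the original post or from the Bitcoin project. It models a toy unspent-output ledger: every participant replays the same ordered transaction history and independently rejects any transaction that references an output already consumed, so no central bookkeeper is needed to catch the second spend. Bitcoin’s actual mechanism for getting the network to agree on that ordering (proof-of-work consensus) is not modelled; the order is simply given, and ownership is a plain owner string standing in for a signature check. All names and the sample transactions are constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Output:
    owner: str   # stands in for a public key; real Bitcoin verifies a signature
    amount: int


@dataclass
class Tx:
    inputs: list          # list of (txid, index) outpoints being spent
    outputs: list         # list of Output
    txid: str = field(init=False)

    def __post_init__(self):
        # Deterministic id: every participant derives the same txid from the same bytes
        body = json.dumps(
            {"in": self.inputs, "out": [(o.owner, o.amount) for o in self.outputs]},
            sort_keys=True)
        self.txid = hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    """Replays an ordered transaction list and tracks the unspent output (UTXO) set."""

    def __init__(self):
        self.utxo = {}      # (txid, index) -> Output
        self.rejected = []  # (txid, reason) for transactions that failed validation

    def coinbase(self, owner, amount):
        # Toy stand-in for newly minted coins; no inputs
        tx = Tx(inputs=[], outputs=[Output(owner, amount)])
        self.utxo[(tx.txid, 0)] = tx.outputs[0]
        return tx

    def apply(self, tx, spender):
        total_in = 0
        seen = set()
        for outpoint in tx.inputs:
            key = tuple(outpoint)
            if key in seen:
                return self._reject(tx, "same outpoint listed twice in one tx")
            seen.add(key)
            out = self.utxo.get(key)
            if out is None:
                # The output was never created or was already consumed: a double spend
                return self._reject(tx, "input already spent or unknown (double spend)")
            if out.owner != spender:
                return self._reject(tx, "spender does not own input")
            total_in += out.amount
        total_out = sum(o.amount for o in tx.outputs)
        if total_out > total_in:
            return self._reject(tx, "outputs exceed inputs")
        # All checks passed: consume inputs and create new outputs atomically
        for outpoint in tx.inputs:
            del self.utxo[tuple(outpoint)]
        for i, out in enumerate(tx.outputs):
            self.utxo[(tx.txid, i)] = out
        return True

    def _reject(self, tx, reason):
        self.rejected.append((tx.txid, reason))
        return False

    def balance(self, owner):
        return sum(o.amount for o in self.utxo.values() if o.owner == owner)


def demo():
    """Constructed scenario: alice tries to pay the same coin to bob and to carol."""
    ledger = Ledger()
    mint = ledger.coinbase("alice", 50)
    to_bob = Tx(inputs=[(mint.txid, 0)], outputs=[Output("bob", 50)])
    to_carol = Tx(inputs=[(mint.txid, 0)], outputs=[Output("carol", 50)])
    first = ledger.apply(to_bob, spender="alice")
    second = ledger.apply(to_carol, spender="alice")   # conflicts with to_bob
    return {
        "first_accepted": first,
        "second_accepted": second,
        "bob": ledger.balance("bob"),
        "carol": ledger.balance("carol"),
        "alice": ledger.balance("alice"),
        "rejections": ledger.rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is that which of the two conflicting payments survives depends entirely on the order in which the history is replayed; any node running `apply()` over the same ordered history arrives at the same UTXO set and the same rejection. What Bitcoin adds, and what this toy omits, is a way for strangers to agree on that order without trusting anyone in particular.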

While Tim overlooks what makes Bitcoin radical, Tom Sydnor groks it viscerally. Writing in a lengthy comment on my post, Tom expresses dismay at what Bitcoin represents and offers what I would, with apologies, characterize as the cyber-conservative response.

Yesterday the FBI effectively [shut down](http://thehill.com/blogs/hillicon-valley/technology/156429-fbi-shuts-down-online-poker-sites) three of the largest gambling sites online and indicted their executives. From a tech policy perspective, these events highlight how central intermediary control is to the regulation of the internet.

Department of Justice lawyers were able to take down the sites using the same tools we’ve [seen DHS use](http://techland.time.com/2011/02/17/operation-protect-our-children-accidentally-shutters-84000-sites/) against alleged pirate and child porn sites: they seize the domain names. Because the sites are hosted overseas (where online gambling is legal), the feds can’t physically shut down the servers, so they do the next best thing. They get a seizure warrant for the domain names that point to the servers and [force the domain name registrars](http://pokerati.com/2011/04/15/poker-panic-11-update-on-domain-name-seizures/) to point them instead to a government IP address, such as [50.17.223.71](http://50.17.223.71). The most popular TLDs, including .com, .net, .org, and .info, have registrars that are American companies within U.S. jurisdiction.

Another intermediary point of control for the federal government is payment processors. The indictments revealed yesterday relate to violations of the [Unlawful Internet Gambling Enforcement Act](http://www.firstamendment.com/site-articles/UIEGA/), which makes it illegal for banks and processors like Visa, MasterCard and PayPal to let consenting adults use their money to gamble online. According to the DOJ, in order to let them bet, the poker sites “arranged for the money received from U.S. gamblers to be disguised as payments to hundreds of non-existent online merchants purporting to sell merchandise such as jewelry and golf balls.” ([PDF](http://www.wired.com/images_blogs/threatlevel/2011/04/scheinbergetalindictmentpr.pdf))

Now, imagine if there were no intermediaries.

[In my TIME.com Techland column today, I write about Bitcoin](http://techland.time.com/2011/04/16/online-cash-bitcoin-could-challenge-governments/), a completely decentralized and anonymous virtual currency that I think will be revolutionary.

>Because Bitcoin is an open-source project, and because the database exists only in the distributed peer-to-peer network created by its users, there is no Bitcoin company to raid, subpoena or shut down. Even if the Bitcoin.org site were taken offline and the Sourceforge project removed, the currency would be unaffected. Like BitTorrent, taking down any of the individual computers that make up the peer-to-peer system would have little effect on the rest of the network. And because the currency is truly anonymous, there are no identities to trace.

And if a P2P currency can make it so that there is no fiscal intermediary to regulate, how about a distributed DNS system so that there are no registrars to coerce? This is something Peter Sunde of Pirate Bay fame [has been working on](http://www.wired.co.uk/news/archive/2010-12/02/peter-sunde-p2p-dns). These ideas may sound radical and far-fetched, but if we truly want to see an online regime of “[denationalized liberalism](http://techliberation.com/2010/11/28/mueller%E2%80%99s-networks-and-states-classical-liberalism-for-the-information-age/),” as Milton Mueller puts it, then getting rid of the intermediaries in the net’s infrastructure might be the best path forward.

Again, check out [my piece in TIME](http://techland.time.com/2011/04/16/online-cash-bitcoin-could-challenge-governments/) for a thorough explanation of Bitcoin and its implications. I plan to be writing about it a lot more and devote some of my research time to it.

One of the arguments [I’ve been making](http://techliberation.com/2010/10/20/what-is-the-evidence-for-cybersecurity-regulation/) about proposed cybersecurity regulation and legislation is that despite a lot of hype about a massive online threat, there is little evidence to corroborate the dire warnings. Almost every article I’ve read revealing a breach or cyberattack only quotes anonymous government sources, then defense contractors and politicians point to these articles and proclaim, “If you only knew what we know, you’d be taking action now!”

Fear, however, is a poor driver of public policy. Before we start telling private companies how to run their security, we should analyze the threat and assess whether there is a legitimate concern and whether government could do a better job. That’s impossible as long as most evidence of a threat is classified.

So I’m glad to see former NSA and CIA chief Gen. Michael Hayden call for less secrecy in order to get better analysis. In the [new issue](http://www.au.af.mil/au/ssq/spring11.asp) of Strategic Studies Quarterly, he writes [[PDF]](http://www.au.af.mil/au/ssq/2011/spring/hayden.pdf):

>Let me be clear: This stuff is overprotected. It is far easier to learn about physical threats from US government agencies than to learn about cyber threats. In the popular culture, the availability of 10,000 applications for my smart phone is viewed as an unalloyed good. It is not—since each represents a potential vulnerability. But if we want to shift the popular culture, we need a broader flow of information to corporations and individuals to educate them on the threat. To do that we need to recalibrate what is truly secret. Our most pressing need is clear policy, formed by shared consensus, shaped by informed discussion, and created by a common body of knowledge. With no common knowledge, no meaningful discussion, and no consensus . . . the policy vacuum continues. This will not be easy, and in the wake of WikiLeaks it will require courage; but, it is essential and should itself be the subject of intense discussion. Who will step up to lead?

Who indeed. Congress may be getting secret briefings that outline a potential cyberthreat. If so, it should recognize that it may be getting only one view of the issue. The people on whose behalf Congress legislates also deserve a clear understanding of the risks against which it might legislate. “Trust us” is not good enough. By reducing the over-classification Hayden writes about, Congress could let economists, computer scientists, and other academics delve into the weeds to determine the true nature of the threat and whether a market failure exists that calls for government intervention.

What I hoped would be a short blog post to accompany the video of Geoff Manne’s and my appearances this week on PBS’s “Ideas in Action with Jim Glassman” turned into a very long article, which I’ve published over at Forbes.com.

I apologize to Geoff for taking an innocent comment he made on the broadcast completely out of context, and to everyone else who chooses to read 2,000 words I’ve written in response.

So all I’ll say here is that Geoff Manne and I taped the program in January, as part of the launch of TechFreedom and of “The Next Digital Decade.” Enjoy!


Experienced debaters know that the framing of an issue often determines the outcome of the contest. Always watch the slant of the ground that debaters stand on.

The Internet kill-switch debate is instructive. Last week, Senators Lieberman (I-CT), Collins (R-ME) and Carper (D-DE) introduced a newly modified bill that seeks to give the government authority to seize power over the Internet or parts of it. The old version was widely panned.

In a statement about the new bill, they denied that it should be called a “kill switch,” of course—that language isn’t good for their cause after Egypt’s ousted dictator Hosni Mubarak illustrated what such power means. They also inserted a section called the “Internet Freedom Act.” It’s George Orwell with a clown nose, a comically ham-handed attempt to make it seem like the bill is not a government power-grab.

But they also said this: “The emergency measures in our bill apply in a precise and targeted way only to our most critical infrastructure.”

Accordingly, much of the reportage and commentary in this piece by Declan McCullagh explores whether the powers are indeed precisely targeted.

These are important and substantive points, right? Well, only if you’ve already conceded some more important ones, such as:

1) What authority does the government have to seize, or plan to seize, private assets? Such authority would be highly debatable under any of the constitutional powers kill-switchers might claim. Indeed, the constitution protects against, or at least severely limits, takings of private property in the Fifth Amendment.

and

2) Would it be a good idea to have the government seize control of the Internet, or parts of it, under some emergency situation? A government attack on our private communications infrastructure would almost certainly undercut the reliability and security of our networks, computers, and data.

The proponents of the Internet kill-switch have not met their burden on either of these fundamental points. Thus, the question of tailoring is irrelevant.

I managed to get in a word to this effect in the story linked above. “How does this make cybersecurity better? They have no answer,” I said. They really don’t.

No amount of tailoring can make a bad idea a good one. The Internet kill-switch debate is not about the precision or care with which such a policy might be designed or implemented. It’s about the galling claim on the part of Senators Lieberman, Collins, and Carper that the U.S. government can seize private assets at will or whim.