If you haven’t been following the intrigue around Wikileaks and the security companies hoping to help the government fight it, this stuff is not to be missed. Recommended:
The latter story links to a document purporting to show that a government contractor called Palantir Technologies suggested unnamed ways that Glenn Greenwald might be made to choose “professional preservation” over his sympathetic reporting about Wikileaks. A later page talks of “proactive strategies” including: “Use social media to profile and identify risky behavior of employees.”
Wikileaks has no employees. I take this to mean that the personal lives of Wikileaks supporters and sympathizers would be used to undercut its public credibility. Because Julian Assange hasn’t done enough…
While we’re on credibility: This may well be Wikileaks’ rehabilitation. Wikileaks erred badly by letting itself and Julian Assange become the story. We’re not having the discussion we should have about U.S. government behavior because of Assange’s self-regard.
But now defenders of the U.S. government are making themselves the story, and they may be looking even worse than Wikileaks and Assange. (n.b. Palantir has apologized to Greenwald.) That doesn’t mean that we will immediately focus on what Wikileaks has revealed about U.S. government behavior, but it could clear the deck for those conversations to happen.
The concept of “miscalculation” seems more prominent in international affairs and foreign policy than other fields, and it comes to mind here. Wikileaks and its opponents are joined in a negative duel around miscalculation. The side that miscalculates the least will have the upper hand.
(HT: Schneier) Here’s a refreshingly careful report on cybersecurity from the Organization for Economic Cooperation and Development’s “Future Global Shocks” project. Notably: “The authors have concluded that very few single cyber-related events have the capacity to cause a global shock.” There will be no cyber-“The Day After.”
Here are a few cherry-picked top lines:
Catastrophic single cyber-related events could include: successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol which determines routing between Internet Service Providers and a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches. For the remainder of likely breaches of cybersecurity such as malware, distributed denial of service, espionage, and the actions of criminals, recreational hackers and hacktivists, most events will be both relatively localised and short-term in impact.
The vast majority of attacks about which concern has been expressed apply only to Internet-connected computers. As a result, systems which are stand-alone or communicate over proprietary networks or are air-gapped from the Internet are safe from these. However these systems are still vulnerable to management carelessness and insider threats.
Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An “attack” or an “incident” can include anything from an easily-identified “phishing” attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions. There is even greater confusion in the ways in which losses are estimated. Cyberespionage is not a “few keystrokes away from cyberwar”, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.
The hyping of “cyber” threats—bordering on hucksterism—should stop. Many different actors have a good deal of work to do on securing computers, networks, and data. But there is no crisis, and the likelihood of any cybersecurity failure causing a crisis is extremely small.
I’ve been looking into the cybersecurity issue lately, and I finally took the time to do an in-depth read of the Securing Cyberspace for the 44th Presidency report, which is frequently cited as one of the soundest analyses of the issue. It was written by something of a self-appointed presidential transition commission called the “Commission on Cybersecurity for the 44th President,” chaired by two congressmen and with a membership of notables from the IT industry, defense contractors, and academia, and sponsored by CSIS.
What I was struck by is the complete lack of any verifiable evidence to support the report’s claim that “cybersecurity is now a major national security problem for the United states[.]” While it offers many assertions about the sorry state of security in government and private networks, the report advances no reviewable evidence to explain the scope or probability of the supposed threat. The implication seems to be that the authors are working from classified sources, but the “if you only knew what we know” argument from authority didn’t work out for us in the run up to the Iraq war, and we should be wary of it now.
Based on two (1, 2) previous cyber security bills, a draft bill that has been circulating around town backed by Senate Majority Leader Harry Reid would give the White House sweeping new powers over companies that operate “covered critical infrastructure” (CCI). And more than that, the bill would eliminate a vital aspect of the governmental process: a right to a day in court.
People often think of critical infrastructure as power plants, dams, and public safety communication networks. On the Internet, modems, routers and other specific network equipment could be designated as CCI. But this bill is written broadly, so that the Administration could even designate online services—such as e-mail and cloud computing services—that use the Internet but are not themselves network infrastructure.
All businesses want to keep Americans safe and protect infrastructure that supports the American economy. But what happens if a company (or an industry) wants to challenge their CCI designation? Typically, what makes America work is that we can question authority and even challenge our government in court when we think it’s wrong. But this legislation explicitly denies businesses their right to challenge a CCI designation in court.
(4) Final appeal.—A final decision in any appeal under this subsection shall be a final agency action that shall not be subject to judicial review except as part of an enforcement action under section 306(b)(7). [emphasis added]
This part of the bill has to be amended to allow judicial appeals to make it fair for the businesses that will pay for it.
Washington Times reporter Shaun Waterman has a characteristically excellent article out today about U.S. cybersecurity authorities failing to secure their own systems.
According to a new report by government auditors, systems at the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, were not maintained with updates and security patches in a timely fashion and as a result were riddled with vulnerabilities that hackers could exploit.
Time and again, people look to government intervention based on what they imagine government might do under ideal conditions. Real conditions produce far weaker results.
We’re better off distributing the problem of data, network, and computer security among all the self-interested actors in the country—fallible as they are. We should not abandon the problem to a central authority whose failure fails us all.
Individuals, shadowy criminal organizations, and nation states all now have the capacity to devastate modern societies through computer attacks.
It’s simply not true.
The author must not know the meaning of “devastate,” which is, according to the handiest Web dictionary, “to lay waste; render desolate.”
There is no such capacity—anywhere—to do such damage through computer attacks, and the capacity of some actors to produce some inconvenience, to cause some economic harm, and perhaps to cause physical damage or injury—none of that justifies such a stupidly phrased sentence.
It’s the first line of the abstract to “An e-SOS for Cyberspace” by Temple University law professor Duncan Hollis. Almost certainly, given the overblown premise, it calls for overblown reactions.
This concludes my review of the first sentence of another fear-mongering cybersecurity paper.
The Washington Post reports today on an article coming out in Foreign Affairs in which Deputy Defense Secretary William J. Lynn III reveals a successful 2008 intrusion into military computer systems. Malicious code placed on a thumb drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military’s Central Command and propagated itself across a number of domains.
The Post article says that Lynn “puts the Homeland Security Department on notice that although it has the ‘lead’ in protecting the dot.gov and dot.com domains, the Pentagon — which includes the ultra-secret National Security Agency — should support efforts to protect critical industry networks.”
The failure of the military to protect its own systems creates an argument for it to have preeminence in protecting private computer infrastructure? Perhaps the Department of Homeland Security will reveal how badly it has been hacked in order to regain the upper hand in the battle to protect us.
Check out national security reporter Shaun Waterman’s report on lapses in security using techniques that only recently became known as “social engineering.”
Ms. Sage’s connections invited her to speak at a private-sector security conference in Miami, and to review an important technical paper by a NASA researcher. Several invited her to dinner. And there were many invitations to apply for jobs.
“If I can ever be of assistance with job opportunities here at Lockheed Martin, don’t hesitate to contact me, as I’m at your service,” one executive at the company told her.
Then there’s former DHS policy official Stewart Baker’s unusually harsh attack on the “privacy lobby” and Wired reporter Ryan Singel at Volokh.com. The comments are good-quality and interesting.
Knowing how canny Baker is, I would guess that his unusually shrill tone is a ploy to start a fight that helps him sell more copies of his book. But maybe he’s just losing his cool.
Congressmen working on national intelligence and homeland security either don’t know how to secure their own home Wi-Fi networks (it’s easy!) or don’t understand why they should bother. If you live outside the Beltway, you might think the response to this problem would be to redouble efforts to educate everyone about the importance of personal responsibility for data security, starting with Congressmen and their staffs. But of course those who live inside the Beltway know that the solution isn’t education or self-help but… you guessed it… to excoriate Google for spying on members of Congress (and bigger government, of course)!
Consumer Watchdog (which doesn’t actually claim any consumers as members) held a press conference this morning about their latest anti-Google stunt, announced last night on their “Inside Google” blog: CWD drove by five Congressmen’s houses in the DC area last week looking for unencrypted Wi-Fi networks. At Jane Harman’s (D-CA) home, they found two unencrypted networks named “Harmanmbr” and “harmantheater” that suggest the networks are Harman’s. So they sent Harman a letter demanding that she hold hearings on Google’s collection of Wi-Fi data, charging Google with “WiSpying.” This is a classic technopanic and the most craven, cynical kind of tech politics—dressed in the “consumer” mantle.
The Wi-Fi/Street View Controversy
Rewind to mid-May, when Google voluntarily disclosed that the cars it used to build a photographic library of what’s visible from public streets for Google Maps Street View had been unintentionally collecting small amounts of information from unencrypted Wi-Fi hotspots like Harman’s. These hotspots can be accessed by anyone who might drive or walk by with a Wi-Fi device—thus potentially exposing data sent over those networks between, say, a laptop in the kitchen, and the wireless router plugged into the cable modem.
Google’s Street View allows you to virtually walk down any public street and check out the neighborhood
Reliable national security reporter Siobhan Gorman at the Wall Street Journal has broken a story about an Internet surveillance program called “Perfect Citizen” to be managed by the National Security Agency.
Reading about it is frustrating, and for me blame quickly settles on Congress. Our legislature is utterly supine before the national security bureaucracy, which exaggerates cybersecurity threats and consistently uses the secrecy trump card to defy oversight.
If there is to be a federal government role in securing the Internet from cyberattacks, there is no good reason why its main components should not be publicly known and openly debated. Small parts, like threat signatures and such—the unique characteristics of new attacks—might be appropriately kept secret, but no favor is done to any potential attackers by revealing that there is a system for detecting their activities.
A cybersecurity effort that is not tested by public oversight will be weaker than ones that are scrutinized by private-sector experts, academics, security vendors, and watchdog groups.
Benign intentions do not control future results, and governmental surveillance of the Internet for “cybersecurity” purposes may warp over time to surveillance for ideological and political purposes.
These abstract criticisms of “Perfect Citizen” are all that publicly available information allows. Far better would come from me and others more qualified if Congress were to do its job.
Congress owes it to us, the United States’ true citizens, to have public hearings on “Perfect Citizen.” Congress should reject broad assertions of secrecy so that the whole body politic can participate in securing our country from all threats.
Congressional and public oversight—searching oversight that tests assumptions and asks hard questions—would strengthen any government cybersecurity effort we find warranted. It would also ameliorate the threat of such programs to our civil liberties, democratic processes, and privacy.