Friday, November 19, 2010

Cyberwar? Or just cyberespionage?

Seymour Hersh has a longish article in the New Yorker that I recommend, especially in light of the recent reappearance in the news of the Stuxnet worm. Looks like not a few outlets have taken this news peg as an excuse to talk about how we're all going to die, because Chinese hackers, etc.

And it's not just media hype. Hersh makes a good case that we should be aware of three things: why "cyberwar" is often the wrong term to use; how making it a "war" has been a conscious choice by people hoping to gain prestige and clout, not to mention sweet government contracts; and most worrisomely, how this supposed looming "war" risks letting the military intrude further into domestic civilian affairs. (The NSA is part of the military, and the guy in charge sounds at times as though he'd be right at home on the set of Dr. Strangelove.)

In May, after years of planning, the U.S. Cyber Command was officially activated, and took operational control of disparate cyber-security and attack units that had been scattered among the four military services. Its commander, Army General Keith Alexander, a career intelligence officer, has made it clear that he wants more access to e-mail, social networks, and the Internet to protect America and fight in what he sees as a new warfare domain—cyberspace. In the next few months, President Obama, who has publicly pledged that his Administration will protect openness and privacy on the Internet, will have to make choices that will have enormous consequences for the future of an ever-growing maze of new communication techniques: Will America’s networks be entrusted to civilians or to the military? Will cyber security be treated as a kind of war?


The bureaucratic battle between the military and civilian agencies over cyber security—and the budget that comes with it—has made threat assessments more problematic. General Alexander, the head of Cyber Command, is also the director of the N.S.A., a double role that has caused some apprehension, particularly on the part of privacy advocates and civil libertarians. (The N.S.A. is formally part of the Department of Defense.) One of Alexander’s first goals was to make sure that the military would take the lead role in cyber security and in determining the future shape of computer networks. [...]

The Department of Homeland Security has nominal responsibility for the safety of America’s civilian and private infrastructure, but the military leadership believes that the D.H.S. does not have the resources to protect the electrical grids and other networks. (The department intends to hire a thousand more cyber-security staff members over the next three years.) This dispute became public when, in March, 2009, Rodney Beckstrom, the director of the D.H.S.’s National Cybersecurity Center, abruptly resigned. In a letter to Secretary Janet Napolitano, Beckstrom warned that the N.S.A. was effectively controlling her department’s cyber operations: “While acknowledging the critical importance of N.S.A. to our intelligence efforts . . . the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization.” Beckstrom added that he had argued for civilian control of cyber security, “which interfaces with, but is not controlled by, the N.S.A.”

General Alexander has done little to reassure critics about the N.S.A.’s growing role. In the public portion of his confirmation hearing, in April, before the Senate Armed Services Committee, he complained of a “mismatch between our technical capabilities to conduct operations and the governing laws and policies.”

Alexander later addressed a controversial area: when to use conventional armed forces to respond to, or even preëmpt, a network attack. He told the senators that one problem for Cyber Command would be to formulate a response based on nothing more than a rough judgment about a hacker’s intent. “What’s his game plan? Does he have one?” he said. “These are tough issues, especially when attribution and neutrality are brought in, and when trying to figure out what’s come in.” At this point, he said, he did not have “the authority . . . to reach out into a neutral country and do an attack. And therein lies the complication. . . . What do you do to take that second step?”

I don't mean to make it all about this guy. (The article certainly doesn't.) But later on, there's a discussion of the "Maginot Line" mindset that is widespread among the boys downtown that to me indicates how and why this could be a real problem. To wit:

One solution is mandated encryption: the government would compel both corporations and individuals to install the most up-to-date protection tools. This option, in some form, has broad support in the technology community and among privacy advocates. In contrast, military and intelligence eavesdroppers have resisted nationwide encryption since 1976, when the Diffie-Hellman key exchange (an encryption tool co-developed by Whitfield Diffie) was invented, for the most obvious of reasons: it would hinder their ability to intercept signals. In this sense, the N.S.A.’s interests align with those of the hackers.

John Arquilla, who has taught since 1993 at the U.S. Naval Postgraduate School in Monterey, California, writes in his book “Worst Enemies,” “We would all be far better off if virtually all civil, commercial, governmental, and military internet and web traffic were strongly encrypted.” Instead, many of those charged with security have adopted the view that “cyberspace can be defended with virtual fortifications—basically the ‘firewalls’ that everyone knows about. . . . A kind of Maginot Line mentality prevails.”

Arquilla added that America’s intelligence agencies and law-enforcement officials have consistently resisted encryption because of fears that a serious, widespread effort to secure data would interfere with their ability to electronically monitor and track would-be criminals or international terrorists. This hasn’t stopped sophisticated wrongdoers from, say, hiring hackers or encrypting files; it just leaves the public exposed, Arquilla writes. “Today drug lords still enjoy secure internet and web communications, as do many in terror networks, while most Americans don’t.”

Ever since The Devil's Code came out (a fun read in lots of ways), I've been suspicious of the NSA. Yeah, it's "just a thriller" but Sandford makes a very compelling case. With just a few lines in a couple of places, he makes you wonder how much of what the NSA says Must Be Done is really nothing more than turf protection.

Remember the Clipper Chip? Yeah, that was them, too. In real life. Not to mention the missed signals of the 9/11 attack. Just sayin'.

So, whatever you may think of Hersh, I recommend giving his article a good long look. Do we know for sure about any of this stuff? Of course not. But there are lots of good questions to be asked, not least of which concerns the competence of the NSA, and Hersh does a good job raising them.

(h/t: KK | x-posted)
