how not to turn the web into a weapon
Wired’s Ryan Singel is wary of Michael McConnell’s sales pitch for cyber-weapon capabilities. According to his post on the Threat Level blog, some of the plans McConnell has proposed to the NSA could be used for a massive crackdown on the open internet and the kind of espionage many paranoid computer users feared as web access spread over the last two decades.
Now, everything with an operating system and internet access could be used to spy on you at any time and any place if the government thinks it has a problem with you, with all due thanks to McConnell and his employer, Booz Allen Hamilton. But while there’s some truth to the notion of having your computers and smart phones snitching on you when someone presses a key, making all this happen the way Singel details is a lot tougher than it sounds, and what he calls the open web can still fight back.
First off, we need to start with what a cyber war actually entails. Basically, it’s the use of specialized software to mine top secret data from other nations, lock down your targets’ crucial websites and infect crucial automated systems which control key nodes in infrastructure as a prelude to a bombing run. In a world which relies on a myriad of computer networks, being able to take those networks down within a few seconds is a major strategic advantage many countries want to have. So to sell his wares, McConnell decided to go on a scaremongering spree with the grim message of America’s seemingly inevitable loss on the digital battlefield without his help, something that doesn’t sit well with Singel, especially because what’s being advocated is technology to track down anyone of interest to the NSA much faster and easier than it can now…
The Washington Post gave McConnell space to declare that we’re losing some sort of cyberwar. He argues that the country needs to [adopt] a Cold War strategy, one complete with the online equivalent of ICBMs and Eisenhower-era, secret-codenamed projects. Google’s allegation that Chinese hackers infiltrated its Gmail servers and targeted Chinese dissidents proves the United States is “losing” the cyberwar, according to McConnell. [ … ]
[Cyberwar proponents will] point to Estonia, where a number of the government’s websites were rendered temporarily inaccessible by angry Russian citizens. They used a crude [and] remediable denial-of-service attack to temporarily keep users from viewing government websites. Some like to say this was an act of cyberwar, but if that was cyberwar, it’s pretty clear the net will be just fine. None of these examples demonstrate the existence of a cyberwar, let alone that we’re losing it.
And this is a very good point. The reality of the matter is that the United States isn’t actually losing a cyber war, but has been actively preparing for one, and some experts believe that its top hackers could wreak all sorts of havoc with their current arsenal. While certain infrastructure nodes are vulnerable to external threats, it simply isn’t true that the Air Force has been asleep at the wheel while China racks up a cyber army.
It’s also very disingenuous to point to Russian nationalists hacking websites and blogs they find so offensive or what happened in China with Google as evidence of an actual war. After all, the Chinese hackers tried to get into a number of e-mail accounts of Chinese dissidents rather than American defense execs while Russian cyber soldiers were crudely censoring foreigners whose opinions they didn’t like. There are real attempts to peek in on military secrets by adapting and improving common phishing and ID theft routines you could find in your spam folder at any moment. This kind of international espionage is a constant threat but just because there’s someone who needs to slap a “cyber war” label on it since e-mail is involved, it doesn’t become one.
There’s also a major problem with McConnell’s appeal to turning the internet into an on-demand geo-locator, one that should calm Singel’s fears. While cell phones have a GPS and your IP address could be used to get a fix on your approximate location (provided you didn’t mask it or alter it to hide yourself), all the data is stored on privately owned networks of the corporations that provide the services. To access this information, the NSA needs to get legal approval, and if a company refuses to cooperate, a judge has to be involved.
During a cyber attack by a professional team, chances are that the hackers are well shielded behind dummy IPs and have left their smart phones turned off somewhere far, far away from their war room. All the technologies McConnell pitches as vital in a cyber war aren’t going to work by magic and there will be plenty of ways to fool them, just like there are ways to fool existing methods of tracking someone on the web. This is why the open web would stay open for the foreseeable future. Figuring out where people are with a custom app looks cool in movies and helps to move the plot along, but it’s a real mess in the physical world.
Buying into hype from defense contractors out to tap into the nascent cyber warfare market would only give the DOD the ability to inaccurately track quite a few Facebook posts and web searches while those who could do serious damage hide from view. Even if the NSA manages to cajole wireless companies and ISPs into giving them a tap into their customer databases, their power is restricted to the U.S. while hooking up to a company in China to monitor potential threats would be met with a polite suggestion to forget it and go away.
Having to go through terabytes and terabytes of useless data from one country on a daily basis, or looking for one e-mail in a sea of tens of millions sent every hour, in search of a potential attacker who might be halfway around the world and who can’t be tracked until it’s too late due to the limits of the NSA’s reach and shielded IPs, is hardly what you’d call an efficient way to wage a cyber war. Tracking down would-be cyber soldiers and terrorists is a task that’s going to require real world resources, informants, agents, spies and police agencies working in concert, with all the nifty tracking gizmos and scripts being just one of many tools in their investigative arsenal.