Whether Syrian rebels hacked President Bashar al-Assad’s e-mails themselves or with the help of Western spy agencies or “hactivists”, the release of dozens of revealing messages points to a new era of information warfare (para. 1).
So begins an article in the Globe and Mail last month. The number of referents in this short passage really emphasizes the fact that we still don’t really know how to talk about things that happen in cyberspace. There are rebels, spy agencies, activists, hackers, and nation-states, all apparenty now considered key actors in warfare.
Umm… what frame are we using again? There are guerrila tactics, there’s espionage, protest, digital trespass with probable criminal damage, and covert military operations, all grouped together under the delightfully vague term of ‘information warfare’, which has been used to indicate everything from propaganda to shutting down the power grid.
So what actually happened? Members of Syria’s opposition ‘intercepted’ emails from President Bashar al-Assad’s office. Somehow these emails reveal “evidence of Iranian support for Syria’s crackdown… the spending of thousands of dollars on luxury items by Mr. Assad’s wife and details of his iTunes account and Internet video viewing habits” (para. 4).
There is no need for details about how this ‘interception’ occurred because it is understood that ‘hackers’ can just tap some keys and find out this kind of information through the magic of ‘the Internet’. However later on it is mentioned that “[t]he Syrian opposition say they were given details of the passwords by an internal regime source” (para. 12). It’s easy to ‘hack’ an email account when you’re given the password.
In this discussion, Wikileaks is mentioned in the same breath as Chinese censorship, and reference is made to suspected Chinese ‘hackers’ who used their coding know-how to… create a fake Facebook profile for NATO supreme commander Admiral James Stavridis, hoping to fool collegues into ‘friending’ and sharing top secret intel with them. Over Facebook.
Communications systems have long been a target in warfare, and misinformation and propaganda, or ‘strategic communication’ as they are increasingly called, are staples of conflicts. However the weaponizing of information that we see in this article is I think an indicator of something else. For some reason, because these things are occurring online, they somehow become completely new. We forget what it is we are talking about when things happen in cyberspace. So what should clearly be a case of espionage, with the resulting information being used as propaganda, is actually an instance of ‘hacktivism’ and ‘cyber warfare’, a “tool that could become increasingly popular” (para. 14), as if there is no historical precedent. In addition, so poor is the general understanding of how the machines which we spend so much of our lives hooked up to actually, technically, work, that we fall back on the use of buzzwords which change their meaning daily, and are almost universally inaccurate in describing the situations to which they are applied.
For some reason, the prefix ‘cyber’ is attached to all things that occur online, with little attention is given to the appended part of the term in arriving at a definition and appropriate usage. Cyber-terrorism, cyber-warfare, cyber-crime, cyber-espionage… they all seem to be used indiscriminately, despite the fact that we have fairly static definitions for what counts as terrorism, warfare, crime, and espionage, hammered out for jurisdictional certainty if nothing else. And yet, when they occur online, all this goes out the window. Never mind the fact that the definition of ‘cyber’ is completely amorphous, given the fact that it is usually assumed to refer to the Internet, which is itself a network of networks, and that there are many networks that are not connected to the Internet.
I suppose I shouldn’t be surprised by the confusion. Twenty years have passed since the fall of the Soviet Union and the end to the last clear national threat frame. It’s over a decade since the beginning of the amorphous ‘war on terror’ into which anyone and anything can be subsumed. Add to this ever-expanding threat frame a history of technophobia that can be traced from War of the Worlds through to War Games, The Matrix, and Die Hard 4.0, and you have a situation where the definition of cyber-anything can change as frequently as is convenient for the powers that be.
A bit of a political economic post today to balance the cultural bent of yesterday’s. I’m currently writing about the framing of the showdown that occurred two years ago between Google and China, when attacks on the digital infrastructure of Google and as many as 34 other major U.S. ICT organizations resulted, in a bizarre twist of logic, in Google’s refusal to continue censoring its search results in China, in the name of freedom. Google’s unhappy decision to abide by Chinese censorship laws, and the degree to which it did so, had long been a sticking point between the search engine and the Chinese government. However the cyberattacks were clearly an attempt at intellectual property theft, especially given the simultaneous intrusions at so many other companies. However in Google’s statement on the matter, it seemlessly combined the two issues, explaining that “These attacks and the surveillance they have uncovered–combined with attempts over the past year to limit free speech on the Web–have led us to conclude that we should review the feasibility of our business operations in China” (para. 8). While some speculated on the effect this would have on U.S.-China relations, the U.S. government jumped at the chance to push China on its censorship and human rights issues, emphasizing the need for a free and open internet. Of course this freedom benefits the U.S. as it opens up China to U.S. ideology.
The themes of national security, economic markets, and human rights are seemlessly blended together in the news coverage of the incident. The attack was against Google, targeting its digital infrastructure, so it should clearly be a business issue between Google and China (and the other victims of the attack), and not necessarily something that influences U.S. foreign policy. But Google’s motto is ‘do no evil’, and the email accounts of human rights activists were also targeted in the attacks. In addition, censorship has been a major bone of contention between Google and China, and it’s an issue which resonates with the American people and with the U.S. ideology of openness, democracy, and freedom. At the same time, there are longstanding issues of Chinese espionage in the U.S., with China trying to access U.S. companies’ trade secrets, as well as pirating U.S. products, so the targeting of Google’s intellectual property plus that of 34 other major companies could be seen as an issue of national economic security as much as it’s a problem for those specific companies.
So the issue is far more complex than “the Chinese hacked us so we’re not censoring their search results any more”. What made Google’s announcement significant is that U.S. companies face successfuland unsuccessful cyberattacks all the time, but no one talks about them because they fear the negative publicity it will bring, and the effects this may have on public confidence in their product, and subsiquently on their share prices. Google decided to risk that negative publicity in admitting that its infrastructure is not secure, because they had something bigger to gain. The attacks were a convenient excuse to challenge issues of censorship that have an economic as well as ideological impact. Google has always framed its decisions around censorship in moral terms, but there is also a strong economic incentive; China is one of the biggest online markets globally, and Google wanted access to it. If Google decided to walk away from this potentially lucrative market, then it must be for economic as much as moral reasons. In looking at Google’s historical position on censorship, we can see how these economic incentives have played out.
One of the first tests of Google’s stance on censorship was in 2004, when complaints were received over the top search results that were returned when the query ‘Jew’ was entered. An anti-Semitic site called ‘Jew Watch’ displaced Wikipedia as the top entry, as well as various Holocaust denier sites. The issue highlighted a central concern of Internet governance: jurisdiction online. Different nations have different approaches to hate speech; in the U.S., freedom of speech is enshrined in the constitution, and therefore all types of speech are protected, although there are exceptions for when such speech results in civil rights infringements, or enables terrorism. European countries on the other hand have much stronger laws around the restriction of hate speech, indicative of the stamp that the Holocaust has left on the continent (Geist, 2002). Jurisdictional issues are raised when websites hosted in the U.S. are accessible in Europe, and notably when these sites are made available to European countries through U.S.-based search engines. The common response from ISPs in such cases was usually to direct the complainant to the website owner. However this was challenged in one of the most famous early cyberlaw cases, wherein a French judge ordered Yahoo! to block access to Nazi memorabilia available in its auctions, and Yahoo! responded by suspending these auctions to appease the French court. As Michael Geist notes, “[a]lthough the decision raises issues pertaining to jurisdiction, the Internet’s technological underpinnings, and commercial free speech, at its core the case is about France seeking to apply its hate speech laws to Internet activity” (2002, p. 190).
In Google’s case, the censorship challenge in April of 2004 came from within the U.S., from the Anti-Defamation League. Google responded to complaints over its search results with the application of its mantra “don’t be evil”, which was generally determined by what founder Sergey Brin says is evil (Levy, 2011, p.273). Brin decided to stand by the purity of Google’s computer algorithms, stating that
[t]he beliefs of and preference of those who work at Google, as well as the opinions of the general public, do not determine or impact our search results… Google views the comprehensiveness of our search results as an extremely important priority. Accordingly, we do not remove a page from our search results simply because its content is unpopular or because we receive complaints concerning it. (in Vaidhyanathan, 2011, p. 65)
Concerned, however, that Google would be seen as endorsing these anti-Semitic views, the company provided its own ‘sponsored link’ to the search query, which explained how the algorithms could sometimes produce such disturbing results. Since then, however, this adherence to the purity of the algorithm has waned; Vidhyanathan points out that, despite this defense that the results were purely computer generated, similar results were not yielded when the German site Google.de was visited, indicating that the manipulation of search results was well within Google’s control, but it chose to intervene only in certain circumstances, to respect the laws of the nations within which it operates, and thus ensure its continued operation there. By 2007, Vidhyanathan notes that Google had changed its ‘explanation of our search results’ page so that search results were no longer “automatically” determined by computer algorithms, but rather the results “rely heavily” on these algorithms (2011, p. 66). The company’s preferred method of influencing results was to use “quality raters” to evaluate the search results, to determine whether the algorithms needed to be changed, and by 2009 registered Google users were able to add or delete sites from search results in order to improve this quality feedback loop (ibid).
Censorship in China
Google’s approach towards Chinese internet speech laws has been slightly different. Relations with the Chinese government began poorly. Google went into the national market with little political and cultural awareness, and no development of its relationship with the government, knowing only that this market was to big to ignore. It was a late arrival, with Yahoo! already having opened offices in Bejing by the time Google started offering search results in Chinese in 2000. The company’s name was also probelmatic for the Chinese market, as it sounded too much like “Gou-gou” meaning “dog-dog”, an unfortunate cultural faux-pas (Levy, 2011, p. 287). While Google did gain some popularity in China, it then became a target for the Great Firewall—the Chinese government’s censorship technology—and the search engine suddenly became inaccessible in 2002 (Levy, 2011). After the company hurriedly began diplomatic overtures towards the Chinese government, access was resumed. Two years later, the company still had not developed good relationships with the government, but was exploring the possibility of setting up an office in China, although obtaining a license to operate would mean restricting search results according to the government’s liking (ibid). When it finally launched in 2006, it used algorithms to produce the same censored results as competitors like Chinese search engine Baidu, and in a somewhat conciliatory gesture, posted a notice on the search results page indicating that it had been censored according to Chinese law (ibid).
Many Americans were unimpressed at this apparent shift away from Google’s “don’t be evil” motto, which provided critics with an easy target. At a hearing of the House Subcommittee on Human Rights and International Operations in 2006, congressman Tom Lantos—the only Holocaust survivor in Congress—lambasted representatives from Google, Cisco Systems, Microsoft, and Yahoo! for their various concessions to China, comparing these actions to the work of certain companies in aiding the Nazis (Nocera, 2006, para. 2). The New York Times covered the incident:
“Are you ashamed?” he thundered again in his thick Hungarian accent. Was Cisco ashamed of selling networking equipment to the Chinese police? Was Microsoft ashamed of taking down a blog because the government disapproved of its content? Was Yahoo ashamed of turning over data that led to the arrest and imprisonment of Shi Tao, a journalist who had used an anonymous Yahoo e-mail account to leak a government memo to the foreign media? Was Google — yes, “don’t be evil” Google — ashamed of setting up a Chinese search engine that filtered out Web sites that the government wanted blocked, sites that used such forbidden words as “democracy?”
Every time the companies tried to mouth the party line — that the Chinese people were better off for them being there than not; that under the terms of their license, they had no choice but to comply with Chinese law; that banned information had a way of leaking through the filters — Mr. Lantos cut them off. “Yes or no. Are you proud of it or ashamed of it?” he asked. There was, of course, no good answer to the question, so the four witnesses were left stumbling and stuttering their way through the humiliation. (Nocera, 2006, para. 3-4)
However despite Google’s attempts to appease the Chinese government, they still clashed repeatedly. In 2009 Google was accused of suggesting “obscene” results for the combination of terms like “mother” and “son”, leading to the temporary blocking of the search engine (Stone and Xin, 2010, p. 402). But there is a clear difference in the type of restrictions that are being placed on China’s internet in terms of their intentions. Chinese officials often use ‘obscene content’ as an excuse to shut down access, as outlined above. But when it comes to academic research and the need for access to information the government is keen to promote the country’s best interests. As Stone and Xin note, “realizing that innovation requires freedom to explore new ideas, censors are not deaf to pleas from the academic community. When researchers recently complained about some pages of the Massachusetts Institute of Technology’s Website being blocked, according to an official with the China Education and Research Network, a national academic network under the education ministry, access was restored” (ibid, p. 403). In simply blocking Google sites, researchers lose access to Gmail, Google Scholar, and Google Earth, but there are other sites such as PubMed that can compensate for this loss (ibid, p. 402).
The problem with Google is that “undesirable” or destabilizing content makes up the lion’s share of what it provides, and it’s also the content through which Google makes money; all that user-generated content, mostly in English, often from the U.S. or at least the West, the content that goes viral, content that depends on freedom of speech and the ability to express ideas that may run counter to government ideals. This is the content that the Chinese government doesn’t want, and that the academic/research community doesn’t necessarily need. Google therefore really doesn’t have much of a pull with the support of the Chinese government; Google doesn’t have the same kind of leverage that it does in the U.S. because the service it provides doesn’t have much obvious benefit to the Chinese government. Meanwhile the Chinese search engine Baidu is by far the most popular choice in China, and dominates the market, calling further into question the benefits of Google’s decision to stay and have its service be subject to the whims of the Chinese government.
However Google was lacking the leverage to resist Chinese government demands without U.S. backing. Comparing the Chinese case to that of South African apartheid in the 1970s, Nocera explains that a number of companies operating in South Africa began adopting voluntary antidiscrimination guidelines, but finally pulled out of the country altogether after Congress imposed economic sanctions (ibid, para. x). As Representative Smith of the Subcommittee on Human Rights and International Operations stated, while the voluntary measures were helpful, “what changed South Africa more than anything were the sanctions” (ibid, para. x).
To examine the reason for the unwillingness of the U.S. government to impose sanctions on China, even as it criticized companies who enabled Chinese oppression, a brief overview of the history of U.S. relations with China is necessary.
In the 1970s and 80s, some attempts were made to open up China to foreign trade and investment, however it wasn’t until the fall of the Soviet empire in 1991 that a concerted effort was made. The fall of Communism in Europe demonstrated that China must provide its people with a rising standard of living in order for the socialist government to secure its survival (Bremmer, 2010). In order to create this economic growth China needed access to the consumer markets of the U.S., the E.U., and Japan; developing trade relationships with the more volatile states in Africa, Asia, and the Middle East was seen to be too great a risk. China provided low cost labour for U.S. companies, and learned from U.S. management and marketing techniques as well as new technologies, while the U.S. targeted the market of China’s growing middle class (ibid).
However in recent years there has been a pushback from China against what it sees as Washington’s interference in its affairs, resulting from a change in thinking about the benefits of its partnership with the U.S. China recovered quickly from the recent financial crisis, whereas the U.S. did not, highlighting the success of China’s economic model and the fact that it may not actually need the U.S. The impact of the financial crisis on the U.S. also resulted in the loss of jobs within China as factories producing goods for export were forced to close, indicating that the U.S. may in fact be a liability for the Chinese economy, and prompting the Chinese government to shift its focus and concentrate on catering to consumer markets at home (ibid). As a result, “the Chinese leadership no longer believes that American power is as indispensable as it once was for either China’s economic expansion or the Communist party’s political survival” (ibid, para. 4). Bremmer suggests that the developing conflict between China and the U.S. is more dangerous than the Cold War, as “[e]conomic decision-making in Moscow had little impact on western power or standards of living. But globalisation means there is no equivalent to the Berlin wall, insulating China and American from turmoil inside the other” (ibid, para. 7).
Therefore the attacks on Google’s infrastructure and the renewed tensions between China and the search engine giant must be understood in the context of larger geopolitical and economic shifts. Bremmer suggests that cyber-espionage (stealing information to enable technological advancement, as in the Google case) has long been a tactic of China towards U.S. organizations. In addition, technology companies in the U.S. and Europe “charge that China’s policy of favouring products made with domestically created intellectual property proves that Beijing is no longer even pretending to observe international intellectual property rules” (ibid, para. 18).
The conflict between Google and China over these cyber-attacks cannot be understood simply as an issue of censorship, or persecution of dissidents, although framing the conflict in this way allows Google to stand by its motto of ‘do no evil’, and the U.S. to challenge Chinese policies through its position as self-proclaimed defender of the free world. However it is clear that these efforts align with economic goals, as China’s attempts at reducing its dependance on U.S. companies and instead promoting Chinese organizations are reflected in its preference for Chinese search engine Baidu, Google’s main Chinese rival.
Bremmer (2010, March 22). “China vs America: fight of the century” in Prospect Magazine, Issue 169
Levy (2011). In the Plex: How Google thinks, works, and shapes our lives. Simon and Schuster
Geist (2002) Internet Lawin Canada. 3rd Edition, Ontario: Captus Press
Nocera (2006, February 18). “Enough Shame to Go Around on China” in New York Times
I’m working on a paper for a conference at U of T next Summer. I think it’ll be useful in helping me develop the surveillance/privacy aspect of my thesis, as most of my work thus far has focused on the security and risks/threats side and only really touched on surveillance. Coming from a cybersecurity perspective, I’ll look at the technical and legal possibilities for surveillance versus the popular conception of what the government/NSA are allowed to do and what is technically possible.
In popular culture, from 1983 and the release of War Games or 1984’s Neuromancer by William Gibson, the popular understanding of computers- and especially networked computers- has been that they can be manipulated by anyone with the requisite skills into doing almost anything, even accidentally starting nuclear war. Written in an era of intense insecurity and doubt, especially with regards to technology, the imprint of the Cold War is clear in these popular imaginaries. More recently, in an equally strong climate of fear, season 7 of the TV show 24 showed terrorists hacking into the air traffic control network in a display marrying the intense fear of terrorism centred around the hijacking of commercial flights on 9/11, with the growing uneasiness around these technological devices that we are so dependent on but don’t really understand. The most recent Die Hard movie, Live Free or Die Hard, took this uneasiness further, suggesting that hackers could take over the transportation system, air traffic control, phone and television networks, the power grid, the computer system at the FBI… anything run by a computer was potentially at risk, or was a threat.
More worryingly, however, is the message that comes from mainstream media, following a similar line. CNN in collaboration with the DHS earlier this year released footage of an experiment carried out on a generator like those operating the electrical power grid. The experiment was to show how easily an experienced hacker could break into the computers operating the generator, and not just shut it down, but blow it up. (The insider knowledge required to complete such a feat was not mentioned; nor was the fact that the hacking had occurred on a software program similar to the SCADA software operating the real grid.) The fear that there could be physical repercussions for acts carried out in cyberspace is not a new one, Weekly World News Ran this story in 2000:
Weekly World News is known for its outlandish cover stories which often verged on the satirical, however satire is based on reality. The actually alarming thing is that this rhetoric which was once restricted to sci fi movies and tabloids is now the fodder of mainstream newscasters such as CNN, who also recently ran a two hour special “focumentary”, Cyber Shock Wave, in which a situation room made up of current and former government officials attempted to formulate a strategy to deal with the catastrophic effects caused by a cyberattack. Richard Grusin describes this onslaught of cyber-fear mongering as part of a strategy of “premediation”, through which the media reports on potential threats with such detail and immediacy as to keep viewers in a constant state of low-level fear, and thus prepare the nation to face any threat that might occur in the future, rather than being surprised by the unthinkable in the manner of the 9/11 attacks. Grusin provides an interesting breakdown of this strategy at work in Cyber Shock Wave in his blog here.
Perhaps more alarmingly, while some strategists and members of the military and intelligence communities have been worrying about cyber attacks for some time, the hype and rhetoric involved is in some cases beginning to approximate that of CNN. Richard A. Clarke, counter terrorism and cybersecurity adviser for the Bush Sr., Clinton, and Bush Jr. administrations recently published a book warning of the perils of cyberterrorism and cyberwar which sounds at times as if it has borrowed great chunks from Die Hard 4.0; all that’s missing is a battered and bleeding John Maclean (but others are battered an bleeding in his place, as a result of the explosions triggered at oil refineries, chlorine gas released from chemical plants, the disabling of air traffic control, trains crashing into each other, and the entire country being plunged into darkness). For a more detailed review of Clarke’s book, visit Wired Magazine’s article “Richard Clarke’s Cyberwar File Under Fiction”.
However his book is not without merit. He offers a breakdown of the potential threats and various administrations’ and military and intelligence organizations’ reactions to these threats with a clarity and detail afforded by an insider. And his analysis of the threats is often quite reasonable and grounded- he presents the issues and potential solutions clearly and assesses them logically. However once he has done away with the workable potential for any limited solution, his alternative suggestions are so extreme that they would seem more fitting to the tightly regulated regime of China rather than the hands-off, limited big government ethos favored by Americans. In fact in describing the Great Firewall of China, he explains how China is in a much better position defensively due to the level of control is has over its networks, sounding somewhat envious of this level of regulation. Objectively this is probably true, but is he advocating such a controlling system for the US? It would seem so, as later on he promotes the idea of using deep packet inspection on Internet backbone ISPs (as an alternative to the apparently distasteful idea of using real incentives to force industry to regulate itself). While championing the American ethos of non-regulation of industry, he seems happy to do away with privacy rights as an alternative. Rather than promoting education and using stronger incentives to encourage industry to regulate itself, he would rather that we lock the Internet down as the safest and most fool-proof solution. He claims that “our nation’s strong belief in privacy rights and civil liberties is not incompatible with what we need to do to defend our cyberspace” (2010, P162). The people just need to trust in their government and intelligence organizations that this surveillance is not being misused, but is only used to protect. That’s a big ask considering, among other things, the recent warrentless wiretapping scandal over the NSA.
These are this issues I hope to explore in my paper. The public perception, the hype, the premediation, and in this context the strategies being pushed by the administration and their potential impact on privacy and civil liberties. Surveillence mechanisms and proposals to review will include the Einstein programs, Perfect Citizen, and, briefly, Echelon, as well as getting into some of the legal and jurisdictional issues.
I recently wrote a paper on the development of U.S. cyberpolicy in which I noted an interesting shift in the rhetoric being employed from one of anti-terrorism in the Bush Administration’s National Strategy to Secure Cyberspace, to Cold War rhetoric in the Obama Administration’s Cyberspace Policy Review. This shift seemed to be in line with recent assertions that the U.S. is engaging in a cyber arms race. An obvious reason for this emphasis on an increase in cyber capabilities is so as to be able to use the strategy of deterrence so popular in the Cold War. This would then imply that the Obama administration has abandoned the Bush Doctrine of pre-emptive attack, and was returning to a superpower-centric vision of world order. However the reason the the Bush Doctrine was taken on in the first place was due to the changing nature of global power; a stalemate had developed precipitated by the unwillingness of nations to initiate nuclear war; the Soviet Union had collapsed and Russia was now an ally of the States; and 9/11 demonstrated that perhaps the greatest threat to national security could come from unpredictable and perhaps irrational non-state actors who were not averse to risks and did not want to maintain the status quo. Cold War-style deterrence only works against an adversary who has something to lose. Pre-emptive action was therefore the safest alternative, striking in ‘anticipatory self-defence’ before the adversary can strike you.
A preemptive cyber-strike makes no sense for several reasons: firstly, the aim of a pre-emptive strike is for the superior power to thwart an imminent attack by a growing power before this power reaches its fully potential an attack capabilities. However in the case of cyber capabilities, the U.S. is not the strongest power- China is far more developed. Secondly, attribution is a very difficult issue in cyberattacks; it is easier to attribute blame through political motivation than through examining the cyber trail. Therefore it is difficult to pre-empt an attack when it is not clear even after the fact where it might have originated from or to what ends. Even if this could be ascertained, the likelihood of the attackers being state-sponsored or even working independently so as to allow plausible deniability, makes any kind of national response difficult. And finally, a full-scale debilitating cyber attack is unlikely to occur by itself; this would not disable the ability of an enemy to retaliate. It would mostly likely occur in one of two scenarios: in conjunction with a kinetic attack, with the aim of confusing communication and computer-based military functions enough that they would not be able to respond to a physical attack; or it would be used discretely as a form of espionage, in which case a physical retaliatory attack would be excessive, and a similar cyberattack may not currently be within U.S. cyber capabilities.
Therefore a strategy of deterrence would seem to be the best option, building up the U.S.’s cyber capabilities so that no one will challenge them. However the U.S. is already far behind China, and not in a position to deter anyone. If anything it is China who is leading in the cyberspace race. Therefore, it would seem that the U.S. is adopting a strategy of straight-up defense, in the hope of detecting and minimising the damage of a cyberattack, until its capabilities are developed enough to match that of China. The Obama Administration may be using Cold War rhetoric to inspire a sense of urgency and competition in its citizens, to arm against an attack from China, but this is not a cyber arms race in the way this rhetoric would have us understand it. It is more a race to catch up.