So what is this cyber-thing anyway?

Whether Syrian rebels hacked President Bashar al-Assad’s e-mails themselves or with the help of Western spy agencies or “hactivists”, the release of dozens of revealing messages points to a new era of information warfare (para. 1).

So begins an article in the Globe and Mail last month. The number of referents in this short passage really emphasizes the fact that we still don’t really know how to talk about things that happen in cyberspace. There are rebels, spy agencies, activists, hackers, and nation-states, all apparenty now considered key actors in warfare.

Umm… what frame are we using again? There are guerrila tactics, there’s espionage, protest, digital trespass with probable criminal damage, and covert military operations, all grouped together under the delightfully vague term of ‘information warfare’, which has been used to indicate everything from propaganda to shutting down the power grid.

So what actually happened? Members of Syria’s opposition ‘intercepted’ emails from President Bashar al-Assad’s office. Somehow these emails reveal “evidence of Iranian support for Syria’s crackdown… the spending of thousands of dollars on luxury items by Mr. Assad’s wife and details of his iTunes account and Internet video viewing habits” (para. 4).

There is no need for details about how this ‘interception’ occurred because it is understood that ‘hackers’ can just tap some keys and find out this kind of information through the magic of ‘the Internet’. However later on it is mentioned that “[t]he Syrian opposition say they were given details of the passwords by an internal regime source” (para. 12). It’s easy to ‘hack’ an email account when you’re given the password.

In this discussion, Wikileaks is mentioned in the same breath as Chinese censorship, and reference is made to suspected Chinese ‘hackers’ who used their coding know-how to… create a fake Facebook profile for NATO supreme commander Admiral James Stavridis, hoping to fool collegues into ‘friending’ and sharing top secret intel with them. Over Facebook.

Communications systems have long been a target in warfare, and misinformation and propaganda, or ‘strategic communication’ as they are increasingly called, are staples of conflicts. However the weaponizing of information that we see in this article is I think an indicator of something else. For some reason, because these things are occurring online, they somehow become completely new. We forget what it is we are talking about when things happen in cyberspace. So what should clearly be a case of espionage, with the resulting information being used as propaganda, is actually an instance of ‘hacktivism’ and ‘cyber warfare’, a “tool that could become increasingly popular” (para. 14), as if there is no historical precedent. In addition, so poor is the general understanding of how the machines which we spend so much of our lives hooked up to actually, technically, work, that we fall back on the use of buzzwords which change their meaning daily, and are almost universally inaccurate in describing the situations to which they are applied.

For some reason, the prefix ‘cyber’ is attached to all things that occur online, with little attention is given to the appended part of the term in arriving at a definition and appropriate usage. Cyber-terrorism, cyber-warfare, cyber-crime, cyber-espionage… they all seem to be used indiscriminately, despite the fact that we have fairly static definitions for what counts as terrorism, warfare, crime, and espionage, hammered out for jurisdictional certainty if nothing else. And yet, when they occur online, all this goes out the window. Never mind the fact that the definition of ‘cyber’ is completely amorphous, given the fact that it is usually assumed to refer to the Internet, which is itself a network of networks, and that there are many networks that are not connected to the Internet.

I suppose I shouldn’t be surprised by the confusion. Twenty years have passed since the fall of the Soviet Union and the end to the last clear national threat frame. It’s over a decade since the beginning of the amorphous ‘war on terror’ into which anyone and anything can be subsumed. Add to this ever-expanding threat frame a history of technophobia that can be traced from War of the Worlds through to War Games, The Matrix, and Die Hard 4.0, and you have a situation where the  definition of cyber-anything can change as frequently as is convenient for the powers that be.

Advertisements

Cyber-Surveillance in Everyday Life

I’m working on a paper for a conference at U of T next Summer. I think it’ll be useful in helping me develop the surveillance/privacy aspect of my thesis, as most of my work thus far has focused on the security and risks/threats side and only really touched on surveillance. Coming from a cybersecurity perspective, I’ll look at the technical and legal possibilities for surveillance versus the popular conception of what the government/NSA are allowed to do and what is technically possible.

How about a nice game of chess?

In popular culture, from 1983 and the release of War Games or 1984’s Neuromancer by William Gibson, the popular understanding of computers- and especially networked computers- has been that they can be manipulated by anyone with the requisite skills into doing almost anything, even accidentally starting nuclear war. Written in an era of intense insecurity and doubt, especially with regards to technology, the imprint of the Cold War is clear in these popular imaginaries. More recently, in an equally strong climate of fear, season 7 of the TV show 24 showed terrorists hacking into the air traffic control network in a display marrying the intense fear of terrorism centred around the hijacking of commercial flights on 9/11, with the growing uneasiness around these technological devices that we are so dependent on but don’t really understand. The most recent Die Hard movie, Live Free or Die Hard, took this uneasiness further, suggesting that hackers could take over the transportation system, air traffic control, phone and television networks, the power grid, the computer system at the FBI… anything run by a computer was potentially at risk, or was a threat.

Yes, that’s a car flying into a helecopter. Pretty standard fair during cybarmaggedon.

More worryingly, however, is the message that comes from mainstream media, following a similar line. CNN in collaboration with the DHS earlier this year released footage of an experiment carried out on a generator like those operating the electrical power grid. The experiment was to show how easily an experienced hacker could break into the computers operating the generator, and not just shut it down, but blow it up. (The insider knowledge required to complete such a feat was not mentioned; nor was the fact that the hacking had occurred on a software program similar to the SCADA software operating the real grid.) The fear that there could be physical repercussions for acts carried out in cyberspace is not a new one, Weekly World News Ran this story in 2000:

Weekly World News is known for its outlandish cover stories which often verged on the satirical, however satire is based on reality. The actually alarming thing is that this rhetoric which was once restricted to sci fi movies and tabloids is now the fodder of mainstream newscasters such as CNN, who also recently ran a two hour special “focumentary”, Cyber Shock Wave, in which a situation room made up of current and former government officials attempted to formulate a strategy to deal with the catastrophic effects caused by a cyberattack. Richard Grusin describes this onslaught of cyber-fear mongering as part of a strategy of “premediation”, through which the media reports on potential threats with such detail and immediacy as to keep viewers in a constant state of low-level fear, and thus prepare the nation to face any threat that might occur in the future, rather than being surprised by the unthinkable in the manner of the 9/11 attacks. Grusin provides an interesting breakdown of this strategy at work in Cyber Shock Wave in his blog here.

Perhaps more alarmingly, while some strategists and members of the military and intelligence communities have been worrying about cyber attacks for some time, the hype and rhetoric involved is in some cases beginning to approximate that of CNN. Richard A. Clarke, counter terrorism and cybersecurity adviser for the Bush Sr., Clinton, and Bush Jr. administrations recently published a book warning of the perils of cyberterrorism and cyberwar which sounds at times as if it has borrowed great chunks from Die Hard 4.0; all that’s missing is a battered and bleeding John Maclean (but others are battered an bleeding in his place, as a result of the explosions triggered at oil refineries, chlorine gas released from chemical plants, the disabling of air traffic control, trains crashing into each other, and the entire country being plunged into darkness). For a more detailed review of Clarke’s book, visit Wired Magazine’s article “Richard Clarke’s Cyberwar File Under Fiction”.

However his book is not without merit. He offers a breakdown of the potential threats and various administrations’ and military and intelligence organizations’ reactions to these threats with a clarity and detail afforded by an insider. And his analysis of the threats is often quite reasonable and grounded- he presents the issues and potential solutions clearly and assesses them logically. However once he has done away with the workable potential for any limited solution, his alternative suggestions are so extreme that they would seem more fitting to the tightly regulated regime of China rather than the hands-off, limited big government ethos favored by Americans. In fact in describing the Great Firewall of China, he explains how China is in a much better position defensively due to the level of control is has over its networks, sounding somewhat envious of this level of regulation. Objectively this is probably true, but is he advocating such a controlling system for the US? It would seem so, as later on he promotes the idea of using deep packet inspection on Internet backbone ISPs (as an alternative to the apparently distasteful idea of using real incentives to force industry to regulate itself). While championing the American ethos of non-regulation of industry, he seems happy to do away with privacy rights as an alternative. Rather than promoting education and using stronger incentives to encourage industry to regulate itself, he would rather that we lock the Internet down as the safest and most fool-proof solution. He claims that “our nation’s strong belief in privacy rights and civil liberties is not incompatible with what we need to do to defend our cyberspace” (2010, P162). The people just need to trust in their government and intelligence organizations that this surveillance is not being misused, but is only used to protect. That’s a big ask considering, among other things, the recent warrentless wiretapping scandal over the NSA.

These are this issues I hope to explore in my paper. The public perception, the hype, the premediation, and in this context the strategies being pushed by the administration and their potential impact on privacy and civil liberties. Surveillence mechanisms and proposals to review will include the Einstein programs, Perfect Citizen, and, briefly, Echelon, as well as getting into some of the legal and jurisdictional issues.

Cyberdefence: Deterrence vs Pre-emptive Strategies

Deterrence

I recently wrote a paper on the development of U.S. cyberpolicy in which I noted an interesting shift in the rhetoric being employed from one of anti-terrorism in the Bush Administration’s National Strategy to Secure Cyberspace, to Cold War rhetoric in the Obama Administration’s Cyberspace Policy Review. This shift seemed to be in line with recent assertions that the U.S. is engaging in a cyber arms race. An obvious reason for this emphasis on an increase in cyber capabilities is so as to be able to use the strategy of deterrence so popular in the Cold War. This would then imply that the Obama administration has abandoned the Bush Doctrine of pre-emptive attack, and was returning to a superpower-centric vision of world order. However the reason the the Bush Doctrine was taken on in the first place was due to the changing nature of global power; a stalemate had developed precipitated by the unwillingness of nations to initiate nuclear war; the Soviet Union had collapsed and Russia was now an ally of the States; and 9/11 demonstrated that perhaps the greatest threat to national security could come from unpredictable and perhaps irrational non-state actors who were not averse to risks and did not want to maintain the status quo. Cold War-style deterrence only works against an adversary who has something to lose. Pre-emptive action was therefore the safest alternative, striking in ‘anticipatory self-defence’ before the adversary can strike you.

A preemptive cyber-strike makes no sense for several reasons: firstly, the aim of a pre-emptive strike is for the superior power to thwart an imminent attack by a growing power before this power reaches its fully potential an attack capabilities. However in the case of cyber capabilities, the U.S. is not the strongest power- China is far more developed. Secondly, attribution is a very difficult issue in cyberattacks; it is easier to attribute blame through political motivation than through examining the cyber trail. Therefore it is difficult to pre-empt an attack when it is not clear even after the fact where it might have originated from or to what ends. Even if this could be ascertained, the likelihood of the attackers being state-sponsored or even working independently so as to allow plausible deniability, makes any kind of national response difficult. And finally, a full-scale debilitating cyber attack is unlikely to occur by itself; this would not disable the ability of an enemy to retaliate. It would mostly likely occur in one of two scenarios: in conjunction with a kinetic attack, with the aim of confusing communication and computer-based military functions enough that they would not be able to respond to a physical attack; or it would be used discretely as a form of espionage, in which case a physical retaliatory attack would be excessive, and a similar cyberattack may not currently be within U.S. cyber capabilities.

Therefore a strategy of deterrence would seem to be the best option, building up the U.S.’s cyber capabilities so that no one will challenge them. However the U.S. is already far behind China, and not in a position to deter anyone. If anything it is China who is leading in the cyberspace race. Therefore, it would seem that the U.S. is adopting a strategy of straight-up defense, in the hope of detecting and minimising the damage of a cyberattack, until its capabilities are developed enough to match that of China. The Obama Administration may be using Cold War rhetoric to inspire a sense of urgency and competition in its citizens, to arm against an attack from China, but this is not a cyber arms race in the way this rhetoric would have us understand it. It is more a race to catch up.

Ender’s Game

Woo embedded pictures! Now I have set myself the task of finding an appropriate pictoral representation for every post. More hours of procrastination!

Well I finished Ender’s Game a week or so ago- I fairly raced through it, it was an easy read and well-written too. Lagging slightly towards the end in the post-climax cleanup. Necessary though- I didn’t feel like it was just wrap up or filler, Card was still bringing in new ideas and further developing the plot even in the wrap-up chapter.

I find it bizarre that, according to Peter Singer in Wired for War, Ender’s Game is on the Marine Corps Commandant’s required reading list.

Some intitial scattered thoughts of elements which the book might be intended to encourage/instill in its military readers:

Paternalism- Graff. Father knows best, worry for the boy. It is impossible to dislike Graff because even though his methods and overall aims (extermination of the buggers) are disagreeable, he is a father figure to Ender and always has his best interests at heart. A message that is delivered with the subtlety of a frying pan to the head and the end of the book when Ender realises what Graff has been doing. We should all just put our trust in our military fathers and unquestioningly let them do whatever they think best to keep us safe.

Heroism- Ender always volunteers, self-sacrifice, hardship to make better person. Could there be a more ideal soldier?

Camaraderie- family, respect, support- all the positive things we always hear about the military

Aside from that, I thought that the provocation towards distrust of military leaders prompted by the implication that the buggers are not real and are just used as a method of control was really interesting in a book that is required reading in the marine corps. The need to fear something in order to hold alliances together is what kept the world functioning throughout the Cold War. And then there’s the need to justify military spending… It’s a veritable roadmap for Bush’s War of Terror, and every other overhyped immenant danger since we lost the USSR as a focus of threat and fear.

I also found this blog post which I though illustrated similar themes of the good of the many vs the good of the few, and the need to trust the good intentions of our benevolent commanders, as analyzed through Star Trek and Battlestar Galactica.

Actually, I’m surprised this isn’t required reading for all elements of the military. It is surely the militaristic dream of total control in safe, sanitized warfare. The informationalization of war is not a new concept- RAND’s John Arquilla and David Ronfeldt take their definition of ‘cyberwar’ from an interpretation of the Mongols’ strategy in wargfare, in which superior communications and military intelligence, speed, awareness of the enemy’s tactics, and propaganda or psychological operations secured Mongol victories against armies that were far greater in number. Arquilla and Ronfeldt find similar evidence for the effectiveness of the strategy of information-dominance in the German Blitzkreig doctrine of World War 2 (Arquilla and Ronfeldt, 1997, P38). Information has always been power, especially in the battlefield, and surely the only desire for a military officer greater than the wish to cut through the Fog of War is the desire for a war with minimal bloodshed.

Ender’s Game surely expresses the ideal in warfare- completely sanitized battles which rely on highly developed combat skills, strategies and tactics, in a setting safe enough even for children to become soldiers. No one is hurt (no one in the human camp anyway), no blood is visably spilled, no soldiers get post traumatic stress- they don’t even know they’re doing any killing. It’s the military dream- pure informational separation. And in reality we’re not far off. Ender’s Game was written in 1985. In 1992 John Arnett in one of the earlier uses of the term ‘cyberwar’ described the massive data gathering  project that was the legacy of the Cold War, and the development of robots and drones which we could send into these carefully mapped areas, operated by soldiers safely behind the scenes. “These technologies allow for the progressive separation of man and machine, as ‘autonomous’ weapons such as smart bombs, and planes that do not need pilots are developed, and vast amounts of data are collected from the field by sensors and processed by computers, meaning that humans are increasingly reliant on the interpretation provided by these computers as humans do not have the capacity to process such volumes of data themselves” (Arnett, 1992 P15). Now these drones are in regular use, directed by kids at CIA headquarters in the US, who drop bombs and destroy entire villages in Afghanistan, Pakistan, Iraq, with the same kind of distancing effect as a video game. It’s not quite Ender’s Game, but it’s pretty darn close.

However despite these advancements, the dream remains illusive. As Chris Hables Gray explains in Peace, War, and Computers, “[a]s for perfect security, we know today that there will be no such thing no matter what the [Revolution in Military Affairs], for three fundamental reasons: the fog of war, the limits of information technology, and the postmodern war system.” [2004, P29] There will always be uncertainties in war; there is no such thing as total information awareness (despite DARPA’s best efforts!). And technology fails; it is imperfect. Drones cannot accurately identify targets to the same degree that soldiers can, and accidents are inevitable. And add to that: the very nature of war is changing. Gray calls in ‘postmodern war’.

He explains, “[w]ith World War II, war became global, battle became continuous, and weapons becomes absolute. Atomic bombs made it clear that modern war’s main assumption, for the political utility of total war, no longer held. Yet, most of the modern war system remains in place: the military-industrial complex, the military modernization of technoscience, and the assumption that war is still the most effective political tool available to policy makers. Hence, postmodern war.” (Gray, 2004, P24)

Hannah Arendt identified this paradox of postmodern war in her assessment of the changing nature of war since the creation of nuclear weapons: “The third fact seems to indicate a radical change in the very nature of war through the introduction of the deterrent as the guiding principle in the armament race. For it is indeed true that the strategy of deterrence ‘aims in effect at avoiding rather than winning the war it pretends to be preparing. It tends to achieve its goals by a menace which is never put into execution rather than by the act itself.’… the point of the matter is that today the avoidance of war is not only the true or pretend goal of an over-all policy but has become the guiding principle of the military preparations themselves. In other words, the military are no longer preparing for a war which the statesmen hope will never break out; their own goal has become to develop weapons that will make a war impossible.” (1963, P6)

This benefits everyone; it allows for the continuation of huge volumes of military spending- in fact it necessitates it because your army/weaponry/technology must be superior to all other. At the same time it avoids war itself which would be destabilizing and potentially lost. Even if the war was won, the government may not come out of it looking good due to the loss of life on the opposing side. And for what? How was the war justified? It is a precarious media campaign that no one wants to have to deal with.

The military used to be the organization that dealt with war, and it was separate from civilian life and the way it was governed. WW1 and 2 changed that, with civilians becoming targets in an indiscriminate war. Since the horrors of industrial warfare and the destructive power of nuclear weapons, we have been moving steadily away from war involving civilians, towards a sanitized, safe, secure version of war in which not even soldiers are killed. The Cold War was all about deterrence, to ensure that nuclear weaponry could not be used. Now we are moving towards cyberwars that use robots and drones rather than soldiers, and potentially that use only computers.