Sunday 7 February 2010

Can we stop the cyber arms race?

In a speech recently on ‘Internet freedom’, Secretary of State Hillary Clinton decried the cyberattacks that threaten US economic and national security interests. ‘Countries or individuals that engage in cyber attacks should face consequences and international condemnation,’ she warned, alluding to the China-Google kerfuffle. We should ‘create norms of behaviour among states and encourage respect for the global networked commons’. Perhaps so. But the problem with Mrs Clinton’s call for accountability and norms on the global network is the enormous array of cyberattacks originating from the US. Until we acknowledge these attacks and signal how we might control them, we cannot make progress on preventing cyberattacks emanating from other countries.

2 comments:

Guanyu said...

Can we stop the cyber arms race?

By JACK GOLDSMITH
04 February 2010

In a speech recently on ‘Internet freedom’, Secretary of State Hillary Clinton decried the cyberattacks that threaten US economic and national security interests. ‘Countries or individuals that engage in cyber attacks should face consequences and international condemnation,’ she warned, alluding to the China-Google kerfuffle. We should ‘create norms of behaviour among states and encourage respect for the global networked commons’. Perhaps so. But the problem with Mrs Clinton’s call for accountability and norms on the global network is the enormous array of cyberattacks originating from the US. Until we acknowledge these attacks and signal how we might control them, we cannot make progress on preventing cyberattacks emanating from other countries.

An important weapon in the cyberattack arsenal is a botnet, a cluster of thousands and sometimes millions of compromised computers under the ultimate remote control of a ‘master’. Botnets were behind last summer’s attack on South Korean and American government websites, as well as prominent attacks a few years ago on Estonian and Georgian sites. They are also engines of spam that can deliver destructive malware that enables economic espionage or theft.

The US has the most, or nearly the most, infected botnet computers and is thus the country from which a good chunk of botnet attacks stem. The government could crack down on botnets, but doing so would raise the cost of software or Internet access and would be controversial. So it has not acted, and the number of dangerous botnet attacks from America grows.

The US is also a leading source of ‘hacktivists’ who use digital tools to fight oppressive regimes. Scores of individuals and groups in the US design or employ computer payloads to attack government websites, computer systems and censoring tools in Iran and China. These efforts are often supported by US foundations and universities, and by the federal government. Mrs Clinton boasted about this support seven paragraphs after complaining about cyberattacks.

Finally, the US government has perhaps the world’s most powerful and sophisticated offensive cyberattack capability. This capability remains highly classified. But The New York Times has reported that the Bush administration used cyberattacks on insurgent cellphones and computers in Iraq, and that it approved a plan for attacks on computers related to Iran’s nuclear weapons programme. And the government is surely doing much more. ‘We have US warriors in cyberspace that are deployed overseas’ and ‘live in adversary networks’, says Bob Gourley, the former chief technology officer for the Defense Intelligence Agency.

These warriors are now under the command of Keith Alexander, director of the National Security Agency. The NSA, the world’s most powerful signals intelligence organisation, is also in the business of breaking into and extracting data from offshore enemy computer systems and of engaging in computer attacks that, in the NSA’s words, ‘disrupt, deny, degrade, or destroy the information’ found in these systems. When the Obama administration created ‘cyber command’ last year to coordinate US offensive cyber capabilities, it nominated Lt-Gen Alexander to be in charge. Simply put, the US is in a big way doing the very things that Mrs Clinton criticised. We are not, like the Chinese, stealing intellectual property from US firms or breaking into the accounts of democracy advocates. But we are aggressively using the same or similar computer techniques for ends that we deem worthy. Our potent offensive cyber operations matter for reasons beyond the hypocrisy inherent in undifferentiated condemnation of cyberattacks.

Even if we could stop all cyberattacks from our soil, we wouldn’t want to. On the private side, hacktivism can be a tool of liberation. On the public side, the best defence of critical computer systems is sometimes a good offence.

Guanyu said...

Our adversaries are aware of our prodigious and growing offensive cyber capacities and exploits. In a survey published last Thursday by the security firm McAfee, more information technology experts from critical infrastructure firms around the world expressed concern about the US as a source of computer network attacks than about any other country. This awareness, along with our vulnerability to cyberattacks, fuels a dangerous public and private cyber arms race in an arena where the offence already has a natural advantage.

Everyone agrees on the need to curb this race by creating proper norms of network behaviour. But like Mrs Clinton, US cybersecurity policymakers are in the habit of thinking too much about those who attack us and too little about our attacks on others. Creating norms to curb cyberattacks is difficult enough because the attackers’ identities are hard to ascertain. But another large hurdle is the federal government’s refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries. -- LAT-WP

The writer teaches at Harvard Law School and is on the Hoover Institution’s Task Force on National Security and Law. He was a member of a 2009 National Academies committee that issued the report ‘Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities’.