Radical Instrument

IT is changing the exercise of power. Radical Instrument is picking up the signals.

Posts Tagged ‘cybersecurity’

“I want to find a way to work within the Chinese system…”


The quote is from Google’s Sergey Brin – and the (admittedly dated) link is here. The back-tracking begs a better PR strategy:

Mr. Brin said he didn’t think the question of whether the Chinese government was behind the intrusions was significant because the government is made up of so many people. “If there were a Chinese agent, it might represent a fragment of policy,” he said.

Right. What exactly is Google’s algorithm for this? The significance of the question of government sponsorship of cyber-espionage is the inverse of the size of the government potentially involved?

By this logic, an intrusion sponsored by my local city government = significant question for Google.

Written by Mark

February 15, 2010 at 10:24 pm

Ending the “conspiracy of secrecy” in cybersecurity


The excellent James Fallows has an article in the March issue of the Atlantic on the cybersecurity threat posed by China:

As a matter of domestic U.S. politics, McConnell argues that we now suffer from a conspiracy of secrecy about the scale of cyber risks. … While trying to build bridges to the military, McConnell and others recommend that the U.S. work with China on international efforts to secure data networks, comparable to the Chinese role in dealing with the world financial crisis. “You could have the model of the International Civil Aviation Organization,” James Lewis said, “a body that can reduce risks for everyone by imposing common standards. It’s moving from the Wild West to the rule of law.” Why would the Chinese government want to join such an effort? McConnell’s answer was that an ever-richer China will soon have as clear a stake in secure data networks as it did in safe air travel.

Written by Mark

February 10, 2010 at 10:27 pm

Posted in Technology


China and the “gray zone” of cybersecurity


Via Computerworld and other sources:  China has announced the shutdown of what the BBC says “is believed to be the country’s biggest training website for hackers,” Black Hawk Safety Net, resulting in the arrests of three.  The WSJ confirms the arrests actually occurred in November, leading to speculation that this may be an attempt to ward off negative press from its recent flap with Google.

Whether or not that’s true, the shutdown of this site does signal that China is having to navigate a difficult balance with cybersecurity issues as Internet use grows. On the one hand, the growth of nationalist hacker groups has afforded the government the advantage of plausible deniability for activities ranging from campaigns against Tibetan exiles to sophisticated penetration attempts of U.S. government and industry databases. On the other hand, the sheer volume of trained hackers (or untrained, armed with a few easy-to-use tools) combined with a growing e-commerce market makes for … a fertile (if illicit) opportunity, sized at $1B in 2008 and fuel for a $35M “hacker training” industry.

Written by Mark

February 8, 2010 at 9:57 pm

Jack Goldsmith on the cyber arms race


Today’s Washington Post contains an editorial from Jack Goldsmith, head of the U.S. Justice Department’s Office of Legal Counsel for several months in 2003-2004. It’s a striking piece, arguing that cyber-norms can’t come about until the U.S. discloses or curbs its offensive cyber-activities.

Beneath the text seems to be a concern that animates Goldsmith’s book about his time in the OLC, “The Terror Presidency.” While sympathetic to the Bush Administration, Goldsmith’s time in the OLC saw him concerned with the legal cover that a potentially limitless war gave to executive seizure of power by fiat, rather than via “softer measures.” To quote from his article on the Obama Administration’s counterterrorism strategy: “Packaging, argumentation, symbol, and rhetoric, it turns out, are vitally important to the legitimacy of terrorism policies.” One can’t help but wonder whether some of the same concerns around power aren’t evident here.

More recently, Goldsmith co-authored a book which attempts to dismantle claims that the Internet will undermine government power, among other things. But doesn’t the current Google-China dispute show that the question of norms actually isn’t being actively pursued by governments, but by non-governmental actors? Goldsmith highlights a possible hypocrisy in Secretary of State Clinton’s call for “norms of behavior among states.” But he neglects to note that this speech was prompted – or at least pre-empted – by actions taken by Google.

Certainly, patterns of similar cyberattacks had occurred previously, without a clear response on the part of the U.S. government (which has, as Goldsmith notes, provided tacit support for “hacktivism” in other circumstances). The vacuum of government action to promote norms may well lead to a situation in which norms originate from the private sector – either consciously, or through business decisions created by an environment of cyber-insecurity. To answer the question posed by the title of Goldsmith’s book, “Who Controls the Internet?” … well, I’m still not sure.

Written by Mark

February 1, 2010 at 11:42 pm

School of Hack (Chinese version)


Courtesy of Fergie’s Tech Blog:  this report on the $34.8M “hacker training” industry in China, derived from this China Daily story. The China Daily piece also cites $1B in losses in China in 2008 due to cybercrime, attributed to theft from personal accounts.

Not really convinced that you would get a lot out of a course that runs maybe $30 … maybe access to a few tools that can be clumsily deployed, absent any other skills. The math is interesting – at the thirty-dollar rate, $34.8M buys you over a million “courses.” Assume for a moment that the courses are in Chinese (could be wrong there) … with a total combined Internet user population in China and Taiwan of ~300M, and assuming one course = one user, that’s not a bad rate of penetration. It’s a rate roughly equivalent to Amazon’s share of the U.S. retail market.

I previously referenced this Bloggingheads discussion between Evgeny Morozov and Ethan Zuckerman on cyberwar. Listen about midway through or check out Evgeny’s previous Slate article for a description of how a non-expert can get access to the right tools fairly easily.

Written by Mark

August 5, 2009 at 10:11 pm

Journos, poseurs, and spies


Seems like the Defcon and Black Hat conferences are ground-zero for spies with an information-warfare bent:  this report from Computerworld discusses the ejection of four South Koreans apparently posing as journalists at Defcon. Any article that name-checks the Mossad and the French Foreign Legion in the same paragraph is worth reading.

Written by Mark

August 3, 2009 at 9:08 pm

Posted in Random


Questioning “digital Pearl Harbor”


In its Sunday op-ed section, the New York Times raised the specter again of “digital Pearl Harbor,” this time contained in a quote from the CEO of a network security company:

“If you’re looking for a digital Pearl Harbor, we now have the Japanese ships streaming toward us on the horizon,” Rick Wesson, the chief executive of Support Intelligence, a computer consulting firm, said recently.

The term dates back to 1991, first used to discuss the U.S. government’s digital signature standard, and took on new prominence in a speech delivered by Richard Clarke at a computer security conference in 2000, in which he advocated the establishment of a Federal CIO position with responsibilities for cybersecurity (a policy that is coming to be realized, eight years and a few months later).

The term has also proliferated – roughly 303,000 Google results tonight – to the point where it’s straining credibility, like other overused metaphors involving cyberspace and international goings-on, nefarious or otherwise. A few points for consideration:

1.  After a wargame sponsored by the Gartner Group and the U.S. Naval War College in 2002 – named, predictably enough, “Digital Pearl Harbor” – 79% of participants walked away saying that a “strategic cyber attack is likely within the next 2 years.” Saying that you could use better security is not the same as saying that the attack is just over the horizon.

2.  “Cyberwar,” “cyberespionage,” Internet-enabled crime, virus releases, and simple malfunctions can be difficult to distinguish from each other by their effects. Political actors schooled to think only in terms of “Pearl Harbors” (or “Munichs,” for that matter) may be predisposed to solutions which could be wasteful, or even counterproductive. A hypothetical:  imagine the Cold War never ended, but turned even more tense. A new worm originates from inside Russia and disrupts U.S. air traffic systems. Is it the work of a bored college student? The prelude to an attack? In 1983, a Soviet air defense commander “made a serious but honest mistake” in the shootdown of a South Korean 747 due to conditions of tension and high alert, according to a CIA monograph. The point is that there’s a danger of escalation in any crisis, and while these conditions do not currently exist, metaphors like “digital Pearl Harbor” substitute predisposition for analysis.

3.  As Bruce Schneier has pointed out, legitimate security concerns, once given a backdrop of “ships streaming towards us” or terrorism, tend to get washed out by calls for regulation that limit the productive use of technology and threaten privacy. 

It might be time to start a contest for a new metaphor.

Written by Mark

February 16, 2009 at 10:50 pm

Obama appoints a cybersecurity czar


Via Reuters: President Obama today named Melissa Hathaway, an advisor to former Director of National Intelligence Adm. Mike McConnell, to oversee a 60-day cybersecurity review. Prior to her work in government, Ms. Hathaway worked for Booz Allen Hamilton, which, interestingly enough, was the centerpiece for a BusinessWeek cover story on cybersecurity last spring.

Written by Mark

February 9, 2009 at 9:58 pm

Posted in Military & Security


New thievery and old rivalries in cyberspace


This year’s Davos is like a bad family reunion: Vladimir Putin told off Michael Dell, Turkish Prime Minister Erdogan says he’s never coming back, and McAfee, Inc., brought the news that malware increased 400% in 2008 – resulting in an average intellectual property loss of $4.6 million per company, for a reported global loss of $1 trillion.

The most interesting finding from the survey behind McAfee’s data:  “Geopolitical perceptions have become a reality in information security policies.” Respondents – drawn from across the globe – cited China, Pakistan, and Russia as having the highest “threat levels” to “digital assets,” but the report perceptively notes that:

Perceptions among respondents may be rooted in both historical conflicts and modern economic, cultural and political differences. Responses can be sorted according to long-time tensions between China and Japan, India and Pakistan, the U.S. and Russia, the U.K. and Russia, as well as more modern conflict between China and Taiwan and China and the U.S. … For example, when asked to rate the threat level of various countries, 47 percent of Chinese respondents chose the U.S., followed by Taiwan (41 percent). Japanese respondents chose China (57 percent) followed by Russia (44 percent). Indian respondents overwhelmingly chose Pakistan (61 percent) as having the highest threat level. U.S.-based respondents chose China (62 percent) followed by Russia (59 percent). U.K.-based respondents selected Russia (74 percent) followed by Pakistan (68 percent) and China (66 percent).

The data add to the argument that nationalism is prevailing over globalism in cyberspace, a trend likely to continue with recession and regulation. Absent a change in mood at Davos, the report’s call for an international cybersecurity convention seems like it’ll go unanswered in 2009.  One might expect what happens on the Internet – the exchange of information – to follow what happens in trade. Less of it, justified in nationalist terms and enforced by the technical equivalents of protectionism.

You can find the full McAfee report here (registration required).

Written by Mark

January 29, 2009 at 10:37 pm

Joining the 2009 prediction racket


Forecasting has taken a beating in 2008, from the hard landing crash of the economy to the Iowa and New Hampshire primaries, from the odds of seeing snow in Las Vegas this winter to the chances given to the NY Giants against the Patriots in Superbowl XLII. 

And yet we continue. In the spirit of tradition (if not science and probability), here are my top five calls on where (and how) ICT will (and won’t) affect international affairs in 2009:

1. Global economic conditions tilt the balance towards greater Internet regulation… Watch for nationalist-protectionist tendencies to surface in cyberspace as much as they will in the world of physical trade, assuming the recession extends until mid-2009 or longer. Expect commentators to blur their depictions of “unregulated finance” and “unregulated cyberspace,” and for politicians to justify Internet regulation as a means to “safeguard the economy,” whether by preventing cyber-crime or otherwise. 

2. …and prolong the “digital divide” in the developing world.  The capital drought has already halted or delayed major investments in the developed world. Watch for a similar, if not amplified, effect on ICT projects – charitable or otherwise – in BRIC countries, and definitely the Third World. Cell phones will remain a key network technology in the Third World – but without additional investment, will existing networks be able to handle increased capacity?

3.  Cybercrime gets worse.  The recession presents two key conditions for fraud and exploitation:  (a) significant dislocation in the corporate environment, presenting opportunities for the leakage of sensitive information, and (b) heightened psychological insecurity, increasing the size of the “target audience” for exploitation. Add in year-over-year improvements in criminals’ technical savvy, and 2008 looks to be a year to batten down the security hatches. For a good read, see McAfee’s annual cybercrime report.

4.  The next “Internet election” might be in Iran.  Expect a lot of attention to be paid to Iran’s 2009 presidential election, slated for June. There’s an interesting question as to whether Iran’s filtering mechanisms, which block access to five million websites, will be able to contain both (a) criticism of current President Ahmadinejad from political rivals and (b) both a web-savvy populace’s desire for information and the desire of external parties (e.g., exile groups) to provide it. OpenNet Initiative has an article from November (original source:  ynetnews.com) noting the passage of a draconian “computer crimes” bill earlier this year. Seems like the regime might lack some confidence in its firewall.

5.  Cloud computing will raise new questions about regulation, privacy, and security.  If there’s any technology in the hype cycle right now, it’s cloud computing (see this earlier post for more background). If – and this is a big if – we’re on a path towards the concentration of processing and storage in a limited number of massive data centers, servicing hundreds (or thousands, or…) of customers, there’s going to be a showdown with some questions that have yet to see satisfactory resolution. Such as:  will there be political acceptance of warrantless surveillance (not to mention government data-mining) once data is concentrated? Will government cybersecurity efforts concentrate on fortifying “clouds” as critical infrastructure, and leave the rest of the Internet wild? What responsibilities do Internet giants have towards governments for the data that runs through them? The answer’s going to have to be a little more precise than Google’s “Don’t be evil.” 2009 won’t be the year these questions get answered, but I’m betting that we’re going to start hearing (and listening to) them more.

Written by Mark

December 24, 2008 at 1:22 am