Radical Instrument

IT is changing the exercise of power. Radical Instrument is picking up the signals.

Posts Tagged ‘cybersecurity

“I want to find a way to work within the Chinese system…”

leave a comment »

The quote is from Google’s Sergey Brin – and the (admittedly dated) link is here. The back-tracking begs a better PR strategy:

Mr. Brin said he didn’t think the question of whether the Chinese government was behind the intrusions was significant because the government is made up of so many people. “If there were a Chinese agent, it might represent a fragment of policy,” he said.

Right. What exactly is Google’s algorithm for this? The significance of the question of government sponsorship of cyber-espionage is the inverse of the size of the government potentially involved?

By this logic, an intrusion sponsored by my local city government = significant question for Google.

Written by Mark

February 15, 2010 at 10:24 pm

Ending the “conspiracy of secrecy” in cybersecurity

leave a comment »

The excellent James Fallows has an article in the March issue of the Atlantic on the cybersecurity threat posed by China:

As a matter of domestic U.S. politics, McConnell argues that we now suffer from a conspiracy of secrecy about the scale of cyber risks. … While trying to build bridges to the military, McConnell and others recommend that the U.S. work with China on international efforts to secure data networks, comparable to the Chinese role in dealing with the world financial crisis. “You could have the model of the International Civil Aviation Organization,” James Lewis said, “a body that can reduce risks for everyone by imposing common standards. It’s moving from the Wild West to the rule of law.” Why would the Chinese government want to join such an effort? McConnell’s answer was that an ever-richer China will soon have as clear a stake in secure data networks as it did in safe air travel.

Written by Mark

February 10, 2010 at 10:27 pm

Posted in Technology

Tagged with ,

China and the “gray zone” of cybersecurity

leave a comment »

Via Computerworld and other sources:  China has announced the shutdown of what the BBC says “is believed to be the country’s biggest training website for hackers,” Black Hawk Safety Net, resulting in the arrests of three.  The WSJ confirms the arrests actually occurred in November, leading to speculation that this may be an attempt to ward off negative press from its recent flap with Google.

Whether or not that’s true, the shutdown of this site does signal that China is having to navigate a difficult balance with cybersecurity issues as Internet use grows. On the one hand, the growth of nationalist hacker groups has afforded the government the advantage of plausible deniability for activities ranging from campaigns against Tibetan exiles to sophisticated penetration attempts of U.S. government and industry databases. On the other hand, the sheer volume of trained hackers (or untrained, armed with a few easy-to-use tools) combined with a growing e-commerce market makes for … a fertile (if illicit) opportunity, sized at $1B in 2008 and fuel for a $35M “hacker training” industry.

Written by Mark

February 8, 2010 at 9:57 pm

Jack Goldsmith on the cyber arms race

leave a comment »

Today’s Washington Post contains an editorial from Jack Goldsmith, head of the U.S. Justice Department’s Office of Legal Counsel for several months in 2003-2004. It’s a striking piece, arguing that cyber-norms can’t come about until the U.S. discloses or curbs its offensive cyber-activities.

Beneath the text seems to be a concern that animates Goldsmith’s book about his time in the OLC, “The Terror Presidency.” While sympathetic to the Bush Administration, Goldsmith’s time in the OLC saw him concerned with the legal cover that a potentially limitless war gave to executive seizure of power by fiat, rather than via “softer measures.” To quote from his article on the Obama Administration’s counterterrorism strategy:  “Packaging, argumentation, symbol, and rhetoric, it turns out, are vitally important to the legitimacy of terrorism policies.One can’t help but wonder whether some of the same concerns around power aren’t evident here.

More recently, Goldsmith co-authored a book which attempts to dismantle claims that the Internet will undermine government power, among other things. But doesn’t the current Google-China dispute show that that the question of norms actually isn’t being actively pursued by governments, but by non-governmental actors? Goldsmith highlights a possible hypocrisy in Secretary of State Clinton’s call for “norms of behavior among states.” But he neglects to note that this speech was prompted – or at least pre-empted – by actions taken by Google.

Certainly, patterns of similar cyberattacks had occurred previously, without a clear response on the part of the U.S. government (which has, as Goldsmith notes, provided tacit support for “hacktivism” in other circumstances). The vacuum of government action to promote norms may well lead to a situation in which norms originate from the private sector – either consciously, or through business decisions created by an environment of cyber-insecurity. To answer the question posed by the title of Goldsmith’s book, “Who Controls the Internet?” … well, I’m still not sure.

Written by Mark

February 1, 2010 at 11:42 pm

School of Hack (Chinese version)

with one comment

Courtesy of Fergie’s Tech Blog:  this report on the $34.8M “hacker training” industry in China, derived from this China Daily story. The China Daily piece also cites $1B in losses in China in 2008 due to cybercrime, attributed to theft from personal accounts.

Not really convinced that you would get a lot out of course that runs maybe $30 … maybe access to a few tools that can be clumsily deployed, absent any other skills. The math is interesting – at the thirty-dollar rate, $34.8M buys you over a million “courses.” Assume for a moment that the courses are in Chinese (could be wrong there)…with a total combined Internet user population in China and Taiwan of ~300M, and assuming one course = one user, that’s not a bad rate of penetration. It’s a rate roughly equivalent to Amazon’s share of the U.S. retail market.

I previously referenced this Bloggingheads discussion between Evgeny Morozov and Ethan Zuckerman on cyberwar. Listen about midway through or check out Evgeny’s previous Slate article for a description of how a non-expert can get access to the right tools fairly easily.

Written by Mark

August 5, 2009 at 10:11 pm

Journos, poseurs, and spies

leave a comment »

Seems like the Defcon and Black Hat conferences are ground-zero for spies with an information-warfare bent:  this report from Computerworld discusses the ejection of four South Koreans apparently posing as journalists at Defcon. Any article that name-checks the Mossad and the French Foreign Legion in the same paragraph is worth reading.

Written by Mark

August 3, 2009 at 9:08 pm

Posted in Random

Tagged with ,

Questioning “digital Pearl Harbor”

with 2 comments

In its Sunday op-ed section, the New York Times raised the specter again of “digital Pearl Harbor,” this time contained in a quote from the CEO of a network security company:

“If you’re looking for a digital Pearl Harbor, we now have the Japanese ships streaming toward us on the horizon,” Rick Wesson, the chief executive of Support Intelligence, a computer consulting firm, said recently.

The term dates back to 1991, first used to discuss the U.S. government’s digital signature standard, and took on new prominence in a speech delivered by Richard Clarke at a computer security conference in 2000, in which he advocated the establishment of a Federal CIO position with responsibilities for cybersecurity (a policy that is coming to be realized, eight years and a few months later).

The term has also proliferated – roughly 303,000 Google results tonight – to the point where it’s straining credibility, like other overused metaphors involving cyberspace and international goings-on, nefarious or otherwise. A few points for consideration:

1.  After a wargame sponsored by the Gartner Group and the U.S. Naval War College in 2002 – named, predictably enough, “Digital Pearl Harbor” – 79% of participants walked away saying that a “strategic cyber attack is likely within the next 2 years.” Saying that you could use better security is not the same as saying that the attack is just over the horizon.

2.  “Cyberwar,” “cyberespionage,” Internet-enabled crime, virus releases, and simple malfunctions can be difficult to distinguish from each other by their effects. Political actors schooled to think only in terms of “Pearl Harbors” (or “Munichs,” for that matter) may be predisposed to solutions which could be wasteful, or even counterproductive. A hypothetical:  imagine the Cold War never ended, but turned even more tense. A new worm originates from inside Russia and disrupts U.S. air traffic systems. Is it the work of a bored college student? The prelude to an attack? In 1983, a Soviet air defense commander “made a serious but honest mistake” in the shootdown of a South Korean 747 due to conditions of tension and high alert, according to a CIA monograph. The point is that there’s a danger of escalation in any crisis, and while these conditions do not currently exist, metaphors like “digital Pearl Harbor” substitute predisposition for analysis.

3.  As Bruce Schneier has pointed out, legitimate security concerns, once given a backdrop of “ships streaming towards us” or terrorism, tend to get washed out by calls for regulation that limit the productive use of technology and threaten privacy. 

It might be time to start a contest for a new metaphor.

Written by Mark

February 16, 2009 at 10:50 pm