Jerry Brito

February 2012 (34 posts)

Keeping the NSA out of civilian cybersecurity: there's a reason

Tomorrow Sen. John McCain, along with five other Republican senators, plans to unveil a cybersecurity bill to rival the Lieberman-Collins bill that Majority Leader Harry Reid has said he plans to bring to the Senate floor without an official markup by committee.

At a hearing earlier this month, Sen. McCain criticized the Lieberman-Collins bill for not giving the NSA authority over civilian networks. And as we’ve heard this week, the NSA has been aggressively seeking this authority—so aggressively in fact that the White House publicly rebuked Gen. Keith Alexander in the pages of the Washington Post. But as CDT’s Jim Dempsey explains in a blog post today,

The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.

The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.

The military, and especially the NSA, has great experience and useful intelligence that should be leveraged to protect civilian networks. But that assistance should be provided at arms-length and without allowing the military to conduct surveillance on the private Internet. Military involvement in civilian security is as inappropriate in cyberspace as it is in the physical world.

As Gene Healy has explained, civilian law enforcement and security agencies “are trained to operate in an environment where constitutional rights apply and to use force only as a last resort”, while the military’s objectives are to defeat adversaries. The NSA’s warrantless wiretapping scandal speaks to this difference. “Accordingly, Americans going back at least to the Boston Massacre of 1770 have understood the importance of keeping the military out of domestic law enforcement.” The Senate Republicans would do well to leave NSA involvement in civilian networks out of a new cybersecurity bill.

And FYI: I will be presenting at a Cato Institute Capitol Hill briefing on cybersecurity on March 23rd along with Jim Harper and Ryan Radia. Full details and RSVP are here.

Feb 29, 2012
#nsa #cybersecurity
The White House strikes back at the NSA on cybersecurity

Speaking of anonymously sourced cybersecurity articles, the Washington Post has a mini-bombshell of a story today that uncovers a bit of a feud between the NSA—which has continuously sought a greater role in overseeing civilian cybersecurity—and the White House, which has rebuffed it. All this according to anonymous administration officials. Now here’s the kicker:

White House officials cautioned the NSA that President Obama has opposed cybersecurity measures that weakened personal privacy protections. They also warned the head of the spy agency, Gen. Keith Alexander, to restrain his public comments after speeches in which he argued that more expansive legal authority was necessary to defend the nation against cyberattacks, according to several officials.

“We have had to remind him to at least be cognizant of what the administration’s policy positions are, so if he’s openly advocating for something beyond that, that is undermining the commander-in-chief,” said an administration official.

If this is true, then the White House must have been none too pleased with last week’s leak to the Wall Street Journal of General Alexander’s comments in confidential briefings that he thinks Anonymous might pose a threat to the power grid. At the time, I wondered what motivated the leak, and today’s Post story gives at least a plausible explanation.

What’s more interesting is the very public rebuke of General Alexander in the paragraph quoted above. I’m just reading tea leaves here, but it wouldn’t surprise me if the WSJ story was not the last straw and this “airing of grievances” in the Post is retaliation by the administration.

On a more technical note, I’m having a hard time understanding how NSA surveillance of Internet traffic related to critical infrastructure is supposed to prevent attacks. Here is how the Post describes the NSA plan:

The proposal drew on a Pentagon pilot program launched last year in which Internet service providers used NSA’s library of threat data to scan e-mails and other computer traffic flowing to and from the nation’s top defense contractors. That program was a response to fears that foreign spy services were using cybertechnology to steal corporate or U.S. military secrets.

I’ve heard similar descriptions elsewhere. It would be great if a technically inclined reader might explain in the comments how an “advanced persistent threat” like Stuxnet could be prevented by such monitoring. From what I’ve been gathering, the kind of attack that would compromise critical infrastructure is so specific and unique to a target that it would be much more difficult to detect than a general purpose attack.

UPDATE 10:45 PM: Beginning to answer my own question, there’s this from the Harvard National Security Journal: Can It Really Work? Problems with Extending EINSTEIN 3 to Critical Infrastructure by Bellovin et al.

Feb 27, 2012
#nsa #cybersecurity
Why Anonymous will never be able to take down the power grid

Last week the Wall Street Journal reported that government officials believed that the hacktivist group Anonymous might, in a couple of years’ time, acquire the capability to take down the power grid. The digerati did not care for such alarmism.

One critique of the report (mine) was that the paper’s reporting was third-hand and credulous. Another widely espoused criticism was that attacking critical infrastructure did not fit the modus operandi of Anonymous. It simply would have no motive to cause widespread damage; quite the contrary, Anonymous sees itself as fighting for the people against the powerful.

Now a new article by Thomas Rid of the War Studies Department at Kings College London makes me think that even the notion that Anonymous could acquire such a capability is highly questionable. Rid’s thesis is that the more destructive a cyber weapon is, the more expensive and difficult it will be to produce, especially in terms of the intelligence needed about the target. And as a consequence, such cyber weapons will be very specific to targets, not easily repurposed, and unlikely to cause collateral damage. He writes:

A thorough conceptual analysis and a detailed examination of the empirical record corroborates our hypothesis: developing and deploying potentially destructive cyber-weapons against hardened targets will require significant resources, hard-to-get and highly specific target intelligence, and time to prepare, launch and execute an attack. Attacking secured targets would probably require the resources or the support of a state actor; terrorists are unlikely culprits of an equally unlikely cyber-9/11. The scant empirical record also suggests that the greatest benefit of cyber-weapons may be using them in conjunction with conventional or covert military strikes, as Israel did when it blinded the Syrian air defence in 2007. This leads to a second conclusion: the cost-benefit payoff of weaponised instruments of cyber-conflict may be far more questionable than generally assumed: target configurations are likely to be so specific that a powerful cyber-weapon may only be capable of hitting and acting on one single target, or very few targets at best.

The record of cyber attacks, such as it is, seems to corroborate this idea. DDoS attacks are common, while cyber weapons like Stuxnet are rare and highly targeted. (So targeted, in fact, that over 100,000 computers have been harmlessly infected with Stuxnet.) Malware that can steal information or zombify computers to be used in DDoS is general purpose. As a result, thousands upon thousands of machines are compromised. In contrast, SCADA systems used in critical infrastructure are so specific that known attacks are very few and very caveated.

If Rid is correct, it’s not clear to me how Anonymous could acquire the capability to successfully attack critical infrastructure. Anonymous would have to, in secret, select one specific target, then gather serious intelligence on its SCADA installation, then find a vulnerability to exploit, and do this in an environment in which critical infrastructure providers are taking greater notice of cyber risks. This is the sort of operation that would seem to require centralized planning and staunch discipline, two attributes that with all due respect I wouldn’t ascribe to Anonymous.

Feb 27, 2012
#anonymous #cybersecurity
Feb 26, 2012
Hemingway on Portland

If you want to see what excellent cultural and political criticism is, check out Mark Hemingway’s new essay on Portland in The Weekly Standard:

While it’s hard not to root for entrepreneurial initiative wherever you find it, in Portland it carries a whiff of desperation. I submit that the real reason Portland has a thriving artisanal economy is that the regular economy is in the dumps. Portland’s hipsters are starting craft businesses in their garages and opening restaurants not merely because they “reject passive consumption” but because they can’t find jobs, the kind that offer upward mobility. If there’s a more rational reason why a small city like Portland has 671 food trucks, I’d love to hear it.

I knew they were crazy, but I didn’t know how corrupt they were as well. Here is a great spoof of the Portlandia premiere video. In it hipsters sing about moving across the bridge from Portland to Vancouver, WA, to avoid high taxes and get upwardly mobile jobs.

Feb 26, 2012
#portland
The solemnity of the carpet

After some controversy, the Academy of Motion Picture Arts and Sciences has decided to allow Sacha Baron Cohen into the Oscars tonight. Noted without comment:

According to conversations Reuters held with Academy of Motion Picture Arts and Sciences officials who did not wish to be identified, many within the Academy still feel very strongly that the Oscar red carpet is not an appropriate setting for promotional stunts.

Via Haaretz, where I get all my Sacha Baron Cohen news.

Feb 26, 2012
Ron Paul is the military's candidate

Adam Weinstein reports:

The lion’s share of political contributions by servicemembers and defense industry workers is going to anti-war, “soft on Israel,” also-ran candidate Ron Paul. In fact, the battle for their dollars isn’t even close: Paul has raised at least $282,868 from individual active-duty servicemembers and Pentagon employees—more than four times what the other three Republican presidential candidates have raised, combined.

Feb 24, 2012
#ron paul
Peltzman effect in mass adult male circumcision

Earlier this week I wrote about how privacy regulation could lead to a Peltzman effect, where feeling more confident about privacy protection, consumers might take more risks. A new paper (PDF) by Nicholas Wilson, Wentao Xiong, and Christine Mattson says the same could happen for mass adult male circumcision:

In response to a scientific finding that the female-to-male HIV transmission rate is as much as 76% lower for men who are circumcised, the World Health Organization is advocating for a mass adult male circumcision in Africa. Governments and NGOs have jumped onboard, including The Bill and Melinda Gates Foundation that has promised $50 million, making 650,000 circumcisions possible in Swaziland and Zambia in the next few years.

One possible problem with this plan is that people will change their sexual behavior in response to the now lower risk of having unprotected sex with multiple sexual partners. If the scale of this behavioral effect is large enough then these programs will not only be ineffective, they could actually increase the HIV transmission rate.

How about a new series: unintended consequences in everything?

Feb 24, 2012
The United States is more secure than Washington wants you to think

In the new issue of Foreign Affairs, the house organ of establishment foreign policy thinking, Micah Zenko and Michael A. Cohen argue that despite the hype we are constantly subjected to by politicians and the media about foreign threats to the country, the fact is America is incredibly secure. Why all the threat inflation?

Warnings about a dangerous world also benefit powerful bureaucratic interests. The specter of looming dangers sustains and justifies the massive budgets of the military and the intelligence agencies, along with the national security infrastructure that exists outside government — defense contractors, lobbying groups, think tanks, and academic departments.

This is a point Tate Watkins and I have made in our cybersecurity work, and Zenko and Cohen bring up cybersecurity here as well:

A more recent bogeyman in national security debates is the threat of so-called cyberwar. Policymakers and pundits have been warning for more than a decade about an imminent “cyber–Pearl Harbor” or “cyber-9/11.” In June 2011, then Deputy Defense Secretary William Lynn said that “bits and bytes can be as threatening as bullets and bombs.” And in September 2011, Admiral Mike Mullen, then chairman of the Joint Chiefs of Staff, described cyberattacks as an “existential” threat that “actually can bring us to our knees.”

Although the potential vulnerability of private businesses and government agencies to cyberattacks has increased, the alleged threat of cyberwarfare crumbles under scrutiny. No cyberattack has resulted in the loss of a single U.S. citizen’s life. Reports of “kinetic-like” cyberattacks, such as one on an Illinois water plant and a North Korean attack on U.S. government servers, have proved baseless. Pentagon networks are attacked thousands of times a day by individuals and foreign intelligence agencies; so, too, are servers in the private sector. But the vast majority of these attacks fail wherever adequate safeguards have been put in place. Certainly, none is even vaguely comparable to Pearl Harbor or 9/11, and most can be offset by commonsense prevention and mitigation efforts.

Feb 24, 2012
#cybersecurity
Nick Carr says ebooks should be free

Nicholas Carr says that he no longer buys MP3s. Instead, he buys vinyl records:

But the decisive factor in the transformation of my purchasing behavior, as a marketer would say, wasn’t aesthetic. It was the decision by record companies to start giving away a free digital copy of an album when you buy the vinyl version. Hidden inside the sleeve of a new record, like a Cracker Jack prize, is a little card with a code on it that lets you download the digital files of the songs, often in a lossless format, from the record company. So I no longer have to choose between the superior sound and packaging of vinyl and the superior mobility of digital. When I’m near my turntable, I spin the platter. When I’m not, I fire up the MP3s.

Buy the atoms, get the bits free. That just feels right - in tune with the universe, somehow.

He says that publishers should consider doing the same for ebooks: buy the hardcover, get the digital copy free. Makes sense. It also strikes me that if you just switch the order, you have the strategy that people like Mike Masnick have been suggesting to the music industry for years. Get a free song, buy the t-shirt.

Feb 24, 2012
#ebooks

Awesome skull Thursday

I love my wife edition.

Feb 23, 2012
#photo #skull
Genachowski: Open Internet a paramount value over cybersecurity

So as stakeholders address the challenge of cybersecurity, it’s vital that we preserve the ingredients that have and will fuel the Internet’s growth and success. Specifically, it’s critical that we preserve Internet freedom and the open architecture of the Internet, which have been essential to the Internet’s success as an engine of innovation and economic growth. Preserving the openness of the Internet is not a concern to be balanced with security risks, it is a guiding principle to be honored as we seek to address security challenges.

That was FCC Chairman Julius Genachowski in an address on cybersecurity this morning at the Bipartisan Policy Center (emphasis mine). Bravo. I’m glad he said it because that’s now the standard I’ll use to judge any regulatory proposals on cybersecurity, especially those from the FCC.

One other thing to point out: While the Chairman’s call for ISPs to adopt DNSSEC is welcome, he should remember that the FCC has no authority to regulate the Internet. We shouldn’t forget that, either, as the Commission begins to dip its toes into the cybersecurity waters.

Feb 22, 2012
#internet #cybersecurity
How does the UN take control of the Internet?

In a Wall Street Journal op-ed, FCC Commissioner Robert McDowell warns that several countries, including Brazil, Russia, China, and India, would like the UN to have a larger role in Internet governance. McDowell makes many of the same points I made in TIME.com last week and I agree with him completely. Here’s one thing he says that I find interesting:

Merely saying “no” to any changes to the current structure of Internet governance is likely to be a losing proposition. A more successful strategy would be for proponents of Internet freedom and prosperity within every nation to encourage a dialogue among all interested parties, including governments and the ITU, to broaden the multi-stakeholder umbrella with the goal of reaching consensus to address reasonable concerns. As part of this conversation, we should underscore the tremendous benefits that the Internet has yielded for the developing world through the multi-stakeholder model.

I’m not so sure about that. SOPA/PIPA showed that a “no compromises” approach can sometimes work. And it seems like the news today that the EU is pulling out of ACTA under pressure from netizens underscores that. ITU control of the Internet is ten times the threat that SOPA ever was, so I’m not sure we should rule out merely saying “no”. Dialog is always a good thing, but why should we enter a conversation agreeing we’re going to give in on some margin to states like China and Russia?

Here’s a question that remains a mystery to me: Assuming every other country agrees to centralize control of the Internet, wouldn’t true control require the U.S. handing over the root to the UN? Why would we ever do that? And what does it mean to “Subsume under intergovernmental control many functions of the Internet Engineering Task Force, the Internet Society and other multi-stakeholder groups that establish the engineering and technical standards that allow the Internet to work”? These are volunteer-run non-profits. How can they be “subsumed” by the ITU? Why would they submit?

And even if they are subsumed, all the power they now employ is merely putting out technical recommendations. It is the voluntary adherence to these recommendations by the thousands of networks that make up the Internet which makes them powerful. How would you mandate compliance with new standards from a centralized global body? Would nations have to make it illegal to belong to a rebel IETF putting out recs to compete with the ITU? I’m having a hard time envisioning how you ‘repeal and replace’ such a large, distributed, and successful bottom-up process.

UPDATE: Milton Mueller responds:

@jerrybrito the Internet is in no danger of being “taken over” by the UN. This meme is the twin brother of the “digital pearl harbor” meme

— Milton Mueller (@miltonmueller)

February 25, 2012

Feb 22, 2012
#un #internet #itu
David Brin predicted our sousveillance future

Three headlines from the New York Times yesterday:

  • Drones in Afghanistan, Drones in … Akron?
  • Body Cameras Will Put Law Officers Under Scrutiny
  • Google to Sell Heads-Up Display Glasses by Year’s End

Spot the trend? Ubiquitous sousveillance is here, and David Brin predicted this development and these exact technologies in The Transparent Society published in 1999. Here he is in Wired in 1996:

In fact, it is already far too late to prevent the invasion of cameras and databases. The djinn cannot be crammed back into the bottle. No matter how many laws are passed, it will prove quite impossible to legislate away the new tools and techniques. They are here to stay. Light is going to shine into every aspect of our lives.

The real issue facing citizens of a new century will be how mature adults choose to live - how they might compete, cooperate, and thrive - in such a world. A transparent society.

Feb 22, 2012
#sousveillance #privacy #drones
Critical thinking sure is noisy

Here’s a Tweet this morning from James A. Lewis, one of the key cybersecurity experts pushing for legislation.

Amazing squeals of rage, indignation & disbelief over WSJ Anonymous/Grid story. No countering data, however, just opinion and noise.

— James A. Lewis (@james_a_lewis)

February 22, 2012

So the Wall Street Journal says that anonymous government sources said that NSA chief Gen. Alexander said—without any context given for his remarks—that Anonymous might, at some future point, have a capability to disrupt the power grid, and we’re not supposed to think critically about this? And to the extent we question the story, the onus is on us to disprove the third-hand hearsay with “evidence”? I’m sorry, but it doesn’t work like that. We’ve seen this movie before and it doesn’t have a happy ending. The American public should question anonymous-source reporting of alleged national security threats, and the onus is on those who claim there is a threat to make their case with evidence. What is the evidence that Anonymous will acquire the capability, and perhaps more importantly, that it would have any motive to use it?

What we have in the WSJ story was a leak. Whoever it was in government that leaked this nugget about Anonymous wanted to alarm people. Why did they want to do that? There are several possible answers to that question, but that’s what critical thinking looks like. And we don’t need “countering data” to engage in it.

Feb 22, 2012
#cybersecurity
Anonymous could take down the power grid? Third-hand info says yes

The director of the National Security Agency has warned that the hacking group Anonymous could have the ability within the next year or two to bring about a limited power outage through a cyberattack.

That’s the lede of the article “Alert on Hacker Power Play” in the Wall Street Journal today. But NSA chief Gen. Keith Alexander isn’t quoted. It’s reported by anonymous sources that he said this at a private briefing.

What was the context for Alexander’s remarks? Who knows. And what’s the extent of the threat he outlined? Anonymous has never before threatened infrastructure, and it’s not clear what their motivation would be now. But according to the article,

A stateless group like Anonymous doesn’t yet have that capability, officials say. But if the group’s members around the world developed or acquired it, an attack on the power grid would become far more likely, according to cybersecurity experts.

Shorter version: Anonymous doesn’t have the power to attack the grid, but if they were able to get it someday, then they would have it. Got it.

The article is by Siobhan Gorman, who often writes articles about cyber threats based on anonymous government sources. In a competitive news market, that’s nothing to begrudge. But it is problematic when press accounts based on anonymous government officials then become the evidence used by government officials to support an expansion of government power. One example is Gorman’s article on the power grid being penetrated by Chinese and Russian hackers. That article has been cited by members of Congress as evidence of a serious cyber threat in need of a legislative response. I wonder who in Congress will be the first to cite this article and the threat Anonymous poses to the power grid.

Anonymous has already responded (to the extent Anon can):

Why would Anons shut off a power grid? There are ppl on life support / other vital services that rely on it. Try again NSA. #FearMongering

— Anonymous (@YourAnonNews)

February 21, 2012

Feb 21, 2012
#anonymous #cybersecurity
The UK already has a SOPA-like regime?

From the Guardian:

Major music groups want British internet service providers (ISPs), such as BT and BSkyB, to prevent their millions of customers from accessing The Pirate Bay in the UK.

In a judgment handed down at the high court in London on Monday, Mr Justice Arnold ruled that The Pirate Bay and its users unlawfully share copyrighted music. …

The high court is expected to rule in June whether the ISPs should prevent their customers from accessing The Pirate Bay.

I was aware that the UK has a “voluntary” anti-child-porn blocking regime, but I didn’t know ISP blocking extended to piracy as well. At least there seems to be rigorous due process. Any UK folks have more details?

UPDATE: Tim Lee points out he’s written about this before. Here is the answer: “The judge’s order relied on the European Union’s 2001 Information Society Directive, as implemented by the UK Parliament in 2003. That law states that a court can ‘grant an injunction against a service provider, where that service provider has actual knowledge of another person using their service to infringe copyright.’”

Feb 20, 2012
#sopa #uk
Why Bill Keller is insufferable

I can’t complain about the one in Madrid, where, after holding forth in a packed auditorium, the American, British, German, French and Spanish editors who broke news based on WikiLeaks commemorated the collaboration with an after-hours prowl through the Prado Museum and a 27-course meal cooked by master chef Ferran Adrià.

That is the third sentence in his column today, which is ostensibly about how Wikileaks was a fluke, and therefore insignificant in the grand scheme of things.

Feb 20, 2012
#bill keller #wikileaks
Compulsory licensing s’il vous plaît

Compulsory licensing as a way to address online piracy is alive and well, at least in France. Challengers to Nicolas Sarkozy are making the HADOPI three-strike law a campaign issue:

To Mr. Sarkozy’s right, the leader of the National Front, Marine Le Pen, says she would scrap the law and replace it with a so-called global license, under which consumers would be free to share content and artists would be remunerated in other ways, perhaps with revenue from new taxes.

On the left, the Socialist Party’s nominee for president, François Hollande, also opposes Hadopi. …

The Socialists, some of whom previously championed the global license, backed away from it once Ms. Le Pen took it up. Ms. Filippetti said, however, that there could still be a role for new taxes on Internet service providers, search engines or other Internet companies, with the proceeds being distributed to artists.

Feb 20, 2012
#copyright
Peltzman effect possible in privacy

Nick Bilton in the NYT today, arguing that on privacy, “the current system of self-regulation is clearly not working”:

But the argument that if consumers care about their privacy they shouldn’t use these technologies is a cop-out. This technology is now completely woven into every part of society and business. We didn’t tell people who wanted safer cars simply not to drive. We made safer cars.

Well, safety advocates, consumers and the government dragged the automobile industry toward including seat belts, air bags, more visible taillights and other safety features.

Actually, the auto industry was making cars safer and safer before government regulation in the 1970s. Rearview mirrors and self-canceling turn signals are two innovations that were never mandated, but slowly became standard as consumers demanded more safety. Seatbelts and airbags were mandated, but as Sam Peltzman will tell you, there was no decline in the number of auto fatalities and injuries. That’s because drivers, feeling safer, took more risks, thus canceling any increase in safety.

It’s impossible to predict what the unintended consequences from privacy regulation might be, but I can imagine folks taking more risks with what they put online.

Feb 20, 2012
#privacy