The Cyber-Industrial Complex
A recent article on the rise of the Cybersecurity-Industrial complex is spot on in many regards. However, one line in particular struck me as disastrously wrong: “A re-engineered, more secure Internet is likely to be a very different Internet than the open, innovative network we know today. A government that controls information flows is a government that will attack anonymity and constrict free speech.”
This line assumes that a more secure Internet is going to be one with more government control – a grave misunderstanding. For years, technologists at the end of the spectrum which has not been given massive amounts of public money have been crying out for increased security online. The reason for this, they say, is that governments and corporations, not to mention criminals and terrorists, are in fact, on a regular basis, using the lack of structural security to their own ends. Governments attack anonymity and constrict free speech, corporations violate privacy, package people’s identities and sell them off as market research, criminals hijack personal and financial information and use it to extract monetary benefits and get away under borrowed identities, while terrorists, well, it’s not entirely clear what they have to do with cybersecurity at all. Probably not a lot.
What the technologists from the “freedom camp” (for lack of a better name) have been suggesting is introducing technologies such as IPSec on the substrate of the Internet, as will happen with the adoption of IPv6; switching communications to encrypted by default, for example by providing verified SSL certificates at no charge and encouraging the use of HTTPS everywhere; and making encryption systems like OTR the default on instant messaging systems, while supporting the further expansion of anonymity networks such as Tor to increase throughput and availability.
Technologists from that camp have also argued against proprietary software on the basis of it being fundamentally less secure; software that nobody can independently inspect the inner workings of is software which is waiting to be exploited.
The same technologists have argued against the consolidation of telecommunications vendors and monopoly situations on those markets, as these infrastructure provision companies are potential points of failure. An Internet which has thousands of ISPs is more resilient to external force and influence, attack and disruption, than an Internet which has a dozen.
It is entirely true that “a government that controls information flows is a government that will attack anonymity and constrict free speech,” but that’s nothing new. What the Cypherpunks and the Cryptoanarchists have been arguing for decades is that the only way to stop third parties from controlling information flows is to adopt a security by design policy on the Internet: that the network itself be fundamentally resilient to inspection and manipulation.
So why hasn’t this happened?
There are umpteen gazillion reasons why this hasn’t happened, and many of them have to do with the forces who are entirely okay with the Internet not becoming more secure: governments, corporations, and to a lesser extent, criminals. All of these actors of course want their own little pockets of the Internet to be impregnable fortresses of cybersecurity, which is why the nascent Cybersecurity-Industrial Complex is doing so well, but none of them is willing to understand, or perhaps capable of understanding, that security on the Internet is an “all or nothing” kind of thing in many regards, as every insecure node on the network is a potential threat.
A little-known conspiracy theory I heard was that the adoption of IPv6 has been intentionally held back by the Tier 1 network providers, who operate the largest backbones of the Internet, at the request of government intelligence agencies such as NSA and GCHQ, who worry that the widespread adoption of IPSec would render them unable to intercept and analyse network traffic on a large scale, as they are known to do. This would be a very sensible thing for them to request, and yet I don’t really believe this theory – it assumes malice where stupidity would suffice. It’s a bit of a stretch to imagine nation states voluntarily putting everybody in the world at risk for the purpose of retaining their ability to spy on their neighbors, while it is entirely possible to understand the non-adoption of IPv6 through the fact that it will cost quite a bit of money to do the switchover – a more or less fixed cost regardless of when it is done – and the money-pinching telcos are putting it off as long as they can, ignoring the fact that without the IPv6 switchover the Internet will stop growing soon, which itself will cause economic growth to become even more stifled than it already is.
A harder nut to crack is that of HTTPS. In order for HTTPS to work, people need SSL certificates, which, owing to some strange decisions made at Netscape back in the day, are required to be signed by a ranking organisation in a certificate authority hierarchy. These organisations charge money for people to have the privilege of a signature, and for good measure they choose to let the signatures run out once a year, by default. People who make their own SSL certificates and don’t have them signed will have their users scared senseless with intimidating warning messages which are, more often than not, entirely overstated.
There is a market problem here. Certificate authorities make money from signing certificates, so small websites and companies don’t use them. There’s also an ever so slight overhead cost to running everything through encrypted channels, both in terms of bandwidth and computation power, so large companies try to avoid them, because slight overheads add up very quickly to major operational costs when you’re streaming thousands of terabytes of video every minute, for instance. These two things have turned online security into a kind of boutique luxury service, mostly reserved for banks and e-commerce sites, where people will not stand for anything less.
This particular problem can be solved pretty easily. If domain registrars would start bundling basic level signed certificates with domain leases, small websites could use SSL by default. And if they were all doing it, there would be more pressure on larger companies to stop providing insecure connections, which might eventually get them to suck it up and accept the overhead as a baseline operating cost – it’s not like the companies in question are doing badly, and there’s only a handful of them. I look forward to the time when every “http://” has been replaced with a “https://”.
It’s possible to go on forever; there are so many simple fixes that aren’t being commonly used. The Internet doesn’t have to be an insecure place, and what’s more, increasing Internet security is actually one of the major ways in which we can curtail censorship and protect our rights. But on the other hand, no re-engineering is required. Online security can be improved now, at very little cost, because all of these mechanisms are possible precisely because the Internet is open and innovative.
The fact that governments are upping the ante in cybersecurity and feeding yet another something-industrial complex is appalling. It’s a waste of time, it’s a waste of money, and it’s creating more threats than it’s eliminating. I cackle at the irony of governments trying to hire the most anti-authoritarian bunch of people they can find and tasking them with coming up with a new form of authoritarian control structure, because it simply will not work. The only people they’re going to manage to hire to those ends are people who are too dumb to realize that, or too opportunistic to point it out.
The private enterprise side of this, aptly dubbed the Cybersecurity-Industrial complex in the article, is simply a nefarious new scheme under which self-asserted technology specialists are leveraging public funds to protect states against a threat which does not really exist, and moreover intend to do so not by actually fixing the perceived problem, but rather by just making a ton of money off holding back the tide. There is no honor amongst consultants.
A more self-interested man than myself might not write an article like this, because, to be fair, these developments are presenting people with my skill set with an abundance of potentially lucrative ventures, as is clear from the notable presence of three-letter agencies at the DEFCON and Blackhat conferences last week. (Pro tip: if your computer security specialist looks comfortable in a suit and hasn’t told you the things I just did, you’re overpaying him by about 100%.) On the other hand, I’d rather have freedom than money, and this militarisation of the Internet is going to make us less free. That said, if there are any governments out there that are interested in paying me absurd amounts of money to tell them how not to destroy the Internet and improve their security while they’re at it, feel free to drop me a line.