Schneier on Security
A blog covering security and security technology.
« New Orleans Scrapping Surveillance Cameras |
| Me at TED »
October 29, 2010
The Militarization of the Internet
Good blog post.
Posted on October 29, 2010 at 6:48 AM
• 23 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I don't think it is about declaring "war". After all that is a congressional decision which is why nobody does it.
The key question is state vs. non-state. China, Russia etc have the ability to project power via non-state actors. Does the US? No.
Humans have militarized every physical and virtual domain they have encountered -- land, sea, air, space, and now cyberspace -- it is species-specific behavior and won't stop. The US has promoted militarization and responded to it in a consistent fashion throughout the historical eye-blink of its national existence -- isolationist, then sub-rosa activist, then activist, and periodic leader. What has modulated this behavior is US political will. Where there was a will, no matter how delayed and perhaps inconstant, the country protected its interests, but usually at a steeper price than need have been paid. Does the US have the will for this round? Can (not will, this time) it pay the price? I've my doubts.
This is the exact same pattern that was used to drive creation of the US Cyber Command over the past few years. Each year the rhetoric was ratcheted up a notch until they finally got what they wanted. The general population does not understand the Internet or the concept of cyberwar, and thus are easily manipulated through FUD. The mainstream media seems to be no better.
@charlie "Does the US? No."
Uh. Yeah we do. Bay of Pigs Invasion, In El Salvador supporting forces against the FMLN, the Contra's, UNITA, the mujahedin, possible support to Jundallah but we've denied that. And these are what we know of.
It's what CIA's SOG does. And there are reports they are adding cyberspace to their operations portfolio (but duh.)
"Given all this, aren’t nations entitled to fear the consequences of a “free and open” internet?"
Emphasis on nations. No, nations are nothing, nations are not something sentient. Nations are just a concept.
People are relevant.
And they have a lot more to gain from free and open internet than they have to lose, as the last couple of decades has shown us.
The best part is this.
"Should law enforcement be able to require all technologies online to have “back doors” allowing officials to (essentially) require that the same information be produced to them that was produced during the circuit-switched telephone era?"
Now, what would happen should ALL of the FUD be realized?
Chinese agents cracking law enforcement's back-doors into your communications with your bank. But able to blame it on the Israelis.
Guess now we're finding out what all those "reserved for future use" spots in the IP header bitmask are for... Stallings, "Handbook of Computer Communications Standards", Vol 3, page 47.
For all the good fringe blogging ever seems to do, we might as well print all of our best arguments for privacy onto on thousands of rolls of toilet paper, and distribute them to the cleaning crews at the capital. That way, our legislative bodies can at least read up on all the freedoms they're flushing down the toilet *while* they're wiping their assess with them.
We really just have to stop voting these idiots into office in the first place.
How ironic that lately there is so much talk about the constitution, the declaration, our founding fathers, the bill of rights, et al... yet for all the warnings even a nearly illiterate citizen can plainly see in our founding documents, we might as well be giving them all a great big middle finger when it comes to protecting what so many Americans gave their lives to instill some 230-odd years ago.
All thanks to the conveniences of technology, and the masses' ignorance thereof. Well, that mixed with a few sprinkles of 'boogey-man' powder to spice it up a bit.
I'm at first reminded of the NSA project to fingerprint attacks to ensure retribution is properly targeted. This is like an interim step. Authentication is not required for all if accurate targeting can be developed. On the other hand the conventional weapon accurate targeting systems seem to be less than perfect so it's hard to imagine something better will emerge in IT.
I'm second reminded of the Dutch Police who not only took over control of a botnet this week but then used the handy "back door" it gave them to modify computers without authorization to alert the victims.
Wow, really. The US is of course projecting power through non-state actors. Why in the world would you think it would not?
The blog has a good point in the beginning:
Someone needs to take a good hard look at those Internet surveillance stories being strategically placed on the front page of the New York Times.
Sometimes the stories are not strategically in the best locations, but people SHOULD pay attention to what kind of stories they are being offered in the newspapers. Because whether the stories are REALLY true or not, they are often portrayed as such, and with enough stories comes a change in mentality in the believing population.
What are the factors that then cause a person to believe in the stories? One major factor is trust. If the reader thinks that "my government [or people here in my land] would never [say or do something bad]" they will be less willing to question what has been told.
Not being funny but Militarization is an old fashioned concept, it goes back to the time of full time paid militia acting as a standing defence of a Nations integrity.
People tack the word Cyber on the front of exisiting words in the hope of transfering some meaning to others. In reality mostly what it does is to confuse ordinary mortals and most definatly persons of a purely Political bent.
First off the Internet does not unlike a plot of land have physical boarders. What it does have in some places are "choke points". However these are one heck of a sight more difficult to maintain than borders are.
The Internet is not tangable in that it does not really have a physical actuality the addresses of it's data sources and sinks have no physical location constraints and can be moved almost at will. The only physical part is simply a vast collection of communications channels, relays and switches that move the almost ephemeral data around.
Thus anybody can change the intangable internet topology at any time simply by plugging another relay in between any two points of their chosing, or by changing a single entry in a router table, with care it will go undetected almost indefinatly.
The point needs making that unlike the physical world the Internet is a world of information that is effectivly unconstrained by energy costs to an attacker. Thus as a conciquence a single person can have with a modicum of skill an effectivly infinate force multiplier and can raise and control a hugh array of attacking automata that can pass almost undetected for months (think Stunex and other APT ideas).
Again unlike the physical world the Internet currently does not have a realistic distance cost metric. That is all places are effectivly local to each other.
Because of this even "choke points" do not represent any realistic limitation to an attacker. Likewise neither does the "big off switch" idea have any credability.
For instance I can place a malware seed in any location either by time delay or by providing my own comms bridge to the other side of the any "choke point" any athority is likely to put in place.
With any large or public network you are deluding yourself when it comes to "access security" by "physical measure" it almost always can be trivialy negated and as such just cann't be made to work.
People need to remember that working around faults of all kinds was one of the original design requirments and is very much "built in" to the protocols the Internet works on.
Then when you consider what vectors are available it is apparent the OS has been a major source of vectors (less so currently). Basicaly when it comes to OS security we talk a good game but... lets be honest Stunex had atleast four zero days and a stolen signing certificate. As has been said in a song about a goat that head butted a dam "he had high hopes" and "opps there goes another...."
Yes we do know how to make things more secure BUT it's the weakest links that generaly defines the strength of the overal chain, and we all know or aware of a great number of "failed to patch" or "can't patch systems directly or indirectly connected to the Internet...
Thus personaly I will not be holding my breath over this Militarization idea acheiving anything helpful. But who knows maybe a rabbit can magicaly appear in a hat, rather than just giving the illusion it has.
Shouldnt it be more like "RE-militarization" or "escalation" since the internet was created for military purposes in the first place? (granted they were "electronic support measures" rather than "electronic counter-measures" back then.)
This is becoming a familiar story, and I think that Bruce himself frames the problem excellently in his post to his TEDx speech - here we have an agent (the government) with an agenda (securing the United States against attack), which is able to exploit the fact that people's feelings (that we're under serious threat by foreigners, especially the tech-savvy Chinese) and their models (a reporting bias in the media leads to over-reporting of successful and spectacular web hacks) are pretty similar. So naturally, they're not interested in revealing that the reality is that "cyberwar" as a concept is seriously problematic, and even if it wasn't, the massive invasion of our privacy that certain government officials are proposing is arguably not the best way to conduct it.
Posted by: Shane at October 29, 2010 12:04 PM
the bill of rights, et al... we might as well be giving them all a great big middle finger when it comes to protecting what so many Americans gave their lives to instill some 230-odd years ago. - end quote.
The Bill of Rights means nothing. It isn't even a contract and it was pushed in secrecy behind closed doors without any consent by any citizen. Thus it doesn't even have legal binding, because a bill signed 230 years ago (by and for people who are all dead now) cannot bind anyone living here and now. Imagine you create a contract to which your great great grandchildren must obey in the future for thousands of years, sounds feasible? Not to me it is. We The People actually meant: "We the people, living 230 years ago". Read up on Lysander Spooner for more gems.
What I find interesting in the discussion that the origins of the internet are in DARPA, i.e the DoD. This is the military. I'm not saying they should "take it back" because that's not possible, but it's interesting how they're going back to trying to get what they supported in the first place.
I can't understand why they don't take more time to audit the data and clean up the observations if they don't want people to blog about them.
There will be little or NO support (from those who PAID for it originally) for a "kill switch" or "militarization" of the Web. The rest is blather.
Actually, the bill of rights was discussed extensively in the open. Accounts from the period suggest that it was a subject heavily debated with people on both sides of the argument. The bill of rights was drafted and passed by representatives elected by the population at large (admittedly missing several important segments of the population, but by the standards of the time, very inclusive.) How is it, pray tell, that just because the signers of the bill are all dead, that nullifies the bill. At what point is such a bill nullified. On the death of the first signer, the second, the forty-second, the last? based on what logic? Must your great great great grand childern, thousands of years later (actually that would only be about a hundred years, but I get your point) abide by such a rule. Well, yes and no. No, because any of the following generations could change it using the same procedures as were used to initiate the bill (or by war). Failing these remedies, yes they would be bound. Do you find these concepts mean, cruel, unfair? What is the alternative? Where has such an alternative worked on a community of any scale that included voluntary and non-voluntary members (i.e. a country)? If you like natural law, who gets to decide if something is in violation of only man-made laws (i.e. is not illegal)? At that time, would it not become man-made law? Could I guess it would be OK if it were Obama, but not OK if it were Bush deciding? If you like anarchy, who protects the innocent weak in an anarchy? Under anarchy or natural law, who decides when the actions of a group to protect one individual or group from another is legal or illegal? This sounds feasable to you? The bill of rights was an attempt to put natural law into writting. Not perfect, but... where has the ordering of society been done better, again a country (more than 2 or 3 million persons) with a history of more than fifty years. Is any large complex society automatically invalid? Or is a society invalid be virtue of living more than fifty years? What is the option? Revolution every fifty years or so? Kill off the old people? Once a society is successful and grows split it because it is too successful?
Mr. Spooner had some wonderful ideas. I had most of the same ideas when I was sixteen. So did Mr. Washington and Mr. Jefferson. Fortunately as they grew up, they had some ideas about how to make those ideas work in an imperfect world. Had they not, Mr. Spooner's ideas would have been forgotten by now. His ideas were made possible by Jefferson et. al. not the other way around.
Learn your history. It ends much better than you think.
If bills were only binding to the generation that signed them, the US debt would be a lot easier to solve.
disappointed i was not the first to make a smarmy observation that the inter-tubes started off as a department of defense project.
as malcolmX noted, looks like the chickens have come home to roost.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.