by Shane Harris
The military-Internet complex is like its industrial predecessor insofar as the government has always outsourced national security to some degree. The military doesn’t build weapons and defenses, it pays companies to do that, and it has since the founding of the republic. But the government has always had a monopoly on the use of force. And that’s where the military-Internet complex takes a screaming turn off the road of history. Corporations’ intelligence-gathering capabilities are as good if not better than the government’s. They are designing threat signatures and discovering zero days, and they employ them for their own purposes. For all the emerging, menacing power that Eisenhower saw in the military-industrial complex, he didn’t predict that corporations would compete with government in the conduct of hostilities.
The market is ripe for sophisticated and reliable cyber security technologies and tactics. With every revelation of a high-profile data breach, particularly those like the Target credit and debit card theft in 2013 that affected nearly a third of the US population and captured headlines for weeks, more companies will become desperate to prevent losses. Federal authorities notified more than three thousand companies in 2013 that their networks had been hacked—a huge number, but likely only a small fraction of the real total. Those were just the intrusions that the government had noticed or been tipped to by security companies. The owners of critical infrastructure are in an especially precarious position. In December 2013, Ernest Moniz, the secretary of energy, said that the majority of “cyberattacks” in the United States that year had been directed at energy infrastructure, which includes the companies that own and operate the electrical grid and that control oil and natural gas production and distribution. So far, those attacks have consisted of attempted intrusions into the networks that run energy facilities or the computers in their owners’ corporate offices. But, Moniz said, “there’s no question” that the United States will suffer a major attack that threatens to bring down part of the power grid. “There is certainly not an ‘if’ when it comes to cyberattacks. I am not willing to concede on bringing the grid down. But that’s the race we are in to try to shore up our defenses. . . . We have a lot of work to do.”
The government is certainly in that race, and there are things it can do to help companies keep up: share more specific, useful intelligence about where the threats are coming from; pressure Internet service providers to deny access to known hostile sources; and ultimately take offensive measures to repel an imminent attack, if it can be detected. Not all of these solutions would require new legislation. An administration could take them on as a matter of executive policy. But energy companies, just like companies that are less central to a functioning economy, would still be largely on their own when it comes to fending off the intruders who are at their gates every day, threatening to breach their defenses. There are simply too many networks spread out over too big a geographic area for the government to protect them all, even if Keith Alexander’s master plan of installing a sensor in every bank’s network came to pass.
The adversaries aren’t relenting. From September 2013 to March 2014 there were more than three hundred denial-of-service attacks against banks, like the ones attributed to Iran that crashed websites and ignited so much panic in the financial sector. The government is well aware of the attacks—the three hundred figure came from the NSA, which tracks them. If companies are going to protect themselves, they’ll have to share some information with the government about what’s happening on their networks. But they have a bigger incentive to take their security into their own hands and defend themselves.
Eventually, strong security will be a selling point, a feature that banks, Internet service providers, and other companies that handle personal information use to lure customers, the same way that automakers promote airbags and antilock brakes. In fact, it’s already happening. American Express, which has long sold itself not so much as a credit card but as a members-only club whose annual fee affords particular benefits (status, higher spending limits), launched a series of television and web ads in 2013 touting its “intelligent security” system, which sends alerts to customers’ mobile phones the moment Amex spots a suspicious charge that might indicate fraud. One ad shows a trim, well-dressed city dweller walking beneath surveillance cameras, past the security guards in his elegant apartment lobby, and next to speeding police cars as a narrator asks, “But who looks after us online, where we spend more than two hundred billion dollars a year?” Answer: American Express does, with an algorithm that learns your personal spending patterns and spots anomalies. (The narrator, incidentally, is actress Claire Danes, who plays a CIA agent obsessed with stopping another terrorist attack in the United States in the Showtime series Homeland.)
Of course, credit card companies have been using fraud-detection systems for years, but they’ve only recently begun marketing them as a lifestyle service, in response to their customers’ dawning awareness that they and their money are vulnerable online. Our hip cardholder gets an alert on his iPhone and, standing in the middle of a crowded street, informs American Express that, no, he didn’t authorize that $1,245 purchase made nine seconds ago on an electronics website. He relaxes over lunch at a diner and confidently plops down his Amex card, knowing that he’s “a member of a more secure world.” The message is inescapable. You can be safe. (You should want to be safe.) But it’s going to cost you.
In February 2014, the Obama administration came out with a set of voluntary cyber security guidelines and “best practices” that it encouraged companies to adopt. But it wouldn’t force them to do so. “At the end of the day it’s the market that’s going to drive the business case” and determine whether companies follow the guidelines, said a senior administration official.
Companies will also be responsible for the most innovation in cyber security—the new tools and techniques to keep data safe, and to attack their adversaries. Cyber security companies will attract the most highly skilled employees because they’ll pay vastly higher salaries than government agencies and militaries. The government will never be able to offer competitive wages to skilled technology workers. To attract talent, the government and the military will offer the promise of adventurous work—espionage, combat—and will appeal to a sense of duty and honor that has always been the allure of public service. But this won’t be sufficient to address the security shortcomings that the government will face, particularly in the civilian agencies where security in some organizations is still appallingly inadequate. You’re far more likely to call the Veterans Affairs Department, which has repeatedly lost track of patient information, including their Social Security numbers and other sensitive records, than you are the CIA, which practices generally good defense. And yet the places in government where citizens’ information is most vulnerable are usually the least defended.
Agencies that can’t hire their own defenders will hire the corporations, whose ranks are stocked with well-trained former government and military personnel, and whose leaders were once themselves in charge of so many of the government’s cyber security programs and operations. Public service is already seen as a pathway to private enrichment. Government agencies and the military now plan for the fact that most new employees stay long enough to acquire training, a top-secret security clearance (an absolute requirement for cyber security work), and a base of professional contacts and acquaintances before heading off to industry. This is the classic revolving door between government and business. It will spin faster.
The US government will continue sharing classified threat signatures with Internet service providers, who will use them to scan their customers’ traffic. That means your e-mail, your web searches, the sites you visit. Congress will have to enact laws for some of this security by government proxy to happen more frequently than it does now. The service providers, as well as other companies that store and transmit personal information, have demanded assurances that if they give data to the government, they won’t be held liable for any privacy violations that might occur with how it’s handled. Some of these companies also want to be given immunity in case they fail to respond to a cyber attack that results in physical damage or loss of information. Once those liability protections are in place, the government will look to Internet service providers in particular to mount a more forceful defense of cyberspace. These five thousand or so providers and carriers that effectively run the infrastructure of cyberspace will be expected to stop selling Internet domains to cybercriminals; to shut down service to known or suspected malicious actors; and to reroute or cut off traffic during a major cyber attack.
Some observers have likened today’s cybercriminals and malicious hackers to pirates in seventeenth-century Europe. The comparison is apt and instructive. English pirates once roamed the open seas, harassing commercial traders and bedeviling more powerful sovereign navies, mainly the Spanish. Chinese cyber spies are like those pirates, operating on behalf of their government but with enough remove or obfuscation to create plausible deniability, so that the government can claim to be powerless to rein them in. At the highest levels of government, this façade is eroding. US officials have privately and publicly called on the Chinese government to end the cyber piracy all sides know it’s committing. But in that same vein of piracy, governments might employ cyber privateers to combat threats. The modern equivalent of a letter of marque, or a traditional bounty system, may be employed to allow private cyber warriors to attack criminals and spies, or at least to employ the euphemistic “active defense” that is the trademark of the NSA. To be sure, the state of cyber security would have to be far worse than it is now for governments to resort to such mercenary tactics. But the companies with the requisite skills for the job are in business today. It might seem implausible, but it’s not at all impossible that a government could grant special exemptions to certain firms allowing them to hack back against dangerous targets, especially during a major cyber attack that threatened critical infrastructure.
Governments will still forbid companies from launching private cyber wars—that includes hacking back as retaliation for a theft or an attack on a privately owned network. But there will have to be rules that recognize the legitimate right to self-defense. Will these rules take the form of law? Perhaps in the long run. But in the nearer term they will take the form of generally accepted norms of behavior, and they will be extremely difficult to regulate. As soon as one company hacks back in self-defense, another will feel justified in doing the same, even if the law doesn’t expressly allow it. Private cyber wars are probably inevitable. Someday soon a company is going to bait intruders with documents loaded with viruses that destroy the intruder’s network when opened. That provocation will escalate into a duel. Then governments will have to step in to defuse the crisis or—in the worst case—forcefully respond to it.
But to protect people from day-to-day threats, which pose less risk to life and limb, companies will create Internet safe zones. Banks have tried to get rid of the .com domain name for their websites and replace it with .bank or with their company name. They hope this will signal to customers that they’re communicating with a legitimate bank and not a scam site. But companies will also build entire cyber infrastructures in which security is rooted in the foundations, and where traffic is more actively and closely patrolled than it is on the public Internet. These will be the online equivalent of gated communities. And like any private organization, its owners may restrict membership, write and enforce rules, and offer special benefits, namely, safety. Imagine all the services you rely on in your daily life—your bank, your e-mail service, your favorite stores—running in this private network, or in several of them. Inside, the owner scrutinizes traffic for malware, alerts you to a potential theft or breach of your personal information, and keeps tabs on who’s trying to get into the networks and keeps out any suspicious characters. It is, in effect, like the top-secret networks the military uses. It won’t be impervious to assault—neither are the military’s, as the Buckshot Yankee operation showed. But they will afford a higher level of security than what you have now in the mostly ungoverned expanse of the Internet.
Who would build such a community? Perhaps Amazon. In fact, it has already built a version—for the CIA. Amazon Web Services, which hosts other companies’ data and computing operations, has a $600 million contract to build a private system, or cloud, for the spy agency. But unlike other clouds, which are accessed through the public Internet, this one will be run using Amazon’s own hardware and network equipment. Amazon hasn’t historically offered private clouds to its customers, but the CIA may be on the frontier of a new market.
In the near future, you may be spending more of your time inside these protected communities. And the price for entry will be your identity. The company will need to know who you are but, more important, where you and your computer or mobile device are physically located. The ability to attribute your location will help the safe zone know whether you are more likely a friend or a foe. And it will let them kick you out should you violate the rules. Anonymity will be perceived as a threat. It will mean you have something to hide, like a malicious hacker who masks his true location by hijacking a server in a different country. You will carry a credential, analogous to a photo ID or passport, that says you belong in the safe zone, and that you consent to its rules in exchange for protection. Security in cyberspace won’t be your right. It will be your privilege. And you will pay for it.
The fundamental questions facing our future in cyberspace aren’t whether we should govern it or create laws and rules to regulate behavior there. Ungoverned spaces fall apart. They’re unhealthy. They become safe havens for criminals and terrorists. No one is seriously proposing a future with no rules. The dilemma is how much relative weight we give to security in cyberspace, and who should be responsible for it. Which transactions, and how many of them, do we subject to scrutiny? All e-mails? All web searches? All purchases? And by whom? Should people be allowed to opt out of a more secure cyberspace in favor of one that gives them anonymity? We’ve never recognized a right to remain anonymous. But cyberspace affords us the capability. And for many, it is the essence of free expression that the Internet is meant to foster. The US government embraced that concept when it helped to build Tor.
And what of privacy? Our vocabulary for describing that concept has been rendered useless by the pervasiveness of the surveillance state. Most of the information the US intelligence agencies collect on American citizens consists of logs and records, so-called metadata, that are not protected by the Fourth Amendment from search and seizure. When people talk about a right to privacy online, do they really mean a right to remain anonymous? To be unrecognizable to the surveillance state? From the government’s perspective, that immediately makes one suspect. A potential threat. It’s why the NSA ultimately devoted so much time to undermining the Tor network. Anonymity and collective security may be incompatible in cyberspace. They will certainly remain in tension for years to come.
We should be skeptical about entrusting governments alone to make the calculations necessary to balance those competing interests. Clandestine intelligence operations aren’t the appropriate means of making sound, durable public policy. The NSA conducted mass warrantless surveillance of American citizens for nearly four years, a hidden program, parts of which were almost certainly illegal, that laid the foundations for the military-Internet complex. We didn’t know it was rising until it was upon us.
By its own actions, which were directed by two presidents, the NSA has in many respects made the Internet less safe. By injecting malware into tens of thousands of computers and servers around the world, the agency could introduce new vulnerabilities on machines used by innocent people, putting them at greater risk of being attacked or spied upon by third parties, including their own governments. The agency has also made it harder for American companies to do business in a global economy. IBM, Hewlett-Packard, Cisco, and Microsoft all reported falling sales in China and other key markets in the wake of the NSA spying revelations. Foreign countries now view American technology, once the gold standard for performance and innovation, as tools of American spying. To be sure, companies bear a big share of the blame for this, to the extent that they participated in government surveillance programs or knowingly allowed the NSA to install backdoors in their systems. We should be skeptical, too, of corporations deciding how to balance the competing interests of civil liberties and security in cyberspace. But they will certainly have the most direct effect on the future shape of the Internet, and they’re already taking steps—largely in opposition to NSA spying—to enhance the security of their products and services. Google, for instance, has now beefed up encryption on its e-mail service, making it harder for spies to read the private communications they intercept. That counts as a win for privacy-conscious consumers. Demand for more secure, potentially more anonymous technologies will fuel a new sector of the high-tech economy: surveillance-proofing yourself in cyberspace.
But the NSA is not the enemy. It’s home to indispensable expertise about how to protect computers—and the people who use them—from malevolent actors, whether they’re criminals, spies, or soldiers. The NSA and Cyber Command should build up their capacity to provide for the national defense. But the spy agency has maintained too tight a grip over Cyber Command’s evolution. Cyber warfare is properly a military function, and the military, which is controlled by civilians and not soldiers or spies, should take the lead. It should be in charge of integrating cyber warfare into the armed forces’ doctrine—just as every modern military in the world undoubtedly will. A future president may elect to separate the leadership of the NSA and Cyber Command, which would go a long way toward maintaining a competent and accountable cyber force.