by Al Gore
The speed with which the Internet proliferated made it difficult for its original architects to remedy the lack of truly secure encryption—which they quickly recognized in the Internet’s early days as a structural problem. “The system kind of got loose,” said Vint Cerf.‡
It is theoretically possible to develop new and more effective protections for the security of Internet data flows, and many engineers and information scientists are working to solve the problem. However, the rapidity with which Earth Inc. adapted to and coalesced around the Internet has made industry and commerce so dependent on its current architecture that any effort to change its design radically would be fraught with difficulty. And the extent to which billions of people have adapted their daily lives to the constant use of the Internet would also complicate efforts to fundamentally change its architecture.
McKinsey, the global management consulting firm, concluded in a recent report that four trends have converged to make cybersecurity a problem:
• Value continues to migrate online and digital data has become more pervasive;
• Corporations are now expected to be more “open” than ever before;
• Supply chains are increasingly interconnected; and
• Malevolent actors are becoming more sophisticated.
As a result, this radical transformation of the global economy has created what most experts describe as a massive cybersecurity threat to almost all companies that are using the Internet as part of their core business strategy. Particular attention has been focused on what appears to be a highly organized and persistent effort by organizations in China to steal highly sensitive information from corporations, government agencies, and organizations that have links to one or both categories.
U.S. intelligence agencies have long been assumed to conduct surveillance of foreign governments, including through cybertools to take information from computers if they have reason to believe that U.S. security is threatened. What is different about the apparent Chinese effort is that it seems to be driven not only by military and national intelligence concerns, but also by a mercantilist effort to confer advantage on Chinese businesses. “There’s a big difference,” says Richard Clarke, the former counterterrorism czar. “We don’t hack our way into a Chinese computer company like Huawei and provide the secrets of Huawei technology to their American competitor Cisco. We don’t do that.”
There is no doubt that U.S. companies are being regularly and persistently attacked. Recent research published by the Aspen Institute indicates that the U.S. economy is losing more than 373,000 jobs each year—and $16 billion in lost earnings—from the theft of intellectual property. Shawn Henry, formerly a top official in the FBI’s cybercrime unit, reported that one U.S. company lost a decade’s worth of research and development—worth $1 billion—in a single night.
Mike McConnell, a former director of national intelligence, said recently, “In looking at computer systems of consequence—in government, Congress, at the Department of Defense, aerospace, companies with valuable trade secrets—we’ve not examined one yet that has not been infected by an advanced persistent threat.” The U.S. Secret Service testified in 2010 that “nearly four times the amount of data collected in the archives of the Library of Congress” was stolen from the United States. The director of the FBI testified that cybersecurity will soon overtake terrorism: “The cyberthreat will be the number one threat to the country.”
Another digital security company, McAfee, reported that a 2010 series of cyberattacks (called “Operation Shady RAT”) resulted in the infiltration of highly secure computer systems in not only the United States, but also Taiwan, South Korea, Vietnam, Canada, Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, India, the International Olympic Committee, thirteen U.S. defense contractors, and a large number of other corporations—none of them in China.
But the United States—as the nation whose commerce has migrated online more than that of any other nation—is most at risk. The United States Chamber of Commerce was informed by the FBI that some of its Asia policy experts who regularly visit China had been hacked, but before the Chamber was able to secure its network, the hackers had stolen six weeks’ worth of emails between the Chamber and most of the largest U.S. corporations. Long afterward, the Chamber found out that one of its office printers and one of its thermostats in a corporate apartment were still sending information over the Internet to China.
Along with printers and thermostats, billions of other devices are now connected to the Internet of Things, ranging from refrigerators, lights, furnaces, and air conditioners to cars, trucks, planes, trains, and ships to the small embedded systems inside the machinery of factories to the individual packages containing the products they produce. Some dairy farmers in Switzerland are even connecting the genitals of their cows to the Internet with a device that monitors their estrous cycles and sends a text when a cow is ready to be bred. Interspecies “sexting”?
THE PERVASIVENESS AND significance of the Internet of Things has clearly raised the possibility that cyberattacks can not only pose risks to the security of important information with commercial, intelligence, and military value, but can also have kinetic impacts. With so many Internet-connected computerized devices now controlling water and electric systems, power plants and refineries, transportation grids and other crucial systems, it is not difficult to conjure scenarios in which a coordinated attack on a nation’s vital infrastructure could do real physical harm.
According to John O. Brennan, the White House official in charge of counterterrorism, “Last year alone [2011] there were nearly 200 known attempted or successful cyberintrusions of the control systems that run these facilities, a nearly fivefold increase from 2010.” In the spring of 2012, Iran announced that it had been forced to sever the Internet connections of major Iranian oil terminals on the Persian Gulf, oil rigs, and the Tehran offices of the Oil Ministry because of repeated cyberattacks from an unknown source. Later that year, Saudi Arabia’s state-owned oil company, Aramco, was the victim of cyberattacks that U.S. security officials said were almost certainly launched by Iran, which announced in 2011 that it had established a special military “cybercorps” after one of its nuclear enrichment facilities, in Natanz, was attacked by a computer virus. The attack on Aramco, which replaced all of the data on 75 percent of the firm’s computers with an image of a burning American flag, demonstrated, in the words of former national counterterrorism czar Richard Clarke, that “you don’t have to be sophisticated to do a lot of damage.”
The Stuxnet computer worm, which was probably set loose by Israel and the U.S. working together, found its way—as intended—into a small Siemens industrial control system connected to the motors running the Iranian gas centrifuges that were enriching uranium as part of their nuclear program. When the Stuxnet worm confirmed that it was inside the specific piece of equipment it was looking for, it turned itself on and began to vary the speeds of the motors powering the Iranian centrifuges and desynchronize them in a way that caused them to break apart and destroy themselves. In 2010, an even more sophisticated software worm, called Flame, which analysts said “dwarfs Stuxnet” in the amount of code it contains, reportedly began infecting computers in Iran and several other nations in the Middle East and North Africa.
Although the result of the Stuxnet attack, which slowed down the Iranian effort to develop weapons-grade nuclear material, was cheered in much of the world, many experts have expressed concern that the sophisticated code involved—much of it now downloaded on the Internet—could be used for destructive attacks against Internet-connected machinery and systems in industrial countries. Some have already been inadvertently infected by Stuxnet. After a wave of cyberattacks against U.S. financial institutions in late 2012 that security officials said they believed were launched by Iran, U.S. Defense Secretary Leon Panetta publicly warned that a “cyber–Pearl Harbor” could do serious damage to U.S. infrastructure.
Beca
use computer viruses, worms, and other threats can be resent from remote servers located in almost any country around the world, the original source of the attack is often virtually impossible to identify. Even when circumstantial evidence overwhelmingly points toward a single country—China, for example—it is difficult to identify what organization or individuals within that country are responsible for the attack, much less whether the Chinese government or a specific corporation or group was ultimately responsible. According to Scott Aken, a former counterintelligence agent and expert in cybercrime, “In most cases, companies don’t realize they’ve been burned until years later when a foreign competitor puts out their very same product—only they’re making it 30 percent cheaper.”
While organizations in China have apparently been the principal offenders in this category, a large number of Western corporations have engaged in similar activities against their competitors. A division of News Corporation engaged in supermarket display advertising was found to have hacked into the private emails of its principal competitor to steal its intellectual property and then steal some of its most valuable customers. Another division of News Corp admitted to hacking into emails of individuals to gather information for news stories. And employees at yet another division have pled guilty to hacking into the telephone voicemails of thousands of individuals in the United Kingdom.
The constant reliance on Internet-connected digital devices has created a false sense of comfort that has led to the extreme vulnerability of almost all communications over the Internet. Experts generally agree that the weakest link in any security system is the role of human behavior. Independent hackers have demonstrated how easily they can hack into supposedly secure videoconferences held by venture capital companies, law firms, oil and pharmaceutical companies—even the boardroom of Goldman Sachs—because the people in charge of the videoconferencing systems forgot to, or did not know how to, use the complicated privacy settings. Many commercial targets of cybercrime have been reluctant to acknowledge the theft of important information because they have a financial incentive to keep the theft secret. Even some companies that have been explicitly warned that they are targets have failed to take action to protect themselves.
PRIVACY
Other companies are routinely collecting information about their own customers and users—often without permission. Social media sites like Facebook and search engines like Google are among the many companies whose business models are based on advertising revenue and who maximize the effectiveness of advertising by constantly collecting information on each user in order to personalize and tailor advertising to match each person’s individual collection of interests.
Many Internet sites, in effect, treat their customers as their products. That is, the revenue they receive from voluminous files of information about each user is simply too valuable for them to give up. The use of Facebook’s “like” button automatically “allows” the site to track users’ online interests without offering them an opportunity to give their consent. In a sense, this is yet another manifestation of the underlying cyber-Faustian bargain. The revenue that is earned from the targeted advertising made possible by all of those “cookies” (small software programs placed—often surreptitiously—on a user’s computer during its interaction with a website) supports the “free” distribution of voluminous amounts of valuable content on the Internet. Most Internet users seem to feel that the tradeoff is an acceptable one. After all, the advertisements they are exposed to are ones they are more likely to be interested in. The tracking technologies are, in the words of one analyst, “simply tools to improve the grip strength of the Invisible Hand.”
There are generational differences in the acceptance of this tradeoff where social media sites like Facebook and Twitter are concerned. Many in my generation, for example, are often surprised at the amount of personal information shared on Facebook by those who are younger. Already, some social media users who have left school to enter the workforce have been surprised when potential employers routinely access all of their posts and sometimes discover information that one would not necessarily want a potential employer to see. More recently, some employers have demanded that job applicants provide the password to their Facebook accounts so that private sites can also be accessed. (Facebook, to its credit, has reiterated that its policy is to never give out such passwords, and they urge their users not to do so. However, in a tough job market, the pressure to expand potential employers’ visibility into their online lives is obviously more acceptable to some than others.) It is also noteworthy that, after being hired, many employees have been subjected to cybersurveillance by their employers.
The extreme convenience offered by Internet websites leads many users to feel that incremental losses of privacy are a small price to pay. The very fact that I can find virtually every business in Nashville, Tennessee, where I live, and virtually every business anywhere in the United States (and in almost any other country) is almost, well, magical. This is a tangible illustration of what economists call the network effect—by which they mean that the value of any network, especially the Internet, increases exponentially as more people connect to it. Indeed, according to Metcalfe’s Law, an equation proposed by one of the early pioneers of the network, Robert Metcalfe, the inherent value of any network actually increases as the square of the number of people who connect to it.
Similarly, the convenience provided by online navigational software—like Google’s Street View—makes it easy to ignore the misgivings some have about having the picture and location of their homes displayed on the Internet. (Google’s apparent collection of large amounts of information from unencrypted WiFi networks in the homes and businesses it photographed—which it says was inadvertent—is a continuing source of controversy in several countries.)
Many take comfort in the fact that hundreds of millions of others are facing the same risks. So how bad could it be? Most people are simply unaware of the nature and extent of the files being compiled on them. And for those who do become aware—and concerned—they quickly find out that there is no way that they can choose not to have their every move on the Internet tracked. The written privacy policies on websites are typically far too long, vague, and complicated to understand, and the options for changing settings that some sites offer are too complex and difficult.
There is abundant evidence that the general expectations of privacy are at wide variance with the new reality of online tracking of people connected to the Internet, and adequate legal protections have not caught up with Internet usage. In some countries, including the United States, Internet users can choose to no longer have advertising based on the tracking delivered to them. But users who try to opt out of the tracking itself are presently unable to do so. The protections that supposedly provide a “do not track” option are essentially useless, due to persistent lobbying pressure from the advertising industry. Even when people try to opt out, the tracking continues for a simple reason: there is an enormous amount of money to be made from collecting all of the information about what everyone does on the Internet. Every click is worth a minuscule fraction of a penny, but there are so many clicks that billions of dollars are at stake each year.
The Wall Street Journal has published a lengthy series of investigative articles on the way cookies report information about a user’s online activities. Everyone who clicks on Dictionary.com automatically has 234 cookies installed on his or her computer or smartphone, 223 of which collect and report information about the user’s online activity to advertisers and others who purchase the data.
The cumulative impact of pervasive data tracking may yet produce a backlash. The word most frequently used by users of the Internet to describe the pervasiveness of online tracking is “creepy.” Although the companies that track people’s use of the Internet often say that the user’s name is not attached to the file that is assembled and constantly updated, experts say there is little difficulty in matching individual computer numbers with the name
, address, and telephone numbers of each person.
As computer processing has grown steadily faster, cheaper, and more powerful, some companies and governments have begun using an even more invasive technology known as Deep Packet Inspection (DPI), which collects “packets” of data sent to separate routers and reassembles them to reconstitute the original messages sent, and to pick out particular words and phrases in packets in order to flag them for closer examination and reconstitution. Tim Berners-Lee, the inventor of the World Wide Web, has spoken out against the use of DPI and has described it as a grave threat to the privacy of Internet users.
In one of the most publicized examples of the exposure of private data via computer, the roommate of a gay student at Rutgers was found guilty of using a webcam to share views of his roommate engaging in intimate acts (tragically, the gay student committed suicide soon after).
Some sites, including Facebook, use facial recognition software to automatically tag people when they appear in photos on the site. Voice recognition software is also now used by many sites to identify people when they speak. These audio files are often used to enhance the ability of the software to learn the accent and diction of each user in order to improve the accuracy with which the machine interprets successive verbal communications. In order to protect the user’s privacy, some companies erase the audio files after a few weeks. Others, however, keep every utterance on file forever. Similarly, many software programs and apps use location-tracking programs in order to enhance the convenience with which information can be delivered with relevance to the user’s location. An estimated 25,000 U.S. citizens are also victims of “GPS stalking” each year.
But all such information—websites visited, items within each website perused, geographic location day by day and minute by minute, recordings of questions users ask, pictures of the individuals wherever and whenever they may appear on websites, purchases and credit card activity, social media posts, and voluminous archival data in accessible government databases—when combined, can constitute an encyclopedic narrative of a person’s life, including details and patterns that most would not want to be compiled. Max Schrems, a twenty-five-year-old Austrian law student, used the European Union’s data protection law to request all the data collected about him on Facebook, and received a CD with more than 1,200 pages of information, most of which he thought he had deleted. The case is still pending.