The Cyber Security Syndrome

Nowhere is the tension between global citizenship and the nation-state system so apparent as it is in cyberspace. Ron Deibert on finding a middle ground.
By: /
November 25, 2014
RAF Menwith Hill base, which provides communications and intelligence support services to the United Kingdom and the U.S. is pictured near Harrogate, northern England June 15, 2013. Britain has dismissed as "baseless" accusations that security agencies such as GCHQ had been circumventing British law by using information gathered on British citizens by PRISM, a secret U.S. eavesdropping programme run by the NSA. REUTERS/Nigel Roddis
ron
Director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs

Buried in a recent Edward Snowden disclosure is a passing remark from a briefing sheet on a program called “Sentry Eagle.”   According to the briefing sheet, “unauthorized disclosure” of its contents would negatively impact the United States’ “ability to exploit foreign adversary cyberspace while protecting U.S. cyberspace.”

For many, such a remark might pass barely noticed, obscured beneath the more salacious operational details in the top secret slides. It definitely should not. It represents a deeply entrenched worldview at the heart of cyber security problems today.

What do we mean when we say “cyber security?” What is it, exactly, that we are securing? And for whom? Are we securing the Internet as a whole — that vast global information infrastructure that envelops the planet, from the code to satellites, the handheld devices, and everything in between?

Or, instead, do we mean 'we protect our nation's cyberspace first and others second, if at all'? Do we regard other nations' networks as fair game to be “exploited” in order to gain competitive advantage?

The tension between these points of view is not unique to cyber security, but reflects a deeper tension at the heart of global politics today: between a slowly emerging sense of global responsibility and citizenship on the one hand, and the old Westphalian nation-state system on the other.

While the rift runs deep at the extremes, these competing worldviews can be reconciled. Indeed, for human rights to achieve their promise they must be entrenched across the globe by sovereign democratic states.  Governments that are premised on human rights and the rule of law need agencies to domestically enforce the law while guarding their citizens from extremism or international violence.

But also fundamental to a liberal democratic society is that these agencies be highly accountable, transparent to democratically elected representatives, and unleashed to act only in tightly circumscribed ways; loosen those checks and balances, and you begin to unravel what it means to be a liberal democracy in the first place.

Our rights and security are the collateral damage.

Unfortunately, after the Cold War and since 9/11 that is precisely what has happened: the most secretive, war-fighting agencies of the state have ballooned in size and their missions have swollen out of proportion to their prior limits. Our rights and security are the collateral damage.

The most obvious evidence for this shift is in terms of sheer growth, especially the growth of signals intelligence (SIGINT) agencies and the military’s allotment of resources towards cyber security. For example, the budget of the U.S. National Security Agency (NSA) has reportedly doubled since 9/11. According to the Guardian, the UK’s Government Communications HeadQuarters (GCHQ) takes most of the “£1.9bn budget for Britain’s intelligence services, and has a staff that is more than twice the size of the combined workforces of MI5 and MI6.”  The Pentagon’s cyber security budget for 2014 is $4.7 billion, a $1 billion increase over the previous year. Canada’s Communications Security Establishment (CSE) has also seen its budget skyrocket in recent years, in part to pay for a massive new billion-dollar, airport-terminal-sized headquarters.

But size alone is only one-dimension of the problem; mission creep is another. SIGINT agencies were born deep in the shadows, originally designed to be vital but highly secretive supports to military and political authorities.  Over time, however, the resources have poured in and their responsibilities and influences have compounded.  This metamorphosis (one not debated openly by the societies now subjected to it) leads to some interesting paradoxes.


A Split Personality

For example, securing cyberspace is part of a SIGINT agency’s mission, but at times so is destroying it. The same agencies one might expect and hope to be at the forefront of patching software bugs, are simultaneously coveting, stockpiling, and even purchasing them…as weapons.  Agencies like the NSA are tasked with defending critical infrastructures on the one hand, while fueling a multi-million dollar industry of products and services to exploit them on the other. Protecting the integrity of communications systems is a mission imperative, but so is building “back doors” — a kind of insecurity-by-design — programs designed to proactively weaken information security are justified on the basis of strengthening national security.

The same agencies one might expect and hope to be at the forefront of patching software bugs, are simultaneously coveting, stockpiling, and even purchasing them … as weapons

There are good indications this institutional split-personality is not effectively managed in practice. A recent Wiredexposé on U.S. policies around “zero days” — undisclosed flaws in software marketed by defense contractors — describes disagreement as to whether they should be hoarded or quickly disseminated to industry to be patched.  One official dismissed the idea of zero-day notification as “unilateral disarmament”; said another, “You are not going to see the Chinese give up on ‘zero days’ just because we do.”  In other words, zero days are seen in zero-sum terms.

While Canadian government officials routinely condemn China-based hacks of private sector and government computers, a Snowden disclosure shows Canada’s CSE itself maintains a massive botnet, called Landmark, of several thousand hijacked computers in “non-Five Eyes countries” to mask attribution around their own computer network attacks and exploitation.  Whose computers are they? What vulnerabilities are used to exploit them? CSE will not say. Not surprisingly, when the Heartbleed bug was discovered many naturally wondered aloud whether SIGINT agencies secretly knew about and were exploiting it while innocent bystanders were victimized (something they adamantly deny).

For decades in exchange for a license to operate the wireless spectrum in Canada, mobile companies have had “to provide government with the capability to monitor the devices that use the spectrum,” including provisions to unscramble encryption, monitor SMS, and track users’ geolocation. Backdoors deliberately built into mobile networks in this manner have been the source of many criminal and nation-state exploits, including one infamous and unsolved case of a Greek hacker who in 2004 successfully penetrated Vodafone’s lawful intercept system.  No matter; in Canada national security trumps network security.

These programs saw the NSA and GCHQ, with the assistance of CSE, collectively work to covertly weaken encryption standards — standards that are relied upon by businesses, governments, and critical infrastructure to secure vital and sensitive information.

Perhaps the most egregious insecurity to be generated as a byproduct of the SIGINT agencies’ approach to security is illustrated in the Snowden disclosures around the programs codenamed Bullrun and Edgehill. These programs saw the NSA and GCHQ, with the assistance of CSE, collectively work to covertly weaken encryption standards — standards that are relied upon by businesses, governments, and critical infrastructure to secure vital and sensitive information.  According to the New York Times, the NSA and CSE subverted the International Standards Organization (ISO) process to push a deliberately weakened version of the Dual EC DRBG encryption standard, a claim that CSE did not deny.

In addition to duping the ISO, the Canadian government also foisted a flawed encryption standard, called CVMP, upon industry. The standard was jointly developed by CSE and the U.S. National Institute of Standards and Technology and included a vulnerability that let Western signals intelligence agencies read communications that businesses understood were cryptographically secure. Companies such as Blackberry, RSA, Cisco, Microsoft, and others included the standard in their products. Another document shows that the U.S. spends hundreds of millions of dollars annually to engage  “the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.”  The same set of documents describe how the NSA’s “Commercial Solutions Center” works “to leverage sensitive, co-operative relationships with specific industry partners to insert vulnerabilities into security products.” Disclosures from Edward Snowden, as well as reporting on the Stuxnet attack, suggest the NSA and GCHQ have also repeatedly forged the cryptographic certificates that are used by banks and Internet companies to guarantee the authenticity and security of information online.

In a telling response to these disclosures on encryption hacking, the U.S. Office of the Director of National Intelligence stated, “it should hardly be surprising that our intelligence agencies seek ways to counteract our adversaries’ use of encryption.”

Perhaps. But what should be surprising is how we could allow agencies with this mindset to be entrusted with cyber security for the rest of us in the first place.


Distorting the Private Sector

Most of cyberspace is owned by the private sector, and it is critical their networks are secure regardless of borders. How do we ensure that happens? SIGINT agencies view telecommunications companies through the lens of state competition, and as national assets to be leveraged for parochial ends.  The companies are cajoled or otherwise enticed to cooperate in defence and intelligence missions over other priorities, like tending to their users’ security regardless of jurisdiction.  In some cases, they even benefit financially from assisting, as did UK telco Cable and Wireless (now owned by Vodafone) — paid tens of millions of pounds to secretly collude with GCHQ.

What should be surprising is how we could allow agencies with this mindset to be entrusted with cyber security for the rest of us in the first place

But companies also face intimidating non-disclosure arrangements and, quite commonly, informal pressures that are hard to resist.  In Canada, telcos pressed on their intercept practices by the Office of Privacy Commissioner explicitly identified “not antagonizing” the federal government as a reason to withhold details.

The Snowden fallout has left many of these companies in a public relations nightmare, their trust weakened, lucrative contracts in jeopardy for fear of secret backdoors. In response, companies are pushing back. U.S.-based Internet companies sued the government over gag orders which stifle them from disclosing information on the nature and number of requests for user information. Others have implemented end-to-end encryptions, including Google, Microsoft, Apple, Facebook, and just last week WhatsApp.  Tellingly, the new director of GCHQ, Robert Hannigan, lashed out at such measures, and called the companies “the command and control networks of choice” for terrorists, presumably intending to guilt them back into collusion. What seems missing from his logic, however, is the obvious point that weakening the entire infrastructure for one set of targets invariably weakens it for all others as well.


Fuelling International Insecurity and Repression

There are international implications of the cyber security syndrome. Top-down, secretive approaches breed vicious cycles of mutual suspicion and hostility that stifle numerous forms of lower level cooperation. Consider the deleterious impact on the information sharing practices of national-level computer emergency response teams (CERTs).  In an ideal world, CERTS are entirely apolitical and operate as early-warning systems that share network threat information with each other seamlessly.  But as Asia Pacific CERT coordinator Yuri Ito explained at the 2013 Bali IGF, the growing influences of national security agencies and the rivalries and suspicion they engender have eaten into the system of international trust and cooperation. If CERTs are seen as “instruments of state competition,” says Ito, “it can become very hard to share information.” Jeopardizing the integrity of CERTs in this way — the frontline sensors for computer security threats worldwide — is a clear indication that we are down the wrong path.

Having secretive state agencies dominate cyber security in the West legitimizes those same practices all over the world.  Countries like China and Russia are perfectly comfortable with such an approach, and each have long track records of weakening encryption for purposes of surveillance, and leveraging national telcos as instruments of state power.  But more concerning should be the way the national-security-first approach to cyber security is becoming the norm throughout the developing world. India’s version of PRISM, the “Central Monitoring System,” gives India’s SIGINT agencies a one-stop access point for mobile, landline, satellite, VOIP, email SMS, and geolocation traffic. Canada’s Blackberry agreed to participate in the Indian Central Monitoring System as quid pro quo for getting a national license, to the point of even training Indian engineers how to undertake surveillance over Blackberry’s networks.

Having secretive state agencies dominate cyber security in the West legitimizes those same practices all over the world

Research by the Citizen Lab has documented a growing market for sophisticated commercial spyware sold by European companies as cyber security products to dozens of governments in the global South that employ them to target dissidents, opposition, journalists, and pro-democracy activists.  The next billion digital users are coming from countries where, just like ours, cyber security is being defined in state-territorial terms. Like us, their governments are assuming militarized approaches to “cyber problems,” approaches that fuel the exploitation and subversion of cyberspace for short-term national ends at the expense of human rights.

There are other ways we can proceed.  A different approach could focus on the securing of communications systems as a function of the preservation of human security and on the basis of widely respected international human rights, regardless of territorial boundaries. Starting this way would result in different points of institutional emphasis: a much greater role for civilian agencies compared to military and intelligence; the prioritizing of distributed centres of early warning and information sharing, and a model in which such information sharing is insulated from national rivalries.  Such an approach would put checks and balances around law enforcement and intelligence front and centre while giving greater power and authority to independent commissioners and public advocates.  We would need to extend these principles to the private sector because of how much data they now control about our habits, movements, social relations, and intimate thoughts, and ensure that what they do with those data, with whom data are shared is transparent and accountable to users.  We need to assert the widespread use and adoption of encryption at every point of the network, and encourage continuous open, peer-reviewed research to ensure encryption standards are robust.

The next billion digital users are coming from countries where, just like ours, cyber security is being defined in state-territorial terms

Yes, there will still be acts of wickedness, organized state violence, subterfuge to be dealt with — and for that we will always need highly equipped law enforcement, defence, public safety, and intelligence agencies. But we cannot let their priorities overwhelm and subsume those which they are ostensibly designed to protect in the first place.

Historians like to remind us that intelligence is “the second-oldest profession.”  But in the past decade, we have accorded extraordinary powers and capabilities over society to mammoth military-intelligence agencies that are unprecedented in human history. Their overarching prominence and power have begun to undermine core values upon which our societies rest while exposing us and our communications to widening risks.  It is time we address squarely this syndrome for what it is: the most important threat to cyber security today.