The militarization of the Internet | Susan Crawford blog

The militarization of the Internet | Susan Crawford
blogThe militarization of the Internet
Someone needs to take a good hard look at those Internet surveillance stories being strategically placed on the front page of the New York Times.
There’s a trail here, I believe, that’s worth following. Here are some data points:
1. Cyberattack - there appears to be a deep interest in the ability to declare war online, as evidenced by cybersecurity research and public speeches by Herbert Lin, a key player who has worked on several cybersecurity reports for the National Research Council. Ethan Zuckerman has summarized a presentation by Lin, which included the following paraphrase of Lin’s remarks:
If we’re interested in pre-empting cyber attack, “you need to be in the other guy’s networks.” But that may mean breaking into the home computers of US citizens. To the extent that cloud computing crosses national borders, perhaps we’re attacking computers in multiple jurisdictions. Lin wonders whether a more authenticated internet will actually help us to pre-empt attack. And he reminds us that US Strategic Command asserts authorization to conduct “active threat neutralization” – i.e., logging into your machine to stop an attack in progress. . . .
Dr. Lin notes that it’s not a violation of international law to collect intelligence abroad. It’s possible to engage in covert action as regulated by US statute. And there’s an array of possible responses the US could launch in response to cyberattack (Lin pauses to note that he’s not advocating any of these) – we could attack enemy air defenses, hack their voting machines to influence an election, conduct campaigns of cyberexploitation to spy within those nations. Given all this, aren’t nations entitled to fear the consequences of a “free and open” internet? Might they reasonably choose to tighten national control over the internet?
2. A “more authenticated Internet” would obviously include using the leverage provided by network operators to permit only fully-authorized, identified machines to connect. The ability to remotely disconnect machines or devices until they are cleansed is now within reach for federal networks - this same capability will inevitably spread to private connections.
3. A “more authenticated Internet” would also include more-easily tappable applications as well as machines. That’s what FBI Director Mueller is talking about in this video at 3:29.
4. There must be deep stress inside the USG re what the overall public position of the Administration will be on enhancing surveillance, authentication, and the ability to declare war online. Secretary Clinton’s “Internet Freedom” speech of January 2010 made clear that the free flow of information online is an important component of the nation’s foreign policy.
5. Given this stress, the agencies that are most interested in forwarding cyberattack abilities, surveillance, guaranteed back doors for encrypted communications, and all the other trappings of a “more authenticated Internet” have an interest in portraying their vision of the future Internet as inevitable. Part of that campaign would logically be to get the story into the mainstream media.
6. So, here we go - another front-page story yesterday in The Times: “Officials Push to Bolster Law on Wiretapping.” This is a hugely contentious issue. Should law enforcement be able to require all technologies online to have “back doors” allowing officials to (essentially) require that the same information be produced to them that was produced during the circuit-switched telephone era?
7. The Internet is not the same thing as a telephone network. It’s a decentralized agreement to route packets of information to particular addresses. It has made possible unparalleled innovation, free speech, and improvements to human lives around the world. Retrofitting it to make it fit law enforcement’s (or national security’s) “authentication” needs would be an enormous, retrograde step.
But it would certainly help us wage war online.
October 20, 2010 | Filed Under Uncategorized
Comments
7 Responses to “The militarization of the Internet”
pablo garcia mexia on October 21st, 2010 3:38 am
Dear Professor Crawford:
Just read your article on the Internet’s militarization.
I fully share your view.
Congratulations for an excellent synthesis of the risks of comprimising Net neutrality from the “military” side.
You might be interested in checking other “sides” of the same issue and also a comparison with the European situation on my most recent blog post for the Oklahoma Law School technology review:
http://www.okjolt.org/index.php?option=com_content&view=article&id=116:net-neutrality-whats-at-stake
Best wishes.
Pablo García Mexía, J.D., Ph.D.
Visiting Professor of Internet Law
The College of William & Mary
C.E. Petit on October 22nd, 2010 1:31 pm
Well, I for one am not surprised, as I still have my DARPANet password in a file somewhere… the ‘net as we know it today began with DOD funding, sponsorship, etc.
Snide remarks about “return to the womb” are probably beyond me at the moment.
G.J. Gordo on October 29th, 2010 8:27 am
If the “authorities” succeed in requiring backdoors to every ‘net-enabled application, device, protocol, etc., then they will basically destroy all of the security that has been built up.
Unlike installing hardware in an access-limited secret room to tap phone lines, backdoors everywhere will be accessible by anyone who can crack the security. This effectively means that *all* security will be compromised.
Now try doing business on a net that has no security.
jbmoore on October 29th, 2010 9:23 am
Most of the systems hooked up to the Internet are Windows systems. Millions of them already have backdoors placed there by criminals. Now the “good” guys want to do the same thing legally. Windows is so vulnerable, it’s a big fat juicy target and any network it;’s connected to is the same. Look at the success of Stuxnet in Iran. Good luck militarizing Windows and Windows networks.. The DOD couldn’t even keep their own networks clean from trojans on USB sticks.
Alex K on October 29th, 2010 9:42 am
Scary, very scary…. To be fair though, we have been hearing news like this for quite some time now.
I am just wondering if the relatively slow bureaucracy of a government or an organised group of governments can keep up with the dazzling speed new technologies appear.
David Dennis on October 29th, 2010 11:08 am
One of the chief problems of cyber conflict is attributability–a “free and open Internet” provides numerous ways to obscure or hide an infiltration or attack. But doesn’t a “more authenticated Internet” inhibit our own national means of infiltration and attack, even as it protects us from other groups’ efforts?
Your point about the Internet being different from the phone system is also a good one. To think that law enforcement authorities would retain sole access to back door keys to digital systems is also a fool’s errand. The theft or leakage of that knowledge, as well as the inevitable improvement of brute-force cracking make the model of multi-authority access (general use vs. “official use” class of service) unsustainable. The inevitable rise of unauthorized or stolen “official use” makes the government’s vision of a “more authenticated Internet” a dangerous slippery slope.
Davi Ottenheimer on October 29th, 2010 1:14 pm
Nicely said. You probably don’t want/need another argument to cite regarding authentication but here is one I see more and more: to ease attribution needed for response and retribution attacks. The NSA is supposedly working on various ways to fingerprint cyberattack, for example, so their response easily can be justified without the usual fear of hitting the wrong or proxy source. It should be noted that they of course, while fingerprinting others, will retain ways to obfuscate and hide their own tracks.