Who supplies the weapons in the growing global cyber war?
Sometimes the most interesting aspects of society are where sectors and perspectives overlap. Moving beyond binary distinctions towards a more nuanced and inclusive understanding of how identity and organization are constructed.
We think of this when entertaining the notion that the nation state is either in the process of transforming into or being replaced by a kind of network state.
What if one area in which this is more visible is cybersecurity and the even murkier realm of cyber war?
For example, we know that state based hacking is a rapidly growing area, in which intelligence agencies and military organizations alike develop internal expertise and external capabilities.
Yet we also know that zero day exploits and similar software that enable access and penetration are sold openly on markets that often feature governments and government entities as clients/buyers.
We’re fond of using the phrase “fog of war” (also applied to social media) and in this case it is an accurate description of the market for cyberweapons and the ongoing conflicts that comprise a kind of global cyber war.
Although make no mistake, this war is not just on the Internet, but is having significant impacts on what we used to think of and refer to as the real world:
"Between 2019 and 2020, more than 600 towns, cities and counties were hit by ransomware attacks, shutting down hospitals, police departments and more."
The Most Serious Security Risk Facing the United States https://t.co/qUeNuCBYeN
— Michael Thompson (@sehric) February 14, 2021
Solar Winds may have been the biggest cyberattack on the United States in years, if not ever. But it was hardly a singular event. In the last half decade or so, American corporations have suffered billions of dollars of losses in similar incursions. Between 2019 and 2020, more than 600 towns, cities and counties were hit by ransomware attacks, shutting down hospitals, police departments and more. America’s adversaries — Russia, China, Iran and North Korea — have by now thoroughly infiltrated the computer systems that run some of the United States’ most important infrastructure, including not just power grids and dams but also nuclear plants.
All of which raises the question: Why does this keep happening? After all, the United States isn’t just the most formidable and intimidating military power in the world; it’s also the most sophisticated cyber power. The country’s conventional arsenal has proved remarkably effective at scaring off any would-be attackers; these days, no nation on the planet would dream of going toe-to-toe with the United States military. So why doesn’t the same logic work in the cyber realm, where Washington could just as easily inflict biblical vengeance on anyone who messed with it?
There are two basic answers. The first is that deterring cyberattacks turns out to be much, much harder than deterring conventional ones, for a long list of reasons. Among them: Despite all its offensive power, the United States, as one of the most wired nations on earth, is also more vulnerable to such attacks than many of its less-connected enemies. Cyberattacks are also relatively cheap, while cyberdefense is expensive and painstaking. And then there’s the problem of attribution: Given how hard it often is to spot digital incursions in the first place (remember, the Solar Winds hack went undetected for months), and the tendency of countries to rely on private hackers only loosely connected to the government to do their dirty work, figuring out whom to retaliate against can be very difficult. Unlike nuclear missiles, hacks rarely come stamped with a clear return address.
Cyber war is not just about hacking, or denial of service, or extortion, but also psychological warfare and propaganda. Attribution issues are but one element of a larger campaign to hack reality as we know it.
The asymmetrical nature of cyberwar means that creating a weapon is relatively easy, and using it is even easier. Which is ironic, because the book cited in the article above, and in the negative review below, amplifies and promotes the idea that this is a problem that can be resolved, at least using conventional means, like laws, which is arguably not the case.
Nicole Perlroth’s book about the global market in cyberweapons "ultimately achieves its goal of scaring the shit out of anyone who doesn’t know much about the topic," writes @tarah. https://t.co/pBtDdTZJxA
— Foreign Policy (@ForeignPolicy) May 4, 2021
Or similarly that funding offensive cyberweaponry is not also a means of funding your own vulnerability?
Even more importantly, as those dollars rolled in, “Congress continued to approve vague ‘cybersecurity’ budgets, without much grasp of how dollars funneled into offense or defense or even what cyber conflict necessarily entailed.” It’s disturbing to realize how much Congress budgeted for offensive weapons without understanding that those weapons would not be functional without puncturing holes in U.S. defenses, nor that the tools of offense and defense in cybersecurity are fundamentally different. They didn’t seem to understand that they weren’t buying guns that could be used in both offense and defense—they were buying the digital equivalent of nuclear weapons, biological agents, and mustard gas.
Perlroth exposes the inner ethical absence in the brokers and purchasers of these weapons when saying that “nobody apparently stopped to ask whether in their zeal to poke a hole and implant themselves in the world’s digital systems, they were rendering America’s critical infrastructure … vulnerable to foreign attacks.” Perlroth explains that “More hacking—not better defenses—was the Pentagon’s response to the Russian attacks on its own classified networks.” She’s right. Adding more offensive cyber-capability isn’t fixing the problem of crumbling U.S. cyber-infrastructure, which is decaying along with the country’s bridges, dams, and roads.
It’s almost as if there are rogue actors on the Internet who wish to see the fall of nation states as we know them, and towards that end, are supplying cyber arms that pit these nations against each other, towards a lose-lose outcome.
Just as past wars led to the end or at least neutering of monarchies as we know it, will this current cyber war lead to the end of nation states as we know them?
Not without a fight, and thus relatedly, the UN will be convening a meeting of nation states to move towards a global Cyber crime treaty:
A possible global treaty to address cybercrime, first proposed by Russia, risks legitimizing abusive practices and could be used as an excuse to silence government critics and undermine privacy in many countries. Negotiations at the UN start May 10. https://t.co/ufKDWgtSrW pic.twitter.com/PGILZYbfGo
— Kenneth Roth (@KenRoth) May 5, 2021
Yet the concern here, is that much like a fog of war, the actual cyber war goes unaddressed. Meanwhile the chaos it unleashes, the cyber crimes that happen along side it, as happens with most wars, they become an excuse for governments to do what they do best, crush and arrest their perceived opponents.
7/ In Uganda, academic & activist Stella Nyanzi was sentenced to 18 months in prison for “cyber harassment” under the Computer Misuse Act for a poem she published on Facebook criticizing President Museveni. Her sentence was later revoked bc right to a fair trial was violated. pic.twitter.com/Qf6YK0Q4FX
— Deborah Brown (@deblebrown) May 5, 2021
The current treaty is being negotiated in secret, and has faced opposition from the civil society organizations work are active in these areas.
15/ Leading digital rights and human rights organizations and experts urged delegations to vote against the resolution, warning that the proposed treaty poses a threat to human rights online. @APC_Newshttps://t.co/gpBcWMpBMM
— Deborah Brown (@deblebrown) May 5, 2021
At some levels we’re all cyber criminals, as we all violate terms of service that we don’t read and could not understand if we did.
Similarly our technology often requires that we hack it in order to fix it or even use it. Such as in this example which ironically enough evokes the tropes of spies and the cold war.
McDonald’s ice cream con: “Sell franchisees a complicated and fragile machine. Prevent them from figuring out why it constantly breaks. Take a cut of the distributors’ profit from the repairs.”https://t.co/Hr55O1rWzp
— Frank Pasquale (@FrankPasquale) April 28, 2021
The secret menu reveals a business model that goes beyond a right-to-repair issue, O’Sullivan argues. It represents, as he describes it, nothing short of a milkshake shakedown: Sell franchisees a complicated and fragile machine. Prevent them from figuring out why it constantly breaks. Take a cut of the distributors’ profit from the repairs. “It’s a huge money maker to have a customer that’s purposefully, intentionally blind and unable to make very fundamental changes to their own equipment,” O’Sullivan says. And McDonald’s presides over all of it, he says, insisting on loyalty to its longtime supplier. (Resist the McDonald’s monarchy on decisions like equipment, and the corporation can end a restaurant’s lease on the literal ground beneath it, which McDonald’s owns under its franchise agreement.)
So two years ago, after their own strange and painful travails with Taylor’s devices, 34-year-old O’Sullivan and his partner, 33-year-old Melissa Nelson, began selling a gadget about the size of a small paperback book, which they call Kytch. Install it inside your Taylor ice cream machine and connect it to your Wi-Fi, and it essentially hacks your hostile dairy extrusion appliance and offers access to its forbidden secrets. Kytch acts as a surveillance bug inside the machine, intercepting and eavesdropping on communications between its components and sending them to a far friendlier user interface than the one Taylor intended. The device not only displays all of the machine’s hidden internal data but logs it over time and even suggests troubleshooting solutions, all via the web or an app.
The result, once McDonald’s and Taylor became aware of Kytch’s early success, has been a two-year-long cold war—one that is only now turning hot. At one point, Kytch’s creators believe Taylor hired private detectives to obtain their devices. Taylor recently unveiled its own competing internet-connected monitoring product. And McDonald’s has gone so far as to send emails to McDonald’s franchisees, warning them that Kytch devices breach a Taylor machine’s “confidential information” and can even cause “serious human injury.”
On the one hand, we’ve seen decades long attempts to frame hackers as criminals, and thereby suggest that defiance of technology is itself a kind of criminal act.
Yet on the other hand, we can also argue that hackers are a new kind of citizenry. Citizens in emerging network states that are using their new found rights and responsibilities to fix their milkshake machines, tractors, or whatever it is that needs a fix.
When it comes to war, we definitely want peace. Yet in this cyber war, that peace may come at too high a cost, and therefore perhaps we benefit from waiting this one out until we get the kind of society we desire. #metaviews