In the wake of the debate over the renewal of the Patriot Act, Americans should consider a related problem with implications for their privacy and security: the assumptions behind cybersecurity policy.
Several new developments bolster the argument in “The Cyber Conundrum: Why the Current Policy for National Cyber Defense Leaves Us Open to Attack” (published in the Spring 2015 issue of The American Prospect). These developments reinforce the view that U.S. cybersecurity policy is primarily based on the military’s framing of the security problem, at the expense of the online security of the private sector and ordinary citizens.
During the Cold War our approach was to undermine Soviet security systems while bolstering our own, but the problem isn’t so simple in an age of shared global technology and online infrastructure.
Today, the military’s Cyber Command continues to see online security the same way its Strategic Command sees nuclear security: as a situation where the only realistic strategy is to develop an offensive capacity to punish enemies that attack the United States. At a Senate Armed Services Committee hearing on March 19, Admiral Mike Rogers—the director of the National Security Agency and the head of the military's Cyber Command—said, “We’re at a tipping point. We need to think about: How do we increase our capacity on the offensive side to get to that point of deterrence?”
The technical security community, however, views this framing skeptically. Many computer security problems have simple fixes that could be easily deployed with government support. While an offensive capacity may deter hacking by foreign governments, it will probably do little to stop the many criminal organizations and independent political hackers, both foreign and domestic. Malicious hackers often operate from jurisdictions in which law enforcement finds it difficult or politically inconvenient to work effectively. An offensive capacity will not stop these motivated attackers because a deterrent must convincingly be able to target them, and attacks are notoriously difficult to attribute reliably. Even when attacks can be attributed to a specific group, that group may not be targetable militarily and hence will not see cyber-offense capabilities as imposing credible costs on its operations.
In February President Barack Obama called for “international protocols that … set some clear limits and guidelines, understanding that everybody's vulnerable and everybody's better off if we abide by certain behaviors.” This arms-control solution, however, is ill suited to cyber weapons, which can be constructed quickly and hidden anywhere, making verification of compliance impossible.
In U.S. cybersecurity, according to the president, there is “no clear line between offense and defense. Things are going back and forth all the time.” At first glance that statement might seem like an acknowledgement of the cyber conundrum: Actions that increase the government’s capability to undermine adversaries also limit our capability to protect ourselves. But the president also says that “the same sophistication you need for defenses means that potentially you can engage in offense”—in other words, that we can use cyber attacks or their possibility as a deterrent against threats.
Rather than accepting that “everybody's vulnerable,” however, we should aim to make all systems more secure, protecting global infrastructure and relying on the U.S. military's significant offensive capability when it is needed.
This military approach to cybersecurity allows broad industry sectors to be treated as collateral damage. In February 2015, the National Security Agency (NSA) and its United Kingdom counterpart, Government Communications Headquarters (GCHQ), were reported to have infiltrated several major mobile phone carriers and manufacturers of the Subscriber Identification Module (SIM) cards used to secure mobile phones. The NSA and GCHQ sought to capture the encryption keys used by the carriers to encrypt phone conversations and prevent installation of malicious software on phones. Experts have long known that phone software can be modified to cause phones to record and transmit audio or location data even when they appear to be switched off. Previously leaked documents showed that the NSA offered this capability to its analysts.
Poor policy in the past meant to preserve surveillance capabilities has resulted in weaknesses even years after that policy was changed. The “FREAK” and “Logjam” attacks on secure browsing technology, discovered respectively in March and May of this year, provide clear examples. Until 1992 (and in some cases even later), the U.S. government tried to maintain surveillance of foreigners by requiring American companies to register as arms dealers and to obtain export licenses if they wanted to sell secure web systems abroad. Instead, companies designed systems with highly secure modes for their domestic clients, but deliberately weaker cryptography for foreign users. This switching between security levels ultimately became part of the widely adopted standard for secure web browsing, which is still in use today even though the government has eased export restrictions on strong cryptography. Attackers discovered how to trick systems into using the weaker mode, which is now trivial to defeat thanks to advances in technology.
When the FREAK attack was discovered, nearly two in five web servers on the Internet were vulnerable to this trick. The broader Logjam attack applied to up to two-thirds of virtual private network connections, both foreign and domestic, making them vulnerable to surveillance by sophisticated attackers. FREAK and Logjam present object lessons in why government policies encouraging insecure systems can lead to vulnerabilities even decades after the policy changes.
Secure systems are now easier to export. But a rule proposed by the Department of Commerce's Bureau of Industry and Security may broaden the export-licensing regime long applied to security software using cryptography to cover nearly all computer security technology. Onerous licensing requirements for cryptographic products have made U.S. companies less globally competitive. In fact, since it can be easier to import secure products than to get a license to export them, some companies have outsourced the development of these products to foreign subsidiaries or “inverted” their headquarters abroad.
These controls stem from the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, a multilateral organization of 41 countries that aims to promote global security by restricting trade in conventional arms and dual-use technologies (those with both a military and a civilian application).
There certainly are security products that might reasonably be subject to export control. Today there is a thriving trade in undisclosed software vulnerabilities and in surveillance-enabling equipment sold to states with unsavory human rights records. But the proposed rules are written broadly and could apply to products that are purely defensive in nature, such as tools meant to assist programmers in avoiding common pitfalls by scanning for common patterns of vulnerability, or even generic tools for writing large software systems, such as source code editors that are not specific to security software. Again, the government is viewing cybersecurity policy mostly as a military problem without considering the interests of ordinary citizens and businesses.
The policy landscape is not, however, without hope. Congress has now passed legislation to limit the scope of some NSA surveillance programs, a clear signal that it sees little benefit to open-ended surveillance as a strategy for security, online or otherwise. And in a speech on May 20, Assistant Attorney General Leslie R. Caldwell spoke at length about the insufficiency and inadvisability of “hacking back” as a defensive tactic for U.S. companies.
Current cybersecurity policy isn’t achieving its goals. As revised policy emerges, it will be important to remember that increasing overall security for citizens and the private sector can be effectively balanced with national security, military, and intelligence goals. We're a long way from complete cybersecurity, but we can move toward a system that’s significantly more effective than the one we have now.