After Snowden: Towards Distributed Security in Cyberspace | MIT Center for Civic Media


Black Code

These notes were liveblogged from the talk After Snowden: Towards Distributed Security in Cyberspace. Ronald Deibert, Professor of Political Science, and Director of the Canada Centre for Global Security Studies and the Citizen Lab at the Munk School of Global Affairs, University of Toronto, spoke at Harvard Law School, Wasserstein Hall. The hashtag for the talk was #BlackCode. Live blog by @schock, @erhardt, and various anonymous pandas (tweet at us to add your name if you contributed). All errors ours!

TL;DR: Ron put the NSA revelations in a broader context, emphasizing the political economy of the cyber security industrial complex and its unintended consequences in a world of Big Data, and then spent some time outlining an alternative approach to securing cyberspace, drawing from his book, Black Code (http://blackcodebook.com/).

Jonathan Zittrain, who has collaborated with Ron over the past 10–13 years on projects including the OpenNet Initiative, introduces Prof. Deibert with a series of anecdotes about early work looking into Chinese censorship. JZ shares that at one point, Ron determined that the Dalai Lama's laptop had been pwned, and worked back to find the news organizations and other institutions that had been pwned by the same malware. The question then became: should you call everyone up and let them know their systems had been compromised? Without further ado, JZ hands the mic to Ron.

After Snowden

The book is meant to be about the Snowden revelations. It's “After Snowden,” or after PRISM. This story dominates the headlines now, but even beforehand cybersecurity was a hot topic. Everything we do depends on the net, so people care deeply about it. The Citizen Lab is meant to 'lift the lid' on cyberspace, find out what's happening beneath the surface. “Think 'Academia meets the X-Files, without the Aliens,'” says Ron. (JZ interjects: "Not yet, anyway!") They are trying to build a digital early warning system, and they feel that the changes in cyberspace are fast and disturbing. Questions of cybersecurity are important now as our lives are enmeshed with these technologies. The NSA / Snowden revelations have amplified these pressures.

Ron says that his talk will take place in three parts:
First, he'll put Snowden revelations in a broader, historical context.
Next, he'll look at the consequences (these are mostly going to be bad for the internet and for human rights).
Finally, he'll address the question "What do we do now?"

Part 1: Snowden in historical context

Deibert's book came out May 21st, the day Snowden left for Hawaii. Not much that has been released has been surprising for those of us with a modicum of knowledge about the world of surveillance and intelligence. Metadata is more useful than content for intelligence: structured data that allows for analysis, as well as making it possible for Obama to deny that the NSA is reading people's email or listening to their calls.

Deibert reminds us of the series of recent revelations: Verizon and others giving over our data, PRISM mining social media, and the Bullrun and Edgehill projects weakening encryption standards. Of course, there is a history of signals intelligence that goes back to at least WWI. US/UK intelligence collaboration goes back to WWII. And many data gathering and intelligence programs are decades old. PRISM-like collaborations with companies like Western Union also set a precedent. He's interested also in recent developments in SIGINT in space, optical systems that can see through clouds, at night, in all weather, down to the centimeter level.

So when people say "there's nothing new" in the Snowden revelations, in part they're correct. But he feels 9/11 was a watershed that led to broader transformations. We now know that in the wake of the attacks, the NSA focus turned inward. During the Cold War, it was Spy v Spy: focus on one another, and mostly on diplomatic communications or missile tests. After the end of the Cold War, intelligence shifts from a focus on state based actors to new kinds of threats. 

There's also an urgent desire to overcome the barriers that prevented agencies from connecting the dots. In addition, there's irreverence, or dismissal, of the rule of law. There are also legal shifts: Patriot Act and its international spawn. These dramatically empower law enforcement and water down oversight.

At the same time, you have new tech platforms and a shift in the defense industry and program, Total Information Awareness being the most infamous. The idea was: vacuum up everything into a massive database that can be analyzed, indexed, and archived. Poindexter freaked people out, as did the creepy logo.

TIA was supposedly killed in Congress, but in reality it splintered and went dark. So there was a mushrooming cyber security complex of private contractors. Dana Priest, in Top Secret America, does a great job analyzing the tens of billions of dollars in this sector, including offensive computer network capabilities. Deibert flew over the Utah NSA complex last week, 'NSA's cloud.' Even the cooling equipment required is astounding.

The sea change in the intel posture of the USA and its allies is taking place alongside two other shifts: first, the changing communications ecosystem itself. People often talk about a paradigm shift, with the Internet described as a shift akin to the printing press. But he sees SNS, cloud computing, and mobile as a more recent paradigm shift. These are integrated: we use mobile devices with cloud computing and SNS. Apple just announced 50 billion apps downloaded, 7 for every person on the planet. Each grabs our personal info and shares it elsewhere after we click ToS. Also: the Internet of Things. Add it all up, and think about how quickly it's arrived. He feels it's a massive historical transformation, in terms of the amount of info we entrust to third parties. 

Even as we're exposing ourselves, the world's most powerful surveillance machinery is turning inwards onto us. And it's doing so in a cloak of secrecy. 

Deibert feels that we need to have a real conversation about the balance between surveillance and privacy.

The second big change he sees is that 'the who of cyberspace' is changing as fast as the 'what.' Deibert provides a series of demographic statistics about internet users around the world: 2.5 billion internet connected, North America and Europe > 33% of users; Asia > 45% of internet population, but ranks only 6th in terms of penetration rates; 2/3 under twenty-five years of age; 4–6 billion mobile phones in developing world.

Part 2: The Consequences

What we do here in the United States will legitimize what takes place in the rest of the world. After PRISM, with the model of the NSA in mind, with cybersecurity at the top of the agenda, and with powerful new commercial surveillance tools.

On the one hand, the scandal has generated public interest, journalism, and potentially new oversight. However, people are distractable. It's amazing that Alexander still has his job. It would seem there would be an urgent call for a new Church Committee, but it hasn't happened. He foresees four negative consequences for the internet and democracy.

1. The nationalization of cyberspace. 

Deibert is thinking about the importance of the geography in which the internet infrastructure is located. These infrastructures are embedded in socio-political contexts that are within local, national, and international jurisdictions, which each matter a lot.

We tend to ignore the physicality of it: we send an email and it appears. Our experience seems virtual, but the infrastructure is a complex logistical, technical, and political system spanning many jurisdictions. Data that we assume are in our possession are not. Many of the servers that send us info are in another jurisdiction.

Additionally, data that used to be stored locally have evaporated into the 'clouds.' Where are they? Most are in the USA. Michael Hayden, former NSA director, said 'we built it here, and it's American.' He admitted we take a 'picture' of it for intelligence purposes. So, no country will want to keep routing through the USA.

Nationalization processes have been going on for quite some time. Part of the ONI's project has been to document that nationalization. Firewalls and censorship are examples of how nationalization is practically applied. Countries are also requiring private companies to police themselves. There are now more than 40 countries with national firewalls. We've seen a normalization of net censorship practices. The technical means are accompanied by a thicket of new regulations. Nation states are criminalizing bloggers, tweeters, platforms; Pakistan announced today they'll be banning Skype for 3 months. India's 2011 intermediaries act requires ISPs to screen out all kinds of content that 'threatens' or 'insults' India and other nations. But in the light of NSA, it will be hard to argue.

Brazil's response to the NSA revelations has been explicit. Dilma spent half of her speech at the UN talking about the NSA. Domestically, Brazil is planning to build infrastructure that bypasses the USA entirely. This process has been underway for a while in Brazil. Brazil has the second most internet exchange points per country compared to the USA. After Snowden, we'll see more countries try to localize cyberspace. Many will also use this as a source of control. We will see more countries build these interconnections so that they can avoid American parts of internet infrastructure, and those countries will use that for local control over the internet: meaning more censorship.

2. The International Legitimization of Nationalization. 

Hillary Clinton's internet governance and diplomacy program has had the wind taken out of its sails because of the NSA revelations. At the upcoming Internet Governance Forum in Bali, the conversation has already turned to localization.  

Regionally, we'll see a similar process. The Shanghai Cooperation Organization's Regional Anti Terror Structure (RATS!) has been developing coordination processes designed to 'counter arab spring like mobilizations' in their countries.  

3. DIY NSAs

Cybercrime has been something that countries have already been exploiting to go after political targets online. The Dalai Lama and Tibetan offices have been one example of Chinese domestic espionage targets. Gh0st RAT malware was sent to a Tibetan office in 2008. It's actually still being sent around; it can be downloaded for free, and it's open source, and it's the top choice of hackers going after human rights organizations.

Tools like Gh0st RAT represent the emerging space of DIY cyber-espionage. In the Tracking GhostNet project, they were able to see the attacker's infrastructure laid out, as well as targets. The attackers used basic social engineering techniques to do this. He shows an image of a legit-looking email that was sent to the offices of campaigns@freetibet.org; it contained malware. It allowed attackers to silently delete files, turn on audio and video capture devices, and so on. Gh0st RAT can be downloaded for free, it's open source, it has been translated into dozens of languages, and it's a menace to human rights organizations. Gh0st RAT is used very widely, more than 10 times any other tool. It's free, easy to use. We've entered the age of DIY cyberespionage.

It used to be fashionable to mock authoritarian regimes in the internet space. They were assumed to be incompetent. That's changing. During the Green movement in Iran in 2009, you had a movement heavily using social media. The Iranian regime took offensive countermeasures. The Net was slowed down in many cities. SMS messaging and mobile phone connections were jammed. The Iranian authorities got Nokia-Siemens to turn info over to the Revolutionary Guard. Cyber organizers were targeted and arrested. The pro-regime Iranian Cyber Army started taking action to attack protesters. Families of protesters outside the country were also monitored. The Green movement dissipated. The same thing is taking place in Syria. The Syrian state is using these tools to surveil, target, and kill dissidents. These are the playbooks for asymmetrical cyberwarfare used by autocratic regimes.

4. Growing Market for Tools of Repression

The Citizen Lab has been monitoring the activities of companies that have been providing the tools to governments for "lawful" surveillance. Citizen Lab reports on Blue Coat, Fortinet, Websense. These are Silicon Valley companies that provide tools and services to repressive regimes. A Canadian company, Netsweeper, runs the whole Pakistani firewall.

They found out that dissidents in places like UAE and Bahrain were being arrested and tortured. They were presented with transcripts of encrypted chat messages. They found that many were infected by Gamma's FinSpy malware. They did a wide area scan of the net, 12 billion packets over two months, and found evidence of FinSpy command and control in Mexico, Pakistan, and elsewhere. Their research has only tapped the surface. Products provide advanced deep packet inspection, cell phone tracking, advanced spyware; developed by US and Canadian firms and sold to regimes that want to use it to target dissident groups. Chinese, Israeli firms are stepping into the same market.

After Snowden, every state will continue to pursue these capabilities. If the NSA does it, why can't we, they'll all say? This leads us to a dangerous arms race in cyberspace. It's bad for human rights, and bad for digital humanitarian projects. It also portends the end of an open internet. We'll see the balkanization of the net accelerate.

Part 3: What do we do?

These revelations allow us to step back and think about what we need to do.

Deibert thinks we need to discuss the right balance, and ask fundamental questions: cyber security is security for whom? Security for what? As a political scientist and international relations scholar, he thinks about these issues in terms of realism. The tradition of deference to military intelligence may have to be challenged. Cyberspace is a globally networked commons of information. We can't have our cake and eat it too!

ICANN was a vision of the multi-stakeholder approach. We need to ask what, if anything, of this vision can be salvaged?

Deibert has been advocating for a return to the roots of liberal security policy. He calls this "distributed security." He believes it can tie together disparate communities and the polar positions of realism and anarchic security perspectives. He also believes we need to understand the liberal roots of distributed security. He says that this paradigm goes back to ancient Greece and the founding of America, and can provide a key narrative.

Bruce Schneier argues that engineers need to take the internet back from the nation state. But Deibert argues that without government, we can't protect people, and will end up in a Hobbesian world. So he doesn't think we want that either.

Some of the areas he thinks there are practical opportunities to work on things:

  • Multi-stakeholder governance
  • University stewardship: Universities have a special role to play, as custodians of the original internet. We need more interdisciplinary centers like Berkman and Citizen Lab to lift the lid on all this and call out negative developments based on empirical evidence.
  • Arms-control: Arms control has largely been dismissed in this space, but shouldn't be. Liberal democracies need to clean up their house, before looking outward.
  • Legal safeguards
  • Open source: These communities should be reflective about their politics and practices and where they stand against these trends.
  • Corporate self-governance: can we go farther with this, especially among American companies that we want to encourage in innovation?
  • Independent oversight: In the liberal democratic core of countries, it's obvious we need better oversight mechanisms. Privacy commissions need more power; we have to watch the watchers. Deibert says that the Citizen Lab knows we have to deal with malicious forces out there. There are people who want to wreak violence and cause massive harm. We need police and intelligence. But warrantless surveillance is incompatible with liberal democracy. We need not only corporate self governance, and initiatives like globalnet are good. But companies also need to be subject to audits.

Cyberspace is ours, it's what we make of it, and we need to take it back collectively.

Question and Answer

Q: Jake Appelbaum and Bruce Schneier are saying strong encryption is still worthwhile. But SSL has been compromised.

R: I have respect for Bruce. Encryption is critical, we have to communicate to people how to use it, especially those at risk. But this can't be solved by tech. It requires policy, law, and proper oversight mechanisms. Also, saying 'engineers need to take back the net' mythologizes the prehistory. Engineers had military contracts at universities.  

Encryption is critical. Citizen Lab has gone through a fundamental shift because of the revelations to clean up their own house. The ultimate change has to come from policy and law because otherwise can trust each other. Engineers were dependent on US and military contracts from the beginning of the internet. So I disagree with the mythology that this was ever a project that was independent. Lots of policing of the net took place in informal collusion between engineers, intelligence agencies, and private companies. It should continue, but subject to much more oversight. We need to lift the lid on informal policing activities that aren't subject to oversight. The next IETF in Vancouver will be really interesting. A lot of people in that forum have been on the payroll of intelligence agencies; it'll be apparent who they were. We have to reinvigorate forums like that.

Question: One of the more appalling revelations of the Snowden disclosures was that NSA was passing a great deal of information to Israel. How do we protect citizens if the data is given to foreign governments?

R: As a worrying Canadian, I agree we have to look transnationally. About 90% of Canada's communication traffic goes through the United States. Most of our emails go through the USA. IXMaps.ca (see VIDEO) shows how email even between Canadian users still goes through the USA and can be grabbed by the NSA. We should be worried about how they can put borders around cyberspace. We need meaningful oversight, and that needs to come from civil society. Universities need to step up as the independent monitors here: that watch the watchers.

Question (Sasha): I was recently at Sun Yat Sen University and asked students if they know how to jump the firewall. I asked if they do often, and they said why do we need to? We don't need Facebook, Twitter, we have Sina Weibo, YouKu, WeChat, etc. This changed my perspective on how I think about net filtering. Nation-states might justify the creation of domestic networks as part of a larger strategy to foster domestic web service companies, even when security is not the primary concern. The political economy of web services militates towards a fragmented net, as each regional power develops its own domestic industry. 

R: It's a dynamic that was going on before these revelations, and now it's going to accelerate for the very reasons that you identify. When I was in Europe, I spoke to a number of officials about using services like Google Docs that even though they were on Belgian servers, they were still subject to US laws. So, they were interested in home-grown digital products in order to maintain local jurisdictions over those products and their data. This is happening around the world and that process of domestication will be magnified.

Question: Even though you mention the multi-stakeholder model, I doubt that this will matter in the future. Because territorialization is a state matter. The US-dominated model of ICANN is not tenable around the world. How do you think about those conflicts?

R: The upcoming event in Bali in mid-October will be interesting around these issues. Shanghai forum and OAS are all discussing cybersecurity. In the wake of these revelations there will be an impetus to create cyber commands, etc. The whole export of infrastructure that has surveillance built in by demand will be very attractive to policymakers in Africa and elsewhere. We are looking closely at the Sochi Olympics, which is reconstructing a city around total surveillance and we expect it will be a model that is marketed to other countries and events in the future. Hillary Clinton's speech/movement and the Freedom Online Coalition are demoralized right now because their countries have been shown to be hypocritical. Their position has no credibility anymore.

Question: It feels like the political solution would be to ask the NSA to collect less data, and their counter-argument would be that you are asking this of us while other countries are arming-up on this. We also hear a little bit less about the private infrastructure of the internet and the need for confidence in privacy and security to allow us to undertake transactions like purchasing cars, etc.

R: We secrete so much data nowadays that we can never turn the clock back on it and it's not even really desirable because we count on the services that are provided with that data. We need oversight to ensure that this data is not being abused for purposes other than what it was intended. Talking about privacy: it's hard for us to make an argument because we are emitting so much data like our phones sending out identifying info as we sit here.

Question: What is the potential for social movements in this country? What are the difficulties of universities as stewards who rely on funding from companies and governments?

R: If and when revelations come out that NSA manipulated financial markets then we will see a big backlash from corporations. When companies realize losses hitting their pocketbooks because of international backlash from the Snowden revelations, we might see a strong response from the private sector. They may be interested in helping fund the independent research at universities. We also need to overcome disciplinary boundaries in the university to make this research and stewardship happen. I think students can press for that. Berkman Center is a great model for that.

Question: Could you talk more about the oversight you are calling for and how it differs from what Congress currently does?

R: I was talking to an advocate for the NSA, who was arguing how the surveillance was actually legal by the three branches of government. Which I argue with since the officials lied about what NSA was doing. In Canada, we have privacy commissioners that actually have power. One commissioner successfully fined Google under Canadian privacy law, effectively internationalizing our privacy law. We are beginning to educate people about how much data they are giving away and that may lead to more outrage that can be combined with stronger oversight.

Question: To what extent do you think that the oversight you are seeking could be resolved through simple transparency? Is there a level of optimal transparency that can deliver oversight?

R: I think to some degree law enforcement requires secrecy, but there is a necessary conversation about what is the appropriate depth of secrecy. A recent NYT article mentioned that eavesdropping on the Al Jazeera communications did more damage than the Snowden revelations. Need relentless pressure on states and companies. Somehow this should become an international norm. EFF's score card can be effective in shaming companies. Deibert has been personally pressuring Blackberry's operations in various countries.

Question: What do you think about quantum computing and its ability to either break encryption or provide secure communications?

R: There is no magic in the technology. Humans are still humans and could divulge the secrets behind such technologies, and that's why we need regulations.

Question: How do you get past the issue of the people making laws who don't understand the ramifications of their decisions?

R: Don't elect them, and barring that: This is why we need civil society organizations that can call out policymakers. 

Question: Is there anyone in journalism left that can do that?

R: Citizen Lab research has been profiled in many high profile media. These same outlets have been where the Snowden revelations have been published. The real issue is why aren't people listening or caring about it. In Canada, the media is atrocious: there is no independent investigation going on.

Question: There is meaningful mobilization going on. I am the organizer in Boston for the StopWatchingUs demonstrations going on in DC and elsewhere. My concern is that we are mobilizing against a political culture that is very defensive about its surveillance practices, and the agencies themselves have performed surveillance on any of the individuals that are capable of putting pressure on them and their surveillance programs. How do we ensure that institutions are paying attention to your work and others here to make change?

R: We need to create more fora for conversation between officials and experts. There is a place for the kind of demonstrations you are talking about. But we need quieter spaces for dialogue on these issues too.