Information Security practitioners aren’t used to getting political, so there was apparently a small but vocal stream of nationalists complaining to the conference organizers by the time I was done.
One reason is that there is a fairly substantial ex-military contingent in the security workforce. I tried to get them on my side, but I don’t think calling out “brainwashed nationalists” was the right strategy, so I made my call by pointing out that information security practitioners are part of the machine that has built the surveillance state, and we all bear some responsibility for that mistake. I could tell that was not a popular view.
Back in 2017, a senior Microsoft Executive (that’s corporate for: a big shot but not big enough to affect policy) published a position paper asking “Is it time for a Geneva Convention for Cyberspace?”[msft] My answer was (on the slide above):
Here’s the problem – most Americans don’t realize that international humanitarian law is not written in the nation-state-favoring language of warfare. Wars are something governments sometimes declare on each other. The IHL is written in terms of “conflict”; there are “combatants” who are participating in “conflict” and everyone else is a “noncombatant.” See, the IHL was written by lawyers, not Washington spin-doctors. By the way, IHL has no definitions for “illegal combatant” or “collateral damage” – none of that; those words were created by various US administrations to downplay their own war crimes. In IHL, attacking non-combatants or engaging in wars of aggression are crimes against humanity.
So, my answer was that we don’t need a Geneva Convention for cyberspace, we need governments that follow the Geneva Conventions. The internet is civilian infrastructure; the military – when they depend on civilian infrastructure – are placing it at risk of attack (basically, using it as human shields); that’s also a war crime. If the military wants to have cyberwars, they should have them on their own networks, not civilian networks.
It’s interesting to speak, and to watch the reaction of the audience; there were people in the room who looked like I had just punched them. American nationalism has heavily over-sold the idea that we are the good guys and therefore above reproach. So I laid it on hard: I pointed out that the 1977 Geneva Conventions enjoin combatants from interfering with dams, power plants, nuclear power plants, and dangerous forces. When the US/Israeli-released Stuxnet virus interfered with the centrifuge cascade at Natanz, it also interfered with the cooling pump systems of the Iranian reactor at Bushehr – a reactor 2 miles outside of a city of 180,000. That was an incredibly irresponsible act, and it’s exactly the kind of thing that would cause “epic freakout” if the Chinese did anything to an American nuclear reactor.
I’m not a big fan of moral equivalencies, because I think it ought to be possible to simply argue what is wrong and what’s not, but the audience was rather shocked to contemplate the possibility that, by doing what they did, the NSA not only invited but justified a comparable retaliation against US power-grid systems. Why not?
Anyhow, I shan’t review my entire talk here, but: it’s disappointing to me how little most Americans think about this stuff. They accept what they are told is reasonable, whether they are told on MSNBC or FOX – either one is acceptable. To me, both are wrong.
Computer security practitioners are used to worrying about the details like “are my firewall rules right?” and I asked them to think, instead, whether they should work at all for the government, and – if they do – to backdoor systems with an eye toward preventing governments from acting in secret.
I finished by pointing out that there are simple techniques for dealing with this stuff: diplomacy, statecraft, leadership, willingness to understand and balance other nations’ needs against our agenda. In fact, the Stuxnet attack against Natanz didn’t slow down the Iranian enrichment program because negotiation did. None of it was necessary.
Perhaps all this means I won’t be doing so many keynote talks anymore. Which is fine; it’s just as amusing to be in my shop hammering steel.
I’ve been quiet lately because Tuesday I was driving, Wednesday I was in meetings all day and then had a big dinner and too much wine, Thursday I was up at 5 to get to the airport and was on a plane all day (writing slides for my talk in PowerPoint), and this morning I was up at 6 to get to the conference. I haven’t been doing anywhere near as much speaking as I used to, and now I wonder how I managed it, or why I bothered. Tomorrow I’ll be hanging out in LA with what is possibly the cutest kid on earth and his wonderful parents, then heading home Sunday.
I have soap drying in the oven and some metal experiments to do; next week is going to be a lot of busy digging out, and fun.