The US has tried to assert its colonial dominance over the internet, and has acted as though it is its domain since the beginning. That has had a lot of policy implications, and has created a “karma debt” that I think we are only starting to confront.
In my opinion, one of the biggest mistakes the US made was letting the NSA run wild and hack all the things. That has been another way in which the US has asserted hegemony – the current high tech stack runs on American CPUs, American network physical interfaces, American switch/routers, American operating systems, American databases, American app stores, American social media, American cloud services, and American stuff is overtly or subtly backdoor’d. The US passes laws that require Facebook, or Google, to be able to turn a user’s data over to the FBI upon request.
That’s all deplorable behavior in a democratic society, but – this can’t be emphasized enough: the US is a stealth oligarchy run by an authoritarian security establishment. What’s sad is that the US appears to have expected other authoritarian regimes to not enviously say, “we’re gonna get us some of that.” [nyt]
The requests, which the F.B.I. says are critical to its counterterrorism efforts, have raised privacy concerns for years but have been associated mainly with tech companies. Now, records show how far beyond Silicon Valley the practice extends – encompassing scores of banks, credit agencies, cellphone carriers and even universities.
The demands can scoop up a variety of information, including usernames, locations, IP addresses and records of purchases. They don’t require a judge’s approval and usually come with a gag order, leaving them shrouded in secrecy. Fewer than 20 entities, most of them tech companies, have ever revealed that they’ve received the subpoenas, known as national security letters.
[A not-very-subtle bit of irony regarding the republicans’ big show about the FBI placing republican operatives under surveillance is that the republicans, under Bush, greatly acellerated the FBI’s push to collect data on everyone. “Surveillance” means “we look at what we already collected.” In normal people language, everyone in the US is under surveillance whenever they use any tech at all.]
When Hillary Clinton was secretary of state, she did some memorable finger-wagging at China for building it’s “great firewall” – i.e.: trying to control and surveil its people, like the US does. That’s a no-no because the internet is the US’ private lake. This attitude has resulted in another completely bizarre policy failure on the part of the US government: they use the internet all the time, in very stupid ways, and they expect the Chinese and Russians and every other nation we place arbitrary sanctions on, to behave like good kids when they are on the internet. So, you have weird bizzaro-world incidents like the US complaining loudly about state-sponsored hacking, while CIA and NSA archives of hacking tools leak (due to organizational incompetence and over-reliance on contractors) into the wild. The Russians, at least, have a sense of humor about it: the notpetya malware which is being used in many cryptolocker attacks against state governments and hospitals, is based on leaked CIA hacking code. Back in 2012 at RSA conference, I did a talk about cyberwar in which I characterized this as “the Department of Glass Houses is developing stone-throwing technology.” Since then, it has only gotten worse, to the point where I concluded that the US government’s cybersecurity ‘strategy’ consists of two things:
- Expecting everyone to be nice.
- Making dire threats about what happens to anyone who is not nice to us.
That sort of strategy only has the slightest chance of working if you, yourself, are nice to everyone. And probably not even then; at the level we are discussing, nobody is nice.
One of the tidbits you probably missed in the giant out-flow of shit that is Washington, is that the DoD is disappointed that Trump decided to start SPACE COMMAND, to the sound of a great deal of hilarity, because what it really wanted was CYBER COMMAND. (womp, womp!) So I thought I’d fill you in a bit about that.
Back in 1992 or so, there was
discussion of how to spend the “peace dividend” from when the USSR collapsed a great deal of concern that cyberwar would be a new battlefield. Suddenly, every government agency that had a pot to pee in tried to declare itself the agency responsible for cybersecurity. National Institute for Standards and Technology (NIST) tried, then NSA asserted eminent domain because it controlled evaluation and deployment of technology for classified systems, but the Department of Energy started its own security organization, the Army, and Air Force did as well, and – basically every beltway bandit in the Washington area was suddenly interested in setting up some kind of cyber command. When 9/11 happened and DHS happened, even DHS jumped into the fray, declaring itself as the repository of security expertise against cyberterrorism. They they turned around and hired contractors (ISS Security) to write all their announcements and provide a threat feed that they released by removing ISS’ logos and replacing them with their own.
Cyber Command, in other words, has been a big brass ring, or political football, or whatever, for a very long time. When the DoD grouses that Trump started Space Command instead of giving them a Cyber Command, they are just complaining about how the loot is being divided up. My guess is that they’re pissed off that they will have to interact with NRO (National Reconnaissance Office) and the Air Force in order to do spacey stuff. I don’t know if any of you noticed but the Army has absolutely zero skill at rockety-stuff, aside from medium range ballistic missiles. The NRO is the agency that controls the spy satellites, and arguably has the most rockety-stuff experience, though the Air Force is apparently also spending a lot of money on trans-atmospheric (i.e.: space) weapons that may violate various treaties, so they classified them.
Space Command is going to be a joke, unless the intelligence community somehow fail to strangle it in its cradle.
In other words, all of this amounts to the US’ stating its objective is limitless “force projection” and “full-spectrum dominance” in cyberspace, near space, and any other space that is identified as a space.
The Chinese have already been doing their own thing, which is the obvious response to the US’ policy: they’ve got their own network and their own technology stack and they are promoting their own cyber-businesses and they’ve told Ebay and Google and whatnot to go hump a pile of gravel. The Chinese are becoming increasingly old-school authoritarian, as they realize that they are not being welcomed into the global economy and are going to have to be ready to defend themselves against attack from any direction. And, of course, they want to control and surveil ‘their’ citizens. Because that’s how it’s done, apparently.
All of this comes to my mind as a consequence of reading that Russia is now requiring that apps pre-populated on Russian smart phones must be “Russia Friendly.” I’m not sure what that means but I bet it’s got something do with: you are a captive audience. It makes sense: why on earth would China and Russia want to see a giant flow of money going to Google for banner ads, when they can do their own (which supports languages that are not American English) – why would a Chinese web-surfer be interested in Amazon Prime, anyhow? Amazon Prime is not available in China, so don’t show me ads for it. [gizmodo]
Russia is getting closer to implementing the sort of internet regulations that exist under the Great Firewall of China. Earlier this year, internet providers began preparing to conduct tests to find out if Russia can build an internet disconnected from the rest of the world. Now, Russia plans to block major VPN (virtual private network) services that allow users to reach banned websites.
What capitalism doesn’t thoroughly fuck up, will be left to the nationalists to turn into smoking rubble.
In March, Russia’s telecommunications regulations agency Roscomnadzor told the top VPN providers to link their servers to the government-run IT system, which it uses to prevent people in the country from accessing banned sites.
Roskomnadzor wrote to the ten providers – ExpressVPN, HideMyAss!, Hola VPN, IPVanish, Kaspersky Secure Connection, KeepSolid, NordVPN, OpenVPN, TorGuard, and VyprVPN – and said the operations had 30 days to respond, according to a Reuters report at the time.
“In the cases of non-compliance with the obligations stipulated by the law, Roskomnadzor may decide to restrict access to a VPN service,: Roskomnadzor said in a statement, according to Reuters.
Naturally, the VPN companies are complaining, because what you just heard was the dying wail of their Russian market. All they’ve got left is their ability to complain, anyhow – VPN companies have been complaining for years that the Chinese great firewall blocks their traffic, and the Chinese just shrug. That’s what it’s supposed to do, silly capitalists! Fuck your “business model.”
I remember back in the 90s, the internet was alive with technophiles saying stupid things about how the WWW was going to change the world. It has: it has transferred a lot of money to technophiles, for one thing, but it sounds like the curtain is dropping on the first act. Authoritarian governments figured out some time ago that there was not going to be another Egypt, in which the US government promoted the use of Twitter and Facebook as forums for organizing anti-government protests, which eventually collapsed the authoritarian regime (which was replaced, pell-mell, by two more authoritarian regimes).
Christopher Hitchens used to say “religion poisons everything.” Let me extend that a bit:
“Religion poisons everything, capitalism steals whatever’s worth carrying off, and nationalism makes a smoking crater for the survivors.”
Back in the early 00’s I was telling my friends that there was a gigantic business opportunity to produce non-US backdoored national cyber infrastructure. It’d be expensive, say $400mn starting price, but it would include operating system for a basic phone, email infrastructure, search engine, basic network fabric, wifi stack, etc. Bill it as “cost-unloaded” i.e.: no money leaves your economy to go to Google or Microsoft or Oracle or Amazon – the money stays at home, so what if it’s not quite as fancy as what Apple offers? Build a big menu of components and offer it as turnkey technology transfer. Of course the NSA would still hack into it, but that’s not the point: the point is you’ve got their money.
Crossfire Hurricane, the FBI’s surveillance program against the Trump campaign [nyt] is a great example of the kind of thing that is done with the FBI’s improved access into citizen communications: a great big incompetent nothing.
Security practitioners, such as my old friend Avi Rubin, have long warned that voting machines should not be connected to the internet. Or, at the very least, they should be connected through a hub-and-spoke VPN with some very strict controls and visibility in the core. I.e.: a private network. There’s a lot of use for private networks and virtual private networks, but authoritarian governments are increasingly attuned toward breaking the privacy so they can surveil the population. Cue Apple VS FBI, in a fake grudge-match that’s as real as professional wrestling – how do you build a secure voting infrastructure on a network that your own CIA is wholeheartedly committed to compromising?