Wednesday, May 28

Edward Snowden and the House of the Internet's toxic mold problem

"Mold needs a couple of things to grow. It needs water, it needs cellulose. Everything we build our homes out of, almost, is cellulose-based."
-- Attorney Alex Robertson, specialist in toxic mold cases, commenting in 2001 on the toxic mold in Erin Brockovich's house

Mike Hayden, a former NSA director, has complained vociferously that Edward Snowden didn't just steal copies of stolen classified material as other leakers have done; he revealed what Hayden called "the plumbing" -- files that show how the NSA data collection system works, the NSA's methods.

Darn tootin' Snowden revealed the plumbing. That's what a good house inspector is supposed to do.  The NSA's methods depend for their success on vulnerabilities that were deliberately built into the Internet by its American creators; add the fact that as with cellulose the Internet is highly permeable.  It's that last part that the builders of the House of the Internet didn't take into consideration. They were thinking in terms of trap doors.  As to what would happen when the doors, which were themselves highly permeable, got waterlogged from leaks.... 

What happened is that it's not only the 'good guys' who can exploit the vulnerabilities; it's also the toxic types.  And so the inbuilt vulnerabilities have cost companies and even the U.S. government untold billions in dollars from cybercrime, and put the entire world -- to include the U.S. military -- under serious threat of cyberwar.

The vulnerabilities have also made privacy a joke for individual Internet users and made fools out of sophisticated cyber prophets such as Mark Pesce who envision the Internet replacing brick and mortar government.  But how could the prophets have known about the Internet's true vulnerabilities, until Snowden got into the basement of the House of the Internet and began inspecting the plumbing?

So it's not only the "Stasi State" that Snowden's saving us from, as Daniel Ellsberg wrote last year.  He's saving the entire modern era.  Any doubts, read the book of the year and maybe the book of the decade: Cybersecurity and Cyberwar by two academics, P.W. (Peter Warren) Singer and Allan Friedman, based at Brookings Institution. 

The book, published this April by Oxford University Press for its "What Everyone Needs to Know" series, had to meet Oxford's high bar for the series: satisfy academia while being accessible to a reasonably literate general reader.

Singer and Friedman cleared the bar. But by the time they're finished explaining how this modern era in communications has shaped up, it's painfully clear that Snowden wasn't kidding when he said that he was still working for the NSA only they were the last people to know -- although I assume he meant the last people in the cybersecurity field.
The situation reminds me of what happened to Erin Brockovich. She bought the million-dollar house of her dreams with proceeds she famously won from exposing that a power company was knowingly contaminating residential groundwater with a toxic chemical. Her McMansion turned out to be so toxic it was unlivable.

But while Erin and her family kept getting sicker and sicker over the course of the year after they moved in, they didn't make a connection between this and the house.  It was a contractor she'd brought in to fix a leak, one who could chew and walk, who clued her that behind the lovely walls of her lovely house was very toxic mold. 

She refused to be run off by a mold, but the cleanup price was $600,000.  And she sued everyone in sight -- the builder, the subcontractors and the former owner -- on the grounds that it was faulty construction that had caused the water leaks that led to the mold.  Yet given what she went through with the power company, one would think that she would have found a house inspector who left no stone unturned before she signed the papers.  Obviously, she didn't. 

Just so, the world's Internet users, including the U.S. military, have paid a very high price for not closely inspecting a communications system that has more holes than Swiss cheese, every one of which can be readily turned against them.

Of course nobody planned it that way. It just happened, when within a decade hundreds of millions of individuals, and every government entity from federal to municipal, and every major private corporation, piled onto a system that had never been given a thorough inspection.
As for the military's use of the Internet -- it wasn't as if they didn't know about the vulnerabilities; it's just that no one could have projected how the vulnerabilities would combine in a system that wasn't built to hold up the entire modern era! 

The consequences are turning out to be worse than anyone imagined. Just one consequence, from the Washington Post's illuminating  2013 profile of Keith Alexander:
He has been credited as a key supporter of the development of Stuxnet, the computer worm that infected Iran’s main uranium enrichment facility in 2009 and 2010 and is the most aggressive known use to date of offensive cyberweaponry. U.S. officials have never publicly acknowledged involvement in what has been described by experts as the first known, industrial-scale cyber attack on a sovereign nation, one that is estimated to have set back Iran’s uranium production by as much as a year.

Alexander also pushed hard for expanded authority to see into U.S. private sector networks to help defend them against foreign cyberattacks.

Quiet concerns also have been voiced by some of the private companies that would potentially benefit from government protection against cyberattack.

At a private meeting with financial industry officials a few years ago, Alexander spoke about the proliferation of computer malware aimed at siphoning data from networks, including those of banks. The meeting was described by a participant who spoke on the condition of anonymity because the discussion was off the record.

His proposed solution: Private companies should give the government access to their networks so it could screen out the harmful software. The NSA chief was offering to serve as an all-knowing virus-protection service, but at the cost, industry officials felt, of an unprecedented intrusion into the financial institutions’ databases.

The group of financial industry officials, sitting around a table at the Office of the Director of National Intelligence, were stunned, immediately grasping the privacy implications of what Alexander was politely but urgently suggesting. As a group, they demurred. [...]
Alexander hasn't given up, by the way.  In his farewell testimony in February to the Senate Armed Services Committee, he was still pushing to make NSA the guardian of American financial security:
But while he appeared to soften his position on bulk domestic surveillance on Thursday, Alexander also implored Congress to pass legislation that would expand the authority of the NSA and its twin-sister military organization, Cyber Command, to protect private and business networks from online data theft and cyber attacks.

“We need to have a classified relationship” with major businesses to aid their ability to secure their data, Alexander said. That relationship is currently the responsibility of the Department of Homeland Security; Alexander said he would meet with the new DHS secretary, Jeh Johnson, over the next several weeks.
Do you see what's happened?  The military was still thinking of cyberwar as an air and ground offensive: you attack, then pull your tanks back and put your planes in the air to protect your flanks.

It doesn't work that way in a world in which there is no real ground and sky. 

So now Alexander and everyone else in U.S. government security is running around, trying to guard every gate. Can't be done in a highly permeable world with no real gates.
Short of practically razing the Internet to the ground and rebuilding it, just how are they going to secure it from devastating cyber attacks?  Companies here in the USA and the world over are now scrambling to devise security patches to the Internet. The cyber security industry has grown by leaps and bounds since Snowden revealed that the House of the Internet is full of holes and places toxic mold can grow -- places that are hard to detect unless you get into the basement and know what you're doing while you're mucking around in there. 

That's also what the somewhat unfortunately named Trustycon conference was about in February:
TrustyCon” – short for the Trustworthy Technology Conference – came together in a hurry after Mikko Hypponen, chief research officer for F-Secure, a Finnish security company, announced in January, in a public letter to RSA, that he was canceling his scheduled RSA conference talk and that his own company would skip the event entirely.

Hypponen, a rock star in the computer security world, gave the opening keynote at TrustyCon instead. It was a pessimistic assessment of technology users’ chances to have a computing and communications they can genuinely trust in an age when nation-states have taken over as the most dangerous – even malicious – hackers on Earth.

“Our worst fears turned out to be fairly accurate,” Hypponen said of what’s transpired in the security world over the past few years.
Hypponen's letter to RSA is linked to in the report.  And read the entire report to understand why he pulled out of the RSA conference.

Governments are also scrambling.  The German government wanted to leave the Internet, build its own, it was so spooked by Snowden's revelations. He told them during an interview on German public TV that it wouldn't work. Then, like a good house inspector he explained what it would take to be secure:
"The NSA goes where the data is. If the NSA can pull text messages out of telecommunications networks in China, they can probably manage to get Facebook messages out of Germany. The solution to that is not to set everything in a walled garden.  It’s much better to secure the data internationally rather than playing, ‘let’s move the data’. Moving the data isn’t fixing the problem, securing the data is the problem.”
All governments better start listening to Snowden and doing what he advises; the first government that should listen is the U.S. one.  Snowden's enemies need to can the crap about his being a spy, or being a tool of the Russian government, or the FSB pulling secrets out of him, or whatever the latest accusation.  Another fallback position is that he was just a hacker.  So then Snowden told NBC's Brian Williams that actually no, he'd been a spy -- a trained U.S. government spy. The interview is being aired tonight at 10 PM in its entirety.
(Did I not remark that Putin pegged him as a former spy?  Recall my post about Putin boxing his ears on Russian national TV.)  Putin surely also knew that because Snowden was trained in spycraft, trying to pull secrets out of him would be asking to get sent for a ride on a Trojan Horse.
As to why Snowden came in from the cold -- in a way the news was already out, given what Putin said about him on Russian TV. But one guess is that he got tired of listening to people in Washington and London smear him and for no other reason than CYA.

Yet I would hope that by now the U.S. military knows they have to get this man home and pick his brains about how to clean up the Internet's toxic mold problem.

Deutsche Welle summed it all up in their discussion of Snowden's appearance on German TV:  "Millions of people who never before glanced at the innards of the digital era now strive to learn its arcane terminologies so they can follow the juggernaut's progress."

Yes. Most of us are at the bottom of a high ladder of learning. The crux of the situation is that the holes in the Internet can be made into many juggernauts by all kinds of bad actors who do know the innards.  As the book by Singer and Friedman makes clear, it's going to take a lot of cooperation among governments to deal with the situation.
If nothing else, Snowden's revelations (the bulk of which were made after the book's publication) scared a lot of governments straight -- well, as straight as a government can get. Germany's Parliament has fielded an enormous inquiry that will take at least two years to complete. They want to cover all the bases:
Where are the limitations of international cooperation of German intelligence services? What are Americans allowed to do in Germany and what not? Did German authorities know about the practices of the NSA? Who operates and secures the Internet hubs - the sites that were used to get information? The investigation committee has to tackle all of these questions.
All that and much more. They can't subpoena witnesses from foreign governments but they're hoping to get cooperation from the U.S. and U.K. What the Bundestag has in mind, broadly, is to develop a kind of template that going forward their government and all others can use, to help them determine where the lines are when it comes to clandestine surveillance, and cyber war.
This kind of template should have been made 10 years ago, but now there's the impetus to build it.  The commission has already been turned into a political circus in Germany, although that's to be expected -- and of course Snowden got dragged into the uproar.  But as they slog forward, I hope their effort will attract greater international cooperation.

Yet cooperation is only one part. The other part is the need for brilliant minds that are very knowledgeable about the House of the Internet.  The April Vanity Fair profile of Snowden mentions that the U.S. military has vetted the account that a NSA employee provided to Forbes last year about Snowden's time at the NSA Hawaii branch. The employee stressed that Snowden is a genius, a rare type of genius.  We need to benefit from that rare genius, not try to jail it on a trumped up espionage charge.

Singer and Friedman point out that in a key respect this era harks to the pre-World War I one:  European governments had gotten control of a host of new technologies, such as the telegraph, which they sought to weaponize.  But the governments and their militaries didn't know how to control how the technologies would work and interact when deployed as weapons. This is because they couldn't imagine many of the outcomes, which had never been set in motion before.

There was no Edward Snowden, no rare genius with a highly integrated understanding of the new technologies, to warn, to explain how much could go wrong and how it could go wrong.  So the governments that led the fighting in World War I had to learn the hard way. It is nearly unbearable to contemplate in detail what the learning process entailed.


No comments: