As the Obama Administration attempts to push some heavy-handed cyber security bills through the House that would further chip away at privacy, officials are painting a very bleak picture of America’s vulnerability to a “Digital Pearl Harbor”.
Media reports note that “foreign spies and organized criminals are inside virtually every U.S. company’s network”, and that “our infrastructure is being colonized”.
The logic of the bills, six of them in all, is to enforce cooperation from companies and private individuals, particularly those operating power plants, chemical facilities, and communications systems. The underlying theory is that the government must step in to protect the private sector in the name of national security.
The Cyber Intelligence Sharing Protection Act, for instance, attempts to provide incentives for corporations that control critical energy, financial and communications infrastructure, offering tax breaks in return for sharing intelligence about possible attacks with the government. A clause stipulates that any non-crucial private data from customers would be erased before handing information over. Another bill that rivals this one proposes mandating information sharing through government regulation – minus the incentives package.
Civil liberties groups are highly critical of the bills because of the implications for privacy. The Intelligence Community has also been critical – for them the issue is that they can’t govern cyberspace and simultaneously protect privacy and the rights of big business. They say the bills are irrelevant.
The private sector, for its part, does not want government protection. Business groups, including the US Chamber of Commerce, are opposed to the new cyber security laws, claiming they would lead to an increase in costs for business without a clear reduction of associated risks – a short-term argument that ignores the mounting losses to business especially over the past two years due to cyber attacks.
According to FBI Director Robert Mueller, there are only two types of companies: “those that have been hacked, and those that will be.”
Howard Schmidt, special assistant to U.S. president Barack Obama and White House cybersecurity coordinator, is tasked with modernizing and guarding America’s cyberspace. He was also George W. Bush’s cybersecurity expert. Speaking at Bloomberg’s 2012 Cybersecurity Conference on 20 April, Schmidt lobbied for the new cyber security bills, stressing that there has been a clear escalation of cyber attacks on critical infrastructure, with around 200 attempts in 2011 – five times the amount in 2010.
So who are the real enemies?
There are hackers and there are hacktivists, and it is an important distinction, even if the government does not think so.
The biggest name in “hacktivism” today is Anonymous, which has attacked censorship proponents, hit back at Wikileaks’ enemies, and taken on the Church of Scientology, credit card companies and the bank of America, while at the same time dabbling in Middle East rebellions.
The NSA has in recent weeks and months spread fears that Anonymous could launch a cyber attack on critical US energy infrastructure and force a “limited blackout”. In late February, the NSA warned of the group’s developing capabilities, referring in particular to an alleged plan for a global internet outage on 31 March (which didn’t happen). Through its Twitter account, the group noted that it had no such plans and that such plans went against its principles, as it would affect the people it is trying to protect through its “hacktivism”. In fact, Anonymous probably does more to protect the internet than to destroy it when all is said and done.
Is Anonymous a threat to US national security? Perhaps, on some level, but not in the way that the NSA would have us believe. They will not target US energy infrastructure. It is not in their interest, nor does it jive with their overall objectives, which focus on freedom of information. What they can do, however, is make the US Intelligence Community look bad and ill-prepared. (In July last year, the group attacked government contractor Booz Allen Hamilton and a cache of 90,000 military emails and passwords causing a significant security problem for the Department of Defense.)
There is also a host of smaller, perhaps less serious and dubiously principled “hacktivist” groups, some of whom seem to be at war with each other. These smaller groups, on their own, may not yet have the capabilities to attack critical energy infrastructure, but their lack of clear motivations, sometimes very personal agendas and thoughtless prankster attitudes render them greater threats than Anonymous simply due to unpredictability. Among them are Lulzsec, which appears to have joined forces with Anonymous, and Web Ninjas, which appears to be a direct rival of Anonymous and may have been involved in helping to take down Wikileaks.
Also of note are a few lone wolfs, such as Lebanese hacker “Idahc”, who appears to be focused singularly on Sony – for now.
The real threat to US energy infrastructure from the cyber theater is China and Russia, both of whom are believed to be developing cyber warfare methods capable of dealing a major blow to critical infrastructure.
According to Franz-Stefan Gady, writing for the EastWest Institute, “the real danger to a country's economy arises from advanced persistent threats (APTs) - highly sophisticated and long-planned intrusions often executed with state sponsorship,” which threatens high-value technology and energy assets.
Experts estimate that the number of engineers in the US is equivalent to the number of “cyber jedis” in China, and that they have immense capabilities for hacking governments and companies in the West.
Paul Rosenzweig, former deputy secretary with the Department of Homeland Security, equates the mapping of critical energy and water infrastructure, for instance, to “preparation of the battlefield”. China, he opines, could easily warn the US not to interfere in Taiwan by threatening to “take out the electricity supply in Los Angeles.”
Russia and China have already “done the reconnaissance necessary to plan to attack US critical infrastructure," Jim Lewis, from the Center for Strategic and International Studies in Washington, told reporters. "You might think we should put protection of critical infrastructure at a slightly higher level. It is completely vulnerable. It is totally unprotected."
Time to Choose: Privacy or Security
Meanwhile, as the House considers new cyber security laws, it becomes clear that the debate must be reframed. There is a price we have to pay for the luxuries of the cyber world – a trade-off for being connected to everyone and everything. It is no longer possible to frame this debate as along distinctly privacy-versus-security lines. We gave up our privacy and opened a Pandora’s Box of security threats when we embraced the cyber world – that world of instant gratification, human connection and convenience.
Big business is concerned only about the bottom line – profits. Privacy advocates are concerned only about being able to make full use of this cyber world without losing control of personal data. The US Intelligence Community is only concerned about removing barriers to the collection and sharing of intelligence on possible national security risks among agencies.
The fact is, in an escalating cyber war theater, businesses lose out to security breaches; hackers pose a greater threat to personal privacy than the FBI, CIA and NSA; and the Intelligence Community has lost the competitive advantage to deal with cyber threats. This is an untenable situation, and the rival objectives will make it very difficult to prepare for cyber attacks on the level predicted.
Everything is about balance, and Anonymous perhaps exists as part of this necessary balance. Neither security threats nor privacy threats can be allowed to overbalance the equation. This means that the public must decide now how much it is willing to risk and what manner of risk they are willing to accept in return for harnessing the power of the cyber world. Privacy may be a thing of the past, unless you forge it in your own terms and mold it to your own desires. More than anything, it is the public that needs to rethink its cyber activities. If the public cannot come to terms with security-versus-privacy issues, it always has the freedom of choice to disengage. Outside the cyber world, privacy still exists. It’s a choice.
By Jen Alic of Oilprice.com
Jen Alic is a geopolitical analyst, co-founder of ISA Intel in Sarajevo and Tel Aviv, and the former editor-in-chief of ISN Security Watch in Zurich.