Trends Research 
January 30, 2012
Do you remember the Safe-Cyber instructions they taught you in the mandatory Computer Ed class (operated by the National Institute of Standards and Technology)? First you fire up your Secured Computing Device (SCD) and its hardware token authenticator.
Then you enter the six-digit algorithmically generated password displayed (a new one flashes every 60 seconds) and are asked to supply your biometric identifier. You place your thumb on the built-in fingerprint pad, click, and wait for the Internet connection to begin. But it doesn’t.
Instead, the screen goes black for a second before the dreaded words appear: “Malware has been detected on this SCD. As mandated by federal law, it has been placed in quarantine.” Then the machine shuts down.
This is not just conjecture, but an imminent scenario. Policies, such as the White House proposed “National Strategy for Trusted Identities in Cyberspace,” which will transform the character, culture and freedom of the Internet, are already in place. The 20 cybersecurity-related bills introduced in the Senate in 2011, and the dozen introduced in the House of Representatives, have wound their way through committees and, according to Senator Harry Reid, are scheduled to be voted on in the first quarter of 2012. Almost all of them, with the blessing of the White House, would make the Department of Homeland Security the overseer of private-sector networks.
Considering the apocalyptic rhetoric coming from Washington and the ranks of cybersecurity experts – echoed by media reports that portray every picayune data breach as Armageddon – it would appear that the vulnerability of the Internet has been underplayed for many years.
In the Internet’s start-up decades, both industry and government were committed to establishing an atmosphere of trust that would draw the public into conducting more and more digital business. Though data breaches, theft of trade secrets, identity theft and bank robbery have been a fact of Internet life since its beginnings, there were few laws requiring disclosure. Banks and credit card firms ate their losses as a cost of doing business, and the giant corporations kept mum rather than roil the public. Recently, the pendulum has swung in the other direction and a raucous alarm has been sounded regarding the great danger posed by the Internet.
The Nation is at a crossroads. The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century. The digital infrastructure’s architecture was driven more by considerations of interoperability and efficiency than of security. Consequently, a growing array of state and non-state actors are compromising, stealing, changing, or destroying information and could cause critical disruptions to U.S. systems. (White House Cyberspace Policy Review, 2011)
While there may be other factors behind the current wave of cybersecurity alarmism, we have identified three major forces: The Government, the Cybersecurity-Industrial complex, and the so-called “Hacktivists.”
The Hacktivists
LulzSec and Anonymous, the most-publicized of the hacktivists, along with a growing community of ad hoc cyberactors, have had a multi-faceted impact on the cybersecurity environment that goes far beyond the number of hackers at work or the amount of actual damage their exploits have inflicted.
They have skillfully publicized their outsized, headline-ready cyberintrusions. Their attacks, which are something other than the garden variety cybercrime, have compromised the web assets of Sony, the CIA, Fox News, the Church of Scientology, Bank of America and many more. Beyond the financial damage and security breaches, they’ve created a public relations nightmare forcing these major institutions to go public with what they would otherwise go to great lengths to conceal.
As a result, attention has been focused on the inadequacies of Internet security. If organizations as large, powerful and security-conscious as these are vulnerable, who then is safe? Not only have the targets been breached and embarrassed, consumer trust in the Internet has also been shaken.
These high profile, anarchic Internet exploits – compounded by the role of social media in evading and undermining government control of the political and media arena (Arab Spring, Occupy Wall Street, etc.) – have intensified government efforts to clamp down on the Internet … while providing the media with scary cyber-stories to further that agenda.
The Government
The US government agenda to control the Internet is at least a decade old. Just three months after the Bush White House created the Department of Homeland Security, it issued “The National Strategy to Secure Cyberspace.” The document begins:
My Fellow Americans:
The way business is transacted, government operates, and national defense is conducted have changed. These activities now rely on an interdependent network of information technology infrastructures called cyberspace. The National Strategy to Secure Cyberspace provides a framework for protecting this infrastructure that is essential to our economy, security, and way of life.
In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States.
Nearly a decade later, the basic message from the White House sounds much the same, if louder and more urgent. But there is a big difference. President Obama, and the rest of the Beltway insiders, have now formally defined cyberspace as a “strategic national asset.”
On the face of it, this appears to be a reasonable approach for a world that has become, in a relatively short time, totally dependent on digital resources. Unfortunately, it is an approach that provides a straight path to the militarization of the Internet and the loss of liberty that will follow. It is an approach that will elevate the most common forms of cybercrime (bank robbery, credit card theft) to the high-alert status of a cyberwar attack.
This government mindset will lead to the same abrogation of individual rights in cyberspace as the National Defense Appropriations Act of 2012 has codified in “Battlefield America.”
Given the integrated nature of cyberspace, computer-induced failures of power grids, transportation networks, or financial systems could cause massive physical damage and economic disruption. DoD operations – both at home and abroad – are dependent on this critical infrastructure. As military strength ultimately depends on economic vitality, sustained intellectual property losses erode both U.S. military effectiveness and national competitiveness in the global economy. Cyber hygiene must be practiced by everyone at all times; it is just as important for individuals to be focused on protecting themselves as it is to keep security software and operating systems up to date. (Department of Defense Strategy for Operating in Cyberspace, July 2011)
Many Internet experts and cybersecurity professionals have deemed 2011 “The Year of the Hack,” in recognition of the unending stream of headlines related to data breaches and thefts. We believe that – aside from any real uptick in cybercrime or cyberwarfare skirmishes – this perception is the result of the government’s determination to soften up the public to meekly accept an upcoming barrage of Internet regulation. It is a digital-age version of the tried and true fear mongering that is always employed to further empower the president and further enrich the military/industrial and Homeland Security complex. The government says it’s not fear mongering, just education.
The national dialogue on cybersecurity must begin today. The government, working with industry, should explain this challenge and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action. People cannot value security without first understanding how much is at risk. Therefore, the Federal government should initiate a national public awareness and education campaign informed by previous successful campaigns. (White House Cyberspace Policy Review, 2011)
The Prominence of the Non-military Aspects of Warfare. Non-military means of warfare, such as cyber, economic, resource, psychological, and information-based forms of conflict will become more prevalent in conflicts over the next two decades. In the future, states and non-state adversaries will engage in “media warfare” to dominate the 24-hour news cycle and manipulate public opinion to advance their own agenda and gain popular support for their cause. (“Global Trends 2025,” National Intelligence Council, 2008)
The Money Card
A key point being used to “educate” the public is the putative astronomical monetary loss caused by cybercrime in all its forms. There is, of course, no way to ascertain the validity of these numbers or even to figure out just what kind of losses are included in the estimates, which are generally arrived at by the large cybersecurity corporations. Some loss-figures appear to include the fall in a company’s stock price that usually follows revelation of a major hack (but doesn’t adjust that figure when the stock price climbs back up), as well as adding in an arbitrary sum attributable to time lost in recovery.
The largest global estimate of money lost to cybercrime currently floating around – as totted up by McAfee, the world’s largest cybersecurity company and endorsed by the White House – is $1 trillion a year. Symantec Corp., another cybersecurity giant, calculates the annual toll of global cybercrime to be about $388 billion. For dramatic impact, Symantec notes that figure is greater than the black market in marijuana, cocaine and heroin combined. Either of those (wildly divergent) sums is impressive, but do they mean anything? Or are they just part of a government “education campaign modeled on previous successful campaigns,” such as selling the public on the certainty of WMDs in Hussein’s Iraq?
Far from being broadly based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N = 1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.
Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings.
There has long been a shortage of hard data about information security failures, as many of the available statistics are not only poor but are collected by parties such as security vendors or law enforcement agencies that have a vested interest in under- or over-reporting. (“Sex, Lies and Cyber-crime Surveys,” Microsoft Research)
The Cybersecurity-Industrial Complex
The fear, uncertainty, and doubt (FUD) surrounding cyberspace has helped turn cybersecurity into an enormously profitable business, worth between $60 and $100 billion a year, depending on who’s providing the statistics. The sector is expected to grow 10 percent annually for at least the next five years. You don’t have to attribute any ethical lapses in the cybersecurity industry to recognize that it, like the government, has a great interest in “educating” the public in cybersecurity awareness.
Security experts say that it is virtually impossible for any company or government agency to build a security network that hackers will be unable to penetrate. (Reuters, 27 May 2011)
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact …. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.” – Dmitri Alperovitch, Vice President of Threat Research for McAfee
The military-industrial complex of the Cold War era has morphed into the cybersecurity-military/industrial-Homeland Security complex of the Cyber War era … to which there is no end in sight. With the cybersecurity industry creating the technology required to stem the very cyberattacks they are in charge of discovering and monitoring, we face an endless cyberarms race that will undoubtedly be fed on exaggerations of the virtual menace and our vulnerability to it.
On the heels of the fear and hysteria will come the firm push for strict control and regulation of the Internet. It will be championed by government and industry as the necessary response to cyberwar, cyberterrorism, and cybercrime which, since cyberspace is considered a “strategic national asset,” are essentially all the same.
The Stop Online Piracy Act (SOPA), for instance, which is scheduled for a vote in 2012, will take a page from the National Defense Appropriation Act of 2012. In order to protect the rights of copyright holders to profit from their intellectual property, SOPA would permit the dissolution of due process and open the door wide to censorship and the denial of the right to free speech. The bill, supporters suggest, is not just about recovering the billions lost to bootlegged movies and music; rather, it’s about protecting the military strength that ultimately depends on economic vitality.
We agree with The Electronic Frontier Foundation, which has called SOPA the most extreme, anti-Internet, anti-privacy, anti-free speech copyright proposal in US legislative history. It is, however, only one of many legislative proposals likely to be steamrollered through Congress in the coming year.
Computer security expert Eugene Kaspersky, co-founder of Kaspersky Labs, envisions the “passportization” of the Internet. In his opinion, to access critical online services, such as banking or electronic voting, “it should be made mandatory to log-on only with the use of a unique personal identifier [for example, a token – a sort of cyber-passport] and establish a secure authoring connection.”
Microsoft has proposed what it calls a “public health model” for the Internet. Cybercitizens would be required to have a “clean bill of health,” make their computers open to inspection, and, if contaminated by a virus or other malware, be prepared for quarantine.
President Obama’s National Strategy for Trusted Identities in Cyberspace is pushing for development and public adoption of Internet user authentication systems that will function as a driver’s license for the cyberhighway.
Government control of the flow of information will strike a blow against Internet anonymity and the free speech it has made possible. Driver’s license, bill of health, passport, whatever you call it – it’s all about the ability to track and control the individual. Today, traffic in copyrighted digital material is the criminal behavior supposedly under attack; tomorrow, it will be the ability to speak out against corrupt government.
Hello, Big Brother.
Trendpost: The demand for ever-more effective cybersecurity tools to counter the ever-more inventive depredations of cybercriminals and cyberwarriors will be with us far into the foreseeable future. Clearly, this situation will create many jobs, both for the formally educated and the creative hacker. In addition, The National Initiative for Cybersecurity Education – established to provide cyber-awareness training to students in Kindergarten through post-graduate programs – will need many specialized teachers.
Somewhat farther along on the timeline, there is a high likelihood that the manufacture of cyber-components will be repatriated to the US. The 2011 Department of Defense’s “Strategy for Operating in Cyberspace” notes: “The majority of information technology products used in the United States are manufactured and assembled overseas. The reliance of DoD on foreign manufacturing and development creates challenges in managing risk at points of design, manufacture, service, distribution, and disposal.”
A high probability exists that 2012 will bring revelations about contamination in the global IT hardware and software supply chain and proof that computer components are providing our “enemies” with entry to critical networks or transmitting sensitive information to them. This will turn the DoD’s security concern into a hot imperative.