In today’s New York Times, David Sanger published an article that the damage caused by Edward Snowden’s disclosures of NSA surveillance might have killed what Sanger calls “the equivalent of a ‘Star Wars’ defense for America’s computer networks, designed to intercept cyber attacks before they could cripple power plants, banks or financial markets.” More specifically:
Under this proposal, the government would latch into the giant “data pipes” that feed the largest Internet service providers in the United States, companies like A.T.&T. and Verizon. The huge volume of traffic that runs through those pipes, particularly e-mails, would be scanned for signs of anything from computer servers known for attacks on the United States or for stealing information from American companies. Other “metadata” would be inspected for evidence of malicious software.
Whether this idea would have matured and proceeded without leaks about NSA surveillance is not clear because opposition within the US government existed:
Top officials of the Department of Homeland Security, which is responsible for domestic defense of the Internet, complained that N.S.A. monitoring would overly militarize America’s approach to defending the Internet, rather than making sure users took the primary responsibility for protecting their systems.
The deputy secretary of defense, Ashton B. Carter, described in speeches over the past year an alternative vision in which the government would step in to defend America’s networks only as a last line of defense. He compares the Pentagon’s proper role in defending cyberattacks to its “Noble Eagle” operation, in which it intercepts aircraft that appear threatening only after efforts by the airlines to identify the passengers and by the Transportation Safety Administration to search passengers and luggage have failed.
The disclosures about NSA surveillance and its scale have, however, altered the nature of discourse in Washington, D.C. about this debate on US cyber defense in ways that make progress in this area, for the near future, potentially very, very difficult.
Today, President Obama outlined steps his administration would take to address the controversial debate taking place concerning NSA surveillance activities disclosed by Edward Snowden. The New York Times reports that:
Mr. Obama announced the creation of a high-level task force of outside intelligence and civil liberties specialists to advise the government about how to balance security and privacy as computer technology makes it possible to gather ever more information about people’s private lives.
The president also threw his administration’s support behind a proposal to change the procedures of the secret court that approves electronic spying under the Foreign Intelligence Surveillance Act in order to make its deliberations more adversarial. The court, created in 1978, was initially envisioned to carry out a limited role of reviewing whether there was sufficient evidence to wiretap someone as a suspected foreign terrorist or spy.
. . .
The Obama administration is also planning to release a previously classified legal analysis explaining why the government believes it is lawful under a provision of the Patriot Act known as Section 215 for the N.S.A. to collect and store logs of every phone call dialed or received in the United States.
At the same time, the N.S.A. was expected to release a paper outlining its role and authorities, officials said. The six- to seven-page document was described as setting up a “foundation” to help people understand the legal framework for its activities. Next week, the agency will open a Web site designed to explain itself better to the public amid Mr. Snowden’s disclosures.
The “previously classified legal analysis” on the government’s interpretation of Section 215 is available now in a document entitled: Administration White Paper: Bulk Collection of Telephony Metadata Under Section 215 of the USA PATRIOT Act (August 9, 2013).
For the argument that the bulk telephony metadata program does not satisfy the requirements of Section 215, see this amicus brief filed with the US Supreme Court today by a group of professors expert in information privacy and surveillance law, a group that includes me. This amicus brief supports the petition filed in July with the Supreme Court by the Electronic Privacy Information Center against the bulk telephony metadata program.
Related to the President’s announcement, the NSA released a document today entitled The National Security Agency: Mission, Authorities, Oversight and Partnerships (August 9, 2013), which, among other things, describes NSA’s authorities to collect intelligence under Executive Order 12333 and the Foreign Intelligence Surveillance Act, including Section 702 of that Act (the legal basis for the PRISM program targeting non-US persons located outside the US).
Greg Austin of the EastWest Institute published a piece in China-US Focus on August 6th in which he identifies possible push-back against the US government’s race to achieve “cyber superiority” and the emergence of “the American cyber industrial complex” from people in the US military knowledgeable about US nuclear weapons and strategy. He argues that disclosures by Edward Snowden reveal a “lack of restraint” in US cyber behavior and:
This lack of restraint is especially important because the command and control of strategic nuclear weapons is a potential target both of cyber espionage and offensive cyber operations. The argument here is not to suggest a similarity between the weapons themselves, but to identify correctly the very close relationship between cyber operations and nuclear weapons planning. Thus the lack of restraint in cyber weapons might arguably affect (destabilize) pre-existing agreements that constrain nuclear weapons deployment and possible use.
The cyber superiority of the United States . . . is now a cause of strategic instability between nuclear armed powers. . . . [I]n the long run, the most influential voice to end the American quest for cyber military superiority may come from its own armed forces. There are military figures in the United States who have had responsibility for nuclear weapons command and control systems and who, in private, counsel caution. They advocate the need to abandon the quest for cyber dominance and pursue a strategy of “mutual security” in cyber space – though that has yet to be defined. They cite military exercises where the Blue team gets little or no warning of Red team disruptive cyber attack on systems that might affect critical nuclear command and control or wider war mobilization functions. Strategic nuclear stability may be at risk because of uncertainty about innovations in cyber attack capability. This question is worth much more attention.
Cybersecurity literature contains references and analogies to nuclear weapons and nuclear strategy, including attempts to draw on the nuclear experience to address what some perceive as a cyber arms race. However, Austin is talking about something different–concern among experts that what is happening with US cyber policy, strategy, and capabilities threatens US nuclear strategy and stability. I do not know how prominent such strategic introspection actually is, or whether it deserves the level of deliberation Austin advocates.
In the most general terms, Austin seeks reassessment of what he and others believe is an insufficiently restrained American quest for superiority in military and intelligence cyber capabilities–not because of perceived threats to privacy and other civil liberties at home, but because this path might create strategic problems for US national security down the road, including in the context of nuclear weapons. For Austin, this reassessment should include more scrutiny of permitting one military officer to lead both NSA and US Cyber Command, a situation Austin provocatively describes as “an unprecedented alignment of Praetorian political power in any major democracy in modern political history.”
A unrestrained cyber industrial complex led by a cyber Praetorian guard potentially causing strategic nuclear instability? Well, now, the “national conversation” is getting more interesting by the day . . .
This past week brought more discomfort in the United States produced by Edward Snowden’s disclosures about NSA surveillance activities:
- The House of Representatives narrowly defeated a proposal to restrict NSA authority to collect telephone metadata in the United States, a vote that caused intra-party clashes within both the Democratic and Republican parties;
- Legislators in Congress grilled NSA officials on the NSA’s collection of telephone metadata within the US, producing testimony that only heightened congressional concerns about the executive branch’s metadata surveillance activities and their legal justification;
- The NSA released previously classified documents related to the now infamous Verizon Order leaked by Snowden, an effort at transparency that, apparently, did not make anything more transparent;
- Courtesy of Snowden, The Guardian revealed another NSA program, called XKeyscore, which caused another round of national and international controversy about US surveillance policies and practices; and
- The Russian government granted Snowden asylum for one year, allowing him to leave his limbo-laden life at the Moscow airport, a development that perhaps guarantees Snowden’s place in history (and not Bradley Manning) as the Benedict Arnold of the cyber age and made already fraying US-Russian relations worse.
To have Congress close to over-turning a key law passed after 9/11, to deepen tensions between the legislative and executive branches, to provoke the masters of secrecy to try to be more transparent, to wrong-foot the NSA again with a new disclosure, to cause rifts within both major US political parties, and to exacerbate problems between great powers is, ladies and gentlemen, one hell of a week, in more ways than one.
Each development of this past week deserves its own scrutiny, but my objective here is to try to assess what the sum of these episodes means for the US. The initial disclosures from Snowden brought forth calls for a “national conversation” about the implications of the revelations of NSA surveillance activities and the policy and legal justifications for them. This conversation has been extremely awkward because a proudly open and free society found itself debating critical issues kept secret by its government and only revealed by a law-breaker who sought succor in the sovereignty of anti-American governments. To quote one of history’s great admirers of the US, not our finest hour.
But, this past week should signal that the “national conversation” requires decisions needed to shape post-Snowden American policy and law on issues ranging from the privacy of American citizens dependent on digital communications technologies to the impact of cyber espionage on the power and reputation of the US in geopolitics. No one should underestimate the gravity of these decisions because the questions to be answered go deep into what America means at home and abroad. In its main leader of its August 3rd issue, The Economist–hardly an American nemesis–embeds the Snowden affair along with other post-9/11 policies in what it calls “liberty’s lost decade.”
Provocative, to be sure, but The Economist is trying to piece together what it all means for the US, from Mohamed Atta to Edward Snowden, and is encouraging Americans to re-evaluate where their government has been–from detention cells in Guantanamo Bay to “collecting it all” in cyberspace–and whether and how they want the future to be different. We might not like the headlines, the harsh questions, and the flippant or cynical condemnations of American behavior as hysterical hypocrisy. But, when someone like Edward Snowden can affect this country’s domestic politics and foreign affairs as wrenchingly as he repeatedly has (see, this past week), we have serious work to do in crafting policies and laws less dependent on the fear secrecy breeds and more confident in the resilience openness brings when betrayal from within and enmity from without test our interests and values.
On July 13, 2013, Nicole Perlroth and David Sanger published a story entitled “Nations Buying as Hackers Sell Flaws in Computer Code” in the New York Times. Perlroth and Sanger wrote:
All over the world, from South Africa to South Korea, business is booming in what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.
. . .
But increasingly the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran’s nuclear enrichment program with a computer worm that became known as “Stuxnet.”
The flaws get their name from the fact that once discovered, “zero days” exist for the user of the computer system to fix them before hackers can take advantage of the vulnerability. A “zero-day exploit” occurs when hackers or governments strike by using the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, that there is a previously undiscovered way to break into a house without sounding an alarm.
The cybersecurity challenge created by the emerging global market in “zero day” exploits has been recognized before by experts (see, e.g., efforts by Christopher Soghoian of the ACLU to highlight this issue) and journalists (see, e.g., this story entitled “The Digital Arms Trade” from The Economist on March 30, 2013). But the Times article gives this problem heightened exposure and will increase political attention on it. With companies–such as Microsoft, Google, and Facebook–and countries–such as Brazil, Britain, China, India, Iran, Israel, Malaysia, North Korea, Russia, Singapore, South Africa, South Korea, and the US–willing to buy “zero day” exploits, Perlroth and Sanger report that “the market for information about computer vulnerabilities has turned into a gold rush.”
Among the many cybersecurity issues the development of this market creates is the question of whether to regulate it, and, if regulation is thought prudent, how to regulate the problem effectively. In its article, The Economist noted that:
Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.
The effort to turn to export-control laws as a way to regulate the sale of “zero day” exploits or, more broadly, the development and sale of purpose-built malware, suggests that strategies and “soft” or “hard” regimes used in non-proliferation and arms control might serve as a basis for thinking about what to do about the market for “digital weapons,” including:
- National export-control laws with multinational coordination of such regimes among countries (a cyber version of something like the Wassenar Arrangement);
- Bans or limitations on development, transfer, and use of certain weaponized code intended to have specific purposes or effects considered illegitimate (a cyber version of something like the Protocol Banning Blinding Laser Weapons); or
- Confidence-building measures, including declaratory policy strategies, aiming for heightened transparency and trust (cyber versions of the CBMs used in the BWC or of “no first use” declaratory statements).
The attractiveness of drawing on ideas from non-proliferation and arms control experience in the realm of cyber weapons exists, as made clear by, among other things, a provision in the proposed National Defense Authorization Act for Fiscal Year 2014 for the President to “establish an interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons through unilateral and cooperative export controls, law enforcement activities, financial means, and diplomatic engagement, and such other means as the President considers appropriate” (Sec. 946, Control of the Proliferation of Cyber Weapons).
Without question, reasons why cyber versions of these approaches would not work can multiply rapidly, including arguments related to the questionable effectiveness of these strategies in their traditional non-proliferation and arms control contexts. In addition, as in many areas of cybersecurity policy and law, reasoning by analogy to policies and regimes designed for other challenges breaks down rather quickly because cyber presents such a different kind of problem attached to technologies unlike what non-proliferation and arms control efforts have addressed in the past.
These various reasons are often why cybersecurity experts exhibit skepticism about “arms control” in the cyber context. Here are Paul Rosenzweig’s thoughts on this question in his blog post on the Perlroth and Sanger article on “zero day” exploits:
In the physical world, the production of weaponry is restricted by the need for an industrial base. In cyberspace, weapons are bits and bytes and produced as intellectual property. With such an ease of manufacture (comparatively) and a global market, there seems to be precious little prospect for an arms-control type approach to eliminating the trade. The market for zero-day exploits will, I think, grow exponentially in the years to come.
Rosenzweig’s prediction might well prove accurate, but policy concerns with this uncontrolled global market for “zero day” exploits and other purpose-built malware are mounting, as illustrated by the ideas being floated in the European Parliament and (perhaps ironically given significant US government participation in this market) by proposed Section 946 of the National Defense Authorization Act for Fiscal Year 2014. As the market charges on, policy anxieties and demands for action will also increase, which will make efforts to control behavior amounting to “beggar thy neighbor’s software” one of the most interesting and difficult cybersecurity challenges governments and companies face.