Originally Published in Foreign Policy Association Blogs
Foreign Policy Concepts spoke with Dr. Deibert recently to discuss cybersecurity, internet freedom, and his new book Black Code: Inside the Battle for Cyberspace.
The exponential growth of cyberspace on a global scale has happened in less than two decades. How would you characterize the key social and cultural implications of this growth of cyberspace?
The emergence of cyberspace has happened in a dramatically short period of time, making it the fastest growing medium of communications in world history. However, the biggest changes within that timeframe have happened just within the last five years or so with the growth of social media, cloud computing or what is otherwise known as Software-as-a-Service, and mobile connectivity. Together, these three have fundamentally transformed our relationship to information, turning our digital lives inside out. This change has happened so fast that we have not yet had time or knowledge to understand the full implications or to protect ourselves from newly emerging threats connected to unforeseen vulnerabilities. There are obvious privacy implications, but as users we know very little of what we are giving away since so much of what we actually communicate is hidden even from us – for example, the meta-data that is included in the “envelope” around all of digital communications, or the ways in which mobile phones emit a signal every few seconds, as a beacon to the nearest WiFi or cell tower (even when the phone is not in use) that gives away the location of the user. This shift has brought about the world of Big Data, and all of its wonderful potential for science and communication, but there are downsides to the world of Big Data that we have yet to fully grasp.
You assert in your book that “the companies that control huge swaths of cyberspace are at once flexing their political muscles and being deputized with more expansive policing responsibilities.” How do you see the relationship between the increasing power of corporations in cyberspace and their adherence to principles of information freedom?
The vast majority of cyberspace is owned and operated by the private sector. As cyberspace has become more important to all aspects of politics, economics, and indeed all of life, security of cyberspace has become a major public policy issue. In order to secure cyberspace, governments must enlist the private sector, either through laws or some other means of compulsion. In many country contexts, this has meant difficult choices for companies as they must grapple with entering into and servicing potentially lucrative markets but being asked by authorities in those jurisdictions to hand over data on users, or censor access to information, in ways that would otherwise be considered a violation of human rights. Blackberry’s experiences in India, United Arab Emirates, Saudi Arabia, and Indonesia are a case in point. Most Internet companies benefit by an open Internet, and so have a stake in information freedom. But that only goes so far, and companies are driven ultimately by the bottom line and the quest for profit. There is also a growing market for censorship and surveillance technologies – for products and services that undercut information freedom – and many companies are gravitating towards that market as cyberspace securitization unfolds.
Concerns for internet and data security have increasingly become a common theme not just for governments and armed forces around the world, but also in corporate boardrooms, where top executives ponder how to counter the rise of global industrial cyber espionage. To what extent should we expect the emergence of a cyberspace with a whole new set of restrictions and regulations?
There is a long-standing myth that the Internet (and cyberspace) is somehow a realm removed from regulation and restriction. However much that may have been true at a certain point in the past (and that is debatable in and of itself) it is certainly no longer the case now. Governments and other actors are imposing restrictions and regulations on the Internet and related digital media for many reasons, the most important of which is security. Given the nature of security policies, many of these restrictions and regulations operate behind a cloak of secrecy (as we found out in the Snowden revelations). These security regulations can make for a complex and risky operating environment for companies – particularly when national security issues appear to be compromising the integrity of products and services that companies operate abroad. There are many circumstances where company execs and their legal officers will find themselves having to try to discern laws and protocols in an environment of corruption and a lack of transparency, where they are asked to do things informally in an uncertain context.
Given the increased uncertainty in cyberspace by revelations of government-sponsored intrusions against Western corporations from countries like China and Iran, as well as the extent of government spying on its own citizens, how much room is there for faith and trust in cloud-based IT services and the whole sector known as software-as-a-service (SAAS)?
There are discussions now that the NSA revelations will bring about losses to the US IT industry of upwards of $200 billion. These are major impacts on an industry that is directly traceable to the concerns that non-U.S. citizens, governments, and industry have over whether they can trust U.S.-based companies. For many people, cloud computing is a special kind of magic that just works. But it is important to remember that “clouds” are merely a metaphor for equipment, routers, cables and physical infrastructure that operate in some particular national jurisdiction, subject to the laws of that jurisdiction. My prediction is that the NSA revelations will have a dramatic impact on non-U.S. countries taking stronger measures to “nationalize” the ICT industry, creating their own “Google’s” and “Facebook’s” and subjecting them to their own nationalized controls. In the long run, this is not good for any one country’s national interest, or to an open and free Internet. I wrote about this dynamic in a recent editorial on CNN.
Communications Security Establishment Canada (CSEC) is believed to be Canada’s most secretive intelligence agency, comparable to the National Security Agency (NSA) in the United States. Is CSEC responsible for protecting both Canada’s government-owned and private sector digital communication infrastructure from cyber warfare?
CSEC’s mission is threefold: to collect data from the global information infrastructure that is relevant to Canada’s national security, and in particular around foreign threats to our security; to protect Canadian government communications; and to assist domestic law enforcement and national security investigations, where relevant. The third pillar of its mission was added after 9/11 and represents the most potentially controversial and opaque aspect of its mission-set. The question of whether CSEC should broaden its mission to secure private sector communications is a controversial one as it raises questions about the relationship between public authority and private property. Keep in mind that many companies are transnational in composition, and having one national security agency secure their communications may put them at odds with other national interests. Ultimately, having a shadowy spy agency secure an ecosystem that is private, global, and highly distributed seems awkward and ill-conceived to me, both in practice and in principle. Instead, we should be looking for distributed ways to secure a distributed network, and that means bolstering the existing, open and distributed networks of information exchange that exist in the non-profit and private sector. Government has a role to play, and even national intelligence agencies should be included in the equation, but as peers in a distributed network and not as ultimate authorities in a hierarchy. These ideas are not new to the digital age, but have their roots in ancient Greece and the early Renaissance in Europe, and are referred to in political theory as the tradition of res publica, or classic republican security theory. Now, more than ever, we need to remind ourselves of this tradition, which is why I end Black Code on a plea for distributed security and stewardship in cyberspace.
Your book describes in detail the planning and methods of implementation used in the Stuxnet virus that was jointly designed by Israel and the United States and targeted Siemens-made equipment at Iran’s Natanz nuclear facility. As we know, the virus nearly crippled Tehran’s enrichment activities. In your opinion, how capable are Iranians in striking back against Western targets in cyberspace, and do you foresee a future whereby cyber attacks would lead to armed conflict?
At the Citizen Lab, we have been engaged in research on Iranian information controls for at least a decade. Over time, we have seen the Iranian regime’s controls evolve from crude and largely ineffective filters on access to information, to a system that combines Internet censorship with highly sophisticated means of surveillance, including western-manufactured deep packet inspection technologies, to developing and employing a range of offensive computer network attack techniques. After the Stuxnet attack came to light, the Iranian regime devoted more resources to offensive capabilities and some people attribute the computer network attacks on the Saudi Oil Industry (Shamoon) to Iranian agents or their forces. It is unlikely that the Iranians have the capability now to wreak havoc on critical infrastructure in the industrialized world, but it is something we should be sensitive to and aware of given the arms race in cyberspace. The demonstration effect of Stuxnet is huge, and the genie is now out of the bottle. As former NSA Director Michael Hayden remarked, a Rubicon was crossed with Stuxnet and we may see more countries developing (and employing) offensive computer network attacks against critical infrastructure in the future.
How can government and private entities protect themselves from the Mannings and Snowdens on the inside and hackers on the outside?
Data security is a major issue, of course, in the world of Big Data. Over the years, the world of “Top Secret America” has mushroomed, and there are now hundreds of private contractors orbiting around the Pentagon and defense and intelligence agencies employing personnel with security clearances and access to sensitive data. I have no doubt that we will see more Snowdens and Mannings in the future. Of course, one way to prevent whistleblowers from taking steps to alert the public is by preventing wrong-doing in the first place. Beyond that obvious point, I do believe we need to fundamentally re-think the level of classification and secrecy in government. As for protection against “outsiders” – that is a different challenge. The ecosystem of cyberspace is in constant flux and so the challenge itself always evolves. But basic measures of digital hygiene are important in a context of employees moving through and handling data in Internet cafes, airports, hotels, and foreign countries. Encryption is critical.
Recently, the Internet Engineering Task Force (IETF) proposed a measure that calls for encryption of data for all websites and browsers, which would make it very difficult for governments and hackers to break into people’s browsing and email communications. What’s your take on this proposed measure and could its implementation prevent blanket surveillance of cyberspace?
Naturally, we cannot address this question without also addressing one of the recent revelations connected to the Snowden documents: that the NSA has been systematically working to lower encryption standards worldwide, including through the forum of the IETF. These revelations are causing a crisis in the engineering community, and some (like Bruce Schneier) have gone so far as to advocate for engineers to “take the Internet back.” Although I’m sympathetic to his plea, I’m not sure it makes a lot of sense given the extent to which many among the engineering community have been in bed with those very same national security agencies, through funding and research and development. Technical measures are important for overall security, but so are laws and policies, and especially proper checks and balances.
Compared to other leading Western democracies, where does Canada stand today in cyber-security policy, capacity, and competency?
It is really difficult to generalize about Canada. We are a quiet country when it comes to international Internet and cyberspace governance issues. Although we are part of the Freedom Online Coalition, we are not seen as one of the leaders of that coalition. It is well known that Canada is an integral part of the Five Eyes alliance, but we have very little public information about exactly what Canada’s role is in this alliance, and whether our intelligence agencies have overstepped their mandate in ways that the NSA has. Perhaps further Snowden documents will shed light on these questions. Meanwhile, Canadian companies are known to be providing and profiting from Internet censorship and surveillance products and services sold to some of the world’s most notorious autocratic and authoritarian regimes – without fear of repercussions. I believe that as a country we need to articulate a strong vision of a secure AND open Internet, because it is in our national interest. Until such time, we will be sideshow players caught up in a game where others determine the rules.
What are the key mandates of Citizen Lab at the Munk School of Global Affairs and what was the rationale behind its launch?
I founded the Citizen Lab in 2001 as an interdisciplinary research centre, to engage in cutting edge research that probes security issues of cyberspace from a broadly human rights perspective. We are not an advocacy group, but our research has real world impacts, and is often employed by advocacy groups to push for legal and policy changes.
Our research has uncovered global cyber espionage networks, documented Internet censorship and surveillance around the world, and exposed companies selling filtering and surveillance products to authoritarian regimes. We are independent of government or corporate interests, and publish on the basis of evidence-based, peer-reviewed research.
We take a mixed methods approach to the study of information controls, security, and human rights combining technical research (information security, network measurement) with fieldwork, social science and legal and policy analysis. Through this research we strive for policy impact from a civil society perspective.