The militarization of the Internet

Someone needs to take a good hard look at those Internet surveillance stories being strategically placed on the front page of the New York Times.

There’s a trail here, I believe, that’s worth following.  Here are some data points:

1.  Cyberattack – there appears to be a deep interest in the ability to declare war online, as evidenced by cybersecurity research and public speeches by Herbert Lin, a key player who has worked on several cybersecurity reports for the National Research Council.  Ethan Zuckerman has summarized a presentation by Lin, which included the following paraphrase of Lin’s remarks:

If we’re interested in pre-empting cyber attack, “you need to be in the other guy’s networks.” But that may mean breaking into the home computers of US citizens. To the extent that cloud computing crosses national borders, perhaps we’re attacking computers in multiple jurisdictions. Lin wonders whether a more authenticated internet will actually help us to pre-empt attack. And he reminds us that US Strategic Command asserts authorization to conduct “active threat neutralization” – i.e., logging into your machine to stop an attack in progress. . . .

Dr. Lin notes that it’s not a violation of international law to collect intelligence abroad. It’s possible to engage in covert action as regulated by US statute. And there’s an array of possible responses the US could launch in response to cyberattack (Lin pauses to note that he’s not advocating any of these) – we could attack enemy air defenses, hack their voting machines to influence an election, conduct campaigns of cyberexploitation to spy within those nations. Given all this, aren’t nations entitled to fear the consequences of a “free and open” internet? Might they reasonably choose to tighten national control over the internet?

2.  A “more authenticated Internet” would obviously include using the leverage provided by network operators to permit only fully-authorized, identified machines to connect.  The ability to remotely disconnect machines or devices until they are cleansed is now within reach for federal networks – this same capability will inevitably spread to private connections.

3.  A “more authenticated Internet” would also include more-easily tappable applications as well as machines.  That’s what FBI Director Mueller is talking about in this video at 3:29.

4.  There must be deep stress inside the USG re what the overall public position of the Administration will be on enhancing surveillance, authentication, and the ability to declare war online.  Secretary Clinton’s “Internet Freedom” speech of January 2010 made clear that the free flow of information online is an important component of the nation’s foreign policy.

5.  Given this stress, the agencies that are most interested in forwarding cyberattack abilities, surveillance, guaranteed back doors for encrypted communications, and all the other trappings of a “more authenticated Internet” have an interest in portraying their vision of the future Internet as inevitable.  Part of that campaign would logically be to get the story into the mainstream media.

6.  So, here we go – another front-page story yesterday in The Times::  “Officials Push to Bolster Law on Wiretapping.”:  This is a hugely contentious issue.  Should law enforcement be able to require all technologies online to have “back doors” allowing officials to (essentially) require that the same information be produced to them that was produced during the circuit-switched telephone era?

7.  The Internet is not the same thing as a telephone network.  It’s a decentralized agreement to route packets of information to particular addresses.  It has made possible unparalleled innovation, free speech, and improvements to human lives around the world.  Retrofitting it to make it fit law enforcement’s (or national security’s) “authentication” needs would be an enormous, retrograde step.

But it would certainly help us wage war online.

15 thoughts on “The militarization of the Internet

  1. Dear Professor Crawford:
    Just read your article on the Internet’s militarization.
    I fully share your view.
    Congratulations for an excellent synthesis of the risks of comprimising Net neutrality from the “military” side.
    You might be interested in checking other “sides” of the same issue and also a comparison with the European situation on my most recent blog post for the Oklahoma Law School technology review:
    Best wishes.
    Pablo García Mexía, J.D., Ph.D.
    Visiting Professor of Internet Law
    The College of William & Mary

  2. Well, I for one am not surprised, as I still have my DARPANet password in a file somewhere… the ‘net as we know it today began with DOD funding, sponsorship, etc.

    Snide remarks about “return to the womb” are probably beyond me at the moment.

  3. G.J. Gordo

    If the “authorities” succeed in requiring backdoors to every ‘net-enabled application, device, protocol, etc., then they will basically destroy all of the security that has been built up.

    Unlike installing hardware in an access-limited secret room to tap phone lines, backdoors everywhere will be accessible by anyone who can crack the security. This effectively means that *all* security will be compromised.

    Now try doing business on a net that has no security.

  4. jbmoore

    Most of the systems hooked up to the Internet are Windows systems. Millions of them already have backdoors placed there by criminals. Now the “good” guys want to do the same thing legally. Windows is so vulnerable, it’s a big fat juicy target and any network it;’s connected to is the same. Look at the success of Stuxnet in Iran. Good luck militarizing Windows and Windows networks.. The DOD couldn’t even keep their own networks clean from trojans on USB sticks.

  5. Scary, very scary…. To be fair though, we have been hearing news like this for quite some time now.
    I am just wondering if the relatively slow bureaucracy of a government or an organised group of governments can keep up with the dazzling speed new technologies appear.

  6. David Dennis

    One of the chief problems of cyber conflict is attributability–a “free and open Internet” provides numerous ways to obscure or hide an infiltration or attack. But doesn’t a “more authenticated Internet” inhibit our own national means of infiltration and attack, even as it protects us from other groups’ efforts?

    Your point about the Internet being different from the phone system is also a good one. To think that law enforcement authorities would retain sole access to back door keys to digital systems is also a fool’s errand. The theft or leakage of that knowledge, as well as the inevitable improvement of brute-force cracking make the model of multi-authority access (general use vs. “official use” class of service) unsustainable. The inevitable rise of unauthorized or stolen “official use” makes the government’s vision of a “more authenticated Internet” a dangerous slippery slope.

  7. Nicely said. You probably don’t want/need another argument to cite regarding authentication but here is one I see more and more: to ease attribution needed for response and retribution attacks. The NSA is supposedly working on various ways to fingerprint cyberattack, for example, so their response easily can be justified without the usual fear of hitting the wrong or proxy source. It should be noted that they of course, while fingerprinting others, will retain ways to obfuscate and hide their own tracks.

  8. kosh

    Go ahead and authenticate your own citizens, United States. The rest of the world will either fall in line (Britain, Australia, Canada) or tell you to Get Stuffed (Israel, Russia, France, China, Syria, Iran).

    Assuming anyone is nuts enough to fund such a scheme, you’ll need to authenticate every packet. i.e. sniff every packet.

    But it’ll fail anyway because a layered end-to-end architecture like the Internet always has covert channels unless you physically isolate it, or use the crypto equivalent.

    Thus, you’ve achieved two goals:
    1. Ghettoising the entire US+Allied bloc for communications, and
    2. Creating the infrastructure for future governments to undertake total interception and censorship of communications. Nice.

    but failed in the main goal. The bad guys didn’t capitulate to the wacky scheme to spy on them. Who’da thunk it?

  9. anonymous

    Don’t various US agencies already have root certs etc. from various CAs?

  10. Randy Bush

    OK, well said. And the prop attack is on a wide front, not just internationally, but in research funding, blah blah. But all this is the depressing side. What is the high road forward out of this vale of paranoia and skullduggery?

  11. Arjun

    Is the Windows OS is so vulnerable(?).I’m running an antivirus product on my computer and have never gotten a virus…I am using Windows with some common-sense browser settings (No ActiveX) automated updates,and a Linksys firewall.I don’t see too many pitfalls.

  12. Very interesting. It seems government has difficulty understanding how internet technologies actually work. A backdoor which is guaranteed by government it really one more vulnerability to exploit or patch against. I, for one, would work to generate patches to prevent backdoor access to my personal machine, network access, and servers. When it comes down to it, I don’t see a big difference between my own government installing a backdoor on my PC or a foreign government, or a criminal organization – They are all using my personal property and information for unauthorized purposes.

  13. Kevin

    As the old dissidents in the USSR used to say: if you want to know what is really going on, look in the press for the tell-tale sign of excesses in propaganda, then take its opposite. If too many propagandize the risks of a free internet, you can be sure that the real risk is in NOT having a free internet.

  14. […] her blog post on the militarization of the internet, Susan Crawford says: A “more authenticated Internet” would obviously include using the […]

  15. […] The desire to “militarize” the internet […]

Leave a Comment