By Jason Worth
Prior to the advent of the Internet, there was no shortage of bookstores, travel agencies or video rental stores. But the advent of the Internet created not only a new channel for commerce like this to take place, but a channel uniquely suited to leveraging vast amounts of information, reaching unlimited numbers of customers and benefiting from centralized delivery models. As a result, Amazon, Priceline and Netflix have grown and flourished and dramatically changed the way in which books, travel and videos are now sold and delivered.
The same can be said about the seedier sides of our corporate, diplomatic and military activities. Prior to the Internet, companies and countries were not unfamiliar with corporate espionage, diplomatic spying, government propaganda or military warfare. But the interconnection of computers and people through online networks has tremendously changed (and continues to change) the manner in which all of these activities are undertaken today.
Just consider one example. Where it might have taken weeks or months in the past for one company to steal some of the trade secrets of another, typically by hiring or implanting a key employee who has access to blueprints, recipes or business plans, now the entire design and testing information of the F-35 stealth fighter aircraft, which required $400 billion in R&D money and over a decade of effort by hundreds of engineers, can be downloaded from Lockheed Martin’s servers in a matter of hours. (And, yes, that actually happened. China allegedly stole it.)
When I finished reading Adam Segal’s book The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age, the one word that kept going through my head was “complexity.” The Internet seems to have exponentially increased what was already the complex interplay of technologies, nation-states, intelligence agencies, corporations, trade associations, activists and criminals. The complexity has increased across the board. Where all of these “seedier” activities took place more slowly in the past, or perhaps not at all because of separation due to mountain ranges, oceans or national borders, the Internet has stripped away barriers and enabled actors to conduct their activities from afar and in real time.
In an ironic twist, the ability for the Internet to provide so much information to so many can be rapidly reversed when the seedier activities are undertaken. Specifically, the Internet also has the ability to cloak and mask identities, making it more complex for companies and nations to understand and respond to nefarious activities online. Because of the inherently covert nature of hacking, a company or government may never know that a hacker has penetrated its most protected sources of information. Once it discovers that a hacker is poking around, a company or government may have no idea as to that hacker’s nationality or location. It could just as easily be an organized crime figure from Russia, as it could a military cyberwarfare specialist from China, as it could a terrorist from Hamas, as it could a high school student in his parents’ basement. And, once you discover the penetration, it may not always be clear what that hacker’s intent is. For example, have the attempted and successful intrusions into our electrical grid and nuclear power plants been the attempts of corporations to obtain industrial information, or foreign hostile militaries pre-determining the best way to cripple our warfighting abilities once the next international powder keg gets ignited? Because it is difficult to identify the source of a cyber attack (a process called “attribution”), Russia and China are mindful of the possibility that the United States could initiate a cyber attack on itself or its allies in order to blame the attack on Russia or China as part of a larger plan to justify diplomatic actions or economic sanctions against them.
And what of the interplay between corporations, intelligence agencies and governments? Has the NSA shared with U.S. corporations, or the Shin Bet shared with Israeli corporations, or the BND shared with German corporations the competitive business intelligence they undoubtedly have come across in their dragnet searches for information intended to prevent the next terrorist strike? Should those intelligence agencies share that information with their domestic corporations in order to give them an advantage?
And, while it is to be expected that hostile forces have much to gain by hacking an adversary, what are we to make of the Snowden-like disclosures that allies have been spying on allies? The NSA, we now know, has tapped the phones of the German government, Brazilian government, the United Nations headquarters and numerous other sovereign entities. How should countries previously considered to have common interests and shared bonds respond to revelations their allies have been untrusting and prying? It is not surprising that when faced with these disclosures, concerned countries around the world have proposed legislation and regulations designed to protect their data and communications from prying eyes.
Brazil is a country which has widely and rapidly embraced Internet technologies and social media. The number of Internet users has exploded, from 5 million in 2000 to 107 million by 2014. More than half of the country is now online. Brazil is also a country that has deeply felt the sting of foreign spying on its government communications by countries believed to be friendly. Snowden’s leaks made it very clear that the NSA had been intercepting, collecting and storing mail and telephone records on millions of Brazilians, including government officials. This was made possible, potentially, because the vast majority of Latin America’s Internet traffic passes through a single building in Miami, known as the Network Access Point of the Americas.
Brazil’s actions in the wake of these disclosures are representative of the types of actions other countries around the world are undertaking to deal with these hacking realities. First of all, Brazil is pushing forward with plans to install a new undersea fiber-optic cable connecting it with Portugal. This will result in less of its data passing through countries where it has reason to believe it might be surveilled. The government also announced the deployment of a national encrypted email service to be provided by Correios, its national mail delivery system. This not only reduces the country’s reliance on US technology firms like Microsoft, but also makes surveillance of its citizens’ communications by agencies like the NSA more difficult, since they will now be encrypted. It had sought to force companies like Facebook, Google, Microsoft and Twitter to store data regarding Brazilian users within its own borders. Furthermore, Brazil has stepped up its role and participation on policy setting bodies, like United Nations’ committees on technology and communications, to democratize the Internet and free it from US hegemony.
Brazil isn’t alone. Many other developed and developing countries are analyzing their vulnerabilities, ensuring their data is routed through countries considered to be true allies, and taking steps to safeguard their data. This includes initiatives in Europe to route the data from European Union countries through communications networks domiciled in the EU, and preventing that traffic from crossing the Atlantic or into the UK unless necessary. In the aftermath of the Snowden disclosures, the German government discontinued its contract with Verizon and now uses Deutsche Telekom. The German parliament also began debating a bill at the end of 2014 that would keep US technology companies out of certain parts of the German economy.
Yes, I think “complexity” is a good word to summarize the hacked world order in which we now live. Although US companies are outraged at the extent to which the Chinese are hacking their servers and stealing their intellectual property, the US government is somewhat limited in calling out China’s actions, since providing proof of Chinese hacking may reveal the US’ ability to track and monitor China’s hacking activities. And, there may be detriment to US intelligence data collection efforts if we are successful in curtailing Chinese hacking, since we allegedly have been successful at installing good signals intercept (SIGINT) capabilities to monitor Chinese hacking and are therefore learning a great deal ourselves from what China is stealing from other countries. This is, indeed, a very complex situation.
The word “sovereignty” also cropped up several times throughout Segal’s book, since the protection of a country’s private communications and policy making activities is inseparable from its rights to self-determination. And, in the recent aftermath of the Brexit vote, we definitely see an increased yearning for national sovereignty around the world.
Finally, for your reading pleasure, I include a number of factoids from Adam Segal’s book that will give you a better understanding of just how large and pervasive this issue is becoming in the world today:
Everyone is Spying
- Forty-one nation-states have cyber warfare doctrines, seventeen of which allegedly have offensive capabilities. The United States is estimated to spend three or four times more on cyber offense than it does on cyber defense.
- The Department of Defense has identified the Internet as a field of battle equally important with land, sea, air and space operations. In addition to the US Army, Navy and Air Force, the Department of Defense now includes the US Cyber Command. This department, established in 2010, has seen only budget increases every year of its existence, and the number of “troops” in the US Cyber Command was recently increased from 900 to 4,900. It is anticipated to have 6,200 by the end of 2016.
- Russia announced plans in early 2012 to establish a new service focused on information warfare with an initial budget of $500 million.
- The Israeli military’s Unit 8200, dedicated to cyber operations, is the largest unit in the Israeli Defense Forces.
- The world was shocked when United Kingdom Defense Secretary Philip Hammond announced that the UK was “developing a full spectrum military cyber capability, including a strike capability.” The shock was not due to the secretary’s stated goal, which all major powers are assumed to be working on today, but shock that he actually announced the intentions publicly. (These objectives are usually kept private.)
Stuxnet Case Study
- The Stuxnet malware, developed by U.S. and Israeli intelligence and military agencies to target and destroy Iran’s nuclear enrichment activities by causing certain industrial centrifuges to malfunction and self-destruct, is considered to be the most complex malware ever created. Expert malware may contain one, or at most two, “zero days.” A zero day is a software or hardware vulnerability not yet publicly known (and therefore not yet patched by the manufacturer) which allows a hacker to access a computer, router or server. Zero days are so valuable to hackers that their discoveries are sold for six-figure prices. Not only was the Stuxnet code 10 megabytes in size, but it employed an unprecedented five zero day vulnerabilities. (It is believed by some experts that the successful deployment of the Stuxnet malware made it unnecessary for Israel to dispatch bombers to physically destroy Iran’s uranium enrichment facilities. However, as Iran continues to get replacement centrifuges back online and resumes its efforts, we will undoubtedly hear again in the future about Israel’s need to bomb those facilities in order to protect its national interests.)
- In retaliation for the Stuxnet malware, Iran has invested heavily in cyber warfare capabilities. An activist group called Izz ad-Din al-Qassam Cyber Fighters attacked nearly fifty global financial institutions from September 2012 to June 2013. One bank alone had to spend nearly $10 million to get back online after the attacks. In an August 2012 attack on the oil producer Saudi Aramco, nearly 30,000 computers had to be replaced in order to rid the company’s networks of the malware which had destroyed data and shut down their mail servers.
The United States is a Very Active Participant in Worldwide Surveillance
- The Washington Post reported in 2013 that the United States had placed “covert implants” in tens of thousands of computers, routers and firewalls around the world. Three-quarters of these implants are intended to spy on potential adversaries, such as China, Iran, Russia and North Korea. The plan is to extend the surveillance to millions of machines.
- The National Security Agency (NSA), with assistance from the UK, hacked into undersea fiber-optic data cables connecting Google and Yahoo data centers.
- A PowerPoint slide from the NSA, leaked by Edward Snowden to the public, indicated that the NSA’s data collection goals are to “Collect It All,” “Process It All,” “Exploit It All,” “Partner It All,” “Sniff It All,” and “Know It All.”
- Under a program known as PRISM, the NSA, with permission from a secretive court established by the 1978 Foreign Intelligence Surveillance Act (FISA), can request data on specific foreign individuals from the major technology companies. These requests are nearly always rubber-stamp approved by this court. Technology companies that do not comply with these requests for data are fined up to $250,000 per day, for each day that they don’t hand over the requested data.
- The NSA is believed to be behind an initiative which placed malware deep in the firmware of the operating systems of hard disk drives, which launch every time a computer is turned on. This malware is impossible to remove and survives the erasing and reformatting of the hard drives themselves. This malware was used to spy on Afghanistan, India, Iran, Mali, Pakistan, Russia and Syria, among a total of at least 42 countries.
- The NSA reportedly has 2,000 zero days identified which it may use against China alone. In 2013 the NSA spent $25 million purchasing software vulnerabilities from private contractors.
- The NSA’s budget in 2014 was $10.8 billion.
Hacking as a National Security Threat
- In an October 2012 speech, Secretary of Defense Leon Panetta warned a group of business executives of the potential for a “cyber Pearl Harbor,” in which hackers could gain control of “critical switches” and “derail passenger trains, or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
- In July 2014, Chinese hackers allegedly hacked the Office of Personnel Management which contained personal information on tens of thousands of federal employees. A year later it was discovered the Chinese had compromised 22 million records, including security background checks, data on intelligence and military personnel, and fingerprint data on 5.6 million people. The hackers also gained access to “Form 86” files, which detail information on employees’ financial troubles, drug use, alcohol abuse and adulterous affairs. There is concern this Form 86 information will give Chinese operatives the ability to blackmail compromised government employees. And, out of concern that the stolen personnel data would lead the Chinese to identify CIA employees working undercover abroad, CIA agents were pulled from the US embassy in Beijing.
Hacking as a New Form of Corporate Espionage
- It is believed that Chinese state-sponsored hackers have repeatedly stolen, over a period of years, intellectual property from various defense contractors and the Pentagon, including plans for the F-35 Joint Strike Fighter, the Patriot missile system, the US Navy’s new littoral combat ship and dozens of other weapons programs. General Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, estimates that the “greatest transfer of wealth in history” has taken place through these hacking thefts, costing American companies an estimated $250 billion in stolen information and another $114 billion in related expenses.
- The White House commissioned the International Strategy for Cyberspace report in 2011 which said that “every year an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities and government departments and agencies.”
Propaganda in the Age of Twitter
- 83% of the 193 UN member countries have a presence on Twitter. More than half of the world’s foreign ministers and two-thirds of heads of states and governments are also on Twitter.
- Russia employs English-speaking “trolls” to post pro-Putin and pro-Moscow comments on websites of US and UK media outlets (such as Fox, Politico and Huffington Post). These trolls are expected to maintain six Facebook accounts and ten Twitter accounts, and are supposed to tweet at least fifty times per day.
- China pays between 250,000 and 300,000 people to cultivate anti-American and pro-Chinese Communist Party sentiments online. They receive approximately USD $0.08 for each comment posted, and some receive emails each morning telling them what news stories to focus on that day. The Communist Party also employs several hundred bots (automated programs that generate content) to flood comments on Twitter regarding controversial topics like Tibetan independence. (However, Twitter has identified these bots over time and taken steps to reduce their spam output.)
- ISIS is considered to have mastered the art of online propaganda. In one single day, ISIS tweeted over 40,000 times. It also has developed its own app which, when downloaded by supporters, gives ISIS authority to post pro-ISIS messages from their Twitter accounts. This enables ISIS to leverage hundreds of online accounts to coordinate campaigns and get its own hashtags trending.
- The US State Department has a Digital Outreach Team, consisting of Arabic, Punjabi, Somali and Urdu speakers who try to get out the US administration’s message to Muslims through BBC, Al Jazeera and Arabic language forums. (A recent poll has shown that their efforts have had little impact to moderate anti-Americanism.)
Détente in Cyberspace?
- Beijing and Moscow have signed a non-aggression pact, agreeing not to attack each other in cyberspace.
- The United States and Russia met secretly in 1996 to discuss disarmament in cyberspace. The United States never agreed, blaming, in part, Russian definitions of “information terrorism” which the U.S. said was intended to help the Russian establishment suppress any domestic dissent. It is very likely, however, that since the U.S. has the most advanced digital assault capabilities, it had more to lose than gain by signing onto any treaties like this one.