Bruce Schneier’s recent fantastic article about the rhetoric and reality of cyber war (and the surprising gap between the two) is worth a read. Though I’ve yet to mention it here because it’s a bit outside this blog’s focus, intelligence and security are huge interests of mine (and possible career options; I learned four languages thinking I’d grow up to be a federal agent). Schneier is one of the greatest voices of reason in the security field–a true expert who calls it like he sees it with a no-nonsense, common-sense approach that’s keenly aware of the great cost of civil liberties. The internet, according to Schneier, is the most massive surveillance system the world has ever seen; each of us feeds into the Big Data database every time we Google something, buy a product, ‘check in’ somewhere, or willfully give away personal details via social media.
I’ve written about privacy online before, but largely in terms of individuals or small organizations. Yet the dangers of ineffective privacy controls and security breaches also affect entire nations. Even as a casual public radio listener, I’ve gleaned quite a bit about the Chinese attacks on U.S. media and technology targets, most notably the New York Times. Even Google was targeted. While this is clearly a major story, it’s new only to the public. Security analysts have been aware of the problems with Chinese hackers for years, and the Chinese government hasn’t exactly been shy about its desire to dominate cyberspace. But is it really appropriate to use the rhetoric of warfare, with all its real-world costs, when we are not getting the full story, nor the full impression of our own involvement? Or is the rhetoric surrounding this controversy, and others about online privacy/security, misinformed to the point of being misleading?
Schneier, a prominent expert in physical and online security, speculates this may be the early years of a public arms race between the U.S. and China. As with arms races of the past, and invocations of warfare in general, much of the conversation takes a tone of solemnity and terror. This quality makes the rhetoric surrounding cyber-security and cyber-warfare one big argument imbued with a pathos of fear that is toxic, inflammatory, and potentially dangerous.
Espionage, while undeniably scandalous and terrifically fun to read about, is certainly not a new game. While the techniques and access points may be more sophisticated, the legwork of espionage hasn’t changed much since the Cold War. If anything, the advent of the internet has Even allied countries spy on one another regularly, and news of intelligence flubs comes to light from time to time (I’m looking at you, Mossad).
Remember Spy vs. Spy? It was a comic strip built around the premise of two virtually identical spies, each always scheming to foil the other while trying to anticipate the other’s traps. Invariably, the bulk of their effort to outsmart each other is useless and victory is uncertain, fleeting, and generally meaningless.
It’s a beautiful metaphor for politics (work, academic, and actual politics alike) and interpersonal conflict, but in this instance, we’re talking about an actual game of Spy vs. Spy with two superpower nations that, despite both having a fair share of experts in security, technology, and just about every related field, have yet to realize that historically this game doesn’t have a winner. The United States and China are likely in a malware/hacking/security arms race that will probably prove fruitless, and the heated ‘war’ rhetoric both fails to accurately describe the situation and certainly escalates tensions. The discussion alone about the back-and-forth attacks might very well result in real-world problems for the global economy and international relations.
So what can an individual user learn from these security failures? Simply that information is only as protected as its weakest link. Significant entities like the New York Times and Google can be breached by hackers because of a single individual’s failure to create secure passwords and encrypt/protect sensitive data. As individuals, we can learn from their mistakes by not giving out any more information than necessary, being aware of the extent of internet surveillance, and beefing up our own security. For those interested in this story and security generally, I couldn’t recommend Schneier’s various essays on the subject more highly.