Académique Documents
Professionnel Documents
Culture Documents
1AC
SQ
Cryptowars are coming now. The NSA and FBI want to block
and undermine strong encryption in favor of easy surveillance
of all digital communication, Computer scientists are fighting
back.
Tokmetzi 2015
September 2013 the New York Times, ProPublica and the Guardian published a story on the thorough and persistent
In a prolonged,
operation dubbed BULLRUN, the intelligence agencies used
supercomputers to crack encryption, asked, persuaded or cajoled telecom and web
companies to build backdoors into their equipment and software, used their influence to
plant weaknesses in cryptographic standards and simply stole encryption keys from
individuals and companies. A war is looming But security specialists argue that by
attacking the encryption infrastructure of the Internet, the intelligence agencies
have made us all less safe. Terrorists and paedophiles may use encryption to protect themselves when
planning and committing terrible crimes, but the Internet as a whole cannot function
without proper encryption. Governments cannot provide digital services to their
citizens if they cannot use safe networks. Banks and financial institutions must be able to
communicate data over secure channels. Online shops need to be able to process payments safely.
And all companies and institutions have to keep criminals and hackers out of their
systems. Without strong encryption, trust cannot exist online.
Cryptographers have vowed to fight back. Major web companies like Google and Yahoo!
efforts of the NSA and its British counterpart GCHQ to decrypt Internet traffic and databases.
multi-billion
promised their clients strong end-to-end encryption for email and vowed to improve the security of their networks
and databases. Apple developed a new operating system that encrypted all content on the new iPhone by default.
And hackers started developing web applications and hardware with strong, more user-friendly encryption. In the
past few years we have seen the launch of encrypted social media (Twister), smartphones (Blackphone), chat
software (Cryptocat), cloud storage (Boxcryptor), file sharing tools (Peerio) and secure phone and SMS apps
(TextSecure and Signal). This worries governments. In the wake of the attack on Charlie Hebdo in Paris, UK Prime
Minister David Cameron implied that encryption on certain types of communication services should be banned. In
the US, FBI director James Comey recently warned that the intelligence agencies are going dark because of the
how can we ensure that intelligence and law enforcement agencies have access to communications and data when
they have a legal mandate to do so? Their needs are often legitimate. One the other, how can we ensure strong
data protection for all, not only a techsavvy few? As we shall see, this crypto conflict isnt new, nor is the obvious
question the right question to ask at this moment.
access to communications in todays more complex, global information infrastructure. We find that it
would pose far more grave security risks, imperil innovation, and raise thorny issues
for human rights and international relations. There are three general problems. First, providing
exceptional access to communications would force a U-turn from the best practices
now being deployed to make the Internet more secure . These practices include forward secrecy
where decryption keys are deleted immediately after use, so that stealing the encryption key used by a
communications server would not compromise earlier or later communications. A related technique, authenticated
encryption, uses the same temporary key to guarantee confidentiality and to verify that the message has not been
vulnerabilities. To achieve widespread exceptional access, new technology features would have to be deployed and
tested with literally hundreds of thousands of developers all around the world. This is a far more complex
environment than the electronic surveillance now deployed in telecommunications and Internet access services,
which tend to use similar technologies and are more likely to have the resources to manage vulnerabilities that may
arise from new features.
the last word on weights and measures used for calibrating all manner of tools, industrial equipment, and scientific instruments.
the algorithm was not a secret. Indeed, the agency's involvement lent some credibility to the process. But less than a year after the
standard was adopted, security researchers discovered an apparent weakness in the algorithm and speculated publicly that it could
have been put there by the spy agency. The noted computer security expert Bruce Schneier zeroed in on one of four techniques for
randomly generating numbers that NIST had approved. One of them, he wrote in 2007, "is not like the others:' For starters, it worked
three times more slowly than the others, Schneier observed. It was also "championed by the NSA, which first proposed it years ago
in a related standardization project at the American National Standards Institute. Schneier was alarmed that NIST would encourage
people to use an inferior algorithm that had been enthusiastically embraced by an agency whose mission is to break codes. But
there was no proof that the NSA was up to no good. And the flaw in the number generator didn't render it useless. As Schneier
noted, there was a workaround, though it was unlikely anyone would bother to use it. Still, the flaw set cryptologists on edge. The
NSA was surely aware of their unease, as well as the growing body of work that pointed to its secret intervention, because it leaned
on an international standards body that represents 163 countries to adopt the new algorithm. The NSA wanted it out in the world,
and so widely used that people would find it hard to abandon. Schneier, for one, was confused as to why the NSA would choose as a
backdoor such an obvious and now public flaw. (The weakness had first been pointed out a year earlier by employees at Microsoft.)
that the NSA reportedly struck with one of the world's leading
computer security vendors, RSA, a pioneer in the industry. According to a 2013 report by Reuters,
the company adopted the NSA-built algorithm "even before NIST approved it. The
NSA then cited the early use ... inside the government to argue successfully for NIST
approval:' The algorithm became "the default option for producing random numbers in an RSA security product called the
Part of the answer may lie in a deal
bSafe toolkit, Reuters reported. "No alarms were raised, former employees said, because the deal was handled by business leaders
rather than pure technologists.
backdoor. The algorithm was being sold by one of the world's top security companies, and it had been adopted by an international
Edward Snowden, RSA and NIST both distanced themselves from the spy agency- but neither claimed that the backdoor hadn't been
installed. In a statement following the Reuters report, RSA denied that it had entered into a "secret contract" with the NSA, and
asserted that "we have never entered into any contract or engaged in any project with the intention of weakening RS.A's products,
or introducing potential 'backdoors' into our products for anyone's use." But it didn't deny that the backdoor existed, or may have
existed. Indeed, RSA said that years earlier, when it decided to start using the flawed number-generator algorithm, the NSA had a
trusted role in the community-wide effort to strenghten, not weaken, encryption. Not so much anymore. When documents leaked
by Snowden confirmed the NSAs work, RSA encouraged people to stop using the number generator as did the NIST. The standards
body issued its own statement following the Snowden revelations. It was a model of carefully calibrated language. "NIST would not
deliberately weaken a cryptographic standard," the organization said in a public statement, clearly leaving open the possibilitywithout confirming it - that the NSA had secretly installed the vulnerability or done so against NIST's wishes. "NIST has a long history
of extensive collaboration with the world's cryptography experts to support robust encryption. The [NSA] participates in the NIST
cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA.
The standards body was effectively telling the world that it had no way to stop the NSA. Even if it wanted to shut the agency out of
the standards process, by law it couldn't. A senior NSA official later seemed to support that contention. In an interview with the
national security blog Lawfare in December 2013, Anne Neuberger, who manages the NSAs relationships with technology
companies, was asked about reports that the agency had secretly handicapped the algorithm during the development process. She
neither confirmed nor denied the accusation. Neuberger called NIST an incredibly respected close partner on many things But, she
noted, it is not a member of the intelligence community. All the work they do is ... pure white hat Neuberger continued, meaning
not malicious and intended solely to def end encryption and promote security. "Their only responsibility is to set standards" and "to
make them as strong as they can possibly be. That is not the NSAs job. Neuberger seemed to be giving the NIST a get-out-of-jailfree card, exempting it from any responsibility for inserting the flaw.The 2006 effort to weaken the number generator wasn't an
process of developing the Digital Signature Standard, a method of verifying the identity of the sender of an electronic
communication and the authenticity of the information in it. NIST publicly proposed the [standard] in August 1991 and initially
made no mention of any NSA role in developing the standard, which was intended for use in unclassified, civilian communications
systems according to the Electronic Privacy Infonnation Center, which obtained documents about the development process under
the Freedom of Information Act. Following a lawsuit by a group of computer security experts, NIST conceded that the NSA had
developed the standard, which was widely criticized within the computer industry for its perceived weak security and inferiority to
an existing authentication technology, the privacy center reported "Many observers have speculated that the [existing] technique
was disfavored by NSA because it was, in fact, more secure than the NSA-proposed algorithm. From NSA's perspective, its efforts to
defeat encryption are hardly controversial. It is, after all, a code-breaking agency. This is precisely the kind of work it is authorized,
and expected, to do. If the agency developed flaws in encryption algorithms that only it knew about, what would be the harm? But
the flaws weren't secret. By 2007, the backdoor in the number generator was being written about on prominent websites and by
leading security experts. It would be difficult to exploit the weakness - that is, to figure out the key that opened NSA's backdoor. But
this wasn't impossible. A foreign government could figure out how to break the encryption and then use it to spy on its own citizens,
or on American companies and agencies using the algorithm. Criminals could exploit the weakness to steal personal and financial
information. Anywhere the algorithm was used - including in the products of one of the world's leading security companies it was
vulnerable. The NSA might comfort itself by reasoning that code-breaking agencies in other countries were surely trying to
undermine encryption, including the algorithms the NSA was manipulating. And surely they were. But that didnt answer the
The
NSAs clandestine efforts damaged the credibility of NIST and shredded the NSA's
long-held reputation as a trusted, valued participant in creating some of the most
fundamental technologies on the lnternet, the very devices by which people keep
their data, and by extension themselves, safe . Imagine if the NSA had been in the business of building
question, why knowingly undermine not just an algorithm but the entire process by which encryption standards are created?
door locks, and encouraged every homebuilder in America to install its preferred, and secretly flawed, model. No one would stand
for it. At the very least, consumer groups would file lawsuits and calls would go up for the organization's leaders to resign.
Plan
The United States federal government should fully support and
not undermine encryption standards by making clear that it
will not in any way subvert, undermine, weaken, or make
vulnerable generally available commercial encryption.
Venezia 7-13
Paul Venezia, system and network architect, and senior contributing editor at
InfoWorld, where he writes analysis, reviews and The Deep End blog, Encryption
with backdoors is worse than useless its dangerous, InfoWorld, 7/13/15,
http://www.infoworld.com/article/2946064/encryption/encryption-with-forcedbackdoors-is-worse-than-useless-its-dangerous.html, 7/14/15 AV
On the other side of the pond, U.K. Prime Minister David Cameron has said he wants to either ban strong encryption
or require backdoors to be placed into any encryption code to allow law enforcement to decrypt any data at any
The fact that these officials are even having this discussion is a bald
demonstration that they do not understand encryption or how critical it is for
modern life. They're missing a key point: The moment you force any form of
encryption to contain a backdoor, that form of encryption is rendered useless. If a
backdoor exists, it will be exploited by criminals. This is not a supposition, but a certainty. It's not
time.
an American judge that we're worried about. It's the criminals looking for exploits. We use strong encryption every
single day. We use it on our banking sites, shopping sites, and social media sites. We protect our credit card
information with encryption. We encrypt our databases containing sensitive information (or at least we should ).
Our economy relies on strong encryption to move money around in industries large
and small. Many high-visibility sites, such as Twitter, Google, Reddit, and YouTube, default to SSL/TLS
encryption now. When there were bugs in the libraries that support this type of
encryption, the IT world moved heaven and earth to patch them and eliminate the
vulnerability. Security pros were sweating bullets for the hours, days, and in some
cases weeks between the hour Heartbleed was revealed and the hour they could
finally get their systems patched -- and now politicians with no grasp of the ramifications want to introduce a
fixed vulnerability into these frameworks. They are threatening the very foundations of
not only Internet commerce, but the health and security of the global
economy. Put simply, if backdoors are required in encryption methods, the
Internet would essentially be destroyed, and billions of people would be
put at risk for identity theft, bank and credit card fraud, and any number
of other horrible outcomes. Those of us who know how the security sausage is made are appalled
that this is a point of discussion at any level, much less nationally on two continents. Its abhorrent to consider. The
general idea coming from these camps is that terrorists use encryption to communicate. Thus, if there are
not give the police the keys to their houses. We do not register our bank account passwords with the FBI. We do not
knowingly or specifically allow law enforcement to listen and record our phone calls and Internet communications
lose an enormous cache of extraordinarily sensitive, deeply personal information on millions of its own employees,
one can only wonder what horrors would be visited upon us if it somehow succeeded in destroying encryption as
well.
infrastructure are incomplete. The global trading system does not spell out a consistent, transparent framework for
the treatment of cross border flows of digital goods, services or information, leaving businesses and individuals to
deal with a patchwork of national, bilateral and global arrangements covering significant issues such as the storage,
transfer, disclosure, retention and protection of personal, commercial and financial data. Dealing with these issues
is becoming even more important as a new generation of networked technologies enables greater crossborder
collaboration over the Internet, which has the potential to stimulate economic development and job growth. Despite
the widespread benefits of crossborder data flows to innovation and economic growth, and due in large part to
gaps in global rules and inadequate enforcement of existing commitments, digital protectionism is a growing threat
around the world. A number of countries have already enacted or are pursuing restrictive policies governing the
provision of digital commercial and financial services, technology products, or the treatment of information to favor
domestic interests over international competition. Even where policies are designed to support legitimate public
interests such as national security or law enforcement, businesses can suffer when those rules are unclear,
arbitrary, unevenly applied or more traderestrictive than necessary to achieve the underlying objective. Whats
more, multiple governments may assert jurisdiction over the same information, which may leave businesses subject
to inconsistent or conflicting rules. In response, the United States should drive the development and adoption of
transparent and highquality international rules, norms and best practices on crossborder flows of digital data and
technologies while also holding countries to existing international obligations. Such efforts must recognize and
accommodate legitimate differences in regulatory approaches to issues such as privacy and security between
countries as well as across sectors. They should also be grounded in key concepts such as nondiscrimination and
national treatment that have underpinned the trading system for decades. The U.S. Government should seek
international commitments on several key objectives, including: prohibiting measures that restrict legitimate cross
border data flows or link commercial benefit to local investment; addressing emerging legal and policy issues
involving the digital economy; promoting industry driven international standards, dialogues and best practices; and
expanding trade in digital goods, services and infrastructure. U.S. efforts should ensure that trade agreements
cover digital technologies that may be developed in the future. At the same time, the United States should work
with governments around the world to pursue other policies that support crossborder data flows, including those
endorsed in the Communique on Principles for Internet Policymaking related to intellectual property protection and
limiting intermediary liability developed by the Organization for Economic Cooperation and Development (OECD) in
June 2011. U.S. negotiators should pursue these issues in a variety of forums around the world, including the World
Trade Organization (WTO), Asia Pacific Economic Cooperation (APEC) forum, OECD, and regional trade negotiations
such as the TransPacific Partnership as appropriate in each forum. In addition, the U.S. Government should solicit
ideas and begin to develop a plurilateral framework to set a new global gold standard to improve innovation.
Finally, the U.S. Government should identify and seek to resolve through WTO or bilateral consultations or other
processes violations of current international rules concerning digital goods, services and information. Promoting
CrossBorder Data Flows: Priorities for the Business Community 2 The importance of crossborder commercial and
are also critical to the much larger universe of manufacturers, retailers, wholesalers, financial services and logistics
firms, universities, labs, hospitals and other organizations which rely on hardware, software and reliable access to
the Internet to improve their productivity, extend their reach across the globe, and manage international networks
of customers, suppliers, and researchers. For example, financial institutions rely heavily on gathering, processing,
and analyzing customer information and will often process data in regional centers, which requires reliable and
secure access both to networked technologies and crossborder data flows. According to McKinsey, more than
threequarters of the value created by the Internet accrues to traditional industries that would exist without the
technologies and data flows are particularly important to small businesses, nonprofits and entrepreneurs. Thanks to
the Internet and advances in technology, small companies, NGOs and individuals can customize and rapidly scale
their IT systems at a lower cost and collaborate globally by accessing on line services and platforms. Improved
access to networked technologies also creates new opportunities for entrepreneurs and innovators to design
applications and to extend their reach internationally to the more than two billion people who are now connected to
the Internet. In fact, advances in networked technologies have led to the emergence of entirely new business
platforms. Kiva, a microlending service established in 2005, has used the Internet to assemble a network of nearly
600,000 individuals who have lent over $200 million to entrepreneurs in markets where access to traditional
banking systems is limited. Millions of others use online advertising and platforms such as eBay, Facebook, Google
Docs, Hotmail, Skype and Twitter to reach customers, suppliers and partners around the world. More broadly,
history may be more instructive than ever . While we continue to believe that the Great
Depression is not likely to be repeated, the lessons to be drawn from that period include the harmful
effects on fledgling democracies and multiethnic societies (think Central Europe in 1920s and
1930s) and on the sustainability of multilateral institutions (think League of Nations in the same
period). There is no reason to think that this would not be true in the twenty-first as
much as in the twentieth century. For that reason, the ways in which the potential for greater
conflict could grow would seem to be even more apt in a constantly volatile economic
environment as they would be if change would be steadier. In surveying those risks, the report stressed the
likelihood that terrorism and nonproliferation will remain priorities even as resource issues move up on the
2025, however, the diffusion of technologies and scientific knowledge will place some of the worlds most
dangerous capabilities within their reach. Terrorist groups in 2025 will likely be a combination of descendants
of long established groups_inheriting organizational structures, command and control processes, and training
procedures necessary to conduct sophisticated attacks_and newly emergent collections of the angry and
existed between the great powers for most of the Cold War would emerge naturally in the Middle East with a
conflict and terrorism taking place under a nuclear umbrella could lead
to an unintended escalation and broader conflict if clear red lines between those states involved
are not well established. The close proximity of potential nuclear rivals combined with
underdeveloped surveillance capabilities and mobile dual-capable Iranian missile systems also will produce
inherent difficulties in achieving reliable indications and warning of an impending
nuclear attack. The lack of strategic depth in neighboring states like Israel, short warning and missile
flight times, and uncertainty of Iranian intentions may place more focus on preemption
rather than defense, potentially leading to escalating crises. 36 Types of conflict that the world
continues to experience, such as over resources, could reemerge , particularly if protectionism
grows and there is a resort to neo-mercantilist practices. Perceptions of renewed energy
nuclear Iran. Episodes of low intensity
scarcity will drive countries to take actions to assure their future access to energy supplies. In the worst case, this
For instance, Huawei the Chinese manufacturer of phones, routers and other network equipment is unable to
US companies,
especially cloud storage providers, have lost overseas customers due to fears that
the NSA or other agencies could access client data. Unilateral demands for backdoors could put
gain market access in the US because of fears of Chinese backdoors built into its hardware.
companies in a tight spot. Or, as researcher Julian Sanchez of the libertarian Cato Institute says: An iPhone that
Apple cant unlock when American cops come knocking for good reasons is also an iPhone they cant unlock when
the Chinese government comes knocking for bad ones.
backdoors are a problem for yet another reason. They clash with the end-to-end
argument that is at the very core of the architecture of the internet: the network
should be as simple and agnostic as possible regarding the communications that it
supports. More advanced functionalities should be developed at end nodes (computers, mobiles, wearable
devices). This, argue researchers, allows the network to support new and unanticipated
applications. The end-to-end argument has ignited unprecedented levels of
innovation. The back doors that intelligence agencies are trying to promote would
apply to our communications system as a whole , not only to the end nodes that are the devices
But
change and the scope of how much carbon emissions affects the global atmosphere, we all can agree on one thing: Emitting less carbon is a good thing,
could make some hefty profits from it. Energy consumption's overdue evolution We humans are a fascinating study in inefficiency. We will sit in traffic on
imagine a world where every automobile was able to communicate with the others, giving instant feedback on traffic conditions and providing alternative
routes to avoid traffic jams. This is the fundamental concept of machine-to-machine communications, and it goes way beyond the scope of just
communication between everything -- engines, appliances, generators, automobiles -- allows for instant feedback for more efficient travel routes,
optimized fertilizer and water consumption to reduce deforestation, real-time monitoring of electricity consumption and instant feedback to generators,
and fully integrated heating, cooling, and lighting systems that can adjust for human occupancy. There are lots of projections and estimates related to
carbon emissions and climate change, but the one that has emerged as the standard bearer is the amount of carbon emissions it would take to increase
annual anthropological
greenhouse gas emissions would need to decrease by 15% from recent levels to
keep us under the carbon atmospheric levels. Based on current emissions and the 9.1 gigaton estimate from Carbon
War Room's report, it would be enough to reduce global emissions by 18.6%, well
within the range of the UN's projections . The internet of things is still very much in its infancy,
but it's taking off fast. The pending boom in machine-to machine communication helps explain why Google (GOOG) shelled
out more than $3.2 billion for smart-thermostat company Nest Labs. Its ability allows
customers to better manage heating and cooling in households and instantly
provide feedback to utilities in order to better manage energy demand during peak
load hours.
global temperatures by 2 degrees Centigrade. According to the UN's Environment Programme,
[David, citing the World Bank Reviews compilation of climate studies, If you arent
alarmed about climate, you arent paying attention http://grist.org/climateenergy/climate-alarmism-the-idea-is-surreal]
We know weve raised global average temperatures around 0.8 degrees C so far. We know that 2 degrees C is where
most scientists predict catastrophic and irreversible impacts . And we know that we
are currently on a trajectory that will push temperatures up 4 degrees or more
by the end of the century. What would 4 degrees look like? A recent World Bank review of the science reminds us.
First, itll get hot: Projections for a 4C world show a dramatic increase in the intensity and
frequency of high-temperature extremes. Recent extreme heat waves such as in Russia in 2010 are likely
to become the new normal summer in a 4C world. Tropical South America, central Africa, and all
tropical islands in the Pacific are likely to regularly experience heat waves of
unprecedented magnitude and duration . In this new high-temperature climate regime, the coolest
months are likely to be substantially warmer than the warmest months at the end of the 20th century. In regions such as the
Mediterranean, North Africa, the Middle East, and the Tibetan plateau, almost all summer months are likely to be warmer than
the most extreme heat waves presently experienced. For example, the warmest July in the Mediterranean region could be 9C
reefs: The combination of thermally induced bleaching events, ocean acidification, and sea-level rise threatens large fractions of
coral reefs even at 1.5C global warming. The regional extinction of entire coral reef ecosystems, which could occur well before
4C is reached, would have profound consequences for their dependent species and for the people who depend on them for
food, income, tourism, and shoreline protection. It will also likely lead to a sea-level rise of 0.5 to 1
meter, and possibly more, by 2100, with several meters more to be realized in the coming centuries. That rise wont be spread
evenly, even within regions and countries regions close to the equator will see even higher seas. There are also indications
and agricultural expansion. In Amazonia, forest fires could as much as double by 2050 with warming of approximately 1.5C to
Also loss of
biodiversity and ecosystem services: In a 4C world, climate change seems likely to become
the dominant driver of ecosystem shifts, surpassing habitat destruction as the
greatest threat to biodiversity. Recent research suggests that large-scale loss of
2C above preindustrial levels. Changes would be expected to be even more severe in a 4C world.
biodiversity is likely to occur in a 4C world, with climate change and high CO2
concentration driving a transition of the Earths ecosystems into a state unknown
in human experience. Ecosystem damage would be expected to dramatically reduce the provision of ecosystem
services on which society depends (for example, fisheries and protection of coastline afforded by coral reefs and mangroves.)
research also indicates a rapidly rising risk of crop yield reductions as the
world warms. So food will be tough. All this will add up to large-scale displacement of
populations and have adverse consequences for human security and economic
and trade systems. Given the uncertainties and long-tail risks involved, there is no certainty
that adaptation to a 4C world is possible. Theres a small but non-trivial
chance of advanced civilization breaking down entirely. Now ponder the fact that
New
some scenarios show us going up to 6 degrees by the end of the century, a level of devastation we have not studied and barely
weighing our desires for personal privacy and to safeguard against government abuse against the need for
improved law enforcement. That by itself might be a difficult balance for policymakers to strike, and reasonable
vulnerabilities often allow an attacker to effectively take control over the system, injecting its own software and
taking control over other parts of the affected system.9 The vulnerabilities introduced by access mandates
discussed in the previous section are likely to include many in this category. They are difficult to defend against or
For
better or worse, ordinary citizens, large and small business, and the government
itself depend on the same software platforms that are used by the targets of
criminal investigations. It is not just the Mafia and local drug dealers whose
software is being weakened, but everyones. The stakes are not merely unauthorized
exposure of relatively inconsequential personal chitchat, but also leaks of personal financial and
health information, disclosure of proprietary corporate data, and compromises of
the platforms that manage and control our critical infrastructure . In summary, the
technical vulnerabilities that would inevitably be introduced by requirements for law
enforcement access will provide rich, attractive targets not only for relatively
petty criminals such as identity thieves, but also for organized crime,
terrorists, and hostile intelligence services. It is not an exaggeration to
understand these risks as a significant threat to our economy and to national
security.
contain, and they current represent perhaps the most serious practical threat to networked computer security.
Engineering and the Dept. of Engineering & Public Policy, Served as Chief
Technologist of the Federal Communications Commission, Assistant Director of the
White Houses Office of Science and Technology Policy. "The dangerous policy of
weakening security to facilitate surveillance." Available at SSRN 2350929 (2013).
Weak Security is Dangerous Giving law enforcement and intelligence agencies the ability to conduct electronic
surveillance is part of a strategy to limit threats from criminals, foreign powers, and terrorists, but so is
strengthening the cybersecurity used by all Americans .
they contain. This can be an act of vandalism or protest, or activity undertaken in furtherance of other political
objectives. One of the more common forms is the distributed-denial-of-service (DDoS) attack, which entails flooding
a target computer system with a massive volume of information so that the system slows down significantly.
A notorious
example of a botnet-initiated DDoS attack occurred in April 2007, when government
and commercial servers in Estonia were seriously degraded over a number of days.
Botnets are quite useful for such purposes, as are multiple co-ordinated service requests.
Online banking services were intermittently disrupted, and access to government sites and to online news media
The attacks appear to have originated in Russia and are alleged to have
resulted from the collaboration of Russian youth organisations and Russian
organised-crime groups, condoned by the state, although the degree to which the Russian government was
was limited.
complicit in the attacks is unclear.18 Just as state actors or their agents can use the Internet to pursue what they
for fraud. Imam Samudra, the architect of the 2002 Bali bombings, reportedly called upon his followers to commit
credit-card fraud in order to finance militant activities.19 Jihadist propaganda and incitement messages also abound
the Internet is not used for illicit purposes solely or even primarily by
political actors. Organised-crime groups use it daily on a global scale, engaging in
activities that range from the illicit acquisition, copying and dissemination of
intellectual property (piracy has allegedly cost the software and entertainment industries billions of
dollars)20 to the plundering of banking and credit-card details , commercial trade secrets and
classified information held by governments. This too may begin with unauthorised access to a
in cyberspace. Yet
computer system: indeed, the theft of personal financial details has provided the
basis for thriving markets in such data, which enable fraud on a significant scale .21
regarding the possible mafia involvement in this murder attempt, although it cannot be excluded.
The less known case with strong indications that shady criminal networks may have plotted it happened more
recently in St. Petersburg. On March 18, 2005, Moskovskiye Novosti published an article, in which the author
discussed several high-profile assassinations and murders in Russia and abroad using various methods of poisoning.
One of such killings was reportedly performed with a highly radioactive substance. In September 2004, Head of
Baltik-Escort security company in St. Petersburg and FSB Colonel, Roman Tsepov, died a sudden and mysterious
death as a result of what was suspected to be poisoning. However, according to a source in St. Petersburg Public
Prosecutors Office, the posthumous examination established that the death had been caused by an unspecified
radioactive element. In the past, Tsepov was reportedly in charge of collecting protection money from casinos and
other commercial enterprises in St. Petersburg on behalf of a high-ranking FSB official.[57] These two incidents
demonstrate that some organized crime structures have the knowledge about the characteristics and effects of
specific radioactive materials, have access to these substances, and do not shy away from using them as weapons
of murder, which are hard to trace to the perpetrators. Terrorist Networks and Nuclear Trafficking Terrorism changes
together with society and in order to preserve itself as a phenomenon it must use what society gives it, including
used as a weapon of killing and a threat mechanism, so far, there is no evidence of their successful deployment in
terrorist acts. The only case that comes close to deployment of an RDD, was recorded in Chechnya in 1998, when
the local authorities found a container filled with radioactive substances and emitting strong radiation levels
together with a mine attached to it buried next to a railway line.[60] The local authorities considered the incident as
a foiled act of sabotage. The Chechen fighters are also believed to have made several raids on the Radon
radioactive waste depository, located in the vicinity of Grozny, and stolen several containers with radioactive
substances.[61] In 1996, the director of the Radon facility confirmed that about half of some 900 cubic meters of
waste, with radioactivity levels of 1,500 curies, which had been stored at the Radon facility at the start of the first
Chechen war in November 1994, was missing.[62] The Russian authorities believe the terrorists were planning to
use them in explosions in order to spread contamination. It should be noted that Chechen extremists stand out from
many other terrorist organizations by persistently making threats to use nuclear technologies in their acts of
violence. The notorious burial of a radiation source in the Gorky park of Moscow in 1995 by the now late field
commander Shamil Basayev and the threat by Ahmed Zakayev after the Moscow theater siege in October 2002 that
the next time a nuclear facility would be seized are just two such examples.[63] In January 2003, Colonel-General
Igor Valynkin, the chief of the 12th Main Directorate of the Russian Ministry of Defence, in charge of protecting
Russias nuclear weapons, said operational information indicates that Chechen terrorists intend to seize some
important military facility or nuclear munitions in order to threaten not only the country, but the entire world.[64]
According to an assessment of a Russian expert on nonproliferation, whereas unauthorized access to nuclear
admitted they have knowledge about the intent and attempts by terrorists to gain access to nuclear material. In
the director of the Russian Federal Security Service Nikolay Patrushev told
at a conference that his agency had information about attempts by terrorist groups
to acquire nuclear, biological and chemical weapons of mass destruction.[ 66] Later that
August 2005,
year, the Minister of Interior, Rashid Nurgaliev, stated that international terrorists intended to seize nuclear
materials and use them to build WMD.[67] If terrorists indeed attempted to gain access to nuclear material in
order use them for the construction of WMD, such attempts have not been revealed to the public. Out of almost
1100 trafficking incidents recorded in the DSTO since 1991, only one has reportedly involved terrorists, other than
Chechen fighters. The incident was recorded in India in August 2001, when Border Security Force (BSF) officials
seized 225 gram of uranium in Balurghat, northern West Bengal along the India-Bangladesh border. Two local men,
described as suspected terrorists, were arrested. Indian intelligence agencies suspect that the uranium was bound
for Muslim fighters in the disputed regions of Jammu and Kashmir and that agents of Pakistan's InterServiceIntelligence (ISI) were involved.[68] Whether the arrested suspects were indeed members of a terrorist organization
of these incidents. However, no reliable evidence of the marriages of convenience between all threeorganized
crime, terrorists, and nuclear traffickingcould be found.
Ayson, Professor of Strategic Studies and Director of the Centre for Strategic
Studies: New Zealand at the Victoria University of Wellington, 2010 (After a Terrorist
Robert
Nuclear Attack: Envisaging Catalytic Effects, Studies in Conflict & Terrorism, Volume 33,
Issue 7, July, Available Online to Subscribing Institutions via InformaWorld)
A terrorist nuclear attack, and even the use of nuclear weapons in response by the country attacked in the
first place, would not necessarily represent the worst of the nuclear worlds imaginable. Indeed, there are
reasons to wonder whether nuclear terrorism should ever be regarded as belonging in the category of truly
existential threats. A contrast can be drawn here with the global catastrophe that would come from a massive
nuclear exchange between two or more of the sovereign states that possess these weapons in significant
numbers. Even the worst terrorism that the twenty-first century might bring would fade into insignificance
alongside considerations of what a general nuclear war would have wrought in the Cold War period. And it
complete
surprise, and
American officials refused to believe that a terrorist group was fully responsible (or responsible at all)
suspicion would shift immediately to state possessors . Ruling out Western ally countries
like the United Kingdom and France, and probably Israel and India as well, authorities in Washington would be
U.S. president might be expected to place the countrys armed forces, including its nuclear arsenal, on a
higher stage of alert. In such a tense environment, when careful planning runs up against the friction of
it is just possible that Moscow and/or China might mistakenly read this as a
sign of U.S. intentions to use force (and possibly nuclear force) against them. In that
situation, the temptations to preempt such actions might grow , although it must be
reality,
admitted that any preemption would probably still meet with a devastating response.
rights and adhere to the rule of law in the digital realm has been deeply undermining of some crucial aspects of
heart of national security whether protecting critical infrastructure, confidential information, or sensitive data.
Practices, such as surreptitiously tapping into networks, requiring back doors to encrypted
services and weakening global encryption standards will directly undermine
national and global security, as well as human rights. Meanwhile targeted
malware and crafted digital attacks on human rights activists have become the
modus operandi of repressive governments motivated to undermine human rights
work. Civil society actors increasingly face an onslaught of persistent computer espionage attacks from
governments and other political actors like cyber militias, just as businesses and governments do. So while our
notions of privacy are evolving along with social media and data-capturing technology, we also need to recognize
that its not just privacy that is affected by the digitization of everything . The exercise of all fundamental
freedoms is undermined when governments utilize new capacities that flow from digitization without regard for
encryption
and anonymity are the modern safeguards for free expression. Without them, online
communications are effectively unprotected as they traverse the Internet,
vulnerable to interception and review in bulk. Encryption makes mass surveillance
significantly more costly.187 The human rights benefits of strong encryption have undoubtedly become
more evident since the end of the Crypto Wars. Support for strong encryption has become an
integral part of American foreign policy related to Internet freedom, and since 2010,
the U.S. government has built up a successful policy and programming agenda
based on promoting an open and free Internet .188 These efforts include providing over $120
million in funding for groups working to advance Internet freedom, much of which specifically funds circumvention
tools that rely on strong encryption which makes Internet censorship significantly harder as part of the
the promotion and protection of the right to freedom of opinion and expression,
Encryption, anonymity and the rights to freedom of opinion and expression and
privacy, A/HRC/29/32
14. The human rights legal framework for encryption and anonymity requires , first,
evaluating the scope of the rights at issue and their application to encryption and
anonymity; and, second, assessing whether, and if so to what extent, restrictions may lawfully be placed on the
use of technologies that promote and protect the rights to privacy and freedom of opinion and expression. 15.The
rights to privacy and freedom of opinion and expression have been codified in
universal and regional human rights instruments, interpreted by treaty bodies and regional courts, and
evaluated by special procedures of the Human Rights Council and during universal periodic review. The universal
standards for privacy, opinion and expression are found in the International Covenant on
Civil and Political Rights, to which 168 States are party. Even for those remaining States that are not bound by it ,
the Covenant presents at the very least a standard for achievement and often reflects a
customary legal norm; those that have signed but not ratified the Covenant are bound to respect its object and
purpose under article 18 of the Vienna Convention on the Law of Treaties. National legal systems also protect
privacy, opinion and expression, sometimes with constitutional or basic law or interpretations thereof. Several
global civil society projects have also provided compelling demonstrations of the law that should apply in the
context of the digital age, such as the International Principles on the Application of Human Rights to
Communications Surveillance and the Global Principles on National Security and the Right to Information. Although
holder noted that the rights to privacy and freedom of expression are interlinked and found that encryption and
anonymity are protected because of the critical role they can play in securing those rights (A/HRC/23/40 and Corr.1).
Echoing article 12 of the Universal Declaration of Human Rights, article 17 of the International Covenant on Civil
and Political Rights specifically protects the individual against arbitrary or unlawful interference with his or her
privacy, family, home or correspondence and unlawful attacks on his or her honour and reputation, and provides
The General
Assembly, the United Nations High Commissioner for Human Rights and special
procedure mandate holders have recognized that privacy is a gateway to the
enjoyment of other rights, particularly the freedom of opinion and expression (see
General Assembly resolution 68/167, A/HRC/13/37 and Human Rights Council resolution 20/8). 17. Encryption
and anonymity are especially useful for the development and sharing of opinions ,
that everyone has the right to the protection of the law against such interference or attacks.
which often occur through online correspondence such as e-mail, text messaging, and other online interactions.
Encryption provides security so that individuals are able to verify that their
communications are received only by their intended recipients, without interference or
alteration, and that the communications they receive are equally free from intrusion (see A/HRC/23/40 and
Corr.1, para. 23). Given the power of metadata analysis to specify an individuals behaviour, social relationships,
private preferences and identity (see A/HRC/27/37, para. 19), anonymity may play a critical role in securing
correspondence. Besides correspondence, international and regional mechanisms have interpreted privacy to
involve a range of other circumstances as well. 18. Individu als
http://politicalviolenceataglance.org/2015/07/07/how-can-states-and-non-stateactors-respond-to-authoritarian-resurgence/
Chenoweth: Why is authoritarianism making a comeback? Stephan: Theres obviously no
single answer to this. But part of the answer is that democracy is losing its allure in parts of the
world. When people dont see the economic and governance benefits of democratic transitions, they lose hope.
Then theres the compelling stability first argument. Regimes around the world, including China
and Russia, have readily cited the chaos of the Arab Spring to justify heavyhanded policies and consolidating their grip on power . The color revolutions that toppled
autocratic regimes in Serbia, Georgia, and Ukraine inspired similar dictatorial retrenchment. There is nothing
new about authoritarian regimes adapting to changing circumstances. Their
resilience is reinforced by a combination of violent and non-coercive measures. But
authoritarian paranoia seems to have grown more piqued over the past decade .
Regimes have figured out that people power endangers their grip on power and they are cracking down .
Theres no better evidence of the effectiveness of civil resistance than the measures
that governments take to suppress itsomething you detail in your chapter from my new book.
Finally, and importantly, democracy in this country and elsewhere has taken a hit lately.
Authoritarian regimes mockingly cite images of torture, mass surveillance, and the catering to
the radical fringes happening in the US political system to refute pressures to democratize
themselves. The financial crisis here and in Europe did not inspire much confidence in democracy and we are
seeing political extremism on the rise in places like Greece and Hungary. Here in the US we need to get
our own house in order if we hope to inspire confidence in democracy abroad.
Nuclear,
chemical, and biological weapons continue to proliferate. The very source of life on
Earth, the global ecosystem, appears increasingly endangered . Most of these new and
unconventional threats to security are associated with or aggravated by the weakness or
absence of democracy, with its provisions for legality, accountability, popular sovereignty, and openness.
LESSONS OF THE TWENTIETH CENTURY The experience of this century offers important lessons. Countries that
govern themselves in a truly democratic fashion do not go to war with one another.
They do not aggress against their neighbors to aggrandize themselves or glorify their leaders.
Democratic governments do not ethnically "cleanse" their own populations, and
they are much less likely to face ethnic insurgency. Democracies do not sponsor
terrorism against one another. They do not build weapons of mass destruction to use
on or to threaten one another. Democratic countries form more reliable, open, and enduring trading
partnerships. In the long run they offer better and more stable climates for investment. They are more
environmentally responsible because they must answer to their own citizens, who organize to protest the
destruction of their environments. They are better bets to honor international treaties since they value legal
authoritarian regimes and have utterly corrupted the institutions of tenuous, democratic ones.
obligations and because their openness makes it much more difficult to breach agreements in secret. Precisely
because, within their own borders, they respect competition, civil liberties, property rights,
and
democracies are
security and
Shane, American journalist and author at Foreign Policy magazine. @WAR : the rise
of the military-Internet complex / Houghton Mifflin Harcourt. P.98-100
The targets that are most vulnerable to a devastating zero day attack are the same
ones that the NSA is trying to protect: electrical power plants, nuclear facilities,
natural gas pipelines, and other critical infrastructures, including banks and
financial services companies. Not all of these companies have a system for easily sharing information
about vulnerabilities and exploits that have been discovered and publicly disclosed, often by more defensiveminded hackers who see their job as warning technology manufacturers about problems with their products, rather
than trying to profit from them.
By
buying so many zero day exploits, the NSA is helping to prop up a cyber arms
market that puts American businesses and critical facilities at risk. The
chances are good that if another country or a terrorist group knocks out the lights in
a US city, it will use an exploit purchased from a company that also sells them to
the NSA. The sellers of zero day exploits also bear at least some notional responsibility for making the Internet
updates. Some find doing that for hundreds or thousands of computers in a single facility a daunting task.
less safe. But they tend to blame software manufacturers for building programs that can be penetrated in the first
place. "We don't sell weapons, we sell information;' the founders of exploit seller ReVuln told a reporter for Reuters,
when he asked whether the company would be troubled if some of their programs were used in attacks that
destroyed systems or caused people to die. "This question would be worth asking to vendors leaving security holes
in their products. This line of defense is a bit like blaming a locksmith for a burglary. Yes, the locksmith is supposed
to make a product that keeps intruders from getting into someone's home. But if a burglar manages to break in and
steal a television or, worse, attack the homeowners, we don't prosecute the locksmith. Companies such as ReVuln
aren't burglars, but they are selling the equivalent of lock picks. Surely they bear some measure of responsibility, as
well, for crimes that are committed- if not a legal responsibility, then a moral one. And what about the NSA? In the
world of burglary, there's no equivalent for what the agency is doing. No one is out there buying up lock picks. But
the NSA also wants to be a kind of security guard for the Internet. What would
happen if the guard hired to watch over a neighborhood discovered an open window
but didn't tell the owner? More to the point, what if he discovered a design flaw in the brand of window
that everyone in the neighborhood used that allowed an intruder to open the window from the outside ? If the
security guard didn't alert the homeowners, they'd fire him - and probably try to
have him arrested. They wouldn't accept as a defense that the security guard was keeping the windows' flaw
a secret in order to protect the homeowners. And the police surely wouldnt accept that hed kept that information
to himself so that he could go out and rob houses. The analogy isn't perfect .
An article by Global Security Newswire highlighted how, in light of the unfolding nuclear power plant disaster in
Japan, a nuclear terrorist attack could be carried out. It states that, Nuclear
top homeland-security officials. However, it is interesting to note that not all states share this fear. As Scott Sagan
pointed out recently, there is a lack of consensus among non-nuclear states regarding the potential threat of
nuclear terrorism. Many of the non-nuclear states think that the US exaggerates the threat of nuclear terrorism, and
are therefore unwilling to spend money to protect their nuclear assets in the manner in which the US wants. For
obvious reasons, the lack of investment into protecting against nuclear terrorism for non-nuclear states is
understandable when they dont see it as a direct threat to their national security. However, regional attacks
For years, Helen Caldicott warned it's coming. In her 1978 book, "Nuclear Madness," she said: "As a physician, I
on the inevitable dangers from commercial nuclear power proliferation, besides added military ones. On March 11,
New York Times writer Martin Fackler headlined, "Powerful Quake and Tsunami Devastate Northern Japan," saying:
"The 8.9-magnitude earthquake (Japan's strongest ever) set off a devastating tsunami that sent walls of
water (six meters high) washing over coastal cities in the north." According to Japan's Meteorological Survey, it was
9.0. The Sendai port city and other areas experienced heavy damage. "Thousands of homes were destroyed, many
roads were impassable, trains and buses (stopped) running, and power and cellphones remained down. On
Saturday morning, the JR rail company" reported three trains missing. Many passengers are unaccounted for.
Striking at 2:46PM Tokyo time, it caused vast destruction, shook city skyscrapers, buckled
highways, ignited fires, terrified millions, annihilated areas near Sendai, possibly killed thousands,
and caused a nuclear meltdown, its potential catastrophic effects far exceeding
quake and tsunami devastation, almost minor by comparison under a worst case
scenario. On March 12, Times writer Matthew Wald headlined, "Explosion Seen at Damaged Japan Nuclear
Plant," saying: "Japanese officials (ordered evacuations) for people living near two nuclear power plants whose
cooling systems broke down," releasing radioactive material, perhaps in far greater amounts than reported. NHK
television and Jiji said the 40-year old Fukushima plant's outer structure housing the reactor "appeared to have
blown off, which could suggest the containment building had already been breached." Japan's nuclear regulating
agency said radioactive levels inside were 1,000 times above normal. Reuters said the 1995 Kobe quake caused
$100 billion in damage, up to then the most costly ever natural disaster. This time, from quake and tsunami
damage alone, that figure will be dwarfed. Moreover,
"Chernobyl: Consequences of the Catastrophe for People and the Environment," Alexey Yablokov, Vassily Nesterenko
and Alexey Nesterenko said: "For
but remain very serious. The possibility of an extreme catastrophe can't be discounted .
Moreover, independent nuclear safety analyst John Large told Al Jazeera that by venting radioactive steam from the
inner reactor to the outer dome, a reaction may have occurred, causing the explosion. "When I look at the size of
the explosion," he said, "it is my opinion that there could be a very large leak (because) fuel continues to generate
heat." Already, Fukushima way exceeds Three Mile Island that experienced a partial core meltdown in Unit 2. Finally
it was brought under control, but coverup and denial concealed full details until much later. According to antinuclear activist Harvey Wasserman, Japan's quake fallout may cause nuclear disaster, saying: "This is a very serious
If the cooling system fails (apparently it has at two or more plants), the
super-heated radioactive fuel rods will melt, and (if so) you could conceivably
have an explosion," that, in fact, occurred. As a result, massive radiation
releases may follow, impacting the entire region. "It could be, literally, an
apocalyptic event. The reactor could blow." If so, Russia, China, Korea and most parts of Western Asia will
situation.
be affected. Many thousands will die, potentially millions under a worse case scenario, including far outside East
Asia. Moreover, at least five reactors are at risk. Already, a 20-mile wide radius was evacuated. What happened in
Japan can occur anywhere. Yet Obama's proposed budget includes $36 billion for new reactors, a shocking disregard
for global safety. Calling Fukushima an "apocalyptic event," Wasserman said "(t)hese nuclear plants have to be
shut," let alone budget billions for new ones. It's unthinkable, he said. If a similar disaster struck California, nuclear
fallout would affect all America, Canada, Mexico, Central America, and parts of South America. Nuclear Power: A
Technology from Hell Nuclear expert Helen Caldicott agrees, telling this writer by phone that a potential regional
catastrophe is unfolding. Over 30 years ago, she warned of its inevitability. Her 2006 book titled, "Nuclear Power is
Not the Answer" explained that contrary to government and industry propaganda, even during normal operations,
nuclear power generation causes significant discharges of greenhouse gas emissions, as well as hundreds of
thousands of curies of deadly radioactive gases and other radioactive elements into the environment every year.
nuclear plants are atom bomb factories. A 1000 megawatt reactor produces
500 pounds of plutonium annually. Only 10 are needed for a bomb able to devastate
a large city, besides causing permanent radiation contamination .
Moreover,
Robert, Graduate US Army Airborne School, Ft. Benning, Georgia, Cyber attackers
could shut down the electric grid for the entire east coast 2012,
http://www.examiner.com/article/cyber-attackers-could-easily-shut-down-theelectric-grid-for-the-entire-east-coa
a cyber attack that can take out a civilian power grid, for example
could also cripple the U.S. military. The senator notes that is that the same power grids that supply
To make matters worse
cities and towns, stores and gas stations, cell towers and heart monitors also power every military base in our
backup diesel
generators, within hours, not days, fuel supplies would run out , he said. Which means
military command and control centers could go dark . Radar systems that detect
air threats to our country would shut Down completely. Communication between
commanders and their troops would also go silent. And many weapons systems
would be left without either fuel or electric power, said Senator Grassley. So in a few
short hours or days, the mightiest military in the world would be left scrambling to
maintain base functions, he said. We contacted the Pentagon and officials confirmed the threat of a cyber
country. Although bases would be prepared to weather a short power outage with
attack is something very real. Top national security officialsincluding the Chairman of the Joint Chiefs, the Director
taking all this? Enough to start, or end a war over it, for sure (see video: Pentagon declares war on cyber attacks
President
Shane, American journalist and author at Foreign Policy magazine. @WAR : the rise
of the military-Internet complex / Houghton Mifflin Harcourt. P.98
In any market- gray or otherwise - the biggest buyers have an outsized ability to set
terms and conditions. As the reputedly single largest purchaser of zero day vulnerabilities and exploits,
the NSA could turn the market on its head if it bought up zero days for the
express purpose of disclosing them. The agency has billions of dollars to spend
on cyber security. Why not devote some portion of that to alerting the world to the
presence of fixable flaws? What responsibility does the agency have to warn the
Myriam, Deputy for research and teaching a the Center for Security Studies (CSS)
and Senior Lecturer for Security Politics at ETH Zurich. "Breaking the cyber-security
dilemma: Aligning security needs and removing vulnerabilities." Science and
engineering ethics 20.3 (2014): 701-715.
That said, the security-implications of current actions by state entities go even further.
It has been suspected for a while and is now confirmed that the intelligence services of this world are making
cyberspace more insecure directly; in order to be able to have more access to data, and in order to prepare for
It has been revealed that the NSA has bought and exploited so-called
zero-day vulnerabilities in current operating systems and hardware to inject NSA
malware into numerous strategically opportune points of the Internet infrastructure
(Greenwald and MacAskill 2013). As soon as military and intelligence agencies became
buyers of so-called zero-day vulnerabilities, prizes have skyrocketed (Miller 2007; Perlroth
and Sanger 2013), with several downsides to this: first, exposing these vulnerabilities in order to
patch them, as was the norm not so long ago, is becoming less likely. Second, the competition for
future conflict.
exclusive possession of such vulnerabilities might even give programmers incentives to deliberately create and
then sell them (Schneier 2012b). It is unknown which computer systems have been compromisedbut it is known
that these backdoors or sleeper programs can be used for different purposes
(surveillance, espionage, disruption, etc.) and activated at any time. It also has been
revealed that the US government spends large sums of money to crack existing
encryption standardsand apparently has also actively exploited and contributed to
vulnerabilities in widespread encryption systems (Simonite 2013; Fung 2013; Clarke et al. 2013).
The crux of the matter is that these backdoors reduce the security of the entire systemfor
everyone. The exploitation of vulnerabilities in computer systems by intelligence
agencies and their weakening of encryption standards have the potential to destroy
trust and confidence in cyberspace overall. Also, there is no guarantee that the backdoor-makers
have full control over them and/or can keep them secret in other words, they could be identified and exploited by
Most of the time we are not even aware of how close to violence we are, because
we all grant concessions to avoid it. Like sailors smelling the breeze, we rarely contemplate
how our surface world is propped up from below by darkness. In the new space of the
internet what would be the mediator of coercive force? Does it even make sense to ask this question? In this
otherworldly space, this seemingly platonic realm of ideas and information flow, could there be a notion of coercive
force? A force that could modify historical records, tap phones, separate people, transform complexity into rubble,
and erect walls, like an occupying army? The platonic nature of the internet, ideas and information flows, is debased
by its physical origins. Its foundations are fiber optic cable lines stretching across the ocean floors, satellites
spinning above our heads, computer servers housed in buildings in cities from New York to Nairobi. Like the soldier
who slew Archimedes with a mere sword, so too could an armed militia take control of the peak development of
The new world of the internet, abstracted from the old world of
longed for independence. But states and their friends moved to control
our new worldby controlling its physical underpinnings. The state, like an army
around an oil well, or a customs agent extracting bribes at the border, would soon learn to
leverage its control of physical space to gain control over our platonic realm . It would
Western civilization, our platonic realm.
brute atoms,
prevent the independence we had dreamed of, and then, squatting on fiber optic lines and around satellite ground
relationship expressed or communicated, every web page read, every message sent and every thought googled,
and then store this knowledge, billions of interceptions a day, undreamed of power, in vast top secret warehouses,
forever.
It would go on to mine and mine again this treasure, the collective private
intellectual output of humanity, with ever more sophisticated search and pattern
finding algorithms, enriching the treasure and maximizing the power imbalance between interceptors and
the world of interceptees. And then the state would reflect what it had learned back into the physical world, to start
wars, to target drones, to manipulate UN committees and trade deals, and to do favors for its vast connected
network of industries, insiders and cronies.
total domination.
A hope that with courage, insight and solidarity we could use to resist. A strange property
to create the laws of a new world. To abstract away our new platonic realm from its base underpinnings of satellites,
undersea cables and their controllers. To fortify our space behind a cryptographic veil. To create new lands barred to
those who control physical reality, because to follow us into them would require infinite resources.
And in this
about the world and build it up to be a basic emancipatory building block for the independence of mankind in the
platonic realm of the internet? And as societies merged with the internet could that liberty then be reflected back
into physical reality to redefine the state? Recall that states are the systems which determine where and how
coercive force is consistently applied. The question of how much coercive force can seep into the platonic realm of
the internet from the physical world is answered by cryptography and the cypherpunks ideals.
As states
merge with the internet and the future of our civilization becomes the future of the
internet, we must redefine force relations. If we do not, the universality of the
internet will merge global humanity into one giant grid of mass surveillance and
mass control. We must raise an alarm. This book is a watchmans shout in the night. On March 20,
2012, while under house arrest in the United Kingdom awaiting extradition, I met with three friends and fellow
watchmen on the principle that perhaps in unison our voices can wake up the town. We must communicate what we
have learned while there is still a chance for you, the reader, to understand and act on what is happening. It is time
Myriam, Deputy for research and teaching a the Center for Security Studies (CSS)
and Senior Lecturer for Security Politics at ETH Zurich. "Breaking the cyber-security
dilemma: Aligning security needs and removing vulnerabilities." Science and
engineering ethics 20.3 (2014): 701-715.
From Problem to Solution: Human-Centric Information Ethics. This article has identified and discussed implications
of cyber(-in)-security for human-security concerns, with a main focus on both the representation of the issue as a
The
problem with the current system is that security is underproduced, both
from a traditional state-focused national security and also from a bottom-up, human
security perspective. The reason, so I have argued, is a multidimensional and multi-faceted security
dilemma, produced by the following interlinked issues: First, cyber-security is increasingly presented
in terms of power-struggles, war- fighting, and military action . This is not an inevitable or
(security) political problem and the practices of (mainly state) actors based on such representations.
natural development; rather, it is a matter of choice, or at least a matter of (complicated) political processes that
has produced this particular outcome. The result is not more security, however, but less: states spend more and
more money on cyber-defense and likely also cyber-offense, which is not leading to more, but less security, as
evident by the flood of official documents lamenting the security-deficit. Second, the type of cybersecurity that is
produced is based on economic maxims, often without consideration for the particular security-needs of the
with bearing on cyber-security have mainly been made from a military perspective, following the tradition to
address new forms of warfare and weapons systems under ethical viewpoints (cf. Rowe 2010; Dipert 2010; Barrett
an expansion of environmental ethics towards a less anthropocentric concept of agent, which includes non-human
(artificial) and non-individual (distributed) entities and advances a less biologically-centred concept of patient,
which includes not only human life or simply life, but any form of existence. This ethics is concerned with the
question of an ethics in the infosphere (Floridi 2001) and beyond that, an ethics of the infosphere (Capurro
2006). In information ethics, the lowest possible common set of attributes which characterises something as
intrinsically valuable and an object of respect is its abstract nature as an informational entity (Floridi 1998). In this
view, all informational objects are in principle worth of ethical consideration. However, to ensure that such an ethics
does not involuntarily place the technical over the social, we must make sure that the protection of these data is
The duty
of a moral agent is evaluated in terms of contribution to the growth and welfare of
the entire infosphere (Floridi 1999: 47), but always related to a bodily being in the world .
Any process, action or event that negatively affects the infosphere with relevance to
human life impoverishes it and is an instance of evil (Floridi and Sanders 1999, 2001).
Vulnerabilities are such an evil.
not founded on the dignity of the digital but on the human dimensions they refer to (Capurro 2006).
that increase the governments capability to undermine adversaries also limit our capability to protect ourselves.
But the president also says that, the same sophistication you need for defenses means that potentially you can
engage in offensein other words, that we can use cyber attacks or their possibility as a deterrent against threats.
capabilities has resulted in weaknesses even years after that policy was changed. The FREAK and "Logjam"
attacks on secure browsing technology, discovered respectively in March and May of this year, provide clear
examples. Until 1992 (and in some cases even later), the U.S. government tried to maintain surveillance of
foreigners by requiring American companies to register as arms dealers and to obtain export licenses if they wanted
to sell secure web systems abroad. Instead, companies designed systems with highly secure modes for their
domestic clients, but deliberately weaker cryptography for foreign users. This switching between security levels
ultimately became part of the widely adopted standard for secure web browsing, which is still in use today even
though the government has eased export restrictions on strong cryptography. Attackers discovered how to trick
When the
FREAK attack was discovered, nearly two in five web servers on the Internet were
vulnerable to this trick. The broader Logjam attack applied to up to two-thirds of v irtual
private network connections, both foreign and domestic, making them vulnerable to
surveillance by sophisticated attackers. FREAK and Logjam present object lessons in why
government policies encouraging insecure systems can lead to vulnerabilities even
decades after the policy changes . Secure systems are now easier to export. But a rule proposed by the
systems into using the weaker mode, which is now trivial to defeat thanks to advances in technology.
Department of Commerce's Bureau of Industry and Security may broaden the export-licensing regime long applied
to security software using cryptography to cover nearly all computer security technology. Onerous licensing
requirements for cryptographic products have made U.S. companies less globally competitive. In fact, since it can
be easier to import secure products than to get a license to export them, some companies have outsourced the
development of these products to foreign subsidiaries or inverted their headquarters abroad. These controls stem
from the Wasennaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,
a multilateral organization of 41 countries that aims to promote global security by restricting trade in conventional
arms and dual-use technologies (those with both a military and a civilian application). There certainly are security
products that might reasonably be subject to export control. Today there is a thriving trade in undisclosed software
vulnerabilities and in surveillance-enabling equipment sold to states with unsavory human rights records. But the
proposed rules are written broadly and could apply to products that are purely defensive in nature, such as tools
meant to assist programmers in avoiding common pitfalls by scanning for common patterns of vulnerability, or even
generic tools for writing large software systems, such as source code editors that are not specific to security
open-ended surveillance as a strategy for security, online or otherwise. And in a speech on May 20, Assistant
Attorney General Leslie R. Caldwell spoke at length about the insufficiency and inadvisability of hacking back as a
As revised policy
emerges, it will be important to remember that increasing overall security for
citizens and the private sector can be effectively balanced with national security,
military, and intelligence goals. We're a long way from complete cybersecurity, but we can move toward
defensive tactic for U.S. companies. Current cybersecurity policy isnt achieving its goals.
a system thats significant more effective than the one we have now.
Solvency
The plan solves - strong encryption key to the internet.
Kehl, 2015
Danielle Kehl is a senior policy analyst at New America's Open Technology Institute,
BA cum laude Yale 6-17-2015, "Doomed To Repeat History? Lessons From The
Crypto Wars Of The 1990s," New America, https://www.newamerica.org/oti/doomedto-repeat-history-lessons-from-the-crypto-wars-of-the-1990s/
Strong encryption has become a bedrock technology that protects the security of
the internet The evolution of the ecosystem for encrypted communications has also enhanced the protection of
individual communications and improved cybersecurity. Today, strong encryption is an essential
ingredient in the overall security of the modern network, and adopting technologies like HTTPS
is increasingly considered an industry best-practice among major technology companies.177 Even the report of the
Presidents Review Group on Intelligence and Communications Technologies, the panel of experts appointed by
President Barack Obama to review the NSAs surveillance activities after the 2013 Snowden leaks, was unequivocal
in its emphasis on the importance of strong encryption to protect data in transit and at rest. The Review Group
Encryption is an essential basis for trust on the Internet; without such trust,
valuable communications would not be possible . For the entire system to work,
encryption software itself must be trustworthy. Users of encryption must be confident, and
wrote that:
justifiably confident, that only those people they designate can decrypt their data. Indeed, in light of the massive
increase in cyber-crime and intellectual property theft on-line, the use of encryption should be greatly expanded to
The report
further recommended that the U.S. government should: Promote security[] by (1)
fully supporting and not undermining efforts to create encryption standards; (2)
making clear that it will not in any way subvert, undermine, weaken, or make
vulnerable generally available commercial encryption; and (3) supporting efforts to
encourage the greater use of encryption technology for data in transit, at rest, in
the cloud, and in storage.179 Moreover, there is now a significant body of evidence that,
as Bob Goodlatte argued back in 1997, Strong encryption prevents crime .180 This has become
protect not only data in transit, but also data at rest on networks, in storage, and in the cloud.178
particularly true as smartphones and other personal devices that store vast amount of user data have risen in
Wenke Lee Professor, Georgia Institute of Technology; Anna Lysyanskaya Professor, Brown University; Tal Malkin
Associate Professor, Columbia University; David Mazires Associate Professor, Stanford University; Kevin McCurley
Fellow, International Association for Cryptologic Research; Patrick McDaniel Professor, The Pennsylvania State
University; Daniele Micciancio Professor, University of California, San Diego; Andrew Myers Professor, Cornell
University; Rafael Pass Associate Professor, Cornell University; Vern Paxson Professor, University of California,
Berkeley; Jon Peha Professor, Carnegie Mellon University; Thomas Ristenpart Assistant Professor, University of
Wisconsin Madison; Ronald Rivest Professor, Massachusetts Institute of Technology; Phillip Rogaway Professor,
University of California, Davis; Greg Rose Officer, International Association for Cryptologic Research; Amit Sahai
Professor, University of California, Los Angeles; Bruce Schneier Fellow, Berkman Center for Internet and Society,
Harvard Law School; Hovav Shacham Associate Professor, University of California, San Diego; Abhi Shelat Associate
Professor, University of Virginia; Thomas Shrimpton Associate Professor, Portland State University; Avi Silberschatz
Professor, Yale University; Adam Smith Associate Professor, The Pennsylvania State University; Dawn Song
Associate Professor, University of California, Berkeley; Gene Tsudik Professor, University of California, Irvine; Salil
Vadhan Professor, Harvard University; Rebecca Wright Professor, Rutgers University; Moti Yung Fellow, Association
"An
open letter from US researchers in cryptography and information security." (2014) .
for Computing Machinery; Nickolai Zeldovich Associate Professor, Massachusetts Institute of Technology;
http://people.csail.mit.edu/rivest/pubs/Ax14.pdf
Media reports since last June have revealed that the US government conducts
domestic and international surveillance on a massive scale, that it engages in deliberate
and covert weakening of Internet security standards, and that it pressures US
technology companies to deploy backdoors and other data-collection features. As
leading members of the US cryptography and information-security research
communities, we deplore these practices and urge that they be changed . Indiscriminate
collection, storage, and processing of unprecedented amounts of personal information chill free speech and invite
society-wide surveillance and the subversion of security technology, to adopt state-of-the-art, privacy-preserving
technology, and to ensure that new policies, guided by enunciated principles, support human rights, trustworthy
commerce, and technical innovation.
Back in the 1990s and 2000s, encryption was a complicated, minority interest. Now
it is becoming easy and mainstream, not just for authenticating transactions but for encrypting data
and communications. Back then, it was also mostly a US debate because that was where
most strong encryption was developed. But that's no longer the case: encryption
software can be written anywhere and by anyone, which means no one country
cannot dictate global policy anymore. Consider this: the right to privacy has long been considered a
qualified rather than an absolute right one that can be infringed, for example, on the grounds of public safety, or
to prevent a crime, or in the interests of national security. Few would agree that criminals or terrorists have the right
hard drive or a smartphone correctly, it cannot be unscrambled (or at least not for a few hundred thousand years).
At a keystroke, it makes absolute privacy a reality, and thus rewrites one of the
fundamental rules by which societies have been organised. No wonder the intelligence
services have been scrambling to tackle our deliberately scrambled communications. And our fear of crime
terrorism in particular has created another issue. We have demanded that the intelligence services and law
enforcement try to reduce the risk of attack, and have accepted that they will gradually chip away at privacy in
order to do that. However, what we haven't managed as a society is to decide what is an acceptable level of risk
that such terrible acts might occur.
that cars kill people and yet we still drive. We need to have a better discussion about what is an acceptable level of
safety that we as a society require, and what is the impact on our privacy as a result. As the University of Surrey's
Woodward notes: "Some of these things one might have to accept. Unfortunately there might not be any easy way
around it, without the horrible unintended consequences. You make your enemies less safe but you also make your
to say, this is how free societies should come at this." But he doesn't underestimate the scale of the problem,
either.
University, where he works on computer security and public policy issues at the
universitys Center for Information Technology Policy, 6-1-2015, "The Cyber
Conundrum," American Prospect, http://prospect.org/article/cyber-conundrum
Moving to Protect-First Three months after NIST withdrew the DRBG standard, a review initiated by President Barack Obama
called for a shift in policy. Regarding encryption, the Presidents Review Group on Intelligence
and Communications Technologies recommended that the U.S. Government
should: (1) fully support and not undermine efforts to create encryption standards;
(2) not in any way subvert, undermine, weaken, or make vulnerable generally
available commercial software; and (3) increase the use of encryption and urge U.S.
companies to do so. But there were few visible signals that policy had changed. No foreign nation, no hacker, Obama said in his 2015
State of the Union speech, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families. But the
nearly $14 billion requested for cybersecurity in the presidents fiscal year 2016
budget proposal effectively supports and reinforces current undermine-first policy, a
policy that has failed to stop the flood of attacks on American businesses and the government itself by foreign intelligence services, weekend hacktivists,
browsing.
A website is delivered securely when that sites address starts with httpsthe s stands for secureand your browser puts a lock or
key icon next to the address. Browsers can load and display secure pages, guaranteeing that while the pages are in transit from server to user, the pages
remain confidential and are protected from tampering, and that the users browser verifies that the server is not an impostor. At present, secure browsing
private information. Two-thirds of the websites on the Internet were vulnerable, along with countless computers embedded in cars, wireless routers, home
appliances, and other equipment. Because exploitation via Heartbleed usually did not leave a record, the full consequences of Heartbleed will almost
piece of our cyber infrastructure. Yet it has been maintained by a very small team of developersin the words of one journalist, two guys named Steve
and the foundation supporting it never had a budget reaching even $1 million per year. Despite its central role in web security, OpenSSL had never
undergone a careful security audit. Matthew Green, a cryptographer at Johns Hopkins University and an outspoken critic of OpenSSL, said after Heartbleed
that the OpenSSL Foundation has some very devoted people, it just doesnt have enough of them, and it cant afford enough of them. Since the
Heartbleed attack, a consortium of companies, including some of the biggest names in the Internet business, pledged contributions of a few million dollars
to start the Core Infrastructure Initiative (CII), a grant-making process for security audits of important infrastructure components like OpenSSL. CIIs budget
A more
proactive government policy would provide ample funding for security
audits. By leaving OpenSSL to its own devices, government perpetuates the
status quo and implicitly rejects a protect-first strategy . A similar situation applies to
of a few million dollars is nowhere near the few hundred million now devoted to the NSAs SIGINT Enabling program, but it is a start.
encrypted email, the state of which is well conveyed by a recent ProPublica headline: The Worlds Email Encryption Software Relies on One Guy, Who is
Going Broke. Werner Koch, the author and maintainer of the software Gnu Privacy Guardthe most popular tool for encrypted email and a piece of critical
security infrastructure used to verify the integrity of operating system updates on the most popular operating system for web servershad been getting
by on donations of $25,000 per year since 2001, and a new online fund drive was bringing only modest donations. The ProPublica piece brought attention
to Kochs plight, and a few hundred thousand dollars of donations poured in, enabling Koch to keep maintaining GPG. It was a success, of a sort. But
passing the digital hat for donations is not a sustainable way to fund a critical security infrastructure. The Limitations of Surveillance Meanwhile, although
precise numbers are hard to come by, one estimate is that 0.64 percent of U.S. gross domestic product is lost to cyber crime, an over$400 billion global
growth industry. Despite the fact that a cyberattack can decimate a companys operations and pry loose its secrets, and despite billions of dollars in
annual direct losses to foreign governments and criminals, the most popular systems for secure web page delivery and encrypted email get only crumbs
coming into the public eye only through leaks and investigative journalism. Some happens more openly, under the guise of information sharing between
companies and government. Surveillance of adversaries, both overseas and domestically with an appropriate court order, is prudent and necessary to
Pictures hack, intelligence and investigation were critical in connecting the dots after the attack had happened, even though they did very little to prevent
users and more than a few Americanswant to steer clear of products and companies that might be complicit in surveillance. Foreign companies market
Analysts
estimate that U.S. companies will lose at least tens of billions of dollars of business
due to users surveillance concerns. At the same time, news of U.S. government demands for data emboldens demands for
themselves as more trustworthy because, unlike American companies, they can defy information demands from U.S. authorities.
similar access by other governmentsincluding countries with much weaker civil liberties records. Anything that facilitates U.S. government access will
facilitate access by other governments. Industry worries, too, about direct government attacks on their infrastructures. That is exactly what happened
when the NSA tapped into the private communications lines that Google, Yahoo, and other major Internet companies use to move data internally, enabling
the NSA to capture information on the users of those systems without any request or notification. Consequently, the Internet companies are seen as either
complicit or vulnerableor both. The rift between government and industry was visible at the White House Summit on Cybersecurity and Consumer
Protection, held at Stanford University on February 13. Obama called for new legislation to promote greater information sharing between government and
private sector, including liability protections for companies that share information about cyber threats, and announced that our new Cyber Threat
Intelligence Integration Center [will be] a single entity thats analyzing and integrating and quickly sharing intelligence about cyber threats across
To the
president, cyber defense means collecting more information and using it more
aggressivelya policy of undermining and surveillance.
government so we can act on all those threats even faster. After the speech, he signed an executive order implementing these proposals.
SQ CrytpoWars
SQ - Encryption
The NSA weakened encryption and created vulnerabilities in
commercial software compromising the security of the entire
internet.
Harris, 2014
Shane, American journalist and author at Foreign Policy magazine. @WAR : the rise
of the military-Internet complex / Houghton Mifflin Harcourt. P.88-93
For the past ten years the NSA has led an effort in conjunction with its British counterpart, the Government
Communications Headquarters, to defeat the widespread use of encryption technology by
inserting hidden vulnerabilities into widely used encryption standards . Encryption is simply the
process of turning a communication - say, an e-mail - into a jumble of meaningless numbers and digits, which can only be deciphered using a key
possessed by the e-mail's recipient. The NSA once fought a public battle to gain access to encryption keys, so that it could decipher messages at will, but
The agency then turned its attention toward weakening the encryption
algorithms that are used to encode communications in the first place. The NSA is
home to the world's best code makers, who are regularly consulted by public
organizations, including government agencies, on how to make encryption algorithms stronger.
That's what happened in 2006 - a year after Alexander arrived - when the NSA helped developed an
encryption standard that was eventually adopted by the National Institute of Standards and
Technology, the US government agency that has the last word on weights and measures used for calibrating all manner of tools, industrial equipment,
and scientific instruments. NIST's endorsement of an encryption standard is a kind of Good
Housekeeping Seal of approval. It encourages companies, advocacy groups, individuals, and government agencies around the
it lost that fight.
world to use the standard. NIST works through an open, transparent process, which allows experts to review the standard and submit comments. That's
show that the NSA claimed it merely wanted to "finesse" some points in the algorithm's design, but in reality it became the "sole editor" of it and took over
the process. But less than a year after the standard was adopted, security researchers discovered an apparent weakness in the algorithm and speculated
publicly that it could have been put there by the spy agency. The noted computer security expert Bruce Schneier zeroed in on one of four techniques for
randomly generating numbers that NIST had approved. One of them, he wrote in 2007, "is not like the others:' For starters, it worked three times more
slowly than the others, Schneier observed. It was also "championed by the NSA, which first proposed it years ago in a related standardization project at
the American National Standards Institute. Schneier was alarmed that NIST would encourage people to use an inferior algorithm that had been
enthusiastically embraced by an agency whose mission is to break codes. But there was no proof that the NSA was up to no good. And the flaw in the
number generator didn't render it useless. As Schneier noted, there was a workaround, though it was unlikely anyone would bother to use it. Still, the flaw
set cryptologists on edge. The NSA was surely aware of their unease, as well as the growing body of work that pointed to its secret intervention, because it
leaned on an international standards body that represents 163 countries to adopt the new algorithm. The NSA wanted it out in the world, and so widely
used that people would find it hard to abandon. Schneier, for one, was confused as to why the NSA would choose as a backdoor such an obvious and now
that the
NSA reportedly struck with one of the world's leading computer security vendors,
RSA, a pioneer in the industry. According to a 2013 report by Reuters, the company adopted the NSAbuilt algorithm "even before NIST approved it. The NSA then cited the early use ...
inside the government to argue successfully for NIST approval :' The algorithm became "the default
public flaw. (The weakness had first been pointed out a year earlier by employees at Microsoft.) Part of the answer may lie in a deal
option for producing random numbers in an RSA security product called the bSafe toolkit, Reuters reported. "No alarms were raised, former employees
built an obvious backdoor. The algorithm was being sold by one of the world's top security companies, and it had been adopted by an international
RSA and NIST both distanced themselves from the spy agency- but neither claimed that the backdoor hadn't been installed. In a statement following the
Reuters report, RSA denied that it had entered into a "secret contract" with the NSA, and asserted that "we have never entered into any contract or
engaged in any project with the intention of weakening RS.A's products, or introducing potential 'backdoors' into our products for anyone's use." But it
didn't deny that the backdoor existed, or may have existed. Indeed, RSA said that years earlier, when it decided to start using the flawed numbergenerator algorithm, the NSA had a trusted role in the community-wide effort to strenghten, not weaken, encryption. Not so much anymore. When
documents leaked by Snowden confirmed the NSAs work, RSA encouraged people to stop using the number generator as did the NIST. The standards
body issued its own statement following the Snowden revelations. It was a model of carefully calibrated language. "NIST would not deliberately weaken a
cryptographic standard," the organization said in a public statement, clearly leaving open the possibility- without confirming it - that the NSA had secretly
installed the vulnerability or done so against NIST's wishes. "NIST has a long history of extensive collaboration with the world's cryptography experts to
support robust encryption. The [NSA] participates in the NIST cryptography development process because of its recognized expertise. NIST is also required
by statute to consult with the NSA. The standards body was effectively telling the world that it had no way to stop the NSA. Even if it wanted to shut the
agency out of the standards process, by law it couldn't. A senior NSA official later seemed to support that contention. In an interview with the national
security blog Lawfare in December 2013, Anne Neuberger, who manages the NSAs relationships with technology companies, was asked about reports that
the agency had secretly handicapped the algorithm during the development process. She neither confirmed nor denied the accusation. Neuberger called
NIST an incredibly respected close partner on many things But, she noted, it is not a member of the intelligence community. All the work they do is ...
pure white hat Neuberger continued, meaning not malicious and intended solely to def end encryption and promote security. "Their only responsibility is
to set standards" and "to make them as strong as they can possibly be. That is not the NSAs job. Neuberger seemed to be giving the NIST a get-out-of-
It
was part of a broader, longer campaign by the NSA to weaken the basic standards
that people and organizations around the world use to protect their information .
Documents suggest that the NSA has been working with NIST since the early 1990s
to hobble encryption standards before they're adopted . The NSA dominated the process of developing the
jail-free card, exempting it from any responsibility for inserting the flaw.The 2006 effort to weaken the number generator wasn't an isolated incident.
Digital Signature Standard, a method of verifying the identity of the sender of an electronic communication and the authenticity of the information in it.
NIST publicly proposed the [standard] in August 1991 and initially made no mention of any NSA role in developing the standard, which was intended for
use in unclassified, civilian communications systems according to the Electronic Privacy Infonnation Center, which obtained documents about the
development process under the Freedom of Information Act. Following a lawsuit by a group of computer security experts, NIST conceded that the NSA had
developed the standard, which was widely criticized within the computer industry for its perceived weak security and inferiority to an existing
authentication technology, the privacy center reported "Many observers have speculated that the [existing] technique was disfavored by NSA because it
was, in fact, more secure than the NSA-proposed algorithm. From NSA's perspective, its efforts to defeat encryption are hardly controversial. It is, after
all, a code-breaking agency. This is precisely the kind of work it is authorized, and expected, to do. If the agency developed flaws in encryption algorithms
But the flaws weren't secret. By 2007, the backdoor in the number generator was
It would be difficult to exploit the
weakness - that is, to figure out the key that opened NSA's backdoor. But this wasn't
impossible. A foreign government could figure out how to break the encryption and then use it to spy on its own citizens, or on American
companies and agencies using the algorithm. Criminals could exploit the weakness to steal personal and
financial information. Anywhere the algorithm was used - including in the products
of one of the world's leading security companies it was vulnerable . The NSA might comfort itself
that only it knew about, what would be the harm?
by reasoning that code-breaking agencies in other countries were surely trying to undermine encryption, including the algorithms the NSA was
manipulating. And surely they were. But that didnt answer the question, why knowingly undermine not just an algorithm but the entire process by which
Backdoors FYI
What is a backdoor?
Zetter, 2014
Kim Zetter, ward-winning, senior staff reporter at Wired covering cybercrime,
privacy, and security. 12-11-2014, "Hacker Lexicon: What Is a Backdoor?," WIRED,
http://www.wired.com/2014/12/hacker-lexicon-backdoor/
A backdoor has multiple meanings. It can refer to a legitimate point of access embedded in a system or software
program for remote administration. Generally this kind of backdoor is undocumented and is used for the
system. Malware installed on systems for this purpose is often called a remote access Trojan, or a RAT, and can be
Cryptowar Brink
New Crypto Wars coming now.
Kehl, 2015
Danielle Kehl is a senior policy analyst at New America's Open Technology Institute,
BA cum laude Yale 6-17-2015, "Doomed To Repeat History? Lessons From The
Crypto Wars Of The 1990s," New America, https://www.newamerica.org/oti/doomedto-repeat-history-lessons-from-the-crypto-wars-of-the-1990s/
Unfortunately,
in the past few years the consensus that strong encryption is good for
security, liberty, and economic growth has come under threat . The June 2013
revelations about the U.S. National Security Agencys pervasive surveillance
programs not to mention the NSAs direct attempts to thwart Internet security to
facilitate its own spying dramatically shifted the national conversation,
highlighting the vulnerabilities in many of the tools and networks on which we now
rely for both everyday and sensitive communications . While ordinary individuals, civil liberties
advocates, and major technology companies have since embraced greater use of encryption as a necessary step to
address a wide range of modern threats from both government and nongovernment actors, intelligence agencies
and law enforcement officials have also become increasingly outspoken against measures to strengthen these
systems through encryption. To make their case, they have revived many of the arguments they made about
encryption in the 1990s, seeming to have forgotten the lessons of the past. In response, encryption proponents
have countered with many of the same arguments that they made in the 1990s, along with a few new ones.195
It
seems like we may once again be on the verge of another war: a Crypto War 2.0.
But it would be far wiser to maintain the peace than to begin a new and
unnecessary conflict. We already had a robust public debate that resolved this
dispute, and nothing has changed since the 1990s that would cast doubt on the
policy conclusions we reached then; indeed , the post-war period has only
reinforced those conclusions. Although there are numerous individual lessons from
the Crypto Wars, the overarching takeaway is that weakening or otherwise
undermining encryption is bad for our economy, our economic security, and our civil
liberties and there is no reason to repeat our previous mistakes.
most ironic hacks of recent years. Matthew Green, assistant professor at John Hopkins university, and a couple of international
colleagues exploited a nasty bug on the servers that host the NSA website. By forcing the servers to use an old, almost forgotten
and weak type of encryption which they were able to crack within a few hours, they managed to gain access to the backend of the
NSA website, making it possible for them to alter its content. Worse still, the cryptographers found that the same weak encryption
was used on a third of the 14 million other websites they scanned. For instance, if they had wanted to, they could have gained
this
weak encryption was deliberately designed for software products exported from the
access to whitehouse.gov or tips.fbi.gov. Many smartphone apps turned out to be vulnerable as well. The irony is this:
enraged the security community. In September 2013 the New York Times, ProPublica and the Guardian published a story on the
In a
prolonged, multi-billion operation dubbed BULLRUN, the intelligence agencies used
supercomputers to crack encryption, asked, persuaded or cajoled telecom and web
companies to build backdoors into their equipment and software, used their
influence to plant weaknesses in cryptographic standards and simply stole
encryption keys from individuals and companies. A war is looming But security specialists
argue that by attacking the encryption infrastructure of the Internet, the intelligence
agencies have made us all less safe. Terrorists and paedophiles may use encryption to protect themselves
when planning and committing terrible crimes, but the Internet as a whole cannot function without
proper encryption. Governments cannot provide digital services to their citizens if they cannot use safe networks. Banks
thorough and persistent efforts of the NSA and its British counterpart GCHQ to decrypt Internet traffic and databases.
and financial institutions must be able to communicate data over secure channels. Online shops need to be able to process
Without
strong encryption, trust cannot exist online. Cryptographers have vowed
to fight back. Major web companies like Google and Yahoo! promised their clients strong end-to-end encryption for email
payments safely. And all companies and institutions have to keep criminals and hackers out of their systems.
and vowed to improve the security of their networks and databases. Apple developed a new operating system that encrypted all
content on the new iPhone by default. And hackers started developing web applications and hardware with strong, more userfriendly encryption. In the past few years we have seen the launch of encrypted social media (Twister), smartphones (Blackphone),
chat software (Cryptocat), cloud storage (Boxcryptor), file sharing tools (Peerio) and secure phone and SMS apps (TextSecure and
Signal). This worries governments. In the wake of the attack on Charlie Hebdo in Paris, UK Prime Minister David Cameron implied
that encryption on certain types of communication services should be banned. In the US, FBI director James Comey recently warned
that the intelligence agencies are going dark because of the emergence of default encryption settings on devices and in web
the needs of all concerned? One the one hand, how can we ensure that intelligence and law enforcement agencies have access to
communications and data when they have a legal mandate to do so? Their needs are often legitimate. One the other, how can we
ensure strong data protection for all, not only a techsavvy few? As we shall see, this crypto conflict isnt new, nor is the obvious
question the right question to ask at this moment.
Tokmetzi 2015
Dimitri, Data Journalist at the Correspondent (Netherlands) Think piece: How to
protect privacy and security? Global Conference on CyberSpace 2015 16 - 17 April
2015 The Hague, The Netherlands
https://www.gccs2015.com/sites/default/files/documents/How%20to%20protect
%20privacy%20and%20security%20in%20the%20crypto%20wars.pdf
Up until the seventies, the use of cryptography was limited to
governments, big corporations and some math enthusiasts. With the rise of
electronic networks like the Internet, the demand for encryption grew. Academics started
Crypto to the people
to develop new cryptography methods, but were warned by intelligence agencies to refrain from publishing about
them, according to Bart Preneel, a long-time professor of cryptography at the Belgian University of Leuven. The first
encryption products were built into hardware and exporting them was prohibited by most countries. These export
controls were outdated the moment encryption became available in software products in the late eighties, Preneel
says. Phil Zimmermann developed his encryption product Pretty Good Privacy (PGP) that made it fairly simple to
encrypt email traffic. Once uploaded onto the Internet, there was no stopping it, according to Preneel. The US
authorities tried to stop Zimmermann from exporting his code, but PGP had already found its way onto the nascent
network. Zimmermann also published the raw code in a book, making the export of his work a free speech issue.
contentious. Export controls were subsequently relaxed. The same happened on the other side of the Atlantic.
In 1995 the Wassenaar Arrangement was signed, restricting the export of cryptography and many other products. In
2000 these restrictions were lifted. Strong democratised encryption was unstoppable. Preneel said: We thought we
the proponents of
strong encryption had probably lost the war . However, the war is certainly not over as far as FBI
had won the war. We turned out to be wrong. The Crypto War was lost If anything,
director James Comey is concerned. In a speech at the Brooking Institution in October 2014 he told the audience
that perhaps its time to suggest that the post-Snowden pendulum has swung too far in one directionin a
direction of fear and mistrust. Comey thinks that tech companies overreacted to the Snowden revelations.
Encryption isnt just a technical feature; its a marketing pitch. He objected to the term backdoor. We want to
use the front door, with clarity and transparency, and with clear guidance provided by law. We are completely
comfortable with court orders and legal process front doors that provide the evidence and information we need to
investigate crimes and prevent terrorists attacks. These comments by the FBI Director sound legitimate and
certainly seem reasonable. But there are at least three objections to installing decryption technology in
Making everyone less secure The first objection is: who gets to
decide who uses a backdoor? The famous cryptographer Bruce Schneier has often warned
that modern computer technology is fundamentally democratising. Today's NSA
secret techniques are tomorrow's PhD theses and the following day's cybercrime
attack tools. In other words, if you install a backdoor, you can never be sure whether or
not someone else will find it and use it for nefarious purposes . A strong case in point is the
infrastructure and software.
so-called Vodafone hack that was discovered in Athens, Greece in late 2005. A lawful wiretapping device, used by
the countrys law enforcement agencies, was compromised and more than a hundred people were spied on,
possibly for two years prior to the discovery. The culprits remain unknown until this day. The targets were
journalists, Arab individuals, senior government and secret service officials and an American embassy worker.
Similar major security breaches were discovered in other countries too. Theoretically it might be feasible, as current
NSA director Michael Rogers argues, to build a backdoor that only his agency can use. The NSA actually came close
to building a very secure backdoor with DUAL_EC_DRBG, the Dual Elliptic Curve Deterministic Random Bit
The
Snowden files showed that in the early 2000s the NSA exploited a weakness in the
code, through which only they could guess the outcome of the generator, and with
that knowledge were able to break the widely-used encryption keys. The only
problem is that even years before Snowden blew the whistle, cryptographers knew
that there was something wrong with the code, but couldnt find definite proof. And
the leak shows that even the single most advanced intelligence agency
cannot keep its secrets. The real world keeps disproving the theory.
Generator. This piece of software is one of the few international standards used to generate encryption keys.
for giving law enforcement the best possible tools to investigate crime, subject to due process and the rule of law.
But a careful scientific analysis of the likely impact of such demands must distinguish what might be desirable from
are not really taken seriously. We have shown that current law enforcement demands for exceptional access would
If policy-makers
believe it is still necessary to consider exceptional access mandates, there are
technical, operational, and legal questions that must be answered in detail before
legislation is drafted. From our analysis of the two scenarios and general law
enforcement access requirements presented earlier in the paper, we offer this set of
questions.
likely entail very substantial security risks, engineering costs, and collateral damage.
Fed insecure
Feds shouldnt hold our data, they get hacked all the time.
Andrea Castillo, 5-20-2015, "Americas schizophrenic anti-encryption
cybersecurity strategy," Medium, https://readplaintext.com/america-sschizophrenic-anti-encryption-cybersecurity-strategy-2d10375a982
The back doors for which encryption antagonists pine are more the stuff of dream
than reality. Even the mightiest microchip Merlin will be hard-pressed to bend the rules of mathematics to suit
the G mens whimsies. But the move to weaken encryption does not just fail technically, it
would fail strategically. Bad guys could use back doors, too . The federal
government would perhaps be one of the worst entities to secure the keys
to our digital kingdom. Over the past 9 years, the rate of reported federal
information security failures increased by 1,169%. Federal employees routinely
download malware onto network computers , lose track of office equipment and computers, and
expose critical information to outside groups for months at a time without notice. Even agencies
ostensibly dedicated to cybersecurity preparedness, like DHS and DOD, report thousands of such failures each year.
It is entirely possible that skilled hackers could wrest a golden key from federal
agents sleepy grasp and earn a golden ticket into all encrypted US data.
Encryption Good
Joxean Koret, a researcher with Coseinc, a Singapore-based information security consultancy. If you write an exploit
for an anti-virus product youre likely going to get the highest privileges (root, system or even kernel) with just one
shot, Koret told The Intercept in an email. Anti-virus
reverse engineer it to find ways to neutralize the problem. Doing so required obtaining a
warrant. Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge
to GCHQs CNE [Computer Network Exploitation] capability and SRE is essential in order to be able to exploit such
software and to prevent detection of our activities, the warrant renewal request said. Examination of Kaspersky
and other such products continues. The warrant renewal request also states that GCHQ reverse engineers antivirus programs to assess their fitness for use by government agencies. The requested warrant, provided under
Section 5 of the U.K.s 1994 Intelligence Services Act, must be renewed by a government minister every six months.
The document published today is a renewal request for a warrant valid from July 7, 2008 until January 7, 2009. The
request seeks authorization for GCHQ activities that involve modifying commercially available software to enable
interception, decryption and other related tasks, or reverse engineering software. Software reverse engineering,
or reversing, is a collection of techniques for deciphering and analyzing how a program operates. The process can
be as simple as observing the flow of data into and out of the program, or as complex as analyzing the machine
code 1s and 0s to look into the softwares inner workings, including portions of the code that are not explained
in the manual or other program documentation. Put simply, it often means taking thousands of commands that
instruct the computer exactly what to do and working backwards to translate them into a format thats more
intelligible to a human being. Reversing is a common, often benign practice among software developers that can be
used to enable software from different companies to interoperate or to identify security vulnerabilities before they
can be exploited by third parties. Software makers, fearing piracy, hacking and intellectual property theft, often
forbid the practice in licensing agreements and sometimes protect the most sensitive inner workings of their
software with encryption. Governments have passed laws, with digital media in mind, that strictly circumscribe
tampering with this encryption. Software companies have also sued to block reverse engineering as copyright
infringement, arguing that it is illegal to make a copy of a program in violation of their restrictions on such copying.
GCHQ felt it needed legal cover to conduct reverse engineering, writing in the warrant renewal application that the
practice could otherwise be unlawful and amount to a copyright infringement or breach of contract. As we
explore in a related story today, the warrant is legally questionable on several grounds, in that it applies ISA section
5 to intellectual property for the first time, and GCHQ may be applying ISA section 5 to certain categories of
User-Agent strings included in the headers of Hypertext Transfer Protocol, or HTTP, requests. Such headers are
typically sent at the beginning of a web request to identify the type of software and computer issuing the request.
According to the draft report, NSA researchers found that the strings could be used to uniquely identify the
computing devices belonging to Kaspersky customers. They determined that Kaspersky User-Agent strings contain
encoded versions of the Kaspersky serial numbers and that part of the User-Agent string can be used as a machine
identifier. They also noted that the User-Agent strings may contain information about services contracted for or
User-Agent strings could be used against its customers. The information is depersonalized and cannot be
attributed to a specific user or company, the statement read. We take all possible measures to protect this data
from being compromised, for example through strong encryption. But Kasperskys measures sometimes appear to
fall short. In 2012, Twitter user @cryptoOCDrob posted a screenshot of Kaspersky software leaking unencrypted
data while checking website reputation. Two years later, another Twitter user, Christopher Lowson, claimed that his
email address, license key and other details were being sent by Kaspersky without encryption. Testing performed by
The Intercept last month on a trial copy of Kaspersky Small Business Security 4 determined that, while some
traffic was indeed encrypted, a detailed report of the hosts hardware configuration and installed software was
relayed back to Kaspersky entirely unencrypted. By the time of publication, Kaspersky told The Intercept via email,
email flagging a malware file, which was sent to various anti-virus companies by Franois Picard of the Montrealbased consulting and web hosting company NewRoma. The presentation of the email suggests that the NSA is
reading such messages to discover new flaws in anti-virus software. Picard, contacted by The Intercept, was
unaware his email had fallen into the hands of the NSA. He said that he regularly sends out notification of new
viruses and malware to anti-virus companies, and that he likely sent the email in question to at least two dozen
such outfits. He also said he never sends such notifications to government agencies. It is strange the NSA would
show an email like mine in a presentation, he added. The NSA presentation goes on to state that its signals
intelligence yields about 10 new potentially malicious files per day for malware triage. This is a tiny fraction of the
hostile software that is processed. Kaspersky says it detects 325,000 new malicious files every day, and an internal
GCHQ document indicates that its own system collect[s] around 100,000,000 malware events per day. After
presentation lists 23 additional AV companies from all over the world under More Targets! Those companies
include Check Point software, a pioneering maker of corporate firewalls based Israel, whose government is a U.S.
ally. Notably omitted are the American anti-virus brands McAfee and Symantec and the British company Sophos.
There is a certain logic to monitoring reports flowing into anti-virus companies. Such reports include new malware,
which can potentially be re-purposed, and intelligence about hostile actors. Whats more, information about security
vulnerabilities in the AV software itself can be harvested. Anti-virus companies commonly, though not always,
respond slowly to such reports, leaving a window in which spy agencies can potentially exploit these flaws. A 2012
report from Google security engineer Tavis Ormandy documented how, after alerting Sophos to multiple security
vulnerabilities in its anti-virus software, the firm estimated it would require six months to patch all of the bugs. That
estimate was later revised down 60 days for the entire set of fixes, according to Ormandy. Its not clear exactly how
many reports like Ormandys have been piling up at anti-virus companies. But Koret, the security researcher,
suggests that most AV companies have serious problems in this area. During a period of ~1 year I researched
more or less 17 AV engines, he wrote in an email. I found vulnerabilities in 14 AV engines. Anti-virus firms vs.
long as 14 to 19 years, burrowing into the hard drive firmware of sensitive computer systems around the world,
according to Kaspersky. Governments, militaries, technology companies, nuclear research centers, media outlets
and financial institutions in 30 countries were among those reportedly infected. Kaspersky estimates that the
Equation Group could have implants in tens of thousands of computers, but documents published last year by The
Intercept suggest the NSA was scaling up their implant capabilities to potentially infect millions of computers with
malware. Kasperskys adversarial relationship with Western intelligence services is sometimes framed in more
sinister terms; the firm has been accused of working too closely with the Russian intelligence service FSB. That
accusation is partly due to the companys apparent success in uncovering NSA malware, and partly due to the fact
that its founder, Eugene Kaspersky, was educated by a KGB-backed school in the 1980s before working for the
Russian military. Kaspersky has repeatedly denied the insinuations and accusations. In a recent blog post,
responding to a Bloomberg article, he complained that his company was being subjected to sensationalist
conspiracy theories, sarcastically noting that for some reason they forgot our reports on an array of malware that
trace back to Russian developers. He continued, Its very hard for a company with Russian roots to become
successful in the U.S., European and other markets. Nobody trusts us by default. Kaspersky Lab openly
cooperates with multiple international law enforcement agencies on cybercrime cases, but no inappropriate links to
the FSB have ever been proven. Meanwhile, cozy relationships with intelligence agencies are not uncommon among
Western technology companies. The CIA-backed venture capital firm In-Q-Tel has helped build over 200 tech startups, including cybersecurity firms FireEye and ReversingLabs and big data intelligence firms Palantir and Recorded
Future. Previous reporting from the Snowden archive has shown that Microsoft, Google, Yahoo, Facebook, Apple, AOL
No stranger to targeted
cyberattacks, Kaspersky Lab announced earlier this month that it had been the
victim of a sophisticated intrusion. In an email, Kaspersky Lab told The Intercept,It
is extremely worrying that government organizations would be targeting us instead
of focusing resources against legitimate adversaries, and working to subvert
security software that is designed to keep us all safe. However, this doesnt come as
a surprise. We have worked hard to protect our end users from all types of
and PalTalk all actively participated in the NSAs PRISM surveillance program.
the program's leader, Stacy Stevens, said during a June 9 public meeting of cybersecurity professionals organized
by the Department of Homeland Security in Cambridge, MA. The FBI official's comments, as well as documents
obtained by Inside Cybersecurity under the Freedom of Information Act, shed new light on how U.S. authorities view
cyber risks in industry, a subject shrouded in secrecy that some argue is excessive. An Obama administration
adviser, Richard Danzig, last year urged greater disclosure of cyber risks facing various sectors in the interest of
enabling better policymaking. Stevens told Inside Cybersecurity that the FBI and DHS have a shared understanding
of which sectors are associated with the greatest cyber-related national security risks. This hierarchy enables the
FBI cybersecurity outreach unit to prioritize its resources. The unit has focused on banking and finance, energy,
transportation, information technology and communications since it was established in 2013 and added public
health to the list more recently, she said. President Obama has repeatedly urged improvements in cybersecurity for
critical infrastructure, including in an executive order issued in 2013. Obama's speech at the White House
cybersecurity summit in February mentioned most of the sectors cited by Stevens. " Much
of our critical
infrastructure -- our financial systems, our power grid, health systems -- run on networks connected
to the Internet, which is hugely empowering but also dangerous, and creates new
points of vulnerability that we didn't have before ," Obama said. "Foreign governments
and criminals are probing these systems every single day. We only have to think of
real-life examples -- an air traffic control system going down and disrupting flights,
or blackouts that plunge cities into darkness -- to imagine what a set of systematic
cyber attacks might do." But DHS has been tight-lipped about which infrastructure sectors and assets face
the most significant cyber risks. In response to Obama's 2013 executive order, the agency produced an unclassified
"for official use only" report in July 2013 to identify critical infrastructure where a cybersecurity incident could cause
"catastrophic" regional or national damage to public health or safety, economic security or national security. Inside
Cybersecurity obtained a redacted version of the report through the Freedom of Information Act. It omits the names
sectors, subsectors, or modes, where a cybersecurity incident on a single entity would not be expected to result in
catastrophic regional or national effects." "A cybersecurity incident is possible in all sectors ," DHS
wrote in its 2013 report, "but not all cybersecurity incidents would generate the catastrophic consequences
required for consideration under [Obama's February 2013 executive order]." "As technology and business practices
change, greater cyber dependence will likely increase the impact of potential consequences of cybersecurity
incidents," the report states, noting the agency would annually re-evaluate the list of infrastructure at greatest risk
from a cybersecurity incident. Non-catastrophic risks can still be significant. The electrical grid, finance sector,
water supply, and telecommunications systems are the "big four targets" of cyber attacks intended to have a
distinct and immediate impact, Richard Bejtlich, chief security strategist for FireEye, recently testified before
Congress. But the water sector was not on the catastrophic list in the 2013 report, according to the Environmental
Protection Agency. Increased frankness about cyber risks could enable better policymaking, according to Danzig, an
adviser to the White House and a former Navy secretary from the Clinton administration. Last year, he urged DHS to
publicly release more details from the July 2013 assessment of catastrophic cyber risks. "Because industries greatly
vary in their incentives and disincentives, degrees of concentration, resiliency, cyber budgets and cyber
sophistication, action plans need to vary industry by industry," he wrote in a report published by the Center for a
New American Security. "They also need to be accepted, indeed championed, by relevant oversight agencies, and
Backdoors aren't new. The security industry has long worried about backdoors left in software by hackers, and has
of it is done with the knowledge and consent of the manufacturers involved, and how much is done surreptitiously
by either employees secretly working for the government or clandestine manipulation of the company's master
source code files. We also don't know how well it has succeededthe documents don't give us a lot of detailsbut
we know it was funded at $250 million per year. We also don't know which other countries do the same things to
systems designed by companies under their political control. We know of a few examples. In Chapter 6, I talked
belonging to members of the Greek governmentthe prime minister and the ministers of defense, foreign affairs,
and justiceand other prominent Greek citizens. Swedish telecommunications provider Ericsson built this
wiretapping capability into Vodafone products, but enabled it only for governments that requested it. Greece wasn't
one of those governments, but some still-unknown partya rival political group? organized crime?figured out how
to surreptitiously turn the feature on. This wasn't an isolated incident. Something similar occurred in Italy in 2006. In
2010, Chinese hackers exploited an intercept system Google had put into Gmail to comply with US government
surveillance requests. And in 2012, we learned that every phone switch sold to the Department of Defense had
security vulnerabilities in its surveillance system; we don't know whether they were inadvertent or deliberately
The NSA regularly exploits backdoors built into systems by other countries
for other purposes. For example, it used the wiretap capabilities built in to the Bermuda phone system to
inserted.
secretly intercept all the countrys phone calls. Why does it believe the same thing won't be done to us?
regularly quoted in the press. Schneier is a fellow at the Berkman Center for
Internet and Society at Harvard Law School, a program fellow at the New America
Foundation's Open Technology Institute, a board member of the Electronic Frontier
Foundation, an Advisory Board Member of the Electronic Privacy Information Center,
and the Chief Technology Officer at Resilient Systems, Inc., 3/2/15, Data and Goliath:
The Hidden Battles to Collect Your Data and Control Your World.
Aside from
directly breaking into computers and networking equipment, the NSA masquerades
as Facebook and Linkedln (and presumably other websites as well) to infiltrate target
computers and redirect Internet traffic to its own dummy sites for eavesdropping
purposes. The UK's GCHQ can find your private photos on Facebook, artificially increase traffic to a website,
disrupt video from a website, delete computer accounts, hack online polls, and much more. In addition to the
extreme distrust that all these tactics engender amongst Internet users, they
require the NSA to ensure that surveillance takes precedence over security . Instead
of improving the security of the Internet for everyone's benefit, the NSA is
ensuring that the Internet remains insecure for the agency s own
convenience. This hurts us all, because the NSA isn't the only actor out there that
thrives on insecurity. Other governments and criminals benefit from the subversion
of security. And a surprising number of the secret surveillance technologies revealed by Snowden aren't
Hacking the Internet. In Chapter 5, I talked about the NSA's TAO group and its hacking mission.
exclusive to the NSA, or even to other national intelligence organizations. They're just better-funded hacker tools.
Academics have discussed ways to recreate much of the NSA's collection and analysis tools with open-source and
commercial systems. For example, when I was working with the Guardian on the Snowden documents, the one topsecret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is
called packet injectionbasically, a technology that allows the agency to hack into computers. Turns out, though,
that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack
computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government
willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well. All of
these existed before I wrote about QUANTUM. By using its knowledge to attack others rather than to build up the
Internet's defenses, the NSA has worked to ensure that anyone can use packet injection to hack into computers.
Even when technologies are developed inside the NSA, they don't remain exclusive
for long. Todays top-secret programs become tomorrow's PhD theses and the next
day's hacker tools. Techniques first developed for the military cyberweapon Stuxnet have ended up in
criminal malware. The same password-cracking software that Elcomsoft sells to governments was used by hackers
to hack celebrity photos from iCloud accounts. And once-secret techniques to monitor people's cell phones are now
of noted cryptographers and security researchers warned in a new report this week. The report, from the
Massachusetts Institute of Technologys Computer Science and Artificial Intelligence Lab, incorporates the views of
more than a dozen top security researchers, including noted cryptologists like Bruce Schneier, Whitfield Diffie, and
Ronald Rivest. It expresses alarm over growing efforts by the FBI and other U.S. law enforcement agencies to get
data and communication services companies to engineer backdoors in their systems so law enforcement can have
access to encrypted data when needed. Government officials have claimed they need such access in order to be
able to pursue criminals conducting transactions online under the cover of encryption and anonymizing services like
Tor. In testimony before Congress only earlier this week, FBI director James Comey warned about the ongoing and
significant impact that such technologies were having on the governments ability to track, pursue, and prosecute
criminals. But according to the researcher, enabling exceptional access to systems of the sort being demanded by
the government will have devastating security consequences for the rest of the Internet. These
proposals
are unworkable in practice, raise enormous legal and ethical questions, and would
undo progress on security at a time when Internet vulnerabilities are causing
extreme economic harm. Here, according to the security researchers are three reasons why:
The first reason is that providing exceptional access means abandoning many of the best
practices that have been deployed or are being deployed to make the Internet safer .
As one example, the researchers pointed to technologies like perfect forward secrecy, a practice
where decryption keys are destroyed immediately upon use, so as not to
compromise the integrity of data that was encrypted earlier or later. A related technique,
authenticated encryption, uses the same temporary key to guarantee confidentiality and to verify that the message
nature, security testing would become far more difficult and less effective as well. This is a far more complex
environment than the electronic surveillance now deployed in telecommunications and Internet access services,
Management as one example of what can happen when a single organization is entrusted with a lot of data.
Enabling exceptional access would create a similar set of concentrated targets for bad actors to go after, the
security researchers said. If law enforcements keys guaranteed access to everything, an attacker who gained
access to these keys would enjoy the same privilege. Richard Blech, CEO of Secure Channels, said the government
finds itself between a rock and a hard place on the encryption issue. You
statement. Unfortunately, sensitive data is vulnerable if the agencies are left a backdoor. As a result, due process
may continue to be the only way forward, he said. If there are concerns, go to court and get a warrant.
Encryption US Leadership
US should take the lead on encryption.
Ranger, 2015
Steve Ranger, UK editor of TechRepublic, 3-23-2015, "The undercover war on your
internet secrets: How online surveillance cracked our trust in the web,"
TechRepublic, http://www.techrepublic.com/article/the-undercover-war-on-yourinternet-secrets-how-online-surveillance-cracked-our-trust-in-the-web/
Back in the 1990s and 2000s, encryption was a complicated, minority interest. Now
it is becoming easy and mainstream, not just for authenticating transactions but for encrypting data
and communications. Back then, it was also mostly a US debate because that was where
most strong encryption was developed. But that's no longer the case: encryption
software can be written anywhere and by anyone, which means no one country
cannot dictate global policy anymore. Consider this: the right to privacy has long been considered a
qualified rather than an absolute right one that can be infringed, for example, on the grounds of public safety, or
to prevent a crime, or in the interests of national security. Few would agree that criminals or terrorists have the right
hard drive or a smartphone correctly, it cannot be unscrambled (or at least not for a few hundred thousand years).
At a keystroke, it makes absolute privacy a reality, and thus rewrites one of the
fundamental rules by which societies have been organised. No wonder the intelligence
services have been scrambling to tackle our deliberately scrambled communications. And our fear of crime
terrorism in particular has created another issue. We have demanded that the intelligence services and law
enforcement try to reduce the risk of attack, and have accepted that they will gradually chip away at privacy in
order to do that. However, what we haven't managed as a society is to decide what is an acceptable level of risk
that such terrible acts might occur.
to say, this is how free societies should come at this." But he doesn't underestimate the scale of the problem,
either. Speaking at an event organised by the Information Technology and Innovation Foundation, he said: "Working
at the White House, we don't get easy problems, easy problems get solved someplace else, they don't come to us.
This is one of the hardest problems I know about, certainly that's anywhere close to my job. And I think it's clearly
worth remembering the Cavaliers and the Confederates both won the first battles of the English and American civil
US Standards Key
The USFG has a history of cryptographic expertise, it
understands the importance of creating new encryption
standards.
Davis et al 2014 (Risking it All: Unlocking the Backdoor to the Nation's
Cybersecurity Terry Davis is with MicroSystems Automation Group. Jon M. Peha is a
professor at Carnegie Mellon University. Eric Burger is a professor at Georgetown
University. L. Jean Camp is a professor at Indiana University Bloomington - School of
Informatics and Computing. Dan Lubar is with RelayServices. Social Science
Electronic Publishing, Inc, (http://papers.ssrn.com/sol3/papers.cfm?
abstract_id=2468604)
An indirect way to undermine the security of products and services is to influence national or international
standards bodies since many developers build systems that comply with the resulting standards, even when the
languages, and nations. Standards are required for hardware and software to communicate with other hardware and
could use the precedent of U.S. leadership to deliberately weaken standards. The impact of weakening a standard
may be even greater than weakening a specific product or service because that one standard may be used in so
many different products and services.
Economy/Innovation
Cybersecurity - Economy
Undermining the security of the digital economy will unravel
the global economy.
Bankston, 2015
It would cost the American economy untold billions of dollars. Experts estimated
during the original Crypto Wars that building and operating the kind of key escrow
infrastructure desired by the government would have cost the government and
industry many billions of dollars.21 Since then, the number of computer and Internet
users, and computer and Internet devices, has grown exponentially; so too has the
complexity and cost of such a scheme to give the government the universal decryption capability it apparently
Thats not even counting the many more billions of dollars that would be
lost as consumers worldwide lost confidence in the security of American computing
products and online services. American technology companies, which currently
dominate the global market, have already been wrestling with diminished consumer
trust in the wake of revelations about the scope of the N ational Security Agencys
programs, a loss of trust already predicted to cost our economy billions of dollars .23
Any new requirement that those companies guarantee that the U.S. government
have the technical capability to decrypt their users data would give foreign users
including major institutional clients such as foreign corporations and governments that especially rely
on the security of those products and serviceseven more incentive to avoid American products
and turn to foreign competitors. It would also likely diminish trust in the security of
digital technology and the Internet overall, which would slow future growth of the Internet
and Internet-enabled commerce and threaten the primary economic engine of the 21st
century. To put it bluntly, foreign customers will not want to buy or use online services, hardware products,
desires.22
software products or any other information systems that have been explicitly designed to facilitate backdoor access
for the FBI or the NSA.24 Nor will many American users, for that matter. Instead, they will turn to more secure
products that are available for purchase or for free download from sources outside of the United States, which is a
major reason why
One recent study says that estimates of these costs range from $24
billion to $120 billion per year in the U.S.3 Weakened security can only increase
the high cost of cybercrime. Of course, some technically sophisticated organizations are challenging
been breached.
the security of American computer and communications systems for reasons other than mere financial gain. Finding
and exploiting security vulnerabilities is part of how international espionage is conducted in the 21st century, as is
clearly demonstrated by recent revelations about the activities of the Chinese government. In addition to economic
advantage, foreign governments that compromise the security of contractors to the U.S. Defense Department may
use what they learn to improve their offensive and defensive military capabilities. Moreover, as we saw from
cyberattacks in Estonia and Georgia, cyberattacks on civilian systems can be highly disruptive to nations, and
possibly a force multiplier for military action. The more foreign powers can learn about security vulnerabilities in
critical systems in the U.S., the more vulnerable we are. Worse yet, this is no longer just the domain of nation
states. Terrorist organizations could also launch cyberattacks against critical systems. Perhaps they will time a
cyberattack with a bombing to maximize the damage and the panic. Weakened security can only increase the risk
InformationWeek, http://www.informationweek.com/the-impact-of-cyberwarfare/d/did/1055702?
Cyberwarfare: What will it look like, how will we defend against it? Those questions have taken on new urgency, as
the possibility becomes more real. Recently, the Baltic nation of Estonia suffered several weeks of distributed
denial-of-service attacks against both government and private-sector Web sites. And late last month, a report from
the Department of Defense said the People's Liberation Army of China is building up its cyberwarfare capabilities,
even creating malware that could be used against enemy computer systems in first-strike attacks. To date, there
cyberwarfare is
treated among most nations with much the same reverence as Cold
War players treated the idea of nuclear winter, mainly because of the potential large-scale
economic disruption that would follow, says Howard Schmidt, a former White House cybersecurity
adviser and former chief security officer at eBay and Microsoft. This would include shortages of
supplies that could affect both citizens and the military , he says. The cyberattacks
against Estonia primarily targeted the government, banking, media, and police sites, and they
have been no proven, documented cases of one nation attacking another via cyberspace. Yet
a chilling prospect that's
"affected the functioning of the rest of the network infrastructure in Estonia," the European Network and
Information Security Agency, or ENISA, reported on its Web site. As a result, targeted sites were inaccessible
outside of Estonia for extended periods in order to ride out the attacks and to try and maintain services within the
country. Distributed denial-of-service attacks are particularly difficult to prevent and require a lot of coordination to
contain the damage when multiple sites are hit. In order to weather the 128 strikes launched against its
cyberinfrastructure, Estonia sought help from not only its Computer Emergency Readiness Team, established late
last year, but also the Trans-European Research and Education Networking Association and Computer Emergency
systems. This is a significant issue in the United States, given that the private sector
owns more than 85% of the critical infrastructure . Communication and cooperation between
government officials and private-sector critical infrastructure owners is essential because the military is more
knowledgeable and better prepared to respond to a cyberattack. "When it comes to information warfare,
corporations in general are no match for a trained intelligence officer," says David Drab, a 27-year veteran of the
FBI who retired in 2002 and is now principal for information content security with Xerox Global Services. These
officers have an objective, they have resources, and often they have the element of surprise on their side, he says.
by businesses to deliver advertisements, cyber criminals to steal personal information, or oppressive states to
censor and control access to information. Hijacking techniques work by exploiting security vulnerabilities within the
Internets Domain Name System (DNS) and resolution process. The DNS is a fundamental technology for Internet
operation, yet because of its technological complexity and associated jargon, many people do not understand its
importance. To simplify, the DNS can be thought of as the Internets address book because it contains Internet
names (www.google.com) and associated IP addresses (8.8.8.8 for Google Public DNS) for everything online. It
functions by matching the names that people use to the numbers that computers use, so that a users device can
find the information they wish to access on the network. Hijacking occurs when a third party intercepts the DNS
look-up function and injects fake information into the process. What are appropriate government interventions in
Internet technology for achieving economic or political goals? Malicious hackers will often use these techniques to
redirect users to fake websites such as a fake bank login page to collect personal or financial information from
techniques are one of the many censorship tools built in to the system to control access to content that is uploaded
and shared online. Hijacking is a highly effective technique and can be extremely difficult to detect. When users
access most websites, the DNS will tell a computer where to go and the computer will automatically connect to the
address without verifying the information. The original design of the DNS predated the global expansion and growth
of the Internet, and verification was not an issue because the DNS was created in an environment where there was
a certain degree of trust among parties using the technology. This has created a number of security challenges for
the modern-day reality of the Internet. The NSAs IRRITANT HORN pilot project really strikes an important chord:
what are appropriate government interventions in Internet technology for achieving economic or political goals?
If
internet, today it also means governance using the architecture of the internet. In that second notion the internet
becomes a policy instrument to achieve other (national) policy goals. Such interventions may have huge
implications for the backbone of internet infrastructures and protocols and in turn, for the digital lives that we have
internet. If the
internet ceases to operate, many processes and routines, from the trivial our Facebook
status to the essential payment transactions will grind to a halt. If the backbone
protocols of the internet are corrupted, the internet becomes unreliable. Who would
risk online banking in that case? If we cannot be sure that data will be sent and
arrive at its intended destination, that will influence the kinds of economic and
social processes that we do or do not entrust to the internet. Would we let the internet
handle our private and work-related communications in that case? If we know that security gaps
are deliberately being built into internet standards, protocols, and
hardware and software to guarantee foreign intelligence and security
services access, then our confidence in the internet will gradually crumble .
If more and more countries withdraw behind digital borders, the internet will no
longer operate as an international infrastructure as it has done so far. And in the
worst-case scenario, the exploitation of vulnerabilities in the backbone
protocols and infrastructures could lead to serious breakdowns in society
and economy.
built on top of it. Such interventions can undermine the integrity and the functionality of the
Stifle Innovation
Tokmetzi, 2015
Dimitri, Data Journalist at the Correspondent (Netherlands) Think piece: How to
protect privacy and security? Global Conference on CyberSpace 2015 16 - 17 April
2015 The Hague, The Netherlands
https://www.gccs2015.com/sites/default/files/documents/How%20to%20protect
%20privacy%20and%20security%20in%20the%20crypto%20wars.pdf
Backdoors can stifle innovation. Even
until very recently, communications were a matter for a few big companies, often
state-owned. The architecture of their systems changed slowly, so it was relatively cheap and easy to build a
wiretapping facility into them. Today thousands of start-ups handle communications in one
form or another. And with each new feature these companies provide, the architecture of the systems
changes. It would be a big burden for these companies if they had to ensure that
governments can always intercept and decrypt their traffic. Backdoors require
centralised information flows, but the most exciting innovations are moving in the
opposite direction, i.e. towards decentralised services. More and more web services
are using peer-to-peer technology through which computers talk directly to one
another, without a central point of control. File storage services as well as payment processing and
communications services are now being built in this decentralised fashion. Its extremely difficult to
wiretap these services. And if you were to force companies to make such
wiretapping possible, it would become impossible for these services to continue to
exist. A government that imposes backdoors on its tech companies also risks harming their export opportunities.
Unsound economics The second argument is one of economics.
For instance, Huawei the Chinese manufacturer of phones, routers and other network equipment is unable to
US companies,
especially cloud storage providers, have lost overseas customers due to fears that
the NSA or other agencies could access client data. Unilateral demands for backdoors could put
gain market access in the US because of fears of Chinese backdoors built into its hardware.
companies in a tight spot. Or, as researcher Julian Sanchez of the libertarian Cato Institute says: An iPhone that
Apple cant unlock when American cops come knocking for good reasons is also an iPhone they cant unlock when
the Chinese government comes knocking for bad ones.
But backdoors are a problem for yet another reason. They clash with the end-to-end
argument that is at the very core of the architecture of the internet: the network
should be as simple and agnostic as possible regarding the communications that it
supports. More advanced functionalities should be developed at end nodes
(computers, mobiles, wearable devices). This, argue researchers, allows the network
to support new and unanticipated applications. The end-to-end argument has
ignited unprecedented levels of innovation. The back doors that intelligence
agencies are trying to promote would apply to our communications system as a
whole, not only to the end nodes that are the devices with which we send the
messages. This violates the end-to-end argument and undermines trust in the
internet as a communications system. Such backdoors would undermine the
generative internet as we know it, reducing every users capacity to innovate and
disseminate products of innovation to billions of people in a secure and sustainable
way.
Stifle innovation
Tokmetzi 2015
Innovation
Julian Sanchez, 9-23-2014, "Old Technopanic in New iBottles," Cato Institute,
http://www.cato.org/blog/old-technopanic-new-ibottles
Thirdleast obviously, but perhaps most importantlyany
requiring cellular phone manufacturers to enable police access to their devices, he tacitly presupposes that the
manufacturer is in control of the software running on the device. That may describe Apples notoriously tightly
Apple or Google, with teams of lawyers on retainer to comply with lawful orders and subpoenas, by a tiny startup,
by a lone developer working from his basement, or by a dispersed global community of open source coders. As
writer Cory Doctorow explains in his insightful essay Lockdown: The Coming War on General-Purpose Computing,
the only real way to make mandates of the kind Kerr discusses effective is to prohibit computers (and smartphones,
of course, are just small computers with embedded cellular radios) that are truly controlled by their lawful owners:
We dont know how to build a general-purpose computer that is capable of running any program except for some
program that we dont like, is prohibited by law, or which loses us money. The closest approximation that we have
to this is a computer with spyware: a computer on which remote parties set policies without the computer users
knowledge, or over the objection of the computers owner. Digital rights management always converges on
centralized, but theres not much point in requiring Google to release an insecure version of Android if any user can
just install a patch that removes the vulnerability .
No facebook.
Rodriguez, 2015
The implications of
this for innovation are dire. Could Mark Zuckerberg have built Facebook in his dorm
room if he'd had to build in surveillance capabilities before launch in order to avoid
government fines? Would the original Skype have ever happened if it had been
forced to include an artificial bottleneck to allow government easy access to all of
your peertopeer communications? This has especially serious implications for the
open source community and small innovators . Some open source developers have already taken a
propose would amount to a technology mandate and a draconian regulatory framework.
foot the bill: the providers will pass those costs onto their customers.
http://download.springer.com/static/pdf/416/bok%253A978-3-642-20898-
2011
The Internet will be a catalyst for much of our innovation and prosperity in the
future. It has enormous potential to underpin the smart, sustainable and inclusive
growth objectives of the EU2020 policy framework and is the linchpin of the Digital Agenda for Europe. A
competitive Europe will require Internet connectivity and services beyond the capabilities offered by current
technologies. Future Internet research is therefore a must. Since the signing of the Bled declaration
in 2008, European research projects are developing new technologies that can be used for the Internet of the
Future. At the moment around 128 ongoing projects are being conducted in the field of networks, trustworthy ICT,
Future Internet research and experimentation, services and cloud computing, networked media and Internet of
things. In total they represent an investment in research of almost 870 million euro, of which the European
Commission funds 570 million euro. This large-scale research undertaking involves around 690 different
organizations from all over Europe, with a well-balanced blend of 50% private industries (SMEs and big companies
with equal share), and 50% academic partners or research institutes. It is worth noting that it is a well-coordinated
initiative, as these projects meet twice a year during the Future Internet Assembly, where they discuss research
issues covering several of the domains mentioned above, in order to get a multidisciplinary viewpoint on proposed
solutions. Apart from the Future Internet Assembly, the European Commission has also launched a Public Private
Partnership program on the Future Internet. This 300- million-euro program is focused on short- to middle-term
research results developed over the past few years, and will be tested on large-scale use cases. The use cases that
are part of the Public Private Partnership all have the potential to optimize large-scale business processes, using the
properties of the core Future Internet platform .
burdened many major cities, countries, and companies with the increasing total cost of ownership of maintaining
single purpose networks, built with proprietary technologies with limited performance. These challenging networks
suppress innovation and lack the ability to unlock the economic value of the data generated by their systems.
challenges are faced regardless of the mode of transportation, whether rail, roadway, aviation, maritime, freight
and logistics, connected vehicle or mass transit. This weeks Connected Rail Solution announcement demonstrates
how Ciscos expertise in connecting the unconnected can be used to tackle the issues facing one mode of
transportation. Rail systems, regardless of whether they are freight, passenger or mix mode, deal with many
technical challenges such as varying speeds, through put requirements, redundancies and applications. But today,
thanks to the increasing capability and capacity of IP networks and the economic
leverage of the Internet of Everything, we can now see the opportunity for a
technology revolution in railroading not seen in more than a generation. Some early
adopter railways have already begun to implement a strategy based on the Internet of Everything. These early
adopters are transforming their organizations and providing new experiences for their customers and passengers.
Whether freight railroads looking to gain a competitive advantage by delivering new insights for freight and logistics
customers, or passenger rail systems looking to provide new and differentiated services to their customers to
time to learn what the Internet of Everything can do to transform organizations and
meet these challenges head on.
Affairs to poll 1,500 senior executives and business decision-makes across the United States and Europe about the
data
analytics are important to companies of all types and sizes -- including an
overwhelming majority (60 percent) of small businesses with 50 or fewer employees .
Second, data analytics can contribute to job growth. Sixty-one percent of senior
executives in the US and 58 percent in Europe say data analytics are important to
their companies' plans to hire more employees. Third, eight out of 10 respondents
overall say data analytics are important to their companies' plans to better serve
their customers' needs. It's clear that data innovation will be increasingly important to
how companies across the economy do business. The question is: how do we ensure
we are maximizing the opportunities? Data is inherently borderless, making the
digital economy a global economy. That is why it is critical that we have global trade rules that
role of data analytics in their companies. We found a number of things that were surprising: First,
promote data innovation. But currently there are no global standards in place to ensure that data can move freely
across borders. Chief negotiators from 12 countries are converging this week in Washington to continue
hammering out the terms of the Trans-Pacific Partnership (TPP). That agreement -- and the ongoing US-EU
Transatlantic Trade and Investment Partnership (TTIP) -- present important opportunities to establish 21st century
trade standards that enable data to flow across borders. That's why BSA is urging trade negotiators to seize the
moment and create the beginnings of a global framework to promote open markets and prevent protectionist
measures such as server-location requirements that could undermine the architecture of the Internet and stifle data
enormous payoff.
encryption," http://www.csmonitor.com/World/Passcode/2015/0707/The-battlebetween-Washington-and-Silicon-Valley-over-encryption#
The American business community worries such a policy, if enacted, would threaten
the competitiveness of their businesses. They are concerned it would unnecessarily
put their customers personal security and privacy at risk as criminal hackers grow
increasingly sophisticated and governments seek to eavesdrop. At the same time,
many companies are already trying to estimate the high cost of dealing with any
regulation that would mandate access to encryption including potential losses in
revenue and the tougher-to-measure consumer trust. As such, some are already
contemplating how to find loopholes and other ways around any new US rules to
build back doors, including by taking business overseas.
of Internet administration are increasingly recognized as sites of power, and are being altered for purposes beyond
to infect user devices with malware. The pilot project codenamed IRRITANT HORN would identify smartphone
traffic and inject malware into downloads, which could then be used to collect users data without knowledge or
consent. These types of hijacking techniques are not new. They are a somewhat common alteration used by
businesses to deliver advertisements, cyber criminals to steal personal information, or oppressive states to censor
and control access to information. Hijacking techniques work by exploiting security vulnerabilities within the
Internets Domain Name System (DNS) and resolution process. The DNS is a fundamental technology for Internet
operation, yet because of its technological complexity and associated jargon, many people do not understand its
importance. To simplify, the DNS can be thought of as the Internets address book because it contains Internet
names (www.google.com) and associated IP addresses (8.8.8.8 for Google Public DNS) for everything online. It
functions by matching the names that people use to the numbers that computers use, so that a users device can
find the information they wish to access on the network. Hijacking occurs when a third party intercepts the DNS
look-up function and injects fake information into the process. What are appropriate government interventions in
many censorship tools built in to the system to control access to content that is uploaded and shared online.
Hijacking is a highly effective technique and can be extremely difficult to detect. When users access most websites,
the DNS will tell a computer where to go and the computer will automatically connect to the address without
verifying the information. The original design of the DNS predated the global expansion and growth of the Internet,
and verification was not an issue because the DNS was created in an environment where there was a certain degree
of trust among parties using the technology. This has created a number of security challenges for the modern-day
accidentally leaked to the rest of the world in 2010; numerous US residents were temporarily blocked from
accessing popular social media websites and other content that was blocked by the Chinese government. A similar
incident occurred in 2008 when the Pakistani government ordered a local telecom to block YouTube by redirecting
local traffic away from the site. However, the new routing information was not contained within the country and
eventually everyone who tried to access YouTube was directed to the Pakistan network block .
At the same
time, NSA disclosures and technological interventions are precipitating nationspecific policies geared toward circumventing surveillance or achieving other
objectives. Russia has called for an alternative DNS; countries are pursuing policies
around data localization; and others have discussed routing around the US by
building their own Internet submarine cables. These interventions are politicizing technical design
choices rather than reflecting fundamental qualities of the Internet, such as interoperability, efficiency and
that it can continue to foster economic growth, access to knowledge, and innovation.
The United States benefited greatly from its role as a trusted provider of information and communications
agencies
that are considering methods of weakening the security of commercial products and
services must consider the full range of implications . Similarly, companies that benefit from user
data as part of their marketing revenue strategies should consider how their tactics could be abused. Weakened
security in standards and mass-market technology can facilitate the authorized
surveillance of criminals and terrorists. However, these weaknesses also introduce
risk to innocent people, organizations and government agencies, as they become
more vulnerable to attack from organized crime, terrorists and foreign powers. If
policies to weaken products from the United States are discovered, or even merely
suspected, U.S. products and services will suffer significant losses in reputation
and business where trust is critical. Both supporters and critics of policies to introduce backdoors
technology across the globe. This role cannot be taken for granted. Intelligence and law enforcement
have presupposed that the alleged activities have reduced privacy to improve security. With that premise, they then
argue about whether the nation wins or loses from such a trade. While the debate over how we should value both
privacy and security is important, it misses a critical point: The United States might have compromised both
security and privacy in a failed attempt to improve security. A thorough, technically informed, and documented
process of risk assessment with balanced stakeholders from all sides is needed to ensure the resilience and
security of Americas cyberinfrastructure, including the Internet and cyberphysical systems.
The American business community worries such a policy, if enacted, would threaten the competitiveness of their
businesses. They are concerned it would unnecessarily put their customers personal security and privacy at risk as
many
companies are already trying to estimate the high cost of dealing with any
regulation that would mandate access to encryption including potential losses in
revenue and the tougher-to-measure consumer trust. As such, some are already
contemplating how to find loopholes and other ways around any new US rules to build back doors, including by
taking business overseas.
criminal hackers grow increasingly sophisticated and governments seek to eavesdrop. At the same time,
Venezia 7-13 (Paul Venezia, Encryption with backdoors is worse than useless
its dangerous, InfoWorld, 7/13/15, Paul Venezia is a veteran *nix system and
network architect, and senior contributing editor at InfoWorld, where he writes
analysis, reviews and The Deep End blog,
http://www.infoworld.com/article/2946064/encryption/encryption-with-forcedbackdoors-is-worse-than-useless-its-dangerous.html, 7/14/15 AV)
On the other side of the pond, U.K. Prime Minister David Cameron has said he wants to either ban strong encryption
or require backdoors to be placed into any encryption code to allow law enforcement to decrypt any data at any
The fact that these officials are even having this discussion is a bald
demonstration that they do not understand encryption or how critical it is for
modern life. They're missing a key point: The moment you force any form of
encryption to contain a backdoor, that form of encryption is rendered useless. If a
backdoor exists, it will be exploited by criminals. This is not a supposition, but a certainty. It's not
time.
an American judge that we're worried about. It's the criminals looking for exploits. We use strong encryption every
single day. We use it on our banking sites, shopping sites, and social media sites. We protect our credit card
information with encryption. We encrypt our databases containing sensitive information (or at least we should ).
Our economy relies on strong encryption to move money around in industries large
and small. Many high-visibility sites, such as Twitter, Google, Reddit, and YouTube, default to SSL/TLS
encryption now. When there were bugs in the libraries that support this type of
encryption, the IT world moved heaven and earth to patch them and eliminate the
vulnerability. Security pros were sweating bullets for the hours, days, and in some
cases weeks between the hour Heartbleed was revealed and the hour they could
finally get their systems patched -- and now politicians with no grasp of the ramifications want to introduce a
fixed vulnerability into these frameworks. They are threatening the very foundations of
not only Internet commerce, but the health and security of the global
economy. Put simply, if backdoors are required in encryption methods, the
Internet would essentially be destroyed, and billions of people would be
put at risk for identity theft, bank and credit card fraud, and any number
of other horrible outcomes. Those of us who know how the security sausage is made are appalled
that this is a point of discussion at any level, much less nationally on two continents. Its abhorrent to consider. The
general idea coming from these camps is that terrorists use encryption to communicate. Thus, if there are
not give the police the keys to their houses. We do not register our bank account passwords with the FBI. We do not
knowingly or specifically allow law enforcement to listen and record our phone calls and Internet communications
lose an enormous cache of extraordinarily sensitive, deeply personal information on millions of its own employees,
one can only wonder what horrors would be visited upon us if it somehow succeeded in destroying encryption as
well.
Cyber Crime
weighing our desires for personal privacy and to safeguard against government abuse against the need for
improved law enforcement. That by itself might be a difficult balance for policymakers to strike, and reasonable
of the realities of how modern software applications are integrated into complete systems.
vulnerabilities often allow an attacker to effectively take control over the system, injecting its own software and
taking control over other parts of the affected system.9 The vulnerabilities introduced by access mandates
discussed in the previous section are likely to include many in this category. They are difficult to defend against or
contain, and they current represent perhaps the most serious practical threat to networked computer security.
For
better or worse, ordinary citizens, large and small business, and the government
itself depend on the same software platforms that are used by the targets of
criminal investigations. It is not just the Mafia and local drug dealers whose
software is being weakened, but everyones. The stakes are not merely unauthorized
exposure of relatively inconsequential personal chitchat, but also leaks of personal financial and
health information, disclosure of proprietary corporate data, and compromises of
the platforms that manage and control our critical infrastructure . In summary, the
technical vulnerabilities that would inevitably be introduced by requirements for law
enforcement access will provide rich, attractive targets not only for relatively
petty criminals such as identity thieves, but also for organized crime,
terrorists, and hostile intelligence services. It is not an exaggeration to
understand these risks as a significant threat to our economy and to national
security.
finally agree to speak to me. After a long and perilous hunt, his conditions are finally mine. Our interview takes
place online, in the middle of the night in Moscow, and on an Internet Relay Chat one of many online
communications protocols. Our exchanges are protected by the cryptography protocol Off-the-Record Messaging
(OTR). This is the essential prerequisite to our conversation, and the token of his trust. "X311" writes in unusual but
decent French. The hacker found refuge in France when his "personal situation became way too dangerous" for him
to stay one more week in Russia, he says. He agrees to unveil some aspects of his country's cybernetic underworld,
only because he's now joined "the white side of the force." In the hacker community, people are clearly divided in
five different color groups. The deep web's golden era First off, there are the "black hats" hackers driven by profit
and the desire to wrong the market's actors. These are criminals who are either isolated or organized in mafia. On
the opposite end are the "white hats," the cyberspace avengers who track down pirates and those threatening their
interests "the grey hats." Then come the "blue hats," who specialize in Windows hacking, and the "red hats,"
experts in the UNIX operating system. None of them ever says what color group they identify with. "A real hacker
never discloses he's one," X311 says. Our man did, out of choice and necessity. The Moscovite was a 15-year-old
high school student when he first entered the "black hat" Russian underworld. He studied programming in Moscow
and developed secured software during his spare time. "Back then, you had to find mentors to learn and practice,"
he says. X311 found these code masters with questionable ethics on IRC chats. These are all solitary and
experienced souls, navigating the deep web. Up to 90% of online content slips through the pages of classic search
engines. This is what we call "the deep web," the submerged part of the digital iceberg where the "black hats" hide
and thrive. These hackers buy, sell and trade sensitive data debit cards, confidential information, hacking
programs. They do so via the Tor network (an acronym for The Onion Router), which provides them with secured
protection of information. Quickly, X311 built a solid reputation, earning respect among other hackers. "I was young,
experienced, I was a good worker," he says via chat. Trading data and sensitive information with another "black hat"
just for the love of risk, he quickly became an expert in "cracking" and "phreaking." These practices consist of
breaking into security safeguards to hack debit cards, or phones. "Back then, it was heaven," the hacker says.
"There wasn't as much security on debit cards or on logins." He could easily hack into news websites or user
accounts of large hosting service providers. Apart from the "American and European banks," things were easy for
young hackers like him. "When I saw a growing interest for the competition of this data, I started selling it," he
acknowledges. But he won't say for how much. "A
these cliches. Let's start by talking about how young these hackers are. Hackers younger than 25 gravitate to Saint
Petersburg and its universities. The area is the most dense "black hat" community in the country. "They tend to be
pushed toward the city because of a shortage of legal job opportunities," says Sergueyv Vishnyakov, a 24-year-old
information security researcher at a Russian bank. He is an expert of the "black hats." He is featured as an
"hacktivist" on a website that hosts the largest database of IT flaws and weaknesses to date. In Moscow, these
cowboys of the web are lured by money. The majority of them earn more than 17,000 rubles a month about
$550. "The best hackers earn 10 times more," adds Vishnyakov, "but they only represent about 1% of the Russian
"black hats." And the game is definitely worth it:
these hackers. To find out how they operate, we head to the Moscow area headquarters of security company
Kaspersky. The firm competes with U.S. companies such as Symantec and McAfee fighting cyber crime. Inside the
headquarters, elite teams relentlessly battle new IT attacks. More than 315,000 are registered every day, coming
from and targeting Russia. Russia has the dubious distinction of ranking No. 3 globally in generating cyber attacks,
after China and Brazil. Aleks Goltsev, a 37-year-old Ukrainian, heads the company's security unit, and with the help
of international police forces, he investigates the Russian "black hat" underworld and tracks down its members.
Each country, he says, has its own specialty. "The Chinese hack online gaming platforms," he says. Brazilians take
whose tasks are clearly defined. Two developers design the spy software, and then try to sell it on IRC forums. The
market runs on two economic models. "They either sell the entire program for $10,000, or rent it weekly," Goltsev
With
the conflict in eastern Ukraine, Goltsev has become even busier. Russia and Ukraine
are engaged in an intense data cyber war. The security expert is convinced that
denial-of-service (DOS) attacks, which aim at taking down Internet servers, come
from "Russian and Ukrainian patriots." They could also originate from the Russian
government. Back in 2007 and 2008, Estonia and Georgia, then in conflict with the Kremlin, were given the
says. Some clients are Russian, but most of them are foreign Chinese and Thai. Russia's ambivalent stance
same treatment from Moscow as Ukraine is today. This is what makes Moscow so ambiguous about cyber defense
and security matters. The country, known for training the best IT experts, granted asylum to Edward Snowden, a
former computer engineer who disclosed revelations about the U.S. spying program. At the same time, Russia
stands among the most Internet-censoring countries around the world. The Kremlin recruits its Internet soldiers in
the Siberian city of Novosibirsk. Not far from there, authorities established a scientific city named the "Silicon Taiga"
in 1957. Russia has an impressive and feared cyber army. The GRU, the Main Intelligence
Directorate, is the largest supplier of cybersoldiers. Highly trained, they develop new protection systems and
manage Russia's listening stations across the globe. At the government level are the Russian Federation Federal
Security Service (FSB) and its 76,000 contributors. The organization, the main successor of the KGB, has an entire
center devoted to fighting cyber crimes. There is also a special unit in charge of protecting the government's
Internet. The NSA has nothing on the FSB. The Russian service created one of the most powerful
systems in communications interception, the one used during the Sochi Olympic Games in February. Russia can also
count on its Foreign Intelligence Service (SVR), a 15,000-person organization that is particularly active in economic,
industrial and technological spying. Back in the Moscow night, behind the screen of our encrypted chat, X311
declines to elaborate on what led him to flee Russia for France. "At some point, you need to think about settling
down," he says. "I was going on a bad path." He won't say if he was arrested. "Sorry, but I wont answer any
question. What do you think?" The 28-year-old Russian now works for a French IT security company. Maybe a former
victim of his hacking? He replies with a smiley emoticom and suddenly leaves the chat
At the
same time, transnational criminal networks in Russia are establishing new
ties to global drug trafficking networks to raise quick capital. Nuclear
material trafficking is an especially prominent concern in the former
Soviet Union, the report stated, adding that the US would continue to cooperate with Moscow and
the nations of the region to combat illicit drugs and organized crime. The report singled out the Russian mob
run by Semion Mogilevich. He is wanted by the US for fraud, racketeering, and money laundering
and was recently added to the FBIs Ten Most Wanted list. Mogilevich and
several members of his organization were charged in 2003 in the Eastern District of
Pennsylvania in a 45-count racketeering indictment with involvement in a sophisticated securities fraud and money-
Ten Most Wanted listMogilevich has continued to expand his operations. Mogilevich was arrested by Russian police
on tax charges in January 2008 and was released pending trial in July 2009. Other members of his organization
remain at large. Mogilevichs criminal empire currently operates in Europe (including Italy, Chech Republic,
Switzerland and Russia) the United States, the Ukraine, Israel and the United Kingdom. He also allegedly has ties
governmental anti-corruption organization Transparency International has persistently rated Russia as one of the
most corrupt nations on earth, and the worst among the BRIC nations Brazil, Russia, India and China. In the 2010
Corruption Perception Index, Russia was ranked ahead of all three big emerging markets, on par with Libya and
Pakistan.
used as a weapon of killing and a threat mechanism, so far, there is no evidence of their successful deployment in
terrorist acts. The only case that comes close to deployment of an RDD, was recorded in Chechnya in 1998, when
the local authorities found a container filled with radioactive substances and emitting strong radiation levels
together with a mine attached to it buried next to a railway line.[60] The local authorities considered the incident as
a foiled act of sabotage. The Chechen fighters are also believed to have made several raids on the Radon
radioactive waste depository, located in the vicinity of Grozny, and stolen several containers with radioactive
substances.[61] In 1996, the director of the Radon facility confirmed that about half of some 900 cubic meters of
waste, with radioactivity levels of 1,500 curies, which had been stored at the Radon facility at the start of the first
Chechen war in November 1994, was missing.[62] The Russian authorities believe the terrorists were planning to
use them in explosions in order to spread contamination. It should be noted that Chechen extremists stand out from
many other terrorist organizations by persistently making threats to use nuclear technologies in their acts of
violence. The notorious burial of a radiation source in the Gorky park of Moscow in 1995 by the now late field
commander Shamil Basayev and the threat by Ahmed Zakayev after the Moscow theater siege in October 2002 that
the next time a nuclear facility would be seized are just two such examples.[63] In January 2003, Colonel-General
Igor Valynkin, the chief of the 12th Main Directorate of the Russian Ministry of Defence, in charge of protecting
Russias nuclear weapons, said operational information indicates that Chechen terrorists intend to seize some
important military facility or nuclear munitions in order to threaten not only the country, but the entire world.[64]
According to an assessment of a Russian expert on nonproliferation, whereas unauthorized access to nuclear
admitted they have knowledge about the intent and attempts by terrorists to gain access to nuclear material. In
the director of the Russian Federal Security Service Nikolay Patrushev told
at a conference that his agency had information about attempts by terrorist groups
to acquire nuclear, biological and chemical weapons of mass destruction.[ 66] Later that
August 2005,
year, the Minister of Interior, Rashid Nurgaliev, stated that international terrorists intended to seize nuclear
materials and use them to build WMD.[67] If terrorists indeed attempted to gain access to nuclear material in
order use them for the construction of WMD, such attempts have not been revealed to the public. Out of almost
1100 trafficking incidents recorded in the DSTO since 1991, only one has reportedly involved terrorists, other than
Chechen fighters. The incident was recorded in India in August 2001, when Border Security Force (BSF) officials
seized 225 gram of uranium in Balurghat, northern West Bengal along the India-Bangladesh border. Two local men,
described as suspected terrorists, were arrested. Indian intelligence agencies suspect that the uranium was bound
for Muslim fighters in the disputed regions of Jammu and Kashmir and that agents of Pakistan's InterServiceIntelligence (ISI) were involved.[68] Whether the arrested suspects were indeed members of a terrorist organization
of these incidents. However, no reliable evidence of the marriages of convenience between all threeorganized
crime, terrorists, and nuclear traffickingcould be found.
financial markets and banks have become new targets of criminal opportunity for ROC, as witness two recent
prosecutions:
businesses are used for money laundering. Money laundering is also at the heart of one of the best known and most
U. S. government indictment
last year of four individuals and two companies in connection with the laundering of
more than $7 billion (some estimates range up to $10 billion) through the Bank of
New York (BONY). The case exemplifies a number of economic resource issues. First,
the monies laundered represent a mix of income from criminal activity in Russia and
money being hidden to avoid regulation by the Russian government . How much is of each
recent cases of ROC activity in the United States. That case involves the
kind has not been established. Russian organized crime uses financial institutions such as the BONY to launder
criminal money, and also assists Russian businesses and individuals to move their own assets out of Russia so as to
to tap professional know-how in the financial schemes of ROC. And, as this case, and the stock fraud cases
illustrate, some of those associated with ROC work primarily in the legitimate sector of the economy.
An overarching national
security concern is the involvement of Russian organized crime in the nuclear black
market. Russian organized crime groups pose a unique law enforcement challenge,
jeopardizing public safety throughout the world through their transnational criminal
enterprises. Worldwide money laundering activity from Cyprus to the Cayman
Islands and from Vanuatu in the Pacific to Venezuela; the assassination of American
businessman Paul Tatum in Moscow; financial scams in New York; car theft rings in
Europe; narcotics trafficking and money laundering alliances with Colombian and
Nigerian druglords and the Italian mafia represent but a few of the tentacles
extended by Russian organized crime networks throughout the world . Currently 200 large
flight and the wholesale plundering of its natural resources by its oligarchs.
Eurasian criminal organizations operate worldwide and have formed alliances with their criminal counterparts in 50
countries (including 26 U.S. cities).
assets controlled by
organized crime give it enormous economic power, and hence political power as well.
These assets enable criminal organizations (in various guises) to deal directly with
the stateon behalf of their own economic interestsfrom a position of parity.
in what has become the enormously lucrative scheme of privatization. As a result, the
Organized crime has also attempted to assume certain governmental functions, such as dividing territories among
developments is as much political and economic as it is criminological, and it is unlike anything we have ever seen
power and seeks to create and regulate markets to exercise economic power. The following are some specific
silent partners in criminal enterprises that they, in turn, protect. The criminalization of the privatization process
smuggling transactions pay fees upfront and the business transaction and contact with the recruiter ends at the
border (Grubb, 2009). Immigrants rarely have any additional interaction with the group that assisted them and are
not obligated to the organization financially. They are expected to find their own work and accommodations once
they have arrived at their destination. Transnational human trafficking is believed to have become one of the least
when distinct ethnic groups dominated during different time periods, organized crime has no prejudice at present.
Many different criminal groups all over the world work together and often share
profits, which makes controlling human trafficking next to impossible for law
enforcement. Asian Gangs and Human Trafficking China has experienced economic growth
within urban areas of southeastern provinces; however, the rural areas have
suffered with little agricultural progression. Most available jobs are reserved for
those who are well educated and living in the city . Migrant workers who live a transient life
quickly fill factory jobs that pay low wages and require long hours. The United States is seen as the ultimate escape
where there are no limits on family size and citizens have endless opportunities for employment. Due to poor
economic conditions in China, the business of trafficking Chinese citizens into the United States has become a
lucrative business for organized crime. One specific Asian crime organization is referred to as the Triads. The
group has been very successful in the United States creating cells in New York, Miami, San Francisco, Los Angeles,
what it should be resulting in rancid conditions onboard vessels. Traffickers may charge as much as $35,000 per
home base for the Triad organized crime group is believed to be in Hong Kong; however, they have heavy control of
Taiwan where billions in profit flow through legitimate businesses. In Spain, the Triad gangs have infiltrated a small
Chinese community and have corrupted both law enforcement and government agencies. When someone dies in
this town, the Triad gangs simply give the person a new identity by recycling their legal citizenship documents.
Nobody ever questions why the population is skewed and there are no deaths year after year. Triad groups are
masters in exploiting foreign government and often pay large sums to agencies masked as donations to the military
or economic development when the money is actually bribe money for access to ports and facilities needed for their
operations. Although there are many hierarchical groups within Asian organized crime it is decentralized making it
difficult to obtain information regarding international connections when an arrest is made (Logan et.al. 2009).
Russian Mafia and Human Trafficking Human trafficking mainly for the purpose of
prostitution has also become the preferred crime for the Russian mafia due to the
high profit margin. The majority of women who fall victim to trafficking are from
poor economic countries such as the Ukraine and Romania who do not offer many job opportunities for
young women even if they are educated (Zalisko, 2000). Women are recruited using appealing
advertisements in newspapers and magazines. The advertisements promise big money and
free housing for employment as a nanny, go-go dancer, or waitress in the United
States. Many victims are assured they will meet rich men in the big city eager for
marriage (Walker-Rodriguez & Hill, 2011). Victims are provided transportation and travel
papers but are quickly stripped of identification once they arrive at their destination.
Once the women realize they have been tricked into what some call modern-day slavery, they
often fight or attempt to escape. Mafia thugs subdue the women with violence and
isolation. Narcotics such as heroin and methamphetamine are given to the women
routinely to get them hooked and dependent on the gang members to feed their habit. In
typical mafia fashion, the mob photographs the sex slaves with clients and
threatens to send the photographs to their family members if they step out of line
(Abadinksy, 2010).
When discussing Chinese military capability, it is necessary to point out that despite significant increases, albeit
arguably not sufficient, in the Chinese military budget, not much is directed towards Greater Central Asia. Rather
the focus of Chinese military development has been on bolstering the navy and developing anti-ship cruise missiles,
Asian states, Beijing has failed to establish more effective security cooperation.
Chinese
economic expansionism if it fails to deliver benefits to the working population and
enriches only certain political families could become a liability. Charges of
corruption, elitism and colonialism would cause Chinas international reputation to
suffer as well. Central Asias socio-economic and political problems make it prone to
and build infrastructure that connects the landlocked region to world markets. But, equally,
turmoil and vulnerable to extremist organisations , both foreign and domestically generated.
Beijings cautious engagement on security matters will likely have to become more robust. China is reluctant to act
unilaterally, but the SCO provides it with a multilateral option for both Central Asia and Afghanistan. However, the
for Beijing and Moscow to view each other with less suspicion.
which Russia retains significant control compared to China and the United States. Despite some inroads from
Washington (military bases) and Beijing (weapon sales and exercises), Russia maintains close military links with
Cooperation (ICMEC) forms part of the strategy for closer integration of the military-industrial complexes in the
figures and military control, it has been hard and will continue to be difficult for Central Asia to escape the Russian
grip. Notwithstanding,
democratic systems, Chinas is based on a meritocracy and strong institutions (even with high levels of corruption)
but Russias is increasingly succumbing to kleptocracy and institutional decay. The separation between Russia and
China will increase as the differences in society and governments increases exponentially
their criminal
activities are not particularly sophisticated, although the Fuk Ching may be becoming more complex
in their organizational structure as they become more heavily engaged in human trafficking.
In his research, Chin (1996) found that Chinese gangs were quite active in
legitimate businesses in New York Citys Chinatown. For example, they owned or operated
restaurants, retail stores, vegetable stands, car services, ice cream parlors, fish markets, and video stores. On a
higher, more professional level, they also owned or operated wholesale supply
firms, factories, banks, and employment agencies. In addition, on the West Coast Chinese gangs
generally much younger than, for example, LCN or Russian organized crime figures. Also,
Internet Freedom
central pillar for security, development and freedom in the 21st century digital
environment.
technology companies' response to such demands have not always been exemplary. Rebecca Mackinnon's 2012
Yet, without
question, the role of Internet firms, especially those based in America, is a net plus
for democracy abroad. Having Twitter in the U.S. helped when the U.S. State Department asked it in 2009
book details corporate complicity with repressive regimes' censorship and surveillance.
to delay its regularly scheduled maintenance to ensure activists can communicate during the Iranian elections. It is
much harder to say no to a foreign government when a business has employees and data in that country. In this
way, the EU push for local data storage plays right into what some have called the "cyber sovereignty movement,"
an effort by many nations for more national control over the Internet within their own borders. But unlike current
discussions in Europe, those demands are not motivated by a desire to protect civil liberties. To the contrary,
authoritarian countries want to censor, spy on, and control Internet access within
their own borders. These nations -- Russia, China, the United Arab Emirates, Sudan,
Saudi Arabia, and others -- unsuccessfully pushed for changes to the Internet's
infrastructure at the International Telecommunications Union meeting last December in
Dubai. The growth of cyber-sovereignty would be a serious blow to the
spread of liberal democracy worldwide. The U.S. government's fervor for
Internet surveillance has now provided advocates for such cyber-sovereignty with
new privacy-motivated allies and a great set of talking points. President Obama recently
chided Americans concerned with NSA surveillance for our navete, saying "you can't have 100 percent security and
also then have 100 percent privacy." But this administration's rhetoric is short-sighted and depressing when, in fact,
The right to hold opinions without interference also includes the right to form
opinions. Surveillance systems, both targeted and mass, may undermine the right to
form an opinion, as the fear of unwilling disclosure of online activity , such as search and
browsing, likely deters individuals from accessing information , particularly where such
surveillance leads to repressive outcomes . For all these reasons, restrictions on encryption
and anonymity must be assessed to determine whether they would amount to an
impermissible interference with the right to hold opinions.
21.
susceptible to attack, even if access is provided with the sole intention of allowing
government or judicial control. Governments certainly face a dilemma when their
obligation to protect freedom of expression is in conflict with their obligations to
prevent violations of the right to life or bodily integrity , which are put at risk by
terrorism and other criminal behaviour. But other recourses are available to States to
request the disclosure of encrypted information, such as through judicial warrants. In such
situations, States must demonstrate that general limitations on the security provided by
encryption would be necessary and proportionate. States must show, publicly and transparently, that other
less intrusive means are unavailable or have failed and that only broadly intrusive measures, such as backdoors, would achieve the
legitimate aim. Regardless, measures that impose generally applicable restrictions on massive numbers of persons, without a caseby-case assessment, would almost certainly fail to satisfy proportionality.
building support across the political spectrum through organizations like the non- profit Internet Caucus Advisory
Committee192 and the Americans for Computer Privacy.193 The success of this campaign during the Crypto Wars
has informed a number of subsequent advocacy campaigns, including the Internet blackout and coordinated
protests that stopped the 2012 Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) as well as the monthslong push to get the Federal Communications Commission to adopt strong net neutrality rules after the 2014
Verizon v. FCC court decision. Organizers of both the SOPA/PIPA and net neutrality campaigns employed a number
of similar tactics to convince policymakers to heed their advice, bringing together broad coalitions of stakeholders
from both the public interest and the private sector and emphasizing the technical, legal, and economic impacts of
phenomenon collateral freedom, which refers to the fact that, When crucial business activity is inseparable from
Internet freedom, the prospects for Internet freedom improve.191
human rights have certainly benefited from the rapid expansion of encryption in the
past two decades.
including the United States, are trying to institute restrictions on encryption, arguing that it jeopardizes their efforts
to protect national security and bring criminals to justice. [Although law enforcement is asking for "indulgence on
the subject of encryption," cloud providers, mobile device manufacturers, and lawmakers aren't ready to oblige. See
"States should promote strong encryption and anonymity" [emphasis added]. Some of the reasons it's so important:
The report points out that while freedom of expression gets plenty of attention,
greater attention must be paid to freedom of ideas, because "the mechanics of
holding opinions have evolved in the digital age and exposed individuals to
significant vulnerabilities." Whereas ideas might once have just been stored in one's mind or jotted down
in a bedside diary or private letters, now ideas are scattered around places like browser
histories, e-mail archives, and mandatory surveys on web registration pages. Ideas
thus become concrete, instead of abstract, which changes the scope of surveillance,
criminalization, harassment, and defamation that can happen in relation to opinions.
Encryption and anonymity technology could help individuals protect their rights;
and by proxy, help the nations that are obligated to help them protect those rights.
The International Covenant on Civil and Political Rights not only protects individuals against "arbitrary or unlawful
interference with his or her privacy ... or correspondence" and "unlawful attacks on his or her honour and
reputation," it also states that everyone has the right to the protection of the law against such interference or
attacks. "Such protection must include the right to a remedy for a violation," the report states. "In order for the
right to a remedy to be meaningful, individuals must be given notice of any compromise of their privacy through,
for instance, weakened encryption or compelled disclosure of user data." The report also points out that some
countries base their censorship efforts on keyword searches, and that encryption enables individuals to avoid that
kind of filtering. "The trend lines regarding security and privacy online are deeply worrying," the report says. "States
often fail to provide public justification to support restrictions. Encrypted and anonymous communications may
frustrate law enforcement and counter-terrorism officials, and they complicate surveillance, but State authorities
have not generally identified situations even in general terms, given the potential need for confidentiality
where a restriction has been necessary to achieve a legitimate goal. States downplay the value of traditional nondigital tools in law enforcement and counter-terrorism efforts, including transnational cooperation ... "Efforts to
restrict encryption and anonymity also tend to be quick reactions to terrorism, even when the attackers themselves
are not alleged to have used encryption or anonymity to plan or carry out an attack." The UN Human Rights Council,
in the report, advises against any restrictions on encryption and anonymity technologies, but acknowledges that if
restrictions must happen, they meet several requirements: Any restriction must be "precise, public, transparent and
avoid providing State authorities with unbounded discretion to apply the limitation." Limitations must only be
justified to protect specified interests. States must prove any restriction is "necessary" to achieve and legitimate
objective, and release that restriction as soon as that objective is complete. By "necessary," the report means that
the restriction must be the least intrusive measure available and proportional to the severity of the objective.
Rights Watch, 7-8-2015, "Why encryption back doors threaten human rights,"
TheHill, http://thehill.com/blogs/congress-blog/technology/247145-why-encryptionback-doors-threaten-human-rights)
In recent years, pro-democracy and pro-human rights protesters from Egypt and Tunisia to Thailand and Hong Kong
have used social media and mobile phones to organize and broadcast their message to fellow citizens and the
Fear of heavy
monitoring and the reprisals that can follow has led human rights activists to adopt
services that support encryption. To them, encryption is a critical security tool to
avoid being identified, arrested, harassed, or worsemerely for criticizing
government policy. The U.S. government supports Internet freedom abroad as a pillar of its human rights
world. But governments are ratcheting up their surveillance capabilities in response.
foreign policy. In recognition of the link between encryption and human rights, Congress has appropriated over $125
million to the State Department and US AID since 2008 to promote Internet freedom, including through programs
counterterrorism division, testified before the House Committee on Homeland Security that technology companies
like Apple and Google should prevent encryption above all else because terrorists are increasingly using the
companies secured tools to shield communications and access to their activity is going dark. Privacy, above all
other things, including safety and freedom from terrorism, is not where we want to go, Steinbach said. FBI Director
James Comey is likely to make the same argument before two hearings at the Senate Judiciary and Intelligence
uprisings, Facebook, a crucial platform for the activists, began receiving reports that Tunisian Facebook accounts
had been compromised or deleted. Facebook soon discovered that the government had launched a large-scale
attack to steal social media passwords of activists and journalists and access their private communications and
contacts. So Facebook turned to encryption, enabling HTTPS, a secure communication protocol, automatically to
thwart the attack in Tunisia. Facebook now deploys HTTPS automatically for its 1.4 billion users. In 2014, Apple and
Google announced they would go further and begin encrypting data stored on mobile devices used by activists
worldwide, with even the companies unable to decrypt locally stored data. WhatsApp, a group chat application, is
also rolling out end-to-end encryption for its 800 million users. These measures can help protect the safety of
protest organizers in places like Hong Kong, Thailand, and the Middle East, along with millions of other, even if they
The FBI insists that they dont want a back door into secured
services, but rather a requirement that companies design their services so they can
still decrypt data with a lawful court order. But whatever label you use, the nearly
universal view within the digital security community is that there is no technical
solution that would allow the FBI to decrypt all communications, but wouldnt leave
may not realize it.
internet users exposed to actors (government and non-government) that would try
to uncover that vulnerability for malicious purposes. Repressive regimes will exploit
back doors to identify troublemakers and throw them in jail. And if the FBI forces
tech companies to weaken their security, then why wouldnt every other
government demand the same, including those that equate dissent with terrorism .
How comfortable would we be if Russia, China, and Saudi Arabia had back door access to Apple and Google
devices? Indeed, China has already started down this road in a counter-terrorism bill introduced earlier this year
about a report issued yesterday by panel of other distinguished cryptographers and privacy experts. The report and
Kochers commentary make good arguments for caution before granting backdoor powers to law enforcement
disadvantage selling anywhere outside the U.S., Kocher says, and asks whether a potential corporate customer in
A law requiring
backdoors for products used in the U.S. and authorizing use of those backdoors
would likely inspire similar laws in other countries , he says. Potential decryption of
private-message content would quickly broaden . Given the international nature of product
Germany want to buy encryption technology that the FBI could defeat. Probably not.
manufacture, distribution, use and movement after sale, a simple email could fall subject to multiple jurisdictions.
Kochers example: A Gmail sent to Japan from France by a laptop bought in Canada and made in China could be
subject to decryption by law enforcement in five different countries. Technical challenges to create products that
meet requirements of multiple laws would be daunting. Legal decryption of communications would force bad actors
to avoid using the technology. They would build their own, backdoor-free technology readily available how-to
resources, Kocher says. That would violate proposed laws, but theyre already engaged in criminal activity so whats
browsed supposedly secure websites vulnerable to hacking for over a decade was the fault of a US ban on strong
Encryption and
anonymity, separately or together, create a zone of privacy to protect opinion and belief .
For instance, they enable private communications and can shield an opinion from
outside scrutiny, particularly important in hostile political, social, religious and legal environments. Where
States impose unlawful censorship through filtering and other technologies, the use of encryption and
anonymity may empower individuals to circumvent barriers and access information
and ideas without the intrusion of authorities. Journalists, researchers, lawyers and civil society rely
business proprietary documents and investigations into online crime itself.4 12.
on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and
The ability to search the web, develop ideas and communicate securely
may be the only way in which many can explore basic aspects of identity, such as
ones gender, religion, ethnicity, national origin or sexuality. Artists rely on encryption and
anonymity to safeguard and protect their right to expression, especially in situations where it is not
only the State creating limitations but also society that does not tolerate
unconventional opinions or expression.
harassment.
right to freedom of opinion and expression, clinical professor of law at the University
of California, Irvine, 5-22-15, Report of the Special Rapporteur on the promotion
and protection of the right to freedom of opinion and expression UN Human Rights
Council, Twenty-ninth session https://www.scribd.com/doc/266938105/A-HRC-29-32AEV
A. Privacy as a gateway for freedom of opinion and expression
16. Encryption and anonymity provide individuals and groups with a zone of privacy
online to hold opinions and exercise freedom of expression without arbitrary and
unlawful interference or attacks. The previous mandate holder noted that the rights
to privacy and freedom of expression are interlinked and found that encryption
and anonymity are protected because of the critical role they can play in securing
those rights (A/HRC/23/40 and Corr.1). Echoing article 12 of the Universal
Declaration of Human Rights, article 17 of the International Covenant on Civil and
Political Rights specifically protects the individual against arbitrary or unlawful
interference with his or her privacy, family, home or correspondence and unlawful
attacks on his or her honour and reputation, and provides that everyone has the
right to the protection of the law against such interference or attacks. The General
Assembly, the United Nations High Commissioner for Human Rights and special
procedure mandate holders have recognized that privacy is a gateway to the
enjoyment of other rights, particularly the freedom of opinion and expression (see
General Assembly resolution 68/167, A/HRC/13/37 and Human Rights Council
resolution 20/8).
17. Encryption and anonymity are especially useful for the development and sharing
of opinions, which often occur through online correspondence such as e-mail, text
messaging, and other online interactions. Encryption provides security so that
individuals are able to verify that their communications are received only by their
intended recipients, without interference or alteration, and that the communications
they receive are equally free from intrusion (see A/HRC/23/40 and Corr.1, para. 23).
Given the power of metadata analysis to specify an individuals behaviour, social
relationships, private preferences and identity (see A/HRC/27/37, para. 19),
anonymity may play a critical role in securing correspondence. Besides
correspondence, international and regional mechanisms have interpreted privacy to
involve a range of other circumstances as well.8
18. Individuals and civil society are subjected to interference and attack by State
and non-State actors, against which encryption and anonymity may provide
protection. In article 17 (2) of the International Covenant on Civil and Political
Rights, States are obliged to protect privacy against unlawful and arbitrary
interference and attacks. Under such an affirmative obligation, States should ensure
the existence of domestic legislation that prohibits unlawful and arbitrary
interference and attacks on privacy, whether committed by government or nongovernmental actors. Such protection must include the right to a remedy for a
violation.9 In order for the right to a remedy to be meaningful, individuals must be
given notice of any compromise of their privacy through, for instance, weakened
encryption or compelled disclosure of user data.
Democracy Promotion
Cybersurveillance hurts promotion of democracy.
NaM, 2015
MoiseS , distinguished fellow at the Carnegie Endowment for International Peace,
chief international columnist for El Pas, Spains largest newspaper, 9-11-2001, "Why
Cyber War Is Dangerous for Democracies," Carnegie Endowment for International
Peace, http://carnegieendowment.org/2015/06/25/why-cyber-war-is-dangerous-fordemocracies/ib20
Maybe so. I am glad that my privacy is now more protected from meddling by U.S. and European democracies. But
frankly,
cite just four recent examples: Hackers have stolen personal information from 83 million JPMorgan Chase accounts,
56 million Home Depot payment cards, 110 million Target customer records, and 80 million accounts belonging to
Anthem, one of Americas largest health-insurance companies. Our information systems are attacked multiple
times a day, every day, the president of one of the worlds largest electricity companies told me. Nowadays, he
added, We spend 10 times more protecting ourselves from cyber attacks than we did three years ago. And despite
recent Verizon report on data breaches in the United States, the main victims are the government and the financialservices and information and technology industries, with the healthcare sector, and especially hospitals and health-
example, the U.S. Justice Department indicted five Chinese military hackers for computer hacking, economic
espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products
industries. The U.S. military is also active in cyberspace and surely trying to breach the cyber defenses of other
governments. But in contrast to their rivals in China or Russia, U.S. companies cannot rely on their nations spy
agencies to steal the commercial secrets of foreign competitors. The 9/11 attacks popularized a concept that until
then was mostly found in reports by war planners or in academic texts on geopolitics: asymmetric warfare. Its the
kind of conflict in which one side has far less power and resources than the other, but still manages to score
important victories and may even win the war. Al-Qaeda was far weaker than the United States, but by using
disruptive tactics and unconventional tools (suicide bombers, box cutters, and jetliners) succeeded in inflicting
Free Expression
Backdoors undermine freedom of expression the plan solves.
Bankston,2015
Hearing on Encryption Technology and Possible U.S. Policy Responses Statement
of Kevin S. Bankston Policy Director of New Americas Open Technology Institute &
Co-Director of New Americas Cybersecurity Initiative Before the U.S. House of
Representatives Subcommittee on Information Technology of the Committee on
Oversight and Government Reform April 29, 2015
https://static.newamerica.org/attachments/2982-at-crypto-hearing-best-argumentsagainst-backdoor-mandates-come-from-members-of-congressthemselves/Bankston_Written_Testimony.5876d326c5fc4e0cbd17b59e8d53384f.pdf
It would threaten First Amendment rights here and free expression around the
world. Repeated court challenges to export controls on encryption during the Crypto Wars illustrate how any
7.
attempt by the government to limit the distribution of encryption software code, which is itself speech, would raise
serious First Amendment concerns. As one federal district court held when considering a First Amendment challenge
to 90s-era encryption export controls, This court can find no meaningful difference between computer language
and German or French. All participate in a complex system of understood meanings within specific communities {in
this case, that of programmers and mathematicians}.... Contrary to defendants' suggestion, the functionality of
language does not make it any less like speech.... Instructions, do-it-yourself manuals, recipes, even technical
information about hydrogen bomb construction, are often purely functional; they are also speech.57 The Ninth
Circuit Court of Appeals agreed, holding that the challenged encryption export regulations constituted a prior
restraint on speech that offends the First Amendment. 58 Therefore ,
must assume that their online communications are not secure but may instead be acquired by the U.S. government
or by anyone else who might exploit an encryption backdoor, they will be much less willing to communicate freely.
against-backdoor-mandates-come-from-members-of-congressthemselves/Bankston_Written_Testimony.5876d326c5fc4e0cbd17b59e8d53384f.pdf
It would encourage countries with poor human rights records to demand backdoor
access of their own. The governments of countries like China, India, and the United
Arab Emirates have proposed a variety of measures that would require companies to
implement key escrow systems or other forms of backdoors or stop doing business in those
countries, proposals that the United States government has criticized . Yet how can
the United States credibly criticize, for example, the Chinese government for proposing
an anti-terrorism bill that would require U.S. companies to hand over their
encryption keys, if we impose a similar requirement here at home? And how are U.S.
8.
companies to argue that they cannot implement such requirements and hand over the keys to foreign governments
even those with a history of human rights abusesif they have already had to do so for the U.S. government? As
multinational
companies will not be able to refuse foreign governments that demand [the same]
access. Governments could threaten financial sanctions, asset seizures, imprisonment of employees and
Marc Zwillinger has pointed out, if the U.S. mandates backdoor access to encrypted data,
prohibition against a companys services in their countries. Consider China, where U.S. companies must comply
with government demands in order to do business.
Totalitarianism
Totalitarianism
Assange, 2012
Julian Assange, an Australian computer programmer, publisher and journalist.
Editor-in-chief of the website WikiLeaks. Jacob Appelbaum, American independent
journalist, computer security researcher and hacker. A core member of the Tor
project; Andy Muller-Maguhn, member of the German hacker association Chaos
Computer Club; Jrmie Zimmermann, French computer science engineer cofounder of the Paris-based La Quadrature du Net, a citizen advocacy group
defending fundamental freedoms online. Cypherpunks: Freedom and the Future of
the Internet. Singapore Books, 2012.
JULIAN: But it just happens to be a fact about reality, such as that you can build atomic bombs, that there are math
problems that you can create that even the strongest state cannot break. I think that was tremendously appealing
to Californian libertarians and others who believed in this sort of democracy locked and loaded idea, because here
was a very intellectual way of doing itof a couple of individuals with cryptography standing up to the full might of
protection of top secret US military communications, and if there was some kind of back-door in them soon enough
the Russians or the Chinese would find it, with severe consequences for whoever made the decision to recommend
an insecure cipher. So the ciphers are fairly good now, were pretty confident in them. Unfortunately you cant be
youre a security expert its very hard to actually secure a computer. But cryptography can solve the bulk
interception problem, and its the bulk interception problem which is a threat to global civilization. Individual
targeting is not the threat. Nevertheless, I have a view that we are dealing with really tremendously big economic
that have gone into the cave, or traditional tribes-people who have none of the efficiencies of a modern economy
so their ability to act is very small. Of course anyone can stay off the internet,
but then its hard for them to have any influence . They select themselves out of being influential
by doing that. Its the same with mobile phones; you can choose not to have a mobile
phone but you reduce your influence. Its not a way forward.
and
Hacktivism good
Invasion of internet freedoms impairs hacktivist groups which
are key to tackling oppressive regimes.
Jornod 14
omens of governmental
behavior oscillating between incapacity to react and brutal repression, take shape in
the Hacktivismo Declaration. This group is an offshoot of the organization Cult of the Dead Cow,
which bases its hacktivism on the observation of a governmental attitude that is
hostile toward freedom on the web. The group states that it defends rights
mentioned in the Universal Declaration of Human Rights and applied to the internet,
like the right to information and to freedom of opinion and expression. This will to
act forces states to face their own commitments and their relative incapacity to
respect them. The values defended by hacktivist movements are actually more or less the same from one
group to another. The defense of personal freedom characterizes these individuals motivation. As they realize
the potential of their knowledge, they refuse to remain idle before the inertia of the
State. The Germans from the Chaos Computer Club promote freedom of
information, transparency in governments, and communication as a human right.
Telecomix distinguished itself by protecting freedom of expression throughout the
Arab Spring. In particular, it made it possible to preserve the digital imprint of these
revolutions. The Internet can no longer be considered , in an oversimplified way, as just
another place, as an emerging heterotopia, isolated from the rest of the world. It should be
perceived as a continuation of reality, where all extend their identity and have the
right to the same protection of their freedom. The hacktivists computer knowledge
enables them to control the network of a whole country (as with the hijacking of the
entire Syrian network by Telecomix in September 2011, in order to show the Syrians
how to bypass censorship). This knowledge applied to defending common values gives them a
new potentiality of political action. Voices are raised in unity against censorship and
oppression, ready to defy any kind of tyranny and fight for the freedom of each and
every person. The Internet, a potential place of repression, becomes a battlefield for the
defenders of freedom. This possible threat gives power to the crypto-anarchist
movement. Beyond rejecting the governmental entity, it calls for the use of
cryptography to make individuals knowledge inaccessible and stop feeding the power of a
minority. Crypto-anarchism calls for even stronger anonymity on the web, in order to
protect private life. Beyond the questionable promotion of an almost complete anonymity on the internet
network if the latter is considered as a continuation of reality the tools developed and used by the
movement (like GNU privacy guard, which ensures the confidentiality of communications) were
particularly relevant in the conflicts of the Arab Spring. The use of cryptography
allows some revolutionaries to escape the heavy-handed repression of their
authorities, who attempt to control or even crush the hackers free thought. These
governments and to share with the world the abuses suffered. The relevance of these
coded communications made it possible to mobilize international opinion and
organize resistance, like in Egypt or Syria, where the governments, no longer aware of their
citizens activities, could not accurately target their actions anymore and stop them from
happening. The promotion of cryptography and anonymity has a very particular application in the Anonymous
movement*. The political action of Anonymous takes a different form , as it is no longer possible to
discern with accuracy a groups way of thinking or outer limit. Anonymous is everyone, and everyone
is Anonymous. The authorities, flustered by this structure or lack thereof uselessly attempt to
annihilate a so-called destabilizing and threatening group . Bewildered governments flail about
in vain, as the contemptuous lulz of Anonymous rain down upon them. Anonymous is no hacktivist
group. Anonymous is a hacktivist consciousness. Across ideologies and frontiers,
Anonymous echoes the nebulous fury of individuals who refuse to be told what to do
by a self-interested elite, to acknowledge the impunity of the state or to suffer
infringements of their liberty, and who claim: We know, therefore we can. We can,
therefore we know. Fear us! Foucaults hypothesis of the panopticon (see our previous
article on hacktivism) seems to have been reversed.
Jumpstarting a Human Rights Jurisprudence for the Internet, JUNE 03, 2011,
https://cdt.org/blog/jumpstarting-a-human-rights-jurisprudence-for-the-internet/
Today, the UN Special Rapporteur on freedom of opinion and expression Frank La Rue presented his
report on freedom of expression and the Internet to the Human Rights Council in
Geneva (see CDTs official statement on the report). The report declares that the Internet is one
of the most powerful instruments of the 21st century for increasing transparency in
the conduct of the powerful, access to information and for facilitating active citizen
participation in building democratic societies, in part due to its unique architectural
characteristics. The report also reaffirms the full applicability of Article 19 of the Universal Declaration of Human
Rights and the ICCPR to the Internet, a technology that has become increasingly essential to many aspects of daily
Rapporteur held five regional consultations with Internet experts, human rights defenders, and new media
journalists to better understand their experiences and priorities in different countries. I had the pleasure and
privilege of attending these consultations and hearing firsthand the challenges faced by Internet activists and
Old-fashioned techniques of
violence and intimidation of Internet writers, expanded criminalization of expression
(often aggravated by the Internets borderless nature), and increasing Internet
filtering continue to present barriers to expression . But participants also expressed how
intermediary liability laws, cyberattacks, unreasonable surveillance, and inadequate
data privacy protections both in law and in practice among online service
providers create very real chilling effects on expression and association. Participants
human rights defenders using networked technologies in their daily work:
also wanted to know whether and how companies who provide the platforms for their activism will respond to
government demands to censor expression or violate individual privacy. And of course ,
meaningful access
to ICTs remains a serious barrier to billions. But many open questions remain about how to apply
and interpret existing human rights norms in light of these new challenges. The Rapporteurs report documents
these trends, situates them within existing human rights jurisprudence, and makes a number of recommendations
consultations, I was also the focus of many questions at the consultations about how western democratic nations
are beginning to regulate the Internet. Will the US enforce meaningful rules to promote Internet neutrality? Will the
US expand CALEA-like technology mandates to enable surveillance of new kinds of online communications tools?
And will other countries follow Frances lead in enacting graduated response laws that could lead to disconnection
of Internet access for copyright violations? Even in regions where Internet penetration rates are at their lowest,
advocates were worried about what kind of Internet they would have access to once the infrastructure was in place,
To ensure the
broadest extension of human rights protections, stakeholders must continue to put
forth progressive interpretations of human rights norms for the digital age.
expression, the Internet also facilitates the realization of a range of other human rights.
remain unclear, however, in part because the available inequality and discrimination data are insufficient for
reliable cross-national analysis. Abuses of personal integrity rights are closely associated with conflict escalation.
The causal link between repression and conflict seems strong, although other political
factors are crucial. Denial of political participation rights is a conflict risk factor insofar
that established democracies experience less conflict , but it is unclear whether the causal link
between intermediate regimes and conflict is repression, or instability, or something else. The association between
democracy and domestic peace does not mean, however, that democratization necessarily reduces conflict, since
regime transition is also a major risk factor. Indeed, stable autocracies experience less political violence on average
than democratizing countries. Possible remedies for these risk factors are complicated, since some remedial
discrimination and group rights can, under certain circumstances, avert conflict. Democratization, moreover, may
do more harm than good. Even efforts to restrain the states appetite for repression can backfire and contribute to
conflict, by creating intermediately repressive regimes that are too harsh to accommodate dissent, but insufficiently
building efforts cautiously and in conjunction with efforts to reduce the political uncertainties associated with
regime transition. Finally, it is clear that more research and data development is needed to answer the questions
posed in this article. Review of the literature suggests that systematic research is required on the conflict
implications of inequality, discrimination, and violations of economic and social rights. Importantly, researchers
urgently need better comparative indicators of economic and social rights, and state discrimination. More research
is needed on the human rights and conflict implications of regime transition, state-building, and governance reform.
crises. When rights to adequate food, housing, employment, and cultural life are denied, and large groups of people
are excluded from the society's decision-making processes, there is likely to be great social unrest. Such
conditions often give rise to justice conflicts, in which parties demand that their
basic needs be met. Indeed, many conflicts are sparked or spread by violations of human rights. For
example, massacres or torture may inflame hatred and strengthen an adversary's determination to continue
Violations may also lead to further violence from the other side and can
contribute to a conflicts spiraling out of control. On the flip side, armed conflict often
leads to the breakdown of infrastructure and civic institutions, which in turn
undermines a broad range of rights. When hospitals and schools are closed, rights to adequate health
fighting.
and education are threatened. The collapse of economic infrastructure often results in pollution, food shortages,
institutions results in denials of civil rights, including the rights to privacy, fair trial, and freedom of movement. In
many cases, the government is increasingly militarized, and police and judicial systems are corrupted. Abductions,
In cases
where extreme violations of human rights have occurred, reconciliation and
peacebuilding become much more difficult. Unresolved human rights issues can
serve as obstacles to peace negotiations.[ 22] This is because it is difficult for parties to move
arbitrary arrests, detentions without trial, political executions, assassinations, and torture often follow.
toward conflict transformation and forgiveness when memories of severe violence and atrocity are still primary in
their minds.
End-to-end user encryption makes it much harder for the FBI or the NSA to intercept
users communications as they pass through the communication provider or device manufacturer,
forcing would-be eavesdroppers to bug individual devices of targeted users. Other
encryption tools, such as TOR, mask individual IP addresses, helping users to communicate anonymously on the
If Comey is able to convince lawmakers to force Google and Apple to give the
FBI backdoors into their encryption tools, people working against governments in
places like Iran could face arrest or worse. FBI backdoor in encryption used in many
essential online services available to Iranians, such as Gmail, could provide reason
to censor such services in favor of Iranian alternatives, which would offer far less
protection of user privacy and security, Fereidoon Bashar, an Iranian expatriate and
Web.
one of the directors of the site ASL19 told Defense One in an email. ASL19 is a technology lab that provides
End-to-end user encryption makes it much harder for the FBI or the NSA to intercept
users communications as they pass through the communication provider or device manufacturer,
forcing would-be eavesdroppers to bug individual devices of targeted users. Other
encryption tools, such as TOR, mask individual IP addresses, helping users to communicate anonymously on the
If Comey is able to convince lawmakers to force Google and Apple to give the
FBI backdoors into their encryption tools, people working against governments in
places like Iran could face arrest or worse. FBI backdoor in encryption used in many
essential online services available to Iranians, such as Gmail, could provide reason
to censor such services in favor of Iranian alternatives, which would offer far less
protection of user privacy and security, Fereidoon Bashar, an Iranian expatriate and
Web.
one of the directors of the site ASL19 told Defense One in an email. ASL19 is a technology lab that provides
centrality of digital communication, has increasingly focused its attention on controlling online content as well. It
blocks millions of websites, monitors and hacks into private citizens online communications, is intensifying its
development of the countrys National Intranet and other tools that will give the authorities control over Internet
access inside Iran, criminalizes the use of social media, and targets IT and social media professionals for
Sattar Beheshti within a few days of his detainment in November 2012, refects the perceived stakes in this
battle.21
of juvenile offenders. "At least 160 juvenile offenders were reportedly on death row as at December 2014," while
eight individuals "below the age of 18 at the time of their offence were reportedly executed in 2014." The UN report
noted that "in the majority of cases that involve capital punishment, due process guarantees were often violated in
proceedings that fell short of international fair trial standards," while expressing concern "about a number of death
about 48,580 girls between the age of 10 and 14 were married; and in 2012, there were at least 1,537 girls under
the age of 10 who were reportedly married." The report also drew attention to the plight of women in Iran, where
66 per cent of whom "had reportedly experienced domestic violence. " "According to
article 1117 of the Civil Code, a husband may prevent his wife from occupations or technical work deemed
incompatible with family interests or his own dignity or that of his wife. The law may even prevent women from
10 days and two months, or a fine. "Approximately 30,000 women were reportedly arrested between 2003 and
2013, with many others subjected to expulsion from university or banned from entering public spaces, such as
protestors who had gathered in front of parliament on October 2014 to denounce recent acid attacks against
women for allegedly wearing improper hijab. "Journalists and activists were detained, including members of the Iran
Human rights
campaigners were also reportedly being targeted by the Iranian authorities, as the
report noted a "shrinking space for human rights defenders, who continue to risk
harassment, intimidation, arrest and prosecution for defending rights and speaking
up against violations and abuse." Some of them were sentenced to prison terms ranging from six
Student News Agency, who were reportedly interviewing victims and photographing the protest."
months to more than 20 years, while "one individual was sentenced to 50 lashes, and another to death. Many of the
trials had been marred by procedural irregularities, including deprivation of legal representation and exclusion from
attending ones own sentencing." The UN expressed concern at reports about the situation of religious and ethnic
minorities in Iran. "Members
The technology has also been used -- by both sides in the war -- as a modern means of disseminating old-fashioned
CyberWar
Cyber War
Cyberwar goes global.
Gerwitz 2015
David Gerwitz CBS Interactives Distinguished Lecturer, U.S. policy advisor, and
computer scientist Instructional faculty at the University of California, Berkeley , 622-2015, "Why the next World War will be a cyberwar first, and a shooting war
second," ZDNet, http://www.zdnet.com/article/the-next-world-war-will-be-acyberwar-first-and-a-shooting-war-a-distant-second/?
utm_content=buffer1ac68&utm_medium=social&utm_source=twitter.com
&utm_campaign=buffer
Everything we do revolves around the Internet. Older technologies are finding themselves
eclipsed by their Internet-based substitute solutions. Even technologies historically unrelated to networking (like
medical instruments) are finding themselves part of the Internet, whether as a way to simply update firmware, or
using the network to keep track of telemetry and develop advanced analytics. Whether we're talking about social
networking, financial systems, communications systems, journalism, data storage, industrial control, or even
anger. When a war begins, the initial aggressor wants something, whether to own a critical path to the sea or
strategic oil fields, or "merely" to cause damage and build support among certain constituencies. At first, the
defender defends, protecting whatever has been attacked. Over time, however, the defender also seeks strategic
benefit, to not only cause damage in return, but to gain footholds that will lead to an end to hostilities, a point of
leverage for negotiation, or outright conquest. Shooting wars are very expensive and very risky .
Tremendous amounts of material must be produced and transported, soldiers and sailors must be put into harm's
way, and incredible logistics and supply chain operations must be set up and managed on a nationwide (or multi-
possible to conduct a cyberwar without the victims knowing (or at least being able to prove) who their attackers
are. Cyberwar can be brutal, anonymous -- and profitable. One of the big reasons the U.S. won
the Cold War (and scored highly in many of its other conflicts) is because it had the economic power to produce
goods for war, whether capital ships or food for troops. A economically strong nation can invest in weapons R&D,
creating a technological generation gap in terms of leverage and per-capita effectiveness compared to weaker
the playing field, forcing highly connected nations to thrash, to jump at every digital shadow while attackers can coopt the very resources of the defending nation to force-multiply their attacks. Sony is still cleaning up after the hack
that exposed many confidential aspects of its relationship with stars and producers. Target and Home Depot lost
millions of credit cards. The Snowden theft, while not the result of an outside hack, shows the economic cost of a
national security breach: nearly $47 billion. Cyberwar can also cause damage to physical systems, ranging from
electric power stations to smart automobiles. And when a breach can steal deeply confidential information of a
government's most trusted employees, nothing remains safe or secret. The U.S. Office of Personnel Management
was unwittingly funneling America's personnel data to its hackers for more than a year. Can you imagine? We think
China was responsible for the OPM hack. Despite the gargantuan nation's equally gargantuan investments in
America (or, perhaps, because of them), China has been accused of many of the most effective and persistent
penetrations perpetrated by any nation. Providing additional reason to worry, Russia and China have recently inked
an agreement where they agreed to not launch cyberattacks against each other. They have also agreed to share
cyberwarfare and cyberdefense technology, creating an Asian axis of power that can split the world in half.
On
the other side of the geopolitical spectrum are the American NSA and British GCHQ, two
organizations who share signals intelligence and -- if the screaming is to be believed -- spy as much upon
their own citizens as enemies of the state . It is important to note that the destabilization of Allied
intelligence can be traced to Edward Snowden, who ran to and is currently living in Russia after stealing a vast trove
of American state secrets. Ask yourself who gained from the Snowden affair. Was it America? No. Was it Snowden?
Not really. Was it Russia? You betcha. China, of course, supplies us with most of our computer gear. Every iPhone
and every Android phone, nearly all our servers, laptop computers, routers -- heck, the entire technological core of
American communications -- has come from China. The same China that has been actively involved in breaching
American interests at all levels. Russia and China. Again and again and again. In the center of all this is the main
body of Europe, where the last two incendiary world wars were fostered and fought. Nations fall when they are
economically unstable. Greece is seeing the writing on the wall right now. It is but one of many weak European
Union members. Other EU members are former Soviet states who look eastward towards Putin's Russia with a
mixture of fear and inevitability. This time, Germany isn't the instigator of unrest, but instead finds itself caught in
the middle -- subject to spying by and active in spying on its allies -- the only nearly-super power of the EU.
Financial systems are hit and we suffer a recession worse than the
Great Recession of 2008-2009. Our budget for just about everything (as well as our will) craters.
Industrial systems (especially those that might post a physical or economic threat to our attacker) are hit
next. They are shut down or damaged in the way Stuxnet took out centrifuges in Iran. Every step America takes to
and financial systems.
respond is anticipated by the enemy -- because the enemy has a direct pipeline to every important piece of
communication America produces, and that's because the enemy has stolen enough information to corrupt an army
of Snowdens. While this is all going on, the American public is blissfully in the dark. Citizens just get angrier and
angrier at the leadership for allowing a recession to take hold, and for allowing more and more foreigners to take
Europe, which has always relied on America to keep it propped-up in the worst of times, will be
on its own. Russia will press in from the north east. ISIS will continue to explode in
the Middle East. China will keep up its careful dance as it grows into the world's leading economic power.
India, second in size only to China and a technological hotbed itself, remains a wild card, physically
surrounded by Europe, the Middle East, China, and Russia. India continues to live in
conflict with Pakistan, and with Pakistan both unstable and nuclear-tipped, Indo-Pak,
too, is on the precipice. A world war is about huge nations spanning huge
geographic territories fighting to rewrite the map of world power . Russia,
China, ISIS (which calls itself the Islamic State), India, Pakistan, the US, the UK, and all of the
strong and weak members of the EU: we certainly have the cast of characters for
another global conflict. I could keep going (and, heck, one day I might game the full scenario). But you can
see how this works. If enemy nations can diminish our economic power, can spy on our
strategic discussions, and can turn some of our key workers, they can take us out of
the battle -- without firing a single shot.
American jobs.
One important caveat to the foregoing discussion of the lack of data is in order: We should understand that this
data (and the attendant conclusions) are only relevant to the extent that the analysis is generally limited to
assessing the economic impacts of cybercrime and cyber espionage. No fair estimate can be made about the
websites (like the website for Georgia's Ministry of Foreign Affairs) as well as website defacement. According to the
U.S. Cyber-Consequences Unit (a study group set up Ito access cyber events), the attacks were the work of civilians
who, though not directed by the Russian military, had advance knowledge of the attack so that they were able to
pre-plan and organize the cyber effort. The civilian hacktivists used social media to organize their efforts. It is
measuring aspects of threat, vulnerability, and consequence. The little data we have addresses, inferentially, the
We may also
collect some data about consequence, especially when the effect on the
infrastructure can be measured, but that data is difficult to quantify. What, for
example, were the consequences to society of the Anonymous attack on PayPal,
Mastercard, and Amazon? And, in the end, no solid data on the threat exists; we measure only
capabilities, and then only by educated guesswork. We have no clear sense of true intent. As a result, we lack a
solid quantifiable risk assessment of the cyber threat to national security and this
leaves policymakers only with a speculative guess as to the extent of our risk from a
cyber attack by a willful cyber opponent.
vulnerability aspect of that question; from intrusions, we can learn where the loopholes are.
For technology that was supposed to ignore borders, bring the world closer together, and sidestep the influence of
national governments, the Internet is fostering an awful lot of nationalism right now. We've started to see increased
concern about the country of origin of IT products and services; U.S. companies are worried about hardware from
China; European companies are worried about cloud services in the U.S; no one is sure whether to trust hardware
and software from Israel; Russia and China might each be building their own operating systems out of concern
The
major nations of the world are in the early years of a cyberwar arms race, and we're all being
hurt by the collateral damage. Our nationalist worries have recently been fueled by a media
frenzy surrounding attacks from China. These attacks aren't new -- cyber-security experts have been writing
about using foreign ones. I see this as an effect of all the cyberwar saber-rattling that's going on right now.
about them for at least a decade, and the popular media reported about similar attacks in 2009 and again in 2010 -and the current allegations aren't even very different than what came before. This isn't to say that the Chinese
attacks aren't serious. The country's espionage campaign is sophisticated, and ongoing.
And because they're in the news, people are understandably worried about them. But it's not just China.
International espionage works in both directions, and I'm sure we are giving just as good as we're getting. China is
certainly worried about the U.S. Cyber Command's recent announcement that it was expanding from 900 people to
almost 5,000, and the NSA's massive new data center in Utah. The U.S. even admits that it can spy on non-U.S.
called the "cyber sovereignty movement," and gained traction at the International Telecommunications Union
meeting last December in Dubai. One analyst called that meeting the "Internet Yalta," where the Internet split
between liberal-democratic and authoritarian countries. I don't think he's exaggerating. Not that this is new, either.
Remember 2010, when the governments of the UAE, Saudi Arabia, and India demanded that RIM give them the
ability to spy on BlackBerry PDAs within their borders? Or last year, when Syria used the Internet to surveil its
going on between countries ever since countries were invented. What moves public opinion is less the facts and
more the rhetoric, and the rhetoric of war is what we're hearing.
a severe loss of trust, not just amongst nation-states but between people and
nation-states. We know we're nothing more than pawns in this game, and we figure we'll be better off sticking
with our own country. Unfortunately, both the reality and the rhetoric play right into the
hands of the military and corporate interests that are behind the cyberwar arms
race in the first place. There is an enormous amount of power at stake here: not only power within
governments and militaries, but power and profit amongst the corporations that supply the tools and infrastructure
Wallace 14 (Ian Wallace, The Risks of Cyber Insecurity, The Fletcher Forum of
World Affairs, 8/17/14, Ian Wallace is a visiting fellow in cyber security with the
Center for 21st Century Security and Intelligence in the Foreign Policy program at
Brookings. He was previously a senior official at the British Ministry of Defence
where he helped develop U.K. cyber strategy as well as the U.K.s cyber relationship
with the United States. His research is focused on the international dimensions of
cyber security policy, including the implications of cyber for military forces and the
appropriate roles of the public and private sectors. Ian Wallace has written one
article for the Fletcher Forum. http://www.fletcherforum.org/2014/08/17/wallace/,
7/14/15 AV)
Around the world governments are experiencing a growing sense of cyber
insecurity. The threat is real, and few nations are adequately prepared . Progress is being
made. But the overall sense of insecurity still seems to be growing, not helped by the
light shone by Edward Snowden on to what is possible through this domain . Wherever
you stand on Snowden or any of the other vexed questions of international cybersecurity, it is hard to deny
the sense of vulnerability felt by many governments. And the trouble with
governments that feel scared, confused, and helpless is that, just like people, they
are prone to do foolish things. Three trends serve to illustrate this point: The first trend relates to a
tendency to over-militarize responses to overseas cyber threats. There is
undoubtedly an in extremis cyber defense role for the military, to prevent attacks
aimed at causing physical damage and loss of life. In fact, however, the worlds
most troublesome cyber operatorslike the groups responsible for the attacks to
the U.S. financial systemseem adept at calibrating their attacks in a way that falls
in the grey area above traditional law enforcement and below the justification for a
military response. By looking to militaries to defend this space though, governments risk missing the true
national security challenge of the information age: working out how the government can best support cyber
defenders working in the private sector. A second trend, which parallels the tendency to over-militarize
assumption that the security solutions of the last century will work for this century. True, cyber activity is at root a
comfortable with the new technologies, will be to adopt policies that help prevent or mitigate the fear and confusion
they engender. Some nations will seek to exploit that fear and confusion, and that will need to be managed too.
But that just makes it more important for countries that appreciate the
economic and social value of a free and open Internet to consciously seek
to ensure favorable conditions for it. No doubt for some, especially in national security
establishments of countries like the United States who see the threats more clearly than most, that will require
tough trade-offs. But it is a transition that must be made. The alternative may be worse.
Passcode: In your assessment, who are the main countries and/or players in a future
global conflict and what do their digital capabilities have to do with their chances at "winning" such a war? Are
a la the United States' Cyber Command. But just as there are over 100 Air Forces and only few able to carry out an
the number of countries able to fight a sustained cyber war is much more
limited. Youre talking less than 10, with the focus of the book being on the two big powers that have lined up
air war
against each other and are engaged in an arms race right now in both physical weapons like warships and now
cybercapabilities: The US and China. But it is not just the official states that matter. It could be Chinas massive
cyber militia tied into its universities. Or private companies that can play an active role in 21st century conflicts,
including in cyberspace, which means you might see new versions of Cyber Blackwaters." Or hacktivist collectives
such as Anonymous. In any case, they represent a very different kind of power than we saw the last time the great
powers went to war, and one that could be the key to winning or losing. Passcode: What does winning or losing,
for that matter look like in a future cyberconflict? Singer: Its a lot like any other conflict, using the tool to achieve
your aims and preventing your foe from reaching their goals. What is interesting, and scary, about cyberconflict is
how it allows certain trusted strengths to be turned into weaknesses, and how success or failure in this realm can
decide winning or losing in other realms. Passcode: People warn all the time about the potential of a "Cyber Pearl
Harbor." But countries have so far showed real restraint in the use of destructive or potentially fatal
cyberoperations. Science fiction aside, what do you think are the realistic chances we'll see a cyberattack of this
scale in the future? What kind of scenarios would you predict have to happen for the cyberespionage and hacks
we're seeing today to escalate to that level? Singer: Cows killed more Americans last year than ISIS. And the
hackers linked to the OPM breach only stole digital information rather than caused physical damage. But that
doesnt, however, mean that ISIS is not a real security risk in way that cows are not nor that there will never be
the global politics in the 2020s, or it could happen just because two warships accidentally scrape paint over some
reef in the South China Sea no one can find on a map.
Siboni et al 4-29 (Gabi Siboni, Daniel Cohen and Aviv Rotbart, THE IMPACT
OF CYBERSPACE ON ASYMMETRIC CONFLICT IN THE MIDDLE EAST Georgetown
Journal of International Affairs, 4/29/15, Dr. IDF-Colonel (Res.) Gabi Siboni is Senior
Research Fellow, Director of Military and Strategic Affairs Program, and Director of
the Cyber-Security Program at the Institute for National Security Studies (INSS) at
Tel Aviv University. He is also the editor of the Military and Strategic Affairs Journal
at the INSS. Dr. Siboni is the CEO of G. Bina Ltd., a consulting firm for cybersecurity
and operational and ICT risk management. http://journal.georgetown.edu/theimpact-of-cyberspace-on-asymmetric-conflict-in-the-middle-east/ , 7/14/15 AV)
The source of instability in the Middle East has changed. Non-state organizations are at
the fore of this change, as they grow significantly in potency and create enhanced security challenges previously
seen only among state actors. Hezbollah, for example, continues to grow stronger while building a powerful rocket
and missile arsenal. Its collaboration with Syria and Iran further augments instability by polarizing geopolitical
factions in the region. Hamas in 2014 found itself isolated but determined to continue military buildup in order to
maintain the struggle against Israel, particularly in the wake of Operation Protective Edge. Egypt under El-Sisi is
working to suppress the Muslim Brotherhood and Hamas, while jihadi and salafi organizations such as the Anssar
Bayt al-Maqdis cause the Egyptian army heavy losses on the Sinai Peninsula. Qatar, until recently a loyal Hamas
supporter, now turns its back on the group and has reportedly increased ties with Iran. Finally, Sunni jihadi
organizations led by the Islamic State (IS), have entered the governmental vacuum in Iraq and Syria and work to
establish a radical Islamic caliphate. As conflicts between states and non-state organizations become more
Asymmetrical warfare
has caused significant and detrimental impact to the stability of the Middle
East within the past few decades. A threat previously emanating from state
armies now includes non-state and terrorist organizations operating against
states, which diversify and complicate the regions threat matrix. The
increasing use of cyber weapons by non-state organizations also adds
complexity to the issue by obscuring attribution while attacking state
infrastructure. However, while the role of cyberspace is increasing in frequency and strength, it will
pervasive, the strategy of asymmetrical warfare has also increased in prevalence.
nevertheless continue to be a complementary field of operations in the asymmetric conflict in the Middle East, with
physical space occupying the main field of action. The concept of asymmetry between adversaries typically attests
to disparities in military power among forces. Small guerrilla forces attempt to damage, wear down, and disrupt the
activity of the regular army in the area without confronting it head-on due to relative military inferiority. In terms of
military tactics, state armies generally fight in an orderly framework while non-state organizations use guerrilla and
terror methods due to these disparities in overt power. Terrorist organizations attempt to decrease asymmetry in a
conflict by operating outside the constraints of international law. They use high-trajectory fire and commit war
crimes by indiscriminately firing on concentrations of civilians, causing high civilian damage. National armies, in
contrast, have a greater incentive to operate within international legal limitations due to the positive benefits
As the rise of
non-state actors and utilization of terrorist methods alter the nature of
conflict in the Middle East, cyberspace has similarly impacted asymmetrical
warfare. Cyberspace provides a broad platform for terrorist and non-state
organizations to act, and it particularly enables them to obscure the source
of an asymmetric attack. This is the result of a number of basic
characteristics unique to cyberspace. First, states are more exposed to
attacks in cyberspace than are non-state organizations. States generally
have a broader technological infrastructure than terrorist and non-state
organizations, and are thus affected via cyberattacks to a greater degree
than non-state organizations. Second, cyber capabilities are becoming more
afforded by abiding by treaties and diplomatic agreements that non-state actors do not share.
prevalent and accessible for use by non-state actors. Israel faces a number of terrorist
organizations that have developed significant cyber capabilities. During Operation Protective Edge, Israel
confronted Hamas cyberattacks that were allegedly backed by Iran. According to a senior Israel Defense Forces
(IDF) J6-C4I Corps officer, during the operation, there was an attack that was unprecedented in its scope and in the
quality of its targets. The attack was carried out against civilian Internet infrastructures in Israel and against the IDF
spokesmans Twitter account and the Home Front Commands web site. Some of the attacks were apparently
carried out by the Syrian Electronic Army (SEA), which is ostensibly believed to be an Iranian proxy for all intents
and purposes. Cyberattacks by Hamas are not new. They were carried out in previous rounds of fighting in the Gaza
Strip during the last seven years. Although the complexity and severity of these attacks has increased, they all had
a minimal impact. The lack of symmetry is also expressed in the difficulty for states, regardless of technological
expertise, to attack non-state organizations via cyberattack in a way that can produce anything but a marginal
effect in the overall battle outcome. It often seems that the lack of symmetry between states and organizations in
the resources allocated to military and security force-building creates an incentive for non-state organizations to
seek ways of operating in cyberspace where the cost-benefit ratio and price of entry are significantly lower.
However, we are unlikely to see the development of significant cyber capabilities by non-state organizations,
particularly those lacking support from states. [i] As we examine this issue, three significant capabilities become
requisite to carry out significant action in cyberspace. Intelligence capabilities. For a pinpoint action that can
create a significant effect, high-quality intelligence must be collected about the target. In order to introduce
malicious code without going through the Internet, human intelligence is needed and those who work for the
organization or any other authorized personnel will need to install the malware. Likewise via an internet-based
infiltration, intelligence-gathering and social engineering operations must be conducted to make computer
infiltration possible. High-level technological capability. Recent years show a proliferation in cyberattack capabilities, particularly in the
deep net where there is an illegal trade in services and tools for cyber-crime and cyber-fraud. However, developing technological tools for
attacking state infrastructures nonetheless requires an especially high level of technological capabilities that are based on the state technological
infrastructure and human resource development. Operational capabilities. Planning and commanding an operations that is aimed for significant
results requires a deep operational and organizational infrastructure such as: experienced operation officers, command and control capabilities
and covert and complex operation capabilities. Thus, it appears that it will take more time until independent terrorist organizations can produce a
significant operation in cyberspace. Nevertheless, we should remember that many countries direct, assist, and run terrorist and non-state
organizations as proxies in cyberspace. State-sponsored activity allows terrorist organizations to reduce the disparities in
these basic capabilities. In recent decades, the Middle East has been a global laboratory for examining asymmetric
conflicts. The area is full of non-state actors and various terrorist organizations fighting Israel. There are also Sunni
jihadist organizations, first and foremost Islamic State, which operates against the West and the other infidels.
The development of capabilities in cyberspace has not fundamentally changed the nature of the violent struggle,
which continues to be primarily a struggle that relies on physical and kinetic tools and methods. While cyberspace
gives these organizations further room to maneuver, its impact is not yet substantial, and currently we have not
seen significant results of a cyberattack. For example, none of the cyber operations by states and terrorist
organizations have created an effect that is even similar to that of a physical terrorist attack such as the September
proof of concept. Therefore, everything must be kept in proper proportion. While non-state actors use cyberspace as
a tool to balance asymmetrical conflict, their ability to launch an impactful cyberattack rests in the hands of statesponsorship. Until then, non-state organizations will have to rely on kinetic methods to upset the imbalance of
asymmetrical warfare.
Cyberterrorism Likely
Cyber insurgency is likely
Rosenzweig 13 (Paul Rosenzweig, 2013 Cyber warfare: how conflicts in
cyberspace are challenging America and changing the world, pg 49)
The same cannot, unfortunately, be said of cyber intrusions by nonstate actors. Unconstrained
by the limits of sovereignty, devoid of any territory to protect, and practically
immune from retaliation, these groups pose a significant danger to stability . We might
think of them as cyber terrorists, but perhaps a better conception is that of a cyber insurgent . A good way to
look at this is through the prism of the challenge to social and governmental
authority by WikiLeaks and its founder, Julian Assange, and its support by the hacktivist group Anonymous. Their
story is one of both enhanced information transparency and, more significantly for our purposes, the ability to
wage combat in cyberspace.
This description of the correlation of forces in cyberspace is, in many ways, congruent with similar analyses of the
physical world. Terrorists enabled by asymmetric power (IEDs and box cutters) have likewise challenged traditional
mailing a letter. The service provider acts as an electronic carrier that sends the message through routers and
disguise its locations by circuitous routing or by masking the message's source identification, similar to fudging a
unnecessary one. As the scope of conflicts in cyberspace develops, governments around the world will use all
techniques in their arsenal to exploit the weaknesses of the nonstate actors who are part of the threat.
Cyberterrorism Nuclear
Cyberterrorists could break into computers and launch an
attack on a nuclear statetriggers global nuclear war
Fritz 09
There are approximately 20,000 active nuclear weapons in the world. The vast
majority of these belong to the US and Russia, stemming from the Cold War.
Nuclear command and control has inherent weaknesses in relation to cyber warfare.
The concept of mutually assured destruction means a state must have the capability to launch
nuclear weapons in the event of a decapitating strike. This requires having nuclear weapons spread out
in multiple locations (mobility and redundancy), so an enemy could not destroy all of their
capabilities. Examples of this include land based mobile launch platforms and submarine-launched ballistic
state.
missiles (SLBM). This provides terrorists with multiple locations for attaining access to these weapons. Further,
under NATO nuclear weapons sharing, the US has supplied nuclear weapons to Belgium, Germany, Italy, the
control of the US, but the operational plans of terrorists may include items such as reconnaissance, social
engineering, and crossing borders which remain unique between states. The potential collapse of a state also
presents a challenge. Following the collapse of the Soviet Union, Belarus, Kazakhstan, and Ukraine were in
possession of nuclear weapons. These have since been transferred to Russia, but there was, and still is,
considerable concern over the security and integrity of those weapons, especially in the face of a destabilized
SLBMs increased this high pressure tension, as the ability of a submarine to sneak up close to a states border
use of computers in nuclear command and control, or lead to the introduction of fail-deadly and autonomous
systems. This chapter is by no means comprehensive, However it sheds some light on the operations of nuclear
command and control and the difficulties in defending those systems from cyber terrorism. Many of the details of
nuclear command and control are classified, so the information provided below may be outdated. However it points
towards a pattern, and there is no certainty these systems and procedures have been updated since entering open
source knowledge. Further, terrorists do not have to restrict themselves to unclassified data, and therefore may be
able to obtain up to date information. The United States The US employs a nuclear deterrence triad consisted of
nuclear-capable long range bombers, SLBMs, and land based intercontinental ballistic missiles (ICBMs), as well as
an arsenal of nonstrategic (tactical) nuclear weapons. US nuclear command and control covers a geographically
dispersed force with the US President, as Commander in Chief, being the highest authority in the decision to make a
nuclear launch. There is a hierarchy of succession in the event the President cannot perform this duty, such as if the
President were killed in an attack. Additionally, once the order to launch is given, it travels down a chain of
command; the President does not press the button, so to speak, nor is the President physically present at the
launch location. These locations would be targets in a nuclear war, so it is imperative that the leader not be there.
Additionally, multiple independent launch locations make this impossible (except for cases in which multiple
missiles are tied together in a Single Integrated Operational Plan). So it is theoretically possible to subvert this
control by falsifying the order at any number of locations down that chain of command. The infrastructure that
supports the President in his decision to launch nuclear weapons is the Nuclear Command and Control System
(NCCS). The NCCS must support situation monitoring, tactical warning and attack assessment of missile launches,
senior leader decision making, dissemination of Presidential force-direction orders, and management of
geographically dispersed forces (Critchlow 2006). Key US nuclear command centres include fixed locations, such
as the National Military Command Center (NMCC) and the Raven Rock Mountain Complex (Site R), and mobile
platforms, such as the E-4B National Airborne Operations Center (NAOC) and the Mobile Consolidated Command
Center (MCCC). The US seeks to integrate its nuclear forces into its vision of command, control, computers,
communications, intelligence, surveillance, and reconnaissance (C4ISR) hinting towards a greater reliance on
computer technology in maintaining and upgrading its nuclear force, not only to combat against Cold War style
nuclear war, but also against perceived emerging threats from China, Iran and North Korea. In particular the US
recognises these states potential to use nuclear weapons detonated at high altitude to create an electromagnetic
pulse (EMP). The threat of EMP was known during the Cold War, and a considerable amount of attention has been
paid to hardening nuclear systems (Critchlow 2006). The Minimum Essential Emergency Communications Network
(MEECN) links to the ICBMs, bombers, and submarine forces. Information widely available on the internet shows the
US is seeking to upgrade the MEECNs satellite communications capability through Advanced Extremely High
Frequency and the Transformational Communications Satellite programs. Cyber terrorists may use this knowledge to
research these new forms, or to expose weaknesses in the old system before upgrades are completed. Early
warning systems and communications are essential to assessing whether a nuclear launch has been made and
communicating the orders to launch a retaliatory strike. Falsifying the data provided by either of these systems
would be of prime interest to terrorists. Commands emanating from the NAOC for example, include Extremely High
Frequency and Very Low Frequency/Low Frequency links, and its activation during a traditional terrorist attack, as
happened on 9/11, could provide additional clues as to its vulnerabilities. Blogging communities have also revealed
that the 9/11 terrorist attacks revealed insights into the US continuity of operations plan as high level officials were
noted heading to specific installations (Critchlow 2006). One tool designed by the US for initiating a nuclear launch
is the nuclear football. It is a specially outfitted briefcase which can be used by the President to authorize a
nuclear strike when away from fixed command centres. The President is accompanied by an aide carrying the
nuclear football at all times. This aide, who is armed and possibly physically attached to the football, is part of a
rotating crew of Presidential aides (one from each of the five service branches). The football contains a secure
satellite communication link and any other material the President may need to refer to in the event of its use,
sometimes referred to as the playbook. The attack options provided in the football include single ICBM launches
and large scale pre-determined scenarios as part of the Single Integrated Operational Plan. Before initiating a
launch the President must be positively identified using a special code on a plastic card, sometimes referred to as
the gold codes or the biscuit. The order must also be approved by a second member of the government as per
the two-man rule (Pike 2006). In terms of detecting and analysing a potential attack, that is, distinguishing a
missile attack from the launch of a satellite or a computer glitch, the US employs dual phenomenology. This means
two different systems must be used to confirm an attack, such as radar and satellite. Terrorists trying to engage a
launch by falsifying this data would need to determine which two systems were being used in coordination at the
target location and spoof both systems. Attempting to falsify commands from the President would also be difficult.
Even if the chain of command is identified, there are multiple checks and balances. For example, doctrine
recommends that the President confer with senior commanders. The Chairman of the Joint Chiefs of Staff is the
primary military advisor to the President. However, the President may choose to consult other advisors as well.
Trying to identify who would be consulted in this system is difficult, and falsification may be exposed at any number
of steps. The 2006 Quadrennial Defense Review emphasizes that new systems of command and control must be
survivable in the event of cyber warfare attacks. On the one hand, this shows that the US is aware of the potential
danger posed by computer network operations and are taking action to prevent it. On the other hand, this shows
that they themselves see computer network operations as a weakness in their system. And the US continues to
research new ways to integrate computer systems into their nuclear command and control, such as IP-based
communications, which they admit, has not yet been proven to provide the high degree of assurance of rapid
The US nuclear
arsenal remains designed for the Cold War. This means its paramount feature is to
survive a decapitating strike. In order to do so it must maintain hair-trigger posture
on early warning and decision-making for approximately one-third of its 10,000
nuclear weapons. According to Bruce G. Blair, President of the Center for Defense Information, and a former
Minuteman launch officer: Warning crews in Cheyenne Mountain, Colo., are allowed only three
minutes to judge whether initial attack indications from satellite and ground sensors
are valid or false. Judgments of this sort are rendered daily, as a result of events as diverse as missiles being
message transmission needed for nuclear command and control (Critchlow 2006).
tested, or fired for example, Russias firing of Scud missiles into Chechnya peaceful satellites being lofted into
space, or wildfires and solar reflections off oceans and clouds. If an incoming missile strike is anticipated, the
president and his top nuclear advisors would quickly convene an emergency telephone conference to hear urgent
briefings. For example, the war room commander in Omaha would brief the president on his retaliatory options and
their consequences, a briefing that is limited to 30 seconds. All of the large-scale responses comprising that briefing
are designed for destroying Russian targets by the thousands, and the president would have only a few minutes to
pick one if he wished to ensure its effective implementation. The order would then be sent immediately to the
underground and undersea launch crews, whose own mindless firing drill would last only a few minutes (Blair 2003).
These rapid response times dont leave room for error. Cyber terrorists would not
need deception that could stand up over time; they would only need to be
believable for the first 15 minutes or so. The amount of firepower that could be
unleashed in these 15 minutes, combined with the equally swift Russian response,
would be equivalent to approximately 100,000 Hiroshima bombs (Blair 2008).
conducted in the 21st century, as is clearly demonstrated by recent revelations about the activities of the Chinese
Cybersecurity China
Chinas already attacking US systems- its only a matter of
time
Rosenzweig 13 (Paul Rosenzweig, 2013 Cyber warfare: how conflicts in
Indeed, recently, RSA completed its own analysis of the intrusion. At a conference in London in October 2011, their
Chairman said: There were two individual groups from one nation state, one supporting the other. One was very
2011 involving "joint information offensive and defensive operations:' According to the report ,
the People's
Liberation Army (PLA) is likely to focus its cyber targeting in a tactical way rather
than a strategic one. Thus, they estimate that an initial focus would be on
transportation and logistics networks or command-and-control systems just before an
actual conflict to try to delay or disrupt the United States' ability to fight. The capabilities being developed are
significant. in short, as the report concludes: "Chinese
India
India is unprepared for cyberattacks
Das 14 (Purba Das, India Unprepared For Cyber Warfare, Business Insider India,
10/16/14, Purba Das is a senior correspondent for Business Insider India,
http://www.businessinsider.in/India-Unprepared-For-CyberWarfare/articleshow/44834375.cms, 7/16/15 AV)
At a time when the world is preparing for possible cyber warfare, India is not fully prepared for cyber
attacks in defense and security. According to studies done by various research organizations, cyber attacks on
Indian government organizations rose by an alarming rate of 136% last year. "India is way behind the
international standards of defence against cyber attacks practiced across the world ,"
said Ashish Soni, founder and CEO of Orkash Services Pvt Ltd, a high technology, market intelligence and
operational risk management services company, at the 10 th Indo-US Economic Summit organized by Indo America
Chamber of Commerce (IACC). On the other hand, market reports suggested that the cyber attacks on financial
services organizations surged by 126% last year. "According to reports, sophisticated cyber assaults like
ransomware and spear-phishing has cost Indian individuals and companies some $4 billion," said Asoke K Laha,
National President of IACC. He added that the most common form of cyber threats includes malware and Internet
attacks among others. "Last year brought a marked increase in the frequency of cyber attacks on Indian assets,
systems was set up in 2004. It is primarily responsible for collection, analysis and alert of cyber security among
other. Another such agency is NCIIPC whose primary function is to protect critical information infrastructure against
cyber terrorism, warfare and other threats. "National Technical Research Organisation (NTRO) is a technical
intelligence agency which falls under National Security Adviser in the Prime Minister's Office while National Cyber
Coordination Centre is supposed to scan through the entire cyber traffic and alert government organization against
plausible cyber threats and attacks," stated Laha. Interestingly, India and the US have collaborated to cyber
terrorism and had set up India US Cyber Security Forum in 2001. In 2010, a new India-US Counter Terrorism
Cooperation Initiative was signed between the two countries to provide cyber security and critical infrastructural
protection.
Airplanes
Airplanes are susceptible to cyberattack
Pasztor 6-29 (Andy Pasztor, U.S. Panel Aims to Shield Planes From
Cyberattack, The Wall Street Journal, 6/29/15, http://www.wsj.com/articles/u-spanel-aims-to-shield-planes-from-cyberattack-1435537440?
mod=pls_whats_news_us_business_f, 7/16/15 AV)
U.S. aviation regulators and industry officials have begun developing
comprehensive cybersecurity protections for aircraft, seeking to cover everything
from the largest commercial jetliners to small private planes. A high-level advisory
committee set up by the U.S. Federal Aviation Administrationincluding representatives of plane makers, pilots and
parts suppliers from around the globewas scheduled to meet for the first time this month amid rising concern
over potential industry vulnerability to computer hackers. The panels meetings are private. On
June 21, operations were disrupted at Warsaw Chopin Airport by what LOT Polish Airlines said was a cyberattack on
flight-planning computers. Ten LOT flights were canceled and some 15 others were grounded for several hours,
affecting roughly 1,400 passengers. Though airline officials said safety was never affected, LOTs chief executive
was quoted saying that such a cyberattack can happen to anyone, anytime. The goal of the FAA initiative,
according to Jens Hennig, the panels co-chairman, is to identify the seven or eight most important risk areas and
then try to reach consensus on international design and testing standards to guard against possible cyberattacks.
The industry needs a set of graduated requirements, he said in an interview, based on the types of software and
of product development for Boeings commercial-airplane unit, said certification of the flagship 787 Dreamliner
required Boeing to purposely allow such teams inside the first layer of protection to demonstrate resilience. When it
comes to protecting flight-critical software from hackers, Mr. Sinnett said, the systems can accept only specific bits
of information at specific preordained times, and it is all preprogrammed. As a result, he added, theres no way for
the flight-control system to pull in something from an unauthorized source. Such software and cockpit interfaces
aboard commercial jets are tested extensively and have such a wide array of embedded safeguards that they are
considered virtually impregnable to direct attack by industry outsiders, according to these experts. Yet that hardly
of the European Aviation Safety Agency, is in ensuring that a maintenance or air-traffic control system cant be
hacked and used as a conduit to get at aircraft. What is not being done today, he said, is to have a view of
aircraft operations in their entirety, recognizing all the potential outside hazards. Airbus Group SE and most of its
suppliers continue to rely on a secure computer platform to protect their manufacturing operations, with some
European experts advocating more aggressive efforts to expand the network to additional companies. Every
time you introduce another connection in the form of a new supplier, its another
way to potentially attack the aircraft itself, says Alain Robic, a partner in Deloitte Consultings
French unit who works with industry clients on data security. Mr. Robic says that ideally all of the different levels of
security among suppliers to Airbus and Boeing would conform to an information-system policy self-regulated by
industry leaders. Neither LOT nor Polish authorities have identified the source of this months disruption.
Prosecutors may also be looking at internal-software failures or other explanations for the problem, which was
resolved after roughly five hours. Whatever the exact cause, the incident points to the kind of computer problem
that security experts worry about most in aviation and consider among the hardest to prevent: Attacks on
maintenance or air-traffic control systems, which routinely interface with aircraft, as opposed to direct intrusions by
passenger Wi-Fi connections and entertainment options, for example, is physically separated from onboard-safetysystem servers, and even electrical conduits are designed so that information doesnt bleed between the two. In
interviews at the Paris International Airshow days before the Warsaw incident, more than a dozen international
cyber experts and industry officials stressed that despite various high-profile and public allegations, they werent
aware of a single verified instance of hackers breaching flight-control or engine-control systems on any modern
jetliner while it was in the air. The current system is working pretty well and aviation software generally has been
pretty difficult to infiltrate, Mr. Hennig, vice president of operations for the General Aviation Manufacturers
Association, said. But most cyberprotection systems for planes are certified using case-by-case risk assessments
requiring regulators to expend a lot of resources, rather than the industrywide technical standards the FAA and Mr.
Hennig foresee. European regulators are expected to eventually create a similar advisory board to coordinate future
stressing the importance of sharing details about cyber events the same way specifics of safety incidents are now
distributed and analyzed world-wide. One of the things that is absolutely critical is to have very robust
mechanisms for information sharing among regions, including threats, potential incidents and mitigations, Mr.
Huerta said in an interview. The specifics of the cyber threat require us to be sharing on a broader scale than we
have done in the past. Industry officials at all levels are increasingly vigilant about chasing down any suspicions or
allegations of unauthorized attempts to penetrate computer systems. Today, people try to get in your cellphone ...
they like to test the security of all kinds of electrical devices, according to Carl Esposito, a senior aerospace official
at Honeywell International Inc., who emphasized that aviation designs understand that trend. A major question is
whether the global industry, which relies on software development cycles that sometimes stretch into years, can
remain nimble enough to stay ahead of hackers who can shift quickly from region to region and work on much
shorter timelines. I see a lot of sharing [of data security threats], maybe not between countries but at least within
countries, said Marc Darmon, head of the cybersecurity unit for Frances Thales SA, which helps safeguard banking
and a huge chunk of the worlds credit-card transactions. In the past, he said, aircraft makers and airlines believed
it was enough to ensure that safety systems were isolated from accidental intrusions, but now almost every
industry has adopted identification and responses to cyberattacks as major design criteria. That was not the case
10 years ago, he said. It has to be the case today.
Privacy
and eventually the forces of free speech won. But Crypto War II will be a far more grueling slog pitting privacy and free speech
There are, however, several concrete actions that we can take to prevent us from heading down this trajectory. Three key tactics are
discussed below. First, ensure that the locus of control over communications is in the hands of end users and within edge devices.
these
reforms would change a trajectory that is rapidly hurling us toward Crypto War II
and help ensure that Democracy in the 21st century remains true to the inalienable
rights it is predicated upon. To accomplish this peace, we need to overcome both entrenched business interests as
well as the ever-prevalent fear of the unknown. Our privacy and free speech rights will not survive if
we lose these coming battlesand with this corporate-government alignment
against encryption, the fight will be harder than ever before .
Papers, to anonymous comments in online forums. It is essential to free speech and a free society. Taken together,
doors, really wants, is a society that caters to their fears at the expense of others privacy. While we individually
choose to trust the law enforcement we come in contact with, government only works if we inherently and
collectively distrust it on a public level. Our public policies and standards should distrust those we have put in a
why they used encryption. In fact, because of their own example in concealing correspondence, one can make an
even stronger case supporting encryption as an instrument of free speech. The constitution is the highest law of the
land its above all other laws. Historically, our founding fathers guarded all instruments available that protect our
freedom as beyond the laws reach: The Press, Firearms, Assembly. These things provided information, teeth, and
Zero Days
When the NSA discovers (or buys) a vulnerability, it can either alert the vendor
and get a still-secret vulnerability fixed, or it can hold on to it and use it to
eavesdrop on target computer systems. Both tactics support important US policy
goals, but the NSA has to choose which one to pursue in each case. Right now, the
USboth at the NSA and at US Cyber Commandstockpiles zero-day vulnerabilities .
How many it has is unclear. In 2014, the White House tried to clarify the countrys policy on this in a blog post, but
didn't really explain it. We know that a single cyberweapon, Stuxnet, used four zero-days. Using up that many for a
In congressional testimony,
former NSA director Michael Hayden introduced the agency jargon NOBUS, "nobody
but us"that is, a vulnerability that nobody but us is likely to find or use. The NSA has a
single cyberattack implies that the government's stockpile is in the hundreds.
classified process to determine what it should do about vulnerabilities. The agency claims that it discloses and
closes most of the vulnerabilities it finds, but holds back some we don't know how manythat it believes are
each use runs the risk that others will learn about the vulnerability and use it for themselves. And they come in
families; keeping one secret might mean that an entire class of vulnerabilities remains undiscovered and
The US and other Western countries are highly vulnerable to zerodays, because of our critical electronic infrastructure, intellectual
property, and personal wealth. Countries like China and Russia are less
vulnerableNorth Korea much lessso they have considerably less incentive to get
vulnerabilities fixed.
unpatched.
Shane, American journalist and author at Foreign Policy magazine. @WAR : the rise
of the military-Internet complex / Houghton Mifflin Harcourt. P.98-100
The targets that are most vulnerable to a devastating zero day attack are the same
ones that the NSA is trying to protect: electrical power plants, nuclear facilities,
natural gas pipelines, and other critical infrastructures, including banks and
financial services companies. Not all of these companies have a system for easily sharing information
about vulnerabilities and exploits that have been discovered and publicly disclosed, often by more defensiveminded hackers who see their job as warning technology manufacturers about problems with their products, rather
than trying to profit from them.
By
buying so many zero day exploits, the NSA is helping to prop up a cyber arms
market that puts American businesses and critical facilities at risk. The
chances are good that if another country or a terrorist group knocks out the lights in
a US city, it will use an exploit purchased from a company that also sells them to
the NSA. The sellers of zero day exploits also bear at least some notional responsibility for making the Internet
updates. Some find doing that for hundreds or thousands of computers in a single facility a daunting task.
less safe. But they tend to blame software manufacturers for building programs that can be penetrated in the first
place. "We don't sell weapons, we sell information;' the founders of exploit seller ReVuln told a reporter for Reuters,
when he asked whether the company would be troubled if some of their programs were used in attacks that
destroyed systems or caused people to die. "This question would be worth asking to vendors leaving security holes
in their products. This line of defense is a bit like blaming a locksmith for a burglary. Yes, the locksmith is supposed
to make a product that keeps intruders from getting into someone's home. But if a burglar manages to break in and
steal a television or, worse, attack the homeowners, we don't prosecute the locksmith. Companies such as ReVuln
aren't burglars, but they are selling the equivalent of lock picks. Surely they bear some measure of responsibility, as
well, for crimes that are committed- if not a legal responsibility, then a moral one. And what about the NSA? In the
world of burglary, there's no equivalent for what the agency is doing. No one is out there buying up lock picks. But
the NSA also wants to be a kind of security guard for the Internet. What would
happen if the guard hired to watch over a neighborhood discovered an open window
but didn't tell the owner? More to the point, what if he discovered a design flaw in the brand of window
that everyone in the neighborhood used that allowed an intruder to open the window from the outside ? If the
security guard didn't alert the homeowners, they'd fire him - and probably try to
have him arrested. They wouldn't accept as a defense that the security guard was keeping the windows' flaw
a secret in order to protect the homeowners. And the police surely wouldnt accept that hed kept that information
to himself so that he could go out and rob houses. The analogy isn't perfect .
cyber attackers are numerous and persistentfor every one you see
there are a hundred you dontthose developments should sound alarms among executives at
Considering that
companies using industrial controls and with the people responsible for protecting American citizens from attacks.
To their credit, both businesses and the U.S. government have begun to take action; however, neither is adequately
addressing the core of the issue. Businesses continue to believe that cybersecurity issues can be addressed solely
through technology. The problem was created by technology so the solution must be more technology, they reason,
ignoring the spirit of Einsteins observation that no problem can be solved from the same level of consciousness
that created it. Technology is static and the threat is not. Hackers will always find a way to beat technology-based
solutions. Thats why we have to do more than create barriers to keep out intruders. We have to man our digital
borders with people who have the same skill and determination as the attackers. Similar to the use of technology,
the ability to regulate a solution is inherently limited. Regulation creates a compliance mentality in which policies
and investments are based on achieving and maintaining compliance. Compliance is predictable, which makes it
the hackers best friend. Legislation (HR 3696) has been introduced in the U.S. Congress that would increase the
sharing of information related to control system breaches to better arm security professionals to prevent future
breaches. That is a worthwhile goal; unfortunately, there is a dire lack of security professionals with an
understanding of both digital security and control system technology to benefit from this information sharing. Filling
this gap is where the lions share of the cybersecurity effort must go. It is estimated in the latest Project SHINE
the United States has more than half a billion control system devices
connected to the Internet. The SANS Institute, the largest cybersecurity training organization in the world,
report that
estimates that in the U.S. power industry alone thousands of new or existing control systems security professionals
must be deployed or further developed in the next five years to adequately address the challenge of control system
security within the electric sector.
the scope of recently reported cyber attacks against several American financial institutions, Joshua Campbell,
of Seculert, told SCMagazine.com in a Thursday email correspondence. Lucas Zaichkowsky, enterprise defense
architect with AccessData, told SCMagazine.com in a Thursday email correspondence that Eastern European
attackers are well-known for exploiting web application security flaws to gain initial
access into corporate environments. That's because web applications tend to be
riddled with these types of vulnerabilities unless a Security Development Lifecycle (SDL) is strictly
followed and the developers are highly skilled in secure coding practices, Zaichkowsky said . Gigabytes of
sensitive data were stolen in the attacks, including information from employee
computers and information that could be used to drain funds from accounts , according
to the report, which adds that there have been no signs of money being moved from accounts or other fraud. The
motivations for the attacks are unclear in a Thursday email correspondence, Armond Caglar, senior threat
specialist with TSC Advantage, told SCMagazine.com that checking and savings account information could have
been the reason these financial institutions were targeted, and Zaichkowsky agreed.
newsletter, at least eighteen organizations in the agency were secretly collecting vulnerability data on technology
exploits to middlemen, which are mostly large defense contractors. Raytheon and Harris Corporation are two major
players in the zero day market. They also design traditional weapons systems for the military and are two of the
bestestablished and largest Pentagon contractors. Their ties to the military and to the NSA are deep and longstanding. Also collecting and selling zero days are smaller boutique firms, a number of which are run by former
military officers or intelligence officials. Once the middlemen have the zero days, they sell them to their customer the NSA. But the supply chain begins with the hacker. To be a good zero day hunter, a hacker has to put himself in
the original programmer's shoes and find the flaws in his design. Automated technology can help. "Fuzzing, for
instance, is a technique that throws unexpected or random data into the inputs of a computer program, hoping to
make it crash. Then the hacker looks for the flaw in the system that caused it to fail. But to find the deepest cracks,
a hacker has to devise novel and more clever techniques that force the computer to show him where ifs weak. For
instance, in 2005 a PhD student at UCLA discovered that by measuring the "smaII, microscopic deviations,, in the
internal docks of computers, he could uniquely identify one computer out of a network of thousands. The technique
would be especially useful, he later wrote in a research paper, to "adversaries thousands of miles,, away from the
targeted machine who wanted to overcome software meant to hide the machine's physical location - software such
as Tor, the anonymizing router system that the NSA was so keen to disrupt. A year after the paper was published, a
researcher at Cambridge University discovered that one could, in fact, find which server in a network was actually
running Tor's anonymizing software, thus def eating its all-important feature. He did this by sending an anonymous
Tor server an especially intensive request for information that literally forced the machine to heat up because it was
working so hard. The heat changed the rate at which electrons in the computer moved, which in turn affected the
accuracy of the clock. He still didn't know where the anonymous server was located, but he took the unique "dock
skew,, and queried computers on the public Internet to see if he could find a match. He did. The clock skew gave
away the location of the supposedly hidden Tor server. The classified NSA document, "Tor Stinks;' which shows how
the NSA tried to defeat the network, indicates that the agency studied both these clock-skew techniques in an
attempt to find routers on a network. The ingenious ability to suss out such an obscure, barely discernible flaw is
what separates good hackers from great ones and leads to the discovery of zero days.
Hackers charge a
high price for zero day exploits. If they come in "weaponized form, that is, ready to use against a
system, exploits start at around $50,000 and run to more than $100,000 apiece ,
according to experts. But some exploits command a higher price because their targets are
more valuable or harder to penetrate. The going rate on an exploit for Apple's iOS
operating system, used on the iPhone and the company's other mobile devices , is half a million dollars,
says one expert. And more complicated exploits such as those that rely on flaws in the internal mechanics of a
piece of hardware, can cost millions. Those exploits are so expensive because they target the engineering of the
The only
organizations with the means and the motive to buy such a weapon are
organized criminal groups and governments. Serious buyers of zero days,
such as the NSA, don't procure them in one-off fashion. They make stockpiles to use
in future attacks. The NSA has stored more than two thousand zero day exploits for
machine itself, which cannot be patched in the way software can, with new lines of code.
potential use against Chinese systems alone, according to a former highranking government official who was told
about the cache in a classified meeting with NSA officials.
number of exploits. The Stuxnet computer worm, which the United States built in conjunction with Israel
to disable the Iranian nuclear facility, contained four zero day exploits, which is itself a lot for one attack. A
collection of two thousand zero day exploits is the cyber equivalent of a
nuclear arsenal. It also puts people around the world at risk. If the NSA is hoarding
those vulnerabilities, rather than telling the makers of technology products that they
have found flaws in their hardware and software, then the agency is arguably covering up
valuable information that could be used to defend against malicious hackers . To be
sure, the NSA does use knowledge of zero day exploits to plug holes in technology that it's using or that might be
agency's eventual targets in China or Iran might be tipped off if the NSA alerted technology companies to flaws in
their technology.
cybersecurity and privacy, for Reuters, SPECIAL REPORT - U.S. cyberwar strategy
stokes fear of blowback, May 10, 2013,
http://in.reuters.com/article/2013/05/10/usa-cyberweaponsidINDEE9490AX20130510?type=economicNews)
Even as the U.S. government confronts rival powers over widespread Internet
espionage, it has become the biggest buyer in a burgeoning gray market where
hackers and security firms sell tools for breaking into computers. The strategy is spurring
concern in the technology industry and intelligence community that Washington is in effect
encouraging hacking and failing to disclose to software companies and customers
the vulnerabilities exploited by the purchased hacks. That's because U.S. intelligence and
military agencies aren't buying the tools primarily to fend off attacks. Rather, they are using the tools to infiltrate
computer networks overseas, leaving behind spy programs and cyber-weapons that can disrupt data or damage
who previously worked for the National Security Agency. A spokesman for the NSA agreed that the proliferation of
hacking tools was a major concern but declined to comment on the agency's own role in purchasing them, citing
the "sensitivity" of the topic. America's offensive cyber-warfare strategy - including even the broad outlines and the
total spending levels - is classified information. Officials have never publicly acknowledged engaging in offensive
cyber-warfare, though the one case that has been most widely reported - the use of a virus known as Stuxnet to
disrupt Iran's nuclear-research program - was lauded in Washington. Officials confirmed to Reuters previously that
the U.S. government drove Stuxnet's development, and the Pentagon is expanding its offensive capability through
Computer
researchers in the public and private sectors say the U.S. government, acting
mainly through defense contractors, has become the dominant player in fostering
the shadowy but large-scale commercial market for tools known as exploits , which
the nascent Cyber Command. Stuxnet, while unusually powerful, is hardly an isolated case.
burrow into hidden computer vulnerabilities. In their most common use, exploits are critical but interchangeable
components inside bigger programs. Those programs can steal financial account passwords, turn an iPhone into a
listening device, or, in the case of Stuxnet, sabotage a nuclear facility. Think of a big building with a lot of hidden
doors, each with a different key. Any door will do to get in, once you find the right key. The pursuit of those keys has
privately.
Paganini 13 (Pierluigi Paganini, Zero-day market, the governments are the main
buyers, Security Affairs, 3/21/13, Pierluigi Paganini is Chief Information Security
Officer at Bit4Id, firm leader in identity management, member of the ENISA
(European Union Agency for Network and Information Security) Threat Landscape
Stakeholder Group, he is also a Security Evangelist, Security Analyst and Freelance
Writer. Editor-in-Chief at "Cyber Defense Magazine",
http://securityaffairs.co/wordpress/14561/malware/zero-day-market-governmentsmain-buyers.html, 7/14/15 AV)
Governments, and in particular US one, are principal buyers of zero-day
vulnerabilities according a report published by Reuters. Zero-days exploits are considered a
primary ingredient for success of a cyber attack, the knowledge of zero-day flaw
gives to the attacker guarantee of success, state-sponsored hackers and cyber
criminals consider zero-day exploits a precious resources around which is grown a
booming market. Zero-day exploits could be used to as an essential component for the design of a cyber
weapon or could be exploited for cyber espionage purposes, in both cases governments appear the most interested
entities for the use of these malicious code. Recent cyber attacks conducted by Chinese hackers might lead us to
think Chinese Government is primary buyer/developer for zero-day vulnerabilities, but a report recently published
new cyber units, but according intelligence sources, offensive approach seems to be most stimulated by the need to
preserve the security in the cyberspace. NSA chief General Keith Alexander told Congress that the US Government
is spending billions of dollars every year on cyberdefense and constructing increasingly sophisticated
cyberweapons this led to the birth of more than a dozen offensive cyber units, designed to mount attacks, when
necessary, at foreign computer networks. Popular hacker Charlie Miller, security researcher at Twitter, with a past
collaboration with NSA confirmed the offensive approach to cyber security: The only people paying are on the
researcher to try to tell many individuals about the discovery in an attempt to find a buyer with obvious risks. Value
cannot be demonstrated without loss One of the most fascinating problems a researcher attempting to sell
vulnerability information or a 0-day exploit may face is proving the validity of the information without disclosing the
information itself. The only way to prove the validity of the information is to either reveal it or demonstrate it in
some fashion. Obviously, revealing the information before the sale is undesirable as it leaves the researcher
exposed to losing the intellectual property of the information without compensation. Exclusivity of rights The final
hurdle involves the idea of the exclusive rights of the information. In order to receive the largest payoffs, the
researcher must be willing to sell all rights to the information to the buyer. However, the buyer has no way to
protect themselves from the researcher selling the information to numerous parties, or even disclosing the
information publicly, after the sale. Current approaches to zero-day vulnerabilities are to be bought up exploits
avoiding that they could be acquired by governments opponents such as dictators or organized criminals, many
security firms sell subscriptions for exploits, guaranteeing a certain number per year. The trend to exploit zero-day
for offensive purposes has been followed by intelligence agencies and also private companies, both actors have
started to code their own zero-day exploits. Private companies have also sprung up that hire programmers to do
the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around
$50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software
is and how long the zero-day is expected to remain exclusive. The Reuters report also revealed the participation of
government representatives to the Secret Snoop Conference for Government and law enforcement spying, clearly
with the intent to acquire new technologies to conduct cyber espionage through malware based attacks able to
compromise target networks. The choice of a government to acquire a zero-day exploit to use it against a foreign
governments hide serious risks for its country, cyber terrorist, cyber criminals or state-sponsored hackers could
reverse engineer the source code to compose new malicious agent to use against the same authors. The most
popular example is the case of Duqu malware, a powerful spyware designed to steal industrial-facility designs from
Iran. which code was adopted by cybercrime industry to be the active components in popular Blackhole and Cool
exploit kits. In many cases the efficiency of these zero-day exploits has a long life due the presence of not updated
target systems, typical zero-day attack has an average duration of 312 days and once publicly disclosed it is
observable an increases of 5 orders of magnitude of the volume of attacks. Zero day Analysis Reuters reported to
have reviewed a product catalogue from one large contractor, it contained various applications for cyber espionage
purposes. The article refer of a product to turn any iPhone into a room-wide eavesdropping device and another
one was a system for installing spyware on a printer or other device and moving that malware to a nearby
computer via radio waves, even when the machines arent connected to anything. The product portfolio is very
wide including tools for getting access to computers or phones and tools for grabbing different categories of data,
its clear that majority of these products exploits zero-day vulnerabilities on various application and OSs . most of
the programs cost more than $100,000. Based from my experience the cost of a zero day-day depends on a
multitude of factors such as the product target, its diffusion level and of course the scope of use, a zero-day sold to
a government could have a price up to 100 times an exploit kit sold to private industry. Which are the principal
mediators for zero-day sale? The Grugq is the famous one but also small firms like Vupen and Netragard and other
defense contractors such as Northrop Grumman operate this growing market. Netragards founder Adriel Desautels
says hes been in the exploit-selling game for a decade, and describes how the market has exploded in just the
last year. He says there are now more buyers, deeper pockets, that the time for a purchase has accelerated from
months to weeks, and hes being approached by sellers with around 12 to 14 zero-day exploits every month
the explosion in demand for zeroday leaves little doubt about the true intentions of governments and the impact is
certainly not confined to just cyberspace.
compared to just four to six a few years ago. Prepare for the worst,
VULNERABILITYTRADE:APRELIMINARYANALYSIS6/3/15,
http://moritzlaw.osu.edu/students/groups/is/files/2015/06/FidlerSecondReviewChangesMade.pdf)
The gray market for zero-days causes concern beyond its size and global reach. The gray market also raises
national and international security worries.
Heartbleed: computer users would have been at risk if the U.S. government had known about the vulnerability and
chosen to keep it secret for exploitation. U.S. non-disclosure of zero-days also leaves global users at risk, because
Government participation
helps catalyze gray-market expansion, which has potentially harmful ramifications.
Vulnerability sellers may offer information to multiple sources. The U.S.
governments willingness to purchase vulnerabilities has spurred growth of
vulnerability-selling firms, encouraging gray-market expansion and increasing
availability and mobility of gray-market products, which actors unfriendly to the U.S.
may be able to access. Soghoian, a cybersecurity expert at the American Civil Liberties Union (ACLU),
states that, as soon as one of these weaponized zero-days sold to governments is
obtained by a bad guy and used to attack U.S. infrastructure bad things will
happen; gray-market sellers will drag the entire security industry into a world of
pain.24 Even without duplicitous vulnerability sellers, the very nature of zero-days means they
undisclosed vulnerabilities affect anyone using globally disseminated software.
could independently find their way into the hands of both the U.S. government and
bad actors. Howard Schmidt, former White House cybersecurity coordinator, explained that, its pretty nave to
believe that with a newly discovered zero-day, you are the only one ... thats discovered it.25 Government
participation in the gray market could affect the black market. U.S. involvement in
the gray market bankroll[s] dangerous R&D and build[s] the black market, a U.S.
militaryintelligence official stated. 26 Michael Hayden, former Central Intelligence Agency (CIA) and NSA Director,
tax dollars used to purchase vulnerabilities on the gray market may benefit
the black market for instance, if spent with a company that also supplies bad
actors.27 Or, a buyer participates in the gray market using a front company, but is
actually a criminal organization. This crossover effect exists in the traditional arms trade, where
legitimate arms transfers end up with renegade groups.28 A robust gray market expands access to
advanced cyber tools to states that would otherwise not be able to independently
develop them. Before the gray market, the ability to discover zero-days in-house
was largely a boutique capability, the privilege of a few capable governments or
those with access to skilled hackers.29 Colonel John Adams, head of the Marine Corps Intelligence
Integration Division, states that gray-market sellers provide cyber-power to hostile
governments that would otherwise lack the expertise to attack an advanced
countrys computer systems.30 Easier access to zero-days by non-state actors is also a security
argues that
concern. Eric Rosenbach, Deputy Assistant Secretary of Defense for Cyber Policy, said that the prospect of non-state
actors accessing zerodays on the market keeps me awake at night. 31
cybersecurity and privacy, for Reuters, SPECIAL REPORT - U.S. cyberwar strategy
stokes fear of blowback, May 10, 2013,
http://in.reuters.com/article/2013/05/10/usa-cyberweaponsidINDEE9490AX20130510?type=economicNews)
Former White House cybersecurity advisors Howard Schmidt and Richard Clarke
said in interviews that the government in this way has been putting too much
emphasis on offensive capabilities that by their very nature depend on leaving U.S.
business and consumers at risk. "If the U.S. government knows of a vulnerability that can be exploited,
under normal circumstances, its first obligation is to tell U.S. users," Clarke said. " There is supposed to be
some mechanism for deciding how they use the information, for offense or defense.
But there isn't." Acknowledging the strategic trade-offs, former NSA director Michael Hayden said: "There has
been a traditional calculus between protecting your offensive capability and strengthening your defense. It might be
time now to readdress that at an important policy level, given how much we are suffering." The issue is sensitive in
the wake of new disclosures about the breadth and scale of hacking attacks that U.S. intelligence officials attribute
Top U.S.
officials told Congress this year that poor Internet security has surpassed terrorism
to become the single greatest threat to the country and that better information-sharing on risks
is crucial. Yet neither of the two major U.S. initiatives under way - sweeping
cybersecurity legislation being weighed by Congress and President Barack Obama's
February executive order on the subject - asks defense and intelligence agencies to
spread what they know about vulnerabilities to help the private sector defend itself. Most
to the Chinese government. Chinese officials deny the allegations and say they too are hacking victims.
companies, including Microsoft, Apple Inc (AAPL.O) and Adobe Systems Inc
(ADBE.O), on principle won't pay researchers who report flaws, saying they don't
want to encourage hackers. Those that do offer "bounties", including Google Inc
(GOOG.O) and Facebook Inc (FB.O), say they are hard-pressed to compete
financially with defense-industry spending . Some national-security officials and security executives
say the U.S. strategy is perfectly logical: It's better for the U.S. government to be buying up exploits so that they
don't fall into the hands of dictators or organized criminals.
Zero-day exploits will work even when the targeted software is up to date, and experts say the use of even a single
zero-day in a program signals that a perpetrator is serious. A well-publicized hacking campaign against Google and
scores of other companies in early 2010, attributed by U.S. officials and private experts to Chinese government
such factors as how widely installed the targeted software is and how long the zero-day is expected to remain
It's a global market that operates under the radar, often facilitated by other
companies that act as brokers. On the buy side are U.S. government agencies and
the defense contractors that fold the exploits into cyber-weapons. With little or no
regulation, it is impossible to say who else might be purchasing zero-days and to what
exclusive.
end, but the customers are known to include organized crime groups and repressive governments spying on their
citizens. Even one of the four exploits used by Stuxnet may have been purchased. Swedish Defense Research
Agency expert David Lindahl said the same trick employed by the exploit in question was used in a piece of Russian
that with a newly discovered zero-day, you are the only one in the world that's discovered it," said Schmidt, who
retired last year as the White House cybersecurity coordinator. " Whether
a guidelinesonly approach has inherent weaknesses. First, the guidelines would be formulated,
implemented, and enforced by the very department with the most interest in
creating exceptions to the rule, and that most pays the cost when the tools it develops and uses are
neutralized. Such conflicts of interest rarely end up with the strongest possible
protections for the public. 176 Therefore, a legislative approach may be more
appropriate. Perhaps as part of the appropriations bill that funds the exploit discovery effort, Congress
could mandate that any vulnerabilities the unit discovers be reported; alternatively,
a reporting mandate could be added to the wiretap statute. This second approach
has the advantage that it is more permanent; however, amending the Wiretap Act has
proven to be a long and contentious process. Regardless, and as noted above, such legislation would need
to be carefully drafted to capture a range of different circumstances.
circumstances promulgated by the administration, likely the Department of Justice.256 However,
Solvency US Leadership
US leadership solves international cooperation on zero-days.
Fidler 2014
Mailyn Fidler, Marshall Scholar, Department of Politics and International Relations
May 2014 Anarchy or Regulation: Controlling the Global Trade In Zero-Day
Vulnerabilities A Thesis Submitted To The Interschool Honors Program in
International Security Studies, Center for International Security and Cooperation,
Freeman Spogli Institute for International Studies, Stanford University
https://decryptedmatrix.com/wp-content/uploads/2014/06/Fidler-Zero-DayVulnerability-Thesis.pdf
International cooperation is needed on the zero-day issue, but U.S. leadership is
required to catalyze such cooperation. Snowdens disclosures have caused significant problems for
the United States, reducing receptivity to cooperation with the United States on cyber issues. This problem is
exacerbated by the need to have the United States, as a major cyber player,
involved in international negotiations . Existing confusion and controversy over
national U.S. policies towards zero-day vulnerabilities create further obstacles to
addressing these issues at an international level. The United States needs to
establish policy clarity at a national level to set the stage for collective action,
signaling to other nations its seriousness about the problem and the nature of
American interests towards it. Richard Clarke and Peter Swire agree: we create a more secure and
useful global Internet if other nations, including China and Russia, adopt and implement similar policies to what the
This thesis argues that the U.S. government must do more to strengthen its own zero-day policies as a necessary
element of addressing the need for collective action.
Obama, in an interview with Re/codes Kara Swisher after the Stanford event, recognized this tension, saying, I lean probably further in the direction of
strong encryption than some do inside of law enforcement. But I am sympathetic to law enforcement because I know the kind of pressure theyre under to
keep us safe. Now, in fairness, I think the folks who are in favor of airtight encryption also want to be protected from terrorists. It would be a great
achievement if we could somehow provide strong encryption against every adversary, except for a loophole only usable with a valid warrant. The same
hope has been expressed by FBI Director James Comey, by British Prime Minister David Cameron, and by The Washington Posts editorial board, which
famously asked for a secure golden key for law enforcement. But if there is a virtual access port that can be opened by a technology vendor on seeing a
warrantas Comey has called forthe same port can be opened by the same vendor without a warrant. The technology cannot tell whether the employee
requesting access has been compelled by a lawful court order, or by a blackmailer, or by an extortionist, or by a foreign government. As far as the
technology is concerned, access under a court order is the same as access to data by an insider. And misbehaving insiders often have privileged access
that makes their attacks devastating. Consider Snowdens attack on the NSA or the electronic thefts revealed in February in which thieves impersonating
insiders took hundreds of millions of dollars from banks around the world. If we want to lock out insiders, we will also have to lock out those with warrants.
We cannot avoid the choice between access and security. The largest Internet companies have been moving to adopt encryption for several years. Google
switched its website over to secure access by default in 2010 and 2011. Microsofts outlook.com email service followed suit in 2012, Facebook in 2013,
and Yahoo Mail in 2014. Many of these products later went further, requiring secure access and disabling insecure access. The pace picked up after the
Snowden revelations. Apple and Google beefed up encryption of data stored on iPhones and Android devices in 2014. In August 2014, Google announced
that it would boost the position of secure pages in search results, treating encryption as an indicator that a site is serious about security. Meanwhile,
citizens who went to Whitehouse.gov to read the text of the presidents Cybersecurity Summit speech could not do so on a secure page because the White
House website did not offer even the option of secure browsing. Visitors to https://whitehouse.gov received a sternly worded security warning from their
browsers and had to go to another site such as Googles YouTube if they wanted to experience the presidents speech on a secure site. Closing the Gap
which dominates in industry, wants to strengthen systems, using tools such as encryption to protect privacy. The two communities come down on different
there any escape from the cyber conundrum? The way out, if we can find it, will strive to bolster security of common technical infrastructure, while finding
In 2013, Obamas own review group urged the government to put its weight behind a secure Internet, even at the
tech firms if the U.S. intelligence system continues to follow policies that threaten their citizens and businesses .
As
a result, it is incumbent on the Congress and the Obama administration to take the
lead in showing the world the best standards for transparency, cooperation, and
accountability. First, the U.S. government should be forthcoming and transparent about its surveillance
practices and clearly inform the public about the data it collects domestically and abroad. The U.S. government
should set the gold standard for international transparency requirements, so that it is clear what information both
U.S. and non-U.S. companies are disclosing to governments at home and abroad. The U.S. government should then
work with its allies to create an international transparency requirement that illuminates when countries conduct
President Obama, or his successor, should sign an executive order formalizing this policy as well. In addition, when
U.S. government agencies discover vulnerabilities in software or hardware products, they should responsibly notify
Solvency Kehl
The plan solves - strong encryption key to the internet.
Kehl, 2015
Danielle Kehl is a senior policy analyst at New America's Open Technology Institute,
BA cum laude Yale 6-17-2015, "Doomed To Repeat History? Lessons From The
Crypto Wars Of The 1990s," New America, https://www.newamerica.org/oti/doomedto-repeat-history-lessons-from-the-crypto-wars-of-the-1990s/
Strong encryption has become a bedrock technology that protects the security of
the internet The evolution of the ecosystem for encrypted communications has also enhanced the protection of
individual communications and improved cybersecurity. Today, strong encryption is an essential
ingredient in the overall security of the modern network, and adopting technologies like HTTPS
is increasingly considered an industry best-practice among major technology companies.177 Even the report of the
Presidents Review Group on Intelligence and Communications Technologies, the panel of experts appointed by
President Barack Obama to review the NSAs surveillance activities after the 2013 Snowden leaks, was unequivocal
in its emphasis on the importance of strong encryption to protect data in transit and at rest. The Review Group
Encryption is an essential basis for trust on the Internet; without such trust,
valuable communications would not be possible . For the entire system to work,
encryption software itself must be trustworthy. Users of encryption must be confident, and
wrote that:
justifiably confident, that only those people they designate can decrypt their data. Indeed, in light of the massive
increase in cyber-crime and intellectual property theft on-line, the use of encryption should be greatly expanded to
The report
further recommended that the U.S. government should: Promote security[] by (1)
fully supporting and not undermining efforts to create encryption standards; (2)
making clear that it will not in any way subvert, undermine, weaken, or make
vulnerable generally available commercial encryption; and (3) supporting efforts to
encourage the greater use of encryption technology for data in transit, at rest, in
the cloud, and in storage.179 Moreover, there is now a significant body of evidence that,
as Bob Goodlatte argued back in 1997, Strong encryption prevents crime .180 This has become
protect not only data in transit, but also data at rest on networks, in storage, and in the cloud.178
particularly true as smartphones and other personal devices that store vast amount of user data have risen in
If the
balance is wrong, a well-intentioned government agency can severely undermine
security rather than strengthen it, and endanger the very American citizens that the
agency hopes to protect. Based on recent press reports regarding the alleged activities of the National
Security Agency (NSA), it is time for a reevaluation of this balance. Individual computer users, large
corporations, and government agencies all depend on the security features built
into information technology products and services that they buy on the open
market. If the security features of these widely available products and services are
weak, everyone is in greater danger. There have recently been allegations that U.S. government
agencies have engaged in a number activities deliberately intended to weaken this widely available technology .
Weakening commercial products and services does have the benefit that it becomes
easier for U.S. intelligence agencies to conduct surveillance on targets who use the
weakened technology, and if it is occurring, this is probably the motivation. However,
this strategy also inevitably makes it easier for criminals, terrorists, and foreign
powers to infiltrate these systems for their own purposes . Moreover, everyone who
uses this technology is vulnerable, and not just the handful who may be surveillance
targets for U.S. intelligence agencies. No government agency should act to reduce
the security of a product or service sold on the open market without first conducting
a careful risk assessment.1 If the recent allegations in the press are correct, and no such risk assessment
occurred, the White House should make sure that a thorough review is conducted now,
and that policies are changed as needed based on this assessment.
two needs are entirely compatible, but there are occasionally issues on which a balance must be struck.
The
consistent message from the technical community has been clear: backdoors
reduce security, they are trivially engineered around, they dont work, and there will
always be methods to easily create or obtain software without backdoors. We gladly
Encryption, and an expert report in 2013 entitled CALEA II: Risks of Wiretap Modifications to Endpoints.
signed on to this effort to support strong encryption and to reject mandates that would weaken security. The letter
organized by The Open Technology Institute at New America points out that officials in President Obamas
administration have been arguing tech companies should weaken security and encryption controls in recent
Im especially heartened to see such a strong showing of top security experts including two of the inventors of
modern public key cryptography (Diffie and Rivest). At CDT we believe strongly that domain experts should be
involved in policy conversations, and we helped coordinate expert sign-on to this letter by cryptographers,
computer scientists, and computer and network security experts. There should be no mistaking the statements
K Stuff
Myriam, Deputy for research and teaching a the Center for Security Studies (CSS)
and Senior Lecturer for Security Politics at ETH Zurich. "Breaking the cyber-security
dilemma: Aligning security needs and removing vulnerabilities." Science and
engineering ethics 20.3 (2014): 701-715.
That said, the security-implications of current actions by state entities go even further.
It has been suspected for a while and is now confirmed that the intelligence services of this world are making
cyberspace more insecure directly; in order to be able to have more access to data, and in order to prepare for
It has been revealed that the NSA has bought and exploited so-called
zero-day vulnerabilities in current operating systems and hardware to inject NSA
malware into numerous strategically opportune points of the Internet infrastructure
(Greenwald and MacAskill 2013). As soon as military and intelligence agencies became
buyers of so-called zero-day vulnerabilities, prizes have skyrocketed (Miller 2007; Perlroth
and Sanger 2013), with several downsides to this: first, exposing these vulnerabilities in order to
patch them, as was the norm not so long ago, is becoming less likely. Second, the competition for
future conflict.
exclusive possession of such vulnerabilities might even give programmers incentives to deliberately create and
then sell them (Schneier 2012b). It is unknown which computer systems have been compromisedbut it is known
that these backdoors or sleeper programs can be used for different purposes
(surveillance, espionage, disruption, etc.) and activated at any time. It also has been
revealed that the US government spends large sums of money to crack existing
encryption standardsand apparently has also actively exploited and contributed to
vulnerabilities in widespread encryption systems (Simonite 2013; Fung 2013; Clarke et al. 2013).
The crux of the matter is that these backdoors reduce the security of the entire systemfor
everyone. The exploitation of vulnerabilities in computer systems by intelligence
agencies and their weakening of encryption standards have the potential to destroy
trust and confidence in cyberspace overall. Also, there is no guarantee that the backdoor-makers
have full control over them and/or can keep them secret in other words, they could be identified and exploited by
Myriam, Deputy for research and teaching a the Center for Security Studies (CSS)
and Senior Lecturer for Security Politics at ETH Zurich. "Breaking the cyber-security
dilemma: Aligning security needs and removing vulnerabilities." Science and
engineering ethics 20.3 (2014): 701-715.
From Problem to Solution: Human-Centric Information Ethics. This article has identified and discussed implications
of cyber(-in)-security for human-security concerns, with a main focus on both the representation of the issue as a
The
problem with the current system is that security is underproduced, both
from a traditional state-focused national security and also from a bottom-up, human
security perspective. The reason, so I have argued, is a multidimensional and multi-faceted security
dilemma, produced by the following interlinked issues: First, cyber-security is increasingly presented
in terms of power-struggles, war- fighting, and military action . This is not an inevitable or
(security) political problem and the practices of (mainly state) actors based on such representations.
natural development; rather, it is a matter of choice, or at least a matter of (complicated) political processes that
has produced this particular outcome. The result is not more security, however, but less: states spend more and
more money on cyber-defense and likely also cyber-offense, which is not leading to more, but less security, as
evident by the flood of official documents lamenting the security-deficit. Second, the type of cybersecurity that is
produced is based on economic maxims, often without consideration for the particular security-needs of the
national security because of vulnerabilities in critical infrastructures. The reason why vulnerabilities persist and
with bearing on cyber-security have mainly been made from a military perspective, following the tradition to
address new forms of warfare and weapons systems under ethical viewpoints (cf. Rowe 2010; Dipert 2010; Barrett
an expansion of environmental ethics towards a less anthropocentric concept of agent, which includes non-human
(artificial) and non-individual (distributed) entities and advances a less biologically-centred concept of patient,
which includes not only human life or simply life, but any form of existence. This ethics is concerned with the
question of an ethics in the infosphere (Floridi 2001) and beyond that, an ethics of the infosphere (Capurro
2006). In information ethics, the lowest possible common set of attributes which characterises something as
intrinsically valuable and an object of respect is its abstract nature as an informational entity (Floridi 1998). In this
view, all informational objects are in principle worth of ethical consideration. However, to ensure that such an ethics
does not involuntarily place the technical over the social, we must make sure that the protection of these data is
The duty
of a moral agent is evaluated in terms of contribution to the growth and welfare of
the entire infosphere (Floridi 1999: 47), but always related to a bodily being in the world .
Any process, action or event that negatively affects the infosphere with relevance to
human life impoverishes it and is an instance of evil (Floridi and Sanders 1999, 2001).
Vulnerabilities are such an evil.
not founded on the dignity of the digital but on the human dimensions they refer to (Capurro 2006).
Perm
Encryption perm hospitality to the other.
Seemann, 2015,
Michael Seemann studied Applied Cultural Studies in Lnebur, Now he blogs at
mspr0.de and writes for various media like Rolling Stone, TIME online, SPEX, Spiegel
Online, ct and the DU magazine Digital Tailspin Ten Rules for the Internet After
Snowden The Network Notebooks series March 2015 http://networkcultures.org/wpcontent/uploads/2015/03/NN09_Digital_Tailspin_SP.pdf
ENCRYPTION AS HOSPITALITY
Encrypted communication also obeys end-to-end principles . Asymmetric encryption generally
means that the message you want to send will be encrypted while still on your computer (or mobile phone), and will
State Violence
The universe believes in encryption it is critical to counter
dystopian state violence.
Assange, 2012
The new world of the internet, abstracted from the old world of
longed for independence. But states and their friends moved to control
our new worldby controlling its physical underpinnings. The state, like an army
around an oil well, or a customs agent extracting bribes at the border, would soon learn to
leverage its control of physical space to gain control over our platonic realm . It would
Western civilization, our platonic realm.
brute atoms,
prevent the independence we had dreamed of, and then, squatting on fiber optic lines and around satellite ground
relationship expressed or communicated, every web page read, every message sent and every thought googled,
and then store this knowledge, billions of interceptions a day, undreamed of power, in vast top secret warehouses,
forever.
It would go on to mine and mine again this treasure, the collective private
intellectual output of humanity, with ever more sophisticated search and pattern
finding algorithms, enriching the treasure and maximizing the power imbalance between interceptors and
the world of interceptees. And then the state would reflect what it had learned back into the physical world, to start
wars, to target drones, to manipulate UN committees and trade deals, and to do favors for its vast connected
network of industries, insiders and cronies.
total domination.
A hope that with courage, insight and solidarity we could use to resist. A strange property
to create the laws of a new world. To abstract away our new platonic realm from its base underpinnings of satellites,
undersea cables and their controllers. To fortify our space behind a cryptographic veil. To create new lands barred to
those who control physical reality, because to follow us into them would require infinite resources.
And in this
to create regions free from the coercive force of the outer state. Free from mass
interception. Free from state control. In this way, people can oppose their will
to that of a fully mobilized superpower and win. Encryption is an embodiment
of the laws of physics, and it does not listen to the bluster of states, even
transnational surveillance dystopias. It isnt obvious that the world had to work this way. But
somehow the universe smiles on encryption. Cryptography is the ultimate form of nonviolent direct action. While nuclear weapons states can exert unlimited violence
over even millions of individuals, strong cryptography means that a state, even by
exercising unlimited violence, cannot violate the intent of individuals to keep secrets
from them. Strong cryptography can resist an unlimited application of
violence. No amount of coercive force will ever solve a math problem. But could we take this strange fact
about the world and build it up to be a basic emancipatory building block for the independence of mankind in the
platonic realm of the internet? And as societies merged with the internet could that liberty then be reflected back
into physical reality to redefine the state? Recall that states are the systems which determine where and how
coercive force is consistently applied. The question of how much coercive force can seep into the platonic realm of
As states
merge with the internet and the future of our civilization becomes the future of the
internet, we must redefine force relations. If we do not, the universality of the
internet will merge global humanity into one giant grid of mass surveillance and
mass control. We must raise an alarm. This book is a watchmans shout in the night. On March 20,
the internet from the physical world is answered by cryptography and the cypherpunks ideals.
2012, while under house arrest in the United Kingdom awaiting extradition, I met with three friends and fellow
watchmen on the principle that perhaps in unison our voices can wake up the town. We must communicate what we
have learned while there is still a chance for you, the reader, to understand and act on what is happening. It is time
A2
AT Terror DA
Encryption does not make the government go dark. It must be
protected to ensure public safety.
Crockford 2015
Kade Crockford, Director, Technology for Liberty Project, ACLU Massachusets, 7-82015, "The FBI's attack on encryption and the misleading phrase "lawful
interception", http://privacysos.org/node/1767
Transparency reports from major communications providers routinely show that law
enforcement uses the lowest possible standard of demandthe subpoena, often
never even seen by a judge, let alone approved by one when it asks these corporations for
our information. Then there are the court orders Tom Cotton referenced today at the senate hearing
on the FBIs plot to destroy internet security. Court orders are not the same as warrants. The
most commonly used court order, called a (d) order, does not require the
government show probable cause that the information obtained in the search will be evidence of a
crime. Probable cause is the gold standard of American justice spelled out in the
Fourth Amendment's warrant requirement. Agencies from the FBI all the way down to local police
have been obtaining not just our purchasing and communications records but the actual content of our
Privacy Act (ECPA) of 1986. And then theres the highly secretive, accountability-free, so-called foreign intelligence
surveillance regime, which feeds programs like PRISM and the NSAs Google, X-KEYSCORE. So when Jim Comey or
pro-FBI congressmen tell you not to worry about expanded FBI surveillance powers because the FBI only conducts
lawful interception, pursuant to lawful orders, remember that the legal regime in place to govern those
that the FBI has a legitimate concern that criminals and terrorists will
gravitate to communications technologies that are more difficult to surveil.
However, taken as a whole, the digital revolution has made more data about us
available than ever before, and the government has more tools to obtain and
analyze that data than ever before. The volume of government surveillance increases almost every
year. The claim that companies increasing adoption of strong encryption by default
will suddenly lead to government going dark and unable to access critical
others, and
information is speculative. Encryption is not new: Products and software with strong
encryption have been freely available to the public including criminals for many
years, and have not rendered law enforcement helpless to investigate crimes. By recently choosing to encrypt
popular smartphones by default, companies are making this security feature easier to use
and more accessible to regular smartphone users who do not seek out increased
security protection. This change will reduce overall crime by protecting all
smartphone users, rather than just those who are already security-conscious . No cases
where backdoors have been necessary: The government has not yet produced an actual case in
which decrypting a device was essential to attaining a conviction . In his recent speech,
Director Comey cited several terrible crimes where cell phone evidence came into play, but in every one of
these cases the evidence on the phone was not critical to the conviction and the
government had other ways of obtaining the data it sought . When a reporter asked
Director Comey for a real-life instance when ability to access data on a phone was
critical to rescuing an individual, he responded, I havent found one yet despite
canvassing state and local law enforcement for examples . Government has multiple options:
If information is encrypted in one place, it is often available from another source . For
example, emails or text messages on an encrypted phone can be retrieved from the email service provider or the
phone company. Many smartphones are backed up to the cloud, where the data can be obtained from the service
A2 Terror DA
Bad police work.
Hugo Zylberberg, Master in Public Policy candidate at Harvards Kennedy School
of Government, 3-12-2015, "The Return of the Crypto Wars," Kennedy School
Review, http://harvardkennedyschoolreview.com/the-return-of-the-crypto-wars/
if the intelligence agencies have it their way and win the Second Crypto Wars,
we are headed towards a post-Golden Age of Surveillance, with unprecedented
levels of eavesdropping (your TV, seriously?) and governments keeping records on everyone just in case.
Now
In addition to the scary resemblance that such a situation would have with Orwells 1984 or Huxleys Brave New
such easy access to our data records would prevent the police forces from
developing the investigative skills that they used to have. As Jonathan Zdziarski bluntly
puts it, Im all for getting some of the fat [cops] whove spent too much time
behind a desk back on the treadmill and out in the field . Indeed, we want the police
to have investigation skills so that they are able to catch the bad guys, even if they
dont use any wired stuff.
World,
A2 Terror DA
Obfuscation arms race
Meinrath & Vitka 2014
Sascha Meinrath is Director of X-Lab, Sean Vitka is Federal Policy Manager of the
Sunlight Foundation, Crypto War II Critical Studies in Media Communication Vol.
31, Iss. 2, 2014
These surveillance efforts have inspired a dramatic increase in the array of services
and applications that are encrypted end-to-end (Hern, 2013). This response from
privacy oriented constituencies is a response to both data discrimination and
government surveillanceand also indicates that we are entering a new online era
epitomized by a growing data-obfuscation arms race. Left unchecked, the relevant
surveillance mechanisms will shift from network-based to device-based. That is, one
can imagine a CALEA II that creates mandates that devices themselves integrate
mechanisms that enable surveillance. In essence, the hardware and software
integrated into our smart cars and homesand even our bodies themselveswill be
legally required to be insecure, to the financial benefit of parties seeking to control
our communications.
A2 Terror DA
Encryption is inevitable. Bad actors will have access inevitably.
Bankston,2015
Hearing on Encryption Technology and Possible U.S. Policy Responses Statement
of Kevin S. Bankston Policy Director of New Americas Open Technology Institute &
Co-Director of New Americas Cybersecurity Initiative Before the U.S. House of
Representatives Subcommittee on Information Technology of the Committee on
Oversight and Government Reform April 29, 2015
https://static.newamerica.org/attachments/2982-at-crypto-hearing-best-argumentsagainst-backdoor-mandates-come-from-members-of-congressthemselves/Bankston_Written_Testimony.5876d326c5fc4e0cbd17b59e8d53384f.pdf
4. It would not succeed at keeping bad actors from using unbreakable encryption .
Encryption technology and the ability to create it was already becoming widespread during the original Crypto
Wars,25 and at this point is nearly ubiquitous. And, as was true then ,
A government
mandate prohibiting U.S. companies from offering products or services with
unbreakable encryption is of little use when foreign companies can and will offer
more secure products and services, and when an independent coder anywhere on
the planet has the resources to create and distribute free tools for encrypting your
communications or the data stored on your mobile devices. As former Homeland Security
Secretary Michael Chertoff recently put it, [T]hat genie is not going back in the bott le.27
oppressive governments censorship regimes and allow for anonymous online browsing.26
Doctorow 14 (Cory Doctorow, Crypto wars redux: why the FBI's desire to
unlock your private life must be resisted, The Guardian, 10/9/14, Cory Doctorow is
an activist, science fiction author and co-editor of the blog Boing Boing,
http://www.theguardian.com/technology/2014/oct/09/crypto-wars-redux-why-thefbis-desire-to-unlock-your-private-life-must-be-resisted, 7/14/15 AV)
Eric Holder, the outgoing US attorney general, has joined the FBI and other law
enforcement agencies in calling for the security of all computer systems to be
fatally weakened. This isnt a new project the idea has been around since the early 1990s, when the NSA
classed all strong cryptography as a munition and regulated civilian use of it to ensure that they had the keys to
tabloid press will cause those cops successors to sell out access to the worlds computer systems, too, only the
numbers of people who are interested in these keys to the (United) Kingdom will be much larger, and theyll have
for having the odd conversation with your friends nor is it merely a tool for plotting crime though it does duty in
Your phone, and all the other computers in your life, they are your digital
nervous system. They know everything about you. They have cameras,
microphones, location sensors. You articulate your social graph to them, telling
them about all the people you know and how you know them. They are privy to
every conversation you have. They hold your logins and passwords for your bank
and your solicitors website; theyre used to chat to your therapist and the STI clinic
and your rabbi, priest or imam. That device tracker, confessor, memoir and ledger
should be designed so that it is as hard as possible to gain unauthorised access to.
both cases.
Because plumbing leaks at the seams, and houses leak at the doorframes, and lie-lows lose air through their valves.
Making something airtight is much easier if it doesnt have to also allow the air to all
leak out under the right circumstances. There is no such thing as a vulnerability in
technology that can only be used by nice people doing the right thing in accord with
the rule of law. The existing back doors in network switches, mandated under US
laws such as CALEA, have become the go-to weak-spot for cyberwar and industrial
espionage. It was Googles lawful interception backdoor that let the Chinese
government raid the Gmail account of dissidents. It was the lawful interception
backdoor in Greeces national telephone switches that let someone identity still unknown
listen in on the Greek Parliament and prime minister during a sensitive part of the
2005 Olympic bid (someone did the same thing the next year in Italy). The most shocking
Snowden revelation wasnt the mass spying (we already knew about that, thanks to whistleblowers
like Mark Klein, who spilled the beans in 2005). It was the fact that the UK and US spy agencies
were dumping $250,000,000/year into sabotaging operating systems, hardware,
and standards, to ensure that they could always get inside them if they wanted to.
The reason this was so shocking was that these spies were notionally doing this in
the name of national security but they were dooming everyone in the nation (and
in every other nation) to using products that had been deliberately left vulnerable to
attack by anyone who independently discovered the sabotage. There is only one
way to make the citizens of the digital age secure, and that is to give them systems
designed to lock out everyone except their owners. The police have never had the power to
listen in on every conversation, to spy upon every interaction. No system that can only sustain itself by arrogating
these powers can possibly be called just.
A2 T Surveillance
Meinrath & Vitka 2014
Sascha Meinrath is Director of X-Lab, Sean Vitka is Federal Policy Manager of the
Sunlight Foundation, Crypto War II Critical Studies in Media Communication Vol.
31, Iss. 2, 2014
In a world where surveillance capabilities are increasingly baked into the fabric of
the internet's architecture, end-to-end encryption is a last line of defense . The
knowledge that everyone's data is susceptible to sweeping government surveillance is pushing more people,
companies, and organizations to use additional measures to secure their information (Robinson, 2013). But these
measures may soon become the casualty of bad policymaking and over-exuberant law enforcement mandates.
Internet service providers are increasingly focused on prioritizing certain internet traffic and degrading specific
services and applications (Brodkin, 2014). Previously, open internet rules stopped providers from degrading peer-topeer traffic, but those rules were thrown out in 2014 when the D.C. Circuit Court of Appeals ruled against the
Federal Communications Commission (FCC) (Zajac & Shields, 2014). The court found that the FCC had failed to
promulgate net neutrality regulations under the proper legal framework. Without net neutrality, network
treat personal encryption as a target and sometimes go so far as to depict opponents of surveillance as anti-social
agitators (Brooks, 2013).
The
argument was familiar: law enforcement felt it needed to be able to access
communications to ensure public safety and national security. Even today, the NSA
views the use of encryption as a targetable offense (Goodin, 2013). While the
government eventually lost Crypto War I, the Snowden files document a massive,
secret conspiracy to undermine strong encryption by introducing back doors into
numerous hardware and software products that has persisted since that defeat
battle) and, finally, that a third party keep backdoor keys in escrow in case the government needed them.
(Simonite, 2013).
A2 Circumvention
Assange, 2012
look at the Blackberry phone for example, it has a built-in encryption system for use within the Blackberry network.
Research In Motion, the Canadian company that runs it, can decrypt the traffic of regular users and it has data
centers in Canada and the UK, at least, and so the Anglo-American intelligence sharing alliance can get at the
Western
governments were fine with this until it spread beyond corporations and to
individuals, and then we saw exactly the same hostile political reactions as we saw in Mubaraks Egypt.65 I
think that the only effective defense against the coming surveillance
dystopia is one where you take steps yourself to safeguard your privacy,
because theres no incentive for self-restraint by the people that have the
capacity to intercept everything. A historical analogy could be how people
learned that they should wash their hands. That required the germ theory of disease
to be established and then popularized, and for paranoia to be instilled about the
spread of disease via invisible stuff on your hands that you cant see, just as you
cant see mass interception. Once there was enough understanding, soap
manufacturers produced products that people consumed to relieve their fear. Its
necessary to install fear in to people so they understand the problem before they
will create enough demand to solve the problem.
worlds Blackberry to Blackberry communications. But big companies are using it in more secure ways.
Plan Popular
The plan is popular, backdoors are a non-starter in Congress.
Geller, 2015
Eric Geller, Deputy Morning Editor, The Daily Dot, 7-10-2015, "The rise of the new
Crypto War," Daily Dot, http://www.dailydot.com/politics/encryption-crypto-warjames-comey-fbi-privacy/
Still, there might be other ways to mandate backdoors in practice without writing a law that did so explicitly, though
security experts werent sure what such a mandate would look like. They noted that the
FBI has been careful to avoid suggesting it wants such a mandate; instead , it has suggested that it
hopes the tech industry will come around of its own volition . Given the rhetoric from
companies like Appleand the peer pressure that the loudest voices implicitly exert on the quieter ones
voluntary industry cooperation seems unlikely. It is also unclear whether there is an
appetite in Congress for taking any action on this issue. The offices of Senate Majority Leader
Mitch McConnell (R-Ky.) and Minority Leader Harry Reid (D-Nev.) did not respond to requests for
comment about the tech companies May 19 anti-backdoors letter. Theres no
official proposal or request or anything in front of Congress, Rep. Hurd said. I think
anybody whos even entertaining this idea recognizes that this is a non-starter.
A2 XO CP
The executive does not solve perceptually less trusted.
Fidler 2014
Mailyn Fidler, Marshall Scholar, Department of Politics and International Relations
May 2014 Anarchy or Regulation: Controlling the Global Trade In Zero-Day
Vulnerabilities A Thesis Submitted To The Interschool Honors Program in
International Security Studies, Center for International Security and Cooperation,
Freeman Spogli Institute for International Studies, Stanford University
https://decryptedmatrix.com/wp-content/uploads/2014/06/Fidler-Zero-DayVulnerability-Thesis.pdf
executive branch oversight can be opaque, and it may not increase public
trust in how zero-days are handled. Oversight of U.S. government use and
procurement of zero-days also has no international reach . It cannot address actions of graymarket buyers and sellers beyond U.S. borders. The zero-day market is manifestly a global
problem, and the United States would have no guarantee that allies or foes would
follow U.S. restraint.441 The next chapter will address this weakness of domestic mechanisms, investigating
However,
the prospects for international strategies to control the zero-day vulnerability trade.
Neg
technologies and policies to implement that control. The 1990s view of cyberspace as a global commons 2
foreclosed some policy options for cybersecurity.
Nation-states are defining their borders in cyberspace and will now move to
they simply did not exercise them. In the last few years, nations have discovered that they can, in fact, extend their
sovereign control into cyberspace. The reason: cyberspace is a physical, man-made creation, not a natural domain.
It is created by an assembly of interconnected computers. The speed at which these computers connect gave the
national territory are still subject to the jurisdiction of some nation. Cyberspace has borders within which nations
supportive of a largely unregulated space dominated by the private interests and the political and cultural norms of
a few countries). The Internet will be no more balkanized than any physical terrain is now. We are unaccustomed to
the exercise of sovereign control in cyberspace; once such control is in place, clearly the Internet and its users will
adjust. What nations do within their own territories and on the networks and infrastructures located within those
territories is their own business, subject to their international commitments on interstate relations and human
this weakness, and governments are seeking to exercise their responsibilities for public safety and national security
purposes. The second is the discomfort with the implicit extension of American norms and values across
cyberspace. Cyberspace was shaped and governed by American beliefs, particularly on the freedom of speech (and
governments were largely absent and where private actors exercised control been able to deliver security, the
intelligence agencies are formidable opponents, employing thousands of people and spending hundreds of millions
of dollars to penetrate online defenses. They have decades of experience and have access to sophisticated
technologiesnot just supercomputers unavailable to the private sector. They are also not bound by the laws of
their foreign targets.
That the
United States faces intractable opponents has serious implications for policy . This
situation was not anticipated by the American designers of the Internet and poses
unanticipated problems for security and for governance . The political foundation of cyberspace
spies do not need a black market to find flaws or use supply chain attacks to build in backdoors.
reflects the thinking of the 1990s about the future of international relations: the end of inter-state conflict and
borders, a globalized economy based on shared political values, the decline of the Westphalian state, and the belief
Politics Link
Congress is more likely to support law enforcement.
Meinrath & Vitka 2014
Sascha Meinrath is Director of X-Lab, Sean Vitka is Federal Policy Manager of the
Sunlight Foundation, Crypto War II Critical Studies in Media Communication Vol.
31, Iss. 2, 2014
Such battles are likely to migrate to one of the most powerful, and least prepared,
venues for technological debate on the planetthe U.S. Congress. Within this arena,
law enforcements influence is more powerful. The consistent argument is that
encryption and anonymity endanger society (Clapper, 2013). With this new
corporate interest, industry lobbyists will simultaneously argue that encryption is
undermining their intellectual property and other business interests, and that users
freely accept surveillance via the purchase of their products and use of their
applications. Their narrative regarding consumer discontent is that unhappy users
could always vote with their feet and switch providers.
XO CP
Geller, 2015
Eric Geller, Deputy Morning Editor, The Daily Dot, 7-10-2015, "The rise of the new
Crypto War," Daily Dot, http://www.dailydot.com/politics/encryption-crypto-warjames-comey-fbi-privacy/
As Comey, Rogers, and other national-security officials campaign for backdoors, one
important voice has been largely absent from the debate. I lean probably further in the
direction of strong encryption than some do inside of law enforcement, President Barack Obama told Recodes Kara
Swisher on Feb. 15, shortly after Obama spoke at the White House summit on cybersecurity and consumer
civil libertarians who were encouraged by his historic 2008 election and disappointed by his subsequent embrace of
the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage. The report also
warned of serious economic repercussions for American businesses resulting from a growing distrust of their
capacity to guarantee the privacy of their international users. It was a general warning about the use of electronic
surveillance, but it nevertheless applies to the potential fallout from a backdoor mandate. The White Houses own
reports on cybersecurity and consumer privacy suggest that the president generally supports the use of encryption.
To the extent that youve heard anything from the White House and from the president, its in favor of making sure
that we have strong encryption and that were building secure, trustworthy systems, said Weitzner, who advised
Obama as U.S. deputy chief technology officer for Internet policy from 2011 to 2012. Weitzner pointed out that the
president had subtly quashed a push for backdoors by the previous FBI director, Robert Mueller. Mueller hoped that
the administration would end up supporting a very substantial [Internet-focused] expansion of CALEA, Weitzner
said. That didnt happen, and despite the fact that you had the FBI director come out very strongly saying
[criminals] were going dark, the administration never took a position as a whole in support of that kind of statutory
amount of independence when theyre out in the public-policy debate advocating for whatever they think is
Weitzner said that Obama may also be waiting until the latest round of the Crypto Wars has progressed further.
The White House tends to get involved in debates once theyve matured , he said. If
you jump in on everything right up front, the volume can become unmanageable. I know that theres a lot of