Q&A with authors of The Real Cyber War

PowersF14Shawn Powers and Michael Jablonski are the authors of The Real Cyber War:  The Political Economy of Internet Freedom.

Q: When the phrase “cyber war” is used, is the rhetoric designed to describe the internet as a theater of war: a place where hackers attack people and institutions?

Shawn Powers & Michael Jabolonski: John Arquilla and David Ronfeldt proposed the term “cyber war” in 1993 as a reference to the extension of military strategy and conflict into the realm of electronic networks, or more simply, the use of the internet for various forms of covert, forceful attack. Thus, it is often associated with “hackers,” and conjures images of computer-based attacks on parts of a nation’s critical infrastructure, corporations and political institutions. While cybercriminals may be he most visible soldiers in this conflict, from our perspective, they are secondary.

The Real Cyber War argues that publicized hacks, from the alleged North Korean attack on Sony, to China’s infamous heist of Google’s intellectual property, represent a small element of a broader on-going state-centered battle for information resources. Of course, this real cyber war between states is not new; it is as old as the systematic transfer of information across borders. From the invention of the postal service, to the laying of international telegraph and telephone wires, to the rise of international broadcasting, to the modern day roll out of internet and mobile infrastructure, states have been preoccupied with how to leverage information systems for political, economic, and social power.

We suggest a broader conceptualization of cyber war as the utilization of digital networks for geopolitical purposes, including covert attacks against another state’s electronic systems, but also, and more importantly, the variety of ways the internet is used to further a state’s economic and military agendas. In addition to covert attacks, the internet, and the rules that govern it, shape political opinions, consumer habits, cultural mores and values. Unlike revolutionary communication technologies before it, the internet has the potential to be truly global, interoperable and interactive, thus magnifying its significance.

Despite so much popular attention to these issues, until now, scholarly literature failed to offer a systematic and comparative approach to analyzing the political economy of internet policies. Such an approach makes clear that efforts to create a singular, universal internet built upon Western legal, political and social preferences alongside a “freedom to connect” is driven primarily by economic and geopolitical motivations rather than the humanitarian and democratic ideals that typically accompany related policy discourse. This ubiquitous connectivity movement, led by the US government with the support of many powerful private sector and non-government actors, has rich historical roots and is deeply intertwined with broader efforts to structure global society in ways that favor Western cultures, economies, and governments. Thus, debates over the rules and norms guiding emerging internet policies have emerged as critical sites for geopolitical contest between major international actors, the results of which will shape 21st century statecraft and conflict.

Q: In the book you write that the “real cyber war” between states is not new.  How far does this conflict go back?

Powers & Jabolonski: Control over information flows is central to any state’s longevity. Here, “control” goes beyond regulating (or censoring) information to include the variety of ways governments use various policy and technological instruments to manipulate access to; cost, comprehension, relevance, and value of; and the norms of use surrounding particular bits of information. For example, failure to effectively assert control over printing press technologies facilitated the rise of nation-states through the growth and perfection of local languages, knowledge and history. But these nation-states did not emerge out of thin-air. Rather, they were formed from existing institutions and political actors, eager to exploit new technologies. In the early 20th century, pirate radio emerged, challenging state control over information flows. Unlike the printing press, it was effectively regulated and quickly became a critical tool of statecraft during World War II, and again during the Cold War. Strategic actors have always used control over information flows as a means of exercising power.

In the West, these “controls” are typically framed in the context of freedom expression, protection of intellectual property rights and national security. Foreign policies enacted in non-Western states to better monitor or control the flow of information are oftentimes characterized as efforts at state censorship, anti-democratic and contrary to fundamental human rights codified in international law. Heavy-handed efforts by China, Iran, and Russia, for example, to create state-level information infrastructures are contrasted to “internet freedom.” This framing is, of course, strategic. Portraying efforts to control the flow of information via crude policy mechanisms as censorship normalizes the status quo, portraying the existing communications infrastructures and policies as preserving the global citizen’s freedom to connect.

In reality, all states enact policies to preserve sovereignty, and the emergence of the Information Age and knowledge-based societies requires greater control of information to preserve government legitimation and power projection. In the 1980s and 1990s, the United States, the birthplace of the internet, benefited from a first-mover advantage, establishing the Global Information Infrastructure, driving the Telecommunications Annex to the GATTs Agreement and, for a time, dominating the ascendance of a global, information and data-driven economy. As a result, the US, often through its private sector, drove the information technology policy agenda at the global level. The debates surrounding the 2012 World Conference on International Telecommunications (WCIT) and 2014 NetMundial meeting, both discussed throughout the book, reflect the growing significance and tensions around a foundational and unresolved question in international communication: to what extent should states act to manage the flow of information within their sovereign territory?

Q: Does the “freedom to connect” movement seek to open up the internet to all people? Or does this strategy leave some people behind?

Powers & Jabolonski: While many researchers, politicians, and organizations trumpet the economic benefits of internet connectivity, its import and affect will not be universally enjoyed. In highly developed countries, there is little doubt that connectivity is likely to increase economic productivity and reduce inefficiencies. This is largely attributable to the fact that developed economies are primed to incorporate internet-based services and technology to support existing institutions, organizations, and infrastructure.

The impact of connectivity on the least-developed countries is not necessarily associated with similar trends. Economist Eli Noam argues that improved access to the internet—solving the so-called “digital divide”—could exaggerate the global rich-poor gap. Noting that developing countries only account for 5 percent of commercial websites and receive only 2.4 percent of world internet revenues, Noam predicts that as connectivity increases, “twelve countries will account for almost 85 percent of e-commerce and eight countries will account for 80 percent of e-content.”

This is because e-commerce, and internet-based goods and services, operate on strong economies of scale. Like the telecommunications industry before it, internet industries deviate from several underlying assumptions of perfect market economics in crucial ways. For example, the fixed costs of e-commerce operations are high, resulting in high barriers to entry for new competitors. At the same time, the marginal cost of spreading the service to the world is incredibly low, and can be implemented incredibly fast. Once successfully tested in a sample market, services and products are relatively easy to scale up to broader, transnational markets. Further, on the demand side, there are clear positive network externalities associate with larger user communities, resulting in huge advantages to being large. These three attributes are commonly observed surrounding so-called “natural” monopolies.

Thus, as governments and transnational corporations work furiously to wire the world, increasing connectivity and data transmission speeds, they create “the highways and instrumentalities for rich countries to sell to poor countries.” As a result, “on the internet, the net cash flow flows from the developing South to the developed North.”

Freedom to connect, as a concept, states that everyone has the right to be online. Right is not synonymous with ability. Put another way, exercising your freedom to connect will cost you time and money. To a large extent the “freedom to connect” is a marketing slogan. Hardware, software, cabling, satellites, and literacy are necessary before anyone can enjoy a productive experience online. Purchasing the requisite technology and cultivating sufficient skills, even when subsidized by Western governments and corporations, materially benefits Western companies that manufacture, hardware, software, and content online. This isn’t meant to diminish the importance of gaining access to the Web—some marketing is a good thing, after all—but we do highlight the uneven benefits that result from growing global connectivity. Solving the “digital divide” will only worsen the growing, global, rich-poor gap.

Q: Does the “market dominance” of US internet companies impact efforts to secure cyberspace?

Powers & Jabolonski: This question begs another, less discussed query: protect cyberspace from whom? In the US, cyber security is typically framed in terms of foreign threats. But securing the Web is also about securing user personal information, email communications, search queries, and so on. In other parts of the world, Germany in particular, cyber security isn’t simply about protecting networked communications from hackers, but also from unauthorized government surveillance. In fact, documents leaked by Edward Snowden show that NSA surveillance is simply the first step towards exploiting security weaknesses and disrupting enemy computer systems. From our perspective, cyber security is as much about securing data from foreign hackers as it is from governments around the world. If data is vulnerable to capture from any party, it is vulnerable to all.

It is worth noting that US market dominance in this sector is increasingly challenged by China, which boasts 4 of the top 10 internet companies in the world. Yet, despite Asia’s emerging strength in the technology sector, the fact that the world’s largest internet companies are based in the US and China—two governments known to have a keen interest in actively surveilling global communications—does not bode well for the future of cyber security.

We know, for example, that the NSA (along with Britain’s GCHQ) has already found workarounds to commercial encryption technologies, including VPNs, TLS/SSL, https, SSH, IPSEC, encrypted chat and the protective layer used in 4G smartphones. According a 2010 memo outlining the accomplishments of NSA’s BULLRUN program, “In recent years there has been an aggressive effort, led by the NSA, to make major improvements in defeating network security and privacy involving multiple sources and methods….Cryptanalytic capabilities are now coming online. Vast amounts of encrypted internet data which have up till now been discarded are now exploitable.”

Efforts to defeat encryption go beyond breaking into major service provider systems and de-encrypting known security protocols. They also include “actively engag[ing] the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them more exploitable, including working with chipmakers to build in backdoors into their hardware. According to a 2013 budget request, the NSA’s SIGINT Enabling Project leverages industry relationships, conducts clandestine operations and lobbies professional and government organizations to “covertly influence” encryption technologies around the world. In one case, the NSA persuaded a leading technology manufacturer to insert a back door into its hardware before it was shipped for use by a foreign government. A 2013 internal report bragged about the NSA’s accomplishments, highlighting successes in “deliberately weakening the international encryption standards adopted by developers.” Classified documents confirm that the agency deliberately engineered a fatal weakness of modern encryption standards, discovered by Microsoft researchers in 2007. According to Heninger and Halderman, “there is now credible evidence that the NSA has pushed NIST, in at least one case, to canonize an inferior algorithm designed with a backdoor for NSA use. Dozens of companies implemented the standardized algorithm in their software, which means that the NSA could potentially get around security software on millions of computers worldwide.”

Surveillance represents a far bigger threat to cyber security than market dominance, though the two are related. US technology companies may be more vulnerable to the various legal instruments and policy mechanisms law enforcement and intelligence agencies use to require disclosure of private and confidential information. But moving abroad isn’t necessarily a solution. Foreign governments are also experienced in compelling internet companies to share private user information. And the NSA’s reach is global, as is demonstrated by its tapping directly into the fabric of our global communication networks without permission or warrant.

Q: Do recent rulings on Net Neutrality have a bearing on the state-run technology policy agenda?

Powers & Jabolonski: From the perspective of an average user of the Web, the Federal Communication Commission’s (FCC) recent vote to implement strong net neutrality regulations is crucial to continued innovation online. Despite industry claims to the contrary, net neutrality will not slow investment in internet infrastructure, as is shown by Comcast’s decision to rollout Gigabit Pro—a 2 Gigabit fiber-to-the-home service—after the FCC’s regulations were finalized.

However, from an international/normative perspective, the policy shift reflects a growing trend towards the legitimation of information sovereignty (chapter 6 of The Real Cyber War), or state authority to control information flows within its territory. Here again, control is broadly conceived and asserted in a variety of ways: blocking and filtering; cyberattacks against critics; laws restricting political, religious, or social speech; paid pro-government commentators to online discussions; physical attacks against critics; surveillance; takedown requests and forced deletion of content; blanket blocking of social media and other ICT platforms; intermediary liability; throttling or shutting down internet and mobile service; data localization requirements; and structuring industry-government relations in order to maximize state preferences in privately operated communications systems.

Increasingly, both democratic and non-democratic governments are exploring ways to control access to the internet without losing legitimacy and, ultimately, power. In one camp are governments who boldly proclaim their rights to have unquestioned control over information flows either entering or remaining within their geographical territory. China, Iran, Pakistan, Russia, Syria and Turkey constitute prominent examples of this group, though there are many more, including India, Saudi Arabia, the UAE. Other governments, while less explicit, inch towards greater authority over domestic information flows. For example, despite widespread outrage over the Edward Snowden’s-surveillance revelations, in December 2014, France enacted legislation extending powers to access or record telephone conversations, e-mail, internet activity, personal location data, and other electronic communications. The new law expands surveillance for a range of purposes, including national security, the protection of French scientific and economical assets, and preventing terrorism or criminality, while providing no mechanism for judicial oversight.

From the international perspective, the FCC’s net neutrality ruling is yet another example of a central government asserting authority over the rules governing information flows. While the particular regulation in question is content-neutral, and distinct from censorship, other governments will point to the FCC’s policy as precedent in justifying their own efforts to control domestic information sectors. The ‘content-neutral’ legal distinction historically used in the US legal system as a way of smoothing over the tension between information policy and the first amendment doesn’t translate well into international law.

This is not to say net neutrality is a bad thing. For far too long, Americans have been locked into thinking about information policy in terms of freedom of expression vs. censorship, with almost no grey area in between. This stance, as is stated earlier, is both strategic, and held by a minority of the global citizenry. Rather, it is time to revisit a central question at the center of debates over internet freedom: What authority and responsibility do states have to manage the flow of information into and within their sovereign borders? Current international law is simply too vague and disconnected from existing practice. It is time for us to revisit this question in order to establish shared standards for information regulation among governments that allow for speech protections, checks and balances, and regulatory accountability, while also providing sufficient flexibility to meet the varied needs of governmental actors aiming to prevent crimes online.

 


About michael

Marketing & Sales Manager since 2012