U.S. on CyberSecurity: Rules for Them, not Us

War and Peace

There’s been quite a bit of chatter lately concerning cyberspace and security: China and Google are at it again after some White House staffer’s Gmail accounts were hacked; the U.S. Pentagon officially declared that a cyberattack on U.S. infrastructure would be grounds for real war; and last month, Michael Posner, the U.S. assistant secretary of state for human rights, announced that the U.S. would allocate $30 million to fund new technology that would break Internet censorship in repressive regimes around the world.

Smack in the middle of all this cyber-commotion, the U.S. unleashed its new policy strategy for securing cyberspace on May 16th, 2011.

The policy paper, all-emcompassingly titled “International Strategy for Cyberspace,” is an ambitious plan of global cooperation laid out with seven basic goals to make the Internet safer, more reliable, and secure. Naturally, the first goal focuses on economic priorities and “promoting international standards and innovative, open markets.” Next is promoting security, law enforcement, and military preparation. And then the advancement of effective Internet governance, international development, and, lastly, supporting Internet freedom. These concerns are vastly important to the future of the world’s digital dealings and communications, and the U.S. administration is taking a bold step in laying out these “series of prescriptions,” as U.S. Secretary of State Hillary Clinton has called them.

But there is also a bit of “same as it ever was” underneath these recommendations. The double-standard-ness the U.S. has become known for in various parts of the world is present in this new policy. For instance, the U.S. wants an international framework to support freedom of expression and commerce via the Internet but then calls for denying those benefits to terrorists and criminals. How to parse the criminal from the citizen is not explained, and, due to the dizzying complexity of cyberspace, most likely impossible.

More generally, almost every U.S. speech and policy paper released since 2008 having to do with securing the Internet—from President Obama’s speeches in 2008 and May 2009, to Hillary Clinton’s Internet freedom speeches of January 2010 and February 2011, to comments on the Arab Spring—has seemed to have two major assumptions as their starting point: 1) that the U.S. is a major victim of cyber-shenanigans rather than a contributor to the problem and 2) that American cyber-activities abroad (espionage, theft, malicious activity, etc.) are legit while similar foreign cyber-acts in the U.S. are not. Neither assumption is accurate. And the U.S.’s adherence to these positions greatly affects its ability to cooperate internationally.

This latest Google hack by, reportedly, Chinese actors is a great example of assumption number one. People were manipulated when unknown Chinese hackers spoofed Google’s Gmail—or set up a fake login page. Information is stolen, the victim card is played. But, on the surface, there’s not a big difference in this act from the one announced on May 12 (linked above) from the U.S.’s Michael Posner. This combating Internet censorship initiative includes mining into foreign networks and “sling-shotting” content censored by a government (like China’s or Iran’s) back on to the web for users to find. This is all wonderful and causes feelings of good will, so the U.S. plays its benign card. But to a country like, say, China it’s still an example of the U.S. miring itself in other countries’ networks.

Furthering the assumptions above is the fact that the U.S. is one of the major sources of cyberattacks across the world. Its botnets—a web of infected “zombie” computers whose processing power and Internet connections are used to push spam and other malicious code around the globe—are some of the largest ever known, and very little has been done domestically about them. Even more, U.S. companies, like McAfee (the computer security firm) and Cisco (major technology company)—as well as a few Canadian companies—produce, distribute, and make a profit from selling censorship and filtering software to the governments of Bahrain, Saudi Arabia, Oman, Sudan, Kuwait, Yemen, and Syria (see here for more) with very little to no word from the U.S. government. And then since May 2010 the U.S.’s own Cyber Command has been operational and has what is purportedly some of the most sophisticated offensive cyber-weaponry available. How is the world supposed to meet the U.S.’s “prescriptions” for securing cyberspace when it itself refuses to make reciprocal compromises?

But even if the U.S. gave up some of its cyber-power in the name of an international mutual effort to secure the world’s digital infrastructure, a true cooperation would still be incredibly hard to achieve. The main issue is the attribution problem that is highlighted by this latest China/Google hack, where being able to pinpoint where, from whom, and why a cyber act was launched is nearly impossible. And then even if the perpetrator was found, the needle in the stack of needles, then real international law comes into play, as pointed out in this Reuters article. If the hackers are in China, there is no extradition treaty between them and the U.S. The problems here are many and complicated.

The other obstacle standing in the way of international cooperation is the fact that the majority of the real-world framework that allows people to get online (cables, towers, nuts, bolts, etc.) is owned by private companies. This is addressed in the U.S. policy paper at length and associated with words like “partnership” and “cooperation” between public and private entities. But the main issue here is that these private companies are going to walk the line between providing just enough security, but not so much that it slows things down. Online commerce is booming. In the U.S. alone, Internet advertising revenues hit the $7.3 billion mark for the first quarter of 2011 (Jan.-March), a 23% increase over the same quarter in 2010. To secure cyberspace is to slow that down, and my guess is you’d be hard pressed to find a company willing to kill that golden egg-laying goose.