When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 8 of 8)

•November 21, 2012

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

“A strange game, Dr. Falken. The only winning move is not to play.”

– the WOPR, WarGames (1983)

In the last post, we discussed various approaches to an international response to cyber-conflict, including arguments that an international effort is unnecessary or detrimental to U.S. interests. Each approach has its benefits and drawbacks, and none is comprehensive. Current international law is difficult to apply and subject to wide interpretation when it comes to cyber-attacks. Recognizing this, I have been trying to make a normative point with many of my prior posts, setting the stage for why a new framework is needed from the perspective of public policy.

In this eighth and final posting, I’d like to take the time to re-frame the problem more widely, demonstrating why more is needed to protect cyberspace and why a new perspective is necessary.

A Quest for Cyber Peace

In 2011, the International Telecommunication Union and the World Federation of Scientists published a joint report called The Quest for Cyber Peace.[i] No other approach to the problem of cyber-war is as comprehensive, as it unifies many of the theories and approaches outlined in the last post. More importantly, it establishes a needed ethical paradigm which helps to combat troublesome peripheral trends I just mentioned.

The authors of the ITU report argue that an essential notion is missing from most discussions of cyber-war: a concept of “cyber-peace.”[ii] Without a concept of peace, the issues become framed in the negative, “stimulating military thinking patterns” and hardening conceptions of the topic into a “mental automatism.”[iii] This is not an unknown idea in the theory of war,[iv] and it is a position I have been championing here. In an era where countries are increasingly setting up new military command centers in preparation for “cyber-war,” a positive notion of cyber-peace helps counterbalance and de-inflate those efforts.

Cyber peace is the idea of a “universal order of cyberspace.”[v] It views cyberspace as a place of tranquility, without disturbance, violence, or any other constraint by governments on people’s peaceful exchange of knowledge.[vi] Cyber peace resists the use of cyberspace as a tool for “diplomacy by other means”[vii] and other forms of exploitation.

The tenets of cyber-peace are well-supported by internationally endorsed norms, such as Article 19 of the Universal Declaration of Human Rights, which establishes “the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” It also inculcates the WSIS declaration that freedom to communicate is an “essential foundation” of society.

When viewed in this way, a sane and ethical position on many issues becomes clearer.

First, a defensive emphasis is needed—something I alluded to in the last posting. To accomplish this, every party in the global information network (vendors, private companies, international organizations, and governments) must equip themselves with resilient systems which are high in quality. They should be able to adapt and self-heal. International standards bodies must rigorously certify equipment and make standards information open and widely available.  To further promote this, nations should enter into mutual monitoring pacts and non-aggression treaties.[viii]

Complementary to this idea is recognizing that a defensive emphasis is not the same as a “deterrence” emphasis. A defensive emphasis is not our government’s current posture of defending by threat and counter-attack, because that posture only serves to inflame and escalate other countries to develop better methods of the same. Nations need to recognize that a strategy of deterrence does not work in cyberspace because the problems of attribution are too great and the risk of retaliation against the wrong target too high.[ix]

Next, the priority in any cyber-attack should be the quick restoration of peace and stability rather than attribution and counterattack. Thus, international law should be restrained in the face of calls to expand the Laws of Armed Conflict’s definition of war. Such a position equally views as unacceptable offensive attacks, preemptive attacks used for “defense,” countermeasures, or attacks used to enforce sanctions (like Stuxnet).

Finally, the notion of a peaceful cyberspace is expansive enough to transition beyond the concept of state-on-state cyberattacks to include a state’s attack on its own citizens. Recent trends in surveillance and surreptitious manipulation of the citizen’s computer and data have been very disturbing. These trends are part of what Cory Doctorow calls “a civil war on general purpose computing.” Several recent examples include FinSpy (a commercial cyber-espionage tool used by deposed Egyptian dictator Mubarak, among others); the German government’s “bundestrojan” (used by German police to conduct surveillance on citizens, with the complicity of several anti-virus software vendors to ensure it would not be discovered); and the Dutch government’s recent proposal to pass a law allowing police to install malware on citizens’ computers and even conduct remote searches on foreign computers.

The Erice Declaration on Principles for Cyber Stability and Cyber Peace[x]

For your perusal, I have included the Erice Declaration below, which has been adopted by the ITU as part of its recommendations:

1. All governments should recognize that international law guarantees individuals the free flow of information and ideas; these guarantees also apply to cyberspace. Restrictions should only be as necessary and accompanied by a process for legal review.

2. All countries should work together to develop a common code of cyber conduct and harmonized global legal framework, including procedural provisions regarding investigative assistance and cooperation that respects privacy and human rights. All governments, service providers, and users should support international law enforcement efforts against cyber criminals.

3. All users, service providers, and governments should work to ensure that cyberspace is not used in any way that would result in the exploitation of users, particularly the young and defenseless, through violence or degradation.

4. Governments, organizations, and the private sector, including individuals, should implement and maintain comprehensive security programs based upon internationally accepted best practices and standards and utilizing privacy and security technologies.

5. Software and hardware developers should strive to develop secure technologies that promote resiliency and resist vulnerabilities.

6. Governments should actively participate in United Nations’ efforts to promote global cyber security and cyber peace and to avoid the use of cyberspace for conflict.

My Own Position

Nations have used international law to outlaw biological and chemical weapons, signed nuclear non-proliferation pacts, and banned the weaponization of space. It is similarly important that we turn our minds toward a new paradigm for cyberspace—one which describes the legal and ethical principles that would undergird a peaceful rather than a war-like cyberspace.

We should do this not merely because of cyber-war’s possible dire consequences or so that cyberattacks will not escalate into a real war, but because the Internet is exactly that – a network which exists because of a desire to interconnect and break down barriers to communication, not to make attacks easier. Thus, cyberspace is a place owned by all nations. All breaches of it should be unlawful; no unlawful act by one party should justify a complementary response by another.

As the WOPR (War Operations Planned Response) computer in the movie WarGames finally recognized after simulating the outcome of every possible attack scenario, only by holding fast to a notion of cyber-peace can we “win.”


[i] Dr. Hamadoun I. Touré, SECRETARY-GENERAL OF THE INTERNATIONAL TELECOMMUNICATION UNION, ET AL., THE QUEST FOR CYBER PEACE (2011), available at http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.01-1-2011-PDF-E.pdf.

[ii] Id. at 77.

[iii] Id.

[iv] See, e.g., Paul Goodman, A Causerie at the Military-Industrial (Oct., 1967).

[v] Id. at 78.

[vi] Id. at 78.

[vii] Carl von Clausewitz.

[viii] Id. at 84.

[ix] Id. at 96-97.

[x] Erice Declaration on Principles for Cyber Stability and Cyber Peace, World Federation of Scientists, Aug. 2009, www.ewi.info/system/files/Erice.pdf (drafted by the Permanent Monitoring Panel on Information Security of the World Federation of Scientists (WFS), Geneva, and adopted at the 42nd Session of the International Seminars on Planetary Emergencies in Erice (Sicily) on August 20, 2009).

When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 7 of 8)

•November 19, 2012

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

Hopefully, by now it is clear my own position is that the increasing use of cyber-weaponry will inevitably lead to escalation of capabilities and tactics, to the extreme detriment of human life in general. If one indeed accepts that conclusion (and not all do), what is to be done about it? Not all nations agree that the Laws of Armed Conflict we discussed in Post #2 are applicable; and, as previously noted, the U.S. seems happy to threaten to invoke the self-defense doctrine while at the same time instigating a cyber-attack when it suits our purposes.[i] Many scholars and diplomats argue that a much stronger understanding of the constraints and penalties for nation-state involvement in cyber-attacks needs to be developed. This posting will review some of those approaches, including several arguments against any international legal regime.

A Defense-Emphasis

As previously noted, militaries the world over have an approach toward cyber-attack that emphasizes offensive tactics over defensive ones, resulting in a bias toward building offensive cyber-weaponry over defensive capabilities. Several parties have noted that many of the problems of aggression in cyberspace—attribution and escalation, for example—can be minimized by an increased emphasis on defensive tactics. The first approach, then, is less a legal stance than a practical one; however, it has the advantage of demonstrating a useful principle that will become more important in the next posting.

Security expert Bruce Schneier, for example, has long advocated a posture of reasonable defensive countermeasures. The key to a proper defense, in Schneier’s view, is in open access to security protocols and systems. Today, vendors approach security with the view that maintaining secrecy in security implementations protects them. According to Schneier and others, systems vendors should be more open in detailing how they implement security procedures and key technical details. This allows security researchers to examine the vulnerability of these systems and alert the vendors to weaknesses. Schneier also believes that a rational response to genuine risks in cyberspace is essential—without fear-mongering and saber-rattling—along with improved international cooperation and treaties.[ii]

Schneier’s view is shared by computer expert Peter G. Neumann, who blames the fundamental architecture of the computer operating systems and networks which make up the Internet for many security risks.[iii] The greater defensive posture he recommends is to redesign computer architectures with a “clean slate.”[iv] While he acknowledges that this effort will take years, there is no reason not to start.[v] What has made systems security so bad is that private industry has had little motivation to adopt a security-oriented mindset, even reintroducing fundamental vulnerabilities such as the “buffer overrun” (widely used by malware) into architectures decades after approaches had been developed to ensure against them.[vi] Such efforts in defensive redesign are much more important than building further weapons to exploit vulnerabilities.

A Crime Under the “Law of Aggression”?

One possible formal approach is to punish cyber-attacks under international law using the new “Law of Aggression.” In 2010, the International Criminal Court (ICC) formally defined the crime of “aggression” and gave the ICC jurisdiction over the crime.[vii] The definition states, in pertinent part, that the crime of aggression is

the planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.[viii]

It is conceivable that this new criminal jurisdiction could serve as an important mechanism for enforcing penalties against aggressive cyber-acts such as Stuxnet.

However, there are several reasons why it is unlikely the new crime will be applied to cyber-attacks. First, jurisdiction is specifically excluded for non-state actors even when committed by a state’s citizens or from within their territory.[ix] Second, the U.N. Security Council controls the assessment of when an act of aggression has occurred.[x] Since many of the nations on the U.N. Security Council are themselves heavily involved in cyber-attacks, including the United States, Russia, and China, it is difficult to see how or when these nations would unanimously recommend an act to the ICC for prosecution. Finally, the act of aggression must be a violation of the U.N. Charter—meaning that it circularly refers back to the same imprecise and heavily-debated U.N. Charter definition of “armed force” discussed in Post #2.[xi]

An “International Law for Information Operations”

One commentator asserts the difficulty of applying the Laws of War to cyberspace by analogy and recommends the formation of an entirely new law of “Information Operations” or ILIO.[xii] By expanding and clarifying definitions, the ILIO could provide guidance on the types of cyber-force that are prohibited, including an understanding of what types of civilian targeting would violate jus in bello principles.[xiii]

The author acknowledges that the major stumbling block to a new body of international law is getting parties to the table to negotiate, when the larger players already have begun offensive operations in cyberspace.[xiv] Another problem is how a set of standards would be implemented—e.g., as a treaty or as self-governing rules—and who would take the initial normative step of first adopting them.[xv] Even with these drawbacks, however, parts of the proposed ILIO have much to recommend them.

Resistance to the Idea of an International Law of Cyber-war

Perhaps unsurprisingly, not everyone agrees that international law is the way to proceed, even if they accept the premise that cyber-attacks are de facto detrimental (unlike the U.S. and several foreign governments).

One critic of international agreements argues that an international law of cyberspace is extremely unlikely and probably detrimental to U.S. interests.[xvi] It is unlikely because “asymmetries” between the values of U.S. targets and those of other countries mean that those countries would never agree to negotiate. It is detrimental because the difficulties of attribution would mean that many nations would continue to attack in cyberspace surreptitiously regardless of whether they signed treaties.

Instead, he argues that the U.S. should create its own framework by publishing a list of cyber-assets along with a strong warning that anyone who attacks those targets will be subject to military attack.[xvii] This approach, in fact, turns out to be very similar to the current US position, without the comprehensive list of war-causing targets. He also advocates that “The American framework should remove the distinction between state and non-state actors where culpability is at issue.  If the United States can present prima facie evidence that a foreign nation had any knowledge of the actions of individual hackers or a cyber militia group in an attack on U.S. assets, the United States should reserve the right to make an equivocal response and seek legal recourse.”[xviii] In short, he claims that the US should use its “big stick” to incentivize states to control their hackers and cyber militias.[xix]

A better argument against such treaties is put forth by Thomas Rid. He postulates that any such attempt to limit cyber-weapons will end up restricting valid political activity in cyberspace.[xx] Such agreements and laws will often be construed widely by governments to target hacktivist activity and other forms of legitimate dissent. This worry is not without precedent: the U.S. Patriot Act’s stated purpose was to improve the FBI’s access to banking and other records in order to help combat terrorism. However, it has been used only 39 times out of over 400 to prosecute crimes related to terrorism; the other prosecutions have been brought for run-of-the-mill crimes. In addition to the standard arguments of difficulty verifying compliance and attribution, Rid argues that the risk of overreaching governments makes the pursuit of cyberarms control agreements dangerous and, ultimately, pointless.[xxi]

Next Time

Next time, in my last post, we will look at what I consider to be the most comprehensive and promising effort to avoid permanent, harmful cyber-war.


[i] To a certain extent, this emerges from our military’s current belief that we are the “world leader” in cyberweapons.  One wonders if the attitude would change if we lost our position of superiority.

[ii] See BRUCE SCHNEIER, LIARS AND OUTLIERS (2012).

[iii] John Markoff, Killing the Computer to Save It, N.Y. TIMES (Oct. 29, 2012), http://www.nytimes.com/2012/10/30/science/rethinking-the-computer-at-80.html?pagewanted=1&_r=2.

[iv] Id.

[v] Id.

[vi] Id.

[vii] Int’l Criminal Court [ICC], Assembly of State Parties, Review Conference, the Crime of Aggression, ICC Doc. RC/Res. 6, art. 8 bis (June 11, 2010).

[viii] Id. art. 15 bis.

[ix] Id. art. 15(5) bis.

[x] Id.

[xi] See U.N. Charter, Art. 2(4).

[xii] Duncan B. Hollis, Why States Need an International Law for Information Operations, 11 LEWIS & CLARK L. Rev. 1023, 1023 (2007).

[xiii] See id. at 1040-48.

[xiv] See id. at 1058-61.

[xv] Id. at 1059-60.

[xvi] Lawrence L. Muir, Jr., The Case Against an International Cyber Warfare Convention, 2 WAKE FOREST L. REV. ONLINE 5 (2011), available at http://wakeforestlawreview.com/the-case-against-an-international-cyber-warfare-convention.

[xvii] Id.

[xviii] Id.

[xix] Id.

[xx] Thomas Rid, Think Again: Cyberwar, FOREIGN POLICY (March/April 2012),  http://www.foreignpolicy.com/articles/2012/02/27/cyberwar?page=0,5.

[xxi] Id.

Cyber Attacks Have Legal Consequences? – An introduction to some of the national and international legal issues surrounding cyber-offensives.

•November 18, 2012

Many of the posts in the last few months, including the most recent, have centered on the use, by Nation-States, of viruses and other cyberspace-centered technology.[1] This post assumes that the reader has read those posts and is at least familiar with the technology as well as its capabilities and recent uses by Nation-States. This post will focus mostly on the legal issues that arise with the use and defense of technological “attacks” by Nation-States against each other.

It should be evident from reading the recent posts on this blog that the use of viruses and other types of “technological attacks” can have devastating effects on the operation of vital military and civil targets and infrastructure. The United States Defense Secretary has said that intelligence has shown an increase in cyber threats and that, “A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” and that type of “cyber terrorist attack could paralyze the nation.”[2] What may not be clear from the recent posts are the legal issues that arise out of the use of, and defense of, cyber attacks by Nation-States.

The legal issues that arise center on two distinct planes: the first is the depth created from the balancing of national and international laws, and the second is the different legal issues that arise depending on whether the action is an “attack” or in defense of “an attack.” Putting these two planes together, we are presented with four legal quadrants that interact with each other.

Beginning with the “national level defense of an attack” quadrant, the Defense Department is trying to ensure that there is a balance between the rights of citizens and the defense against cyber attacks. The Department of Defense has realized that there must be more than pure improved defense in order to prevent a cyber attack. With that information in mind, the Department of Defense is finalizing a change, the most comprehensive change in seven years, to its rules of engagement in cyberspace.[3] The Secretary of Defense, Leon Panetta, said that the new rules state that the Pentagon “has a responsibility not only to defend the DoD’s networks, but also is prepared to defend the nation and our national interests.”[4] The difficulty with the new rules is to ensure that they are comprehensive and effective but also to ensure that they are structured in a way that does not violate privacy laws or any other citizens’ rights.

Mr. Panetta feels that it is important that the public knows, and that any “aggressors should be aware that the U.S. has the capacity to locate them and hold them accountable for actions that harm America or its interests.”[5] Also important and little known is that the Defense Department has already identified thousands of attacks, mostly low level, without taking any action. These attacks are attributed to Nation-states, criminal groups, and individuals, and the reasons that no action has been taken are plentiful but undisclosed.

Moving from defense of attacks to the use of a cyber-offensive but remaining in the national sphere, there are different legal questions that are presented. Those readers who are familiar with the recent posts on this blog know of the alleged cyber capabilities of the United States. What may be unfamiliar to most is the fact that the use of cyber-offensives has been debated by the current administration on more than one occasion over the last few years.[6]

The main topics of the discussion were whether or not America’s use of this type of attack would set a negative precedent to other countries such as China and Russia, and whether or not the president has the power to initiate a cyber attack without informing, and ultimately gaining permission from, Congress.[7] This last question, which is similar to the legal issues that are being considered and debated at the international level, depends on whether or not a cyber attack falls under the War Powers Resolution. Considering the fact that whether or not the use of conventional forces, including bombers, falls under the War Powers Resolution is still debated and not completely settled, it seems clear that the question of cyber-offensives will not be resolved adequately for some time.

The international issues are similar to the national issues: does a cyber attack constitute an “armed attack” that allows the country under cyber attack to go to war in defense of itself, and if so, what is a “proportional response” to a cyber attack? Another question is, at what level does a cyber-offensive constitute an act of war?[8]

International laws, from the United Nations Charter to the Geneva Conventions, serve as guidelines and provide protection to civilians as well as strive “to save succeeding generations from the scourges of war.”[9] One of the reasons that there is a lack of clarity in international law as to how to deal with cyber-offensives is the fact that, like the United States’ War Powers Resolution, when the United Nations Charter was written it did not contemplate current technology.

The uncertainty about the legal ramifications of certain actions by Nation-states presents a problem that may have consequences which are as destructive, or more so, than an actual cyber attack itself. This problem is expressed by Harvard law professor Jack Goldsmith, “If nations don’t know what the rules are, all sorts of accidental problems might arise.” One of those problems is that, “One nation might do something that another nation takes to be an act of war, even when the first nation did not intend it to be an act of war.”[10]

There are so many legal issues that arise that going into detail about them all is not possible in one post. Some other issues that may be of interest include determining where technological espionage lies in the equation of determining what type of technological offensive might be considered an “act of war” or an “armed attack,” and enforcement of international laws designed to protect against cyber-offensives by Nation-states. Stewart Baker, former National Security Agency general counsel and an assistant secretary of homeland security under President George W. Bush, presented this potential problem with enforcement, “It is a near certainty that the United States will scrupulously obey whatever is written down, and it is almost as certain that no one else will.”[11]

 ——————————————————————————————————————

[1] See generally “Criminal law in the virtual context” http://virtualcrimlaw.wordpress.com/

[2] Gopal Ratnam, Cyberattacks Could Become as Destructive as 9/11: Panetta, Bloomberg Businessweek (October 12, 2012), http://www.businessweek.com/news/2012-10-12/cyberattacks-could-become-as-destructive-as-9-11-panetta.

[3] Id.

[4] Id.

[5] Id.

[6] Eric Schmitt & Thom Shanker, U.S. Debated Cyberwarfare in Attack Plan on Libya, The New York Times (October 17, 2011), http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html.

[7] Id.

[8] See generally Nils Melzer, United Nations Institute for Disarmament Research (UNIDIR), Cyberwarfare and International Law (2011), http://www.isn.ethz.ch/isn/Digital-Library/Publications/Detail/?lng=en&id=134218.

[9] Id.; see also Tom Gjelten, Extending The Law Of War To Cyberspace, NPR (September 22, 2010), http://www.npr.org/templates/story/story.php?storyId=130023318.

[10] Tom Gjelten, Extending The Law Of War To Cyberspace, NPR (September 22, 2010), http://www.npr.org/templates/story/story.php?storyId=130023318.

[11] Id.

When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 6 of 8)

•November 7, 2012

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

Der Spiegel:  You and your company are the winners of a new era in warfare.

Evgeny Kaspersky:  No, because this war can’t be won; it only has perpetrators and victims. Out there, all we can do is prevent everything from spinning out of control. Only two things could solve this for good, and both of them are undesirable: to ban computers — or people.[1]

Human Life on the Run

To open, I ask you to remember the inhabitants of Eminiar VII from the Star Trek episode mentioned in post #3. The episode presents a rather extreme example of a world where the ongoing belligerent activities of two civilizations’ computers have a radically disproportionate impact on the lives of their citizens. There, the warring computers were set on autopilot and left to duel it out. The only thing left for the people to do was to walk into the incineration machines when they were notified they had died in the virtual attack.

One hopes that the principles of cyber-attack and cyber-defense never take on this automated character, but the fictional scenario serves as a useful outer boundary of the notion of “human life on the run” from its computer technology–of humankind as less the master than the slave of its creations. A less hyperbolic and far more likely scenario for humankind is that over time the escalatory effect which I described in Post #4 makes the Internet into a sort of proxy battleground. Lower-level attacks and counterattacks by various nations and interest groups—all sanctified by a loose reading of what is permissible under international law and fueled by ever-increasing rationalizations about what is acceptable–make the online world into a “Wild West” or Dodge City.

In the “cyber-wild-west”, normal citizens are inconvenienced every day by malware and other forms of online attack. They are denied access to their bank accounts or other needed websites, forced to spend hours clearing malware from their computers, and so on. Over time, the severity of the attacks grows more serious as citizens are harassed with power outages or faced with higher prices when attackers disrupt oil and food distribution systems. Perhaps citizens are injured when attackers surreptitiously tamper with hospital information systems. The mind can conceive of many such scenarios which fall far short of extreme risks like “causing a nuclear plant meltdown,” but which are painful, disruptive, and dangerous to the lives of civilians—many of whom probably don’t agree with the foreign policy of their governments.

As importantly, war conducted in cyberspace becomes an abstraction and objectifies the victims. Like air strikes, missiles, or drone strikes, cyber-attacks lose the personal dimension and turn the victims into mere abstractions to be harassed, injured, or killed. The very idea of conflict loses its immediateness, as now conflict is carried on virtually, albeit with real consequences to faceless victims. A consequence of this viewpoint is that abstraction allows “war” to be conducted without naming it such. Nations can then engage in belligerent acts in cyberspace as an ongoing thrust-and-parry without any sort of national policy debate.

All of these concepts are lurking beneath the surface of the Star Trek episode. Part of the plot has Kirk staging a coup d’etat on one planet to force its leaders to disobey their obligation to require citizens to walk into the incinerators. This, according to treaty, would enable real weapons to be used by the other side. Kirk insists that only the prospect of actual death, destruction, and misery will serve as the impetus for the warring planet to negotiate (after 500 years) and end the war. It is this more subtle aspect of the Star Trek episode that is salient to the problem of abstraction and objectification. Kirk’s position, then, is that abstraction and objectification help conflicts persist that might otherwise be negotiated away. In short, abstraction creates a sort of moral buffer zone that lets us justify actions that we might think twice about if the victims were in front of us.

Yes, in Earth’s likely scenario people won’t walk into incinerators, but what we should be asking ourselves is whether we as humans truly want to live life “on the run” from our technology, in fear of the next way it might be turned against us?

The Militarization of Cyberspace

However, modifications to the human experience of cyberspace occur in other ways that are less direct than the daily experience of hacks, denials-of-service, and disruptions to supply chains. Over time, as nations increasingly use cyberspace as a place to spar, a certain view of cyberspace begins to take shape. That viewpoint places military uses and military objectives at the forefront.

As Bruce Schneier has said, “military problems beg for military solutions.” In the past weeks we’ve seen abundant evidence of how a mindset of militarization nibbles away at the Internet’s fundamental character. One major example which bears further discussion is the Cybersecurity Act of 2012, which purported to enlist businesses in “rapid information sharing” programs with government, as well as government certification of its systems.  It also contains language which gives implied authority to the President to “declare a cybersecurity emergency” and “direct the national response,” including, presumably, disconnecting critical networks (a term which is undefined) from the Internet. This is a re-hash of an idea which has been floating around since 2010 called the “Internet Kill Switch.” It would give Executive Branch control over the Internet so that it could be shut down centrally, if necessary.

Military control over the Internet should seem to all but the most trusting citizens like an extreme and frightening power. It gives the government broad authority to turn off the means of communication and dissent in response to its own assessment of a national emergency. The citizenry has seen, on occasion, how a centralized national power such as this begs to be used. A telling recent example occurred last August, when San Francisco’s BART shut down cell phone service in several stations to disrupt civilians from protesting the recent shooting of a homeless man. The action took place the very same day that British Prime Minister Cameron announced he would consider shutting down wireless access in parts of London to disrupt rioting youths. And, perhaps not coincidentally, the “Internet kill switch” idea resurfaced in our Congress early in 2011 on the very same day Egyptians experienced a blackout of the Internet ordered by Mubarak to try to quell the demonstrations which eventually led to his overthrow.

Such is the flavor of a militarized cyberspace. Gradually, the Internet is subtly molded to conform to its own avatar as a place of battle. Cyberspace begins to look less like a utopic international library or Athenian public commons than like Beirut or Jerusalem—where the virtual equivalent of stacked sandbags, barbed wire, and the distant sound of gunfire are omnipresent in the daily civilian experience.

Next Time

It would indeed be regrettable if the long march of technological advance over human history culminated in a reality that, in the end, resembled the same war zones of the past. It is as important to outlaw the militarization of cyberspace as it was to ban the militarization of space itself in the Outer Space Treaty of 1967. Hopefully, some alternative to permanent cyber-conflict can be devised. Next time, we will examine the efforts of scholars and international bodies to create ways of restraining conflict in cyberspace.

Privacy Is Dead—Long Live Privacy! (A How-To Guide)

•November 4, 2012 • 13 Comments

It has become a common refrain that privacy is dead, especially online. After all, people give out all manner of personal information on social media—these days, it seems like no one really minds having most of the Internet know where they ate for lunch. “If I’m not doing anything wrong, I have nothing to hide,” right? Well, there are many problems with this attitude.

One problem is the accuracy of the data which large targeted marketing aggregators have assembled about you. Even though these companies claim it has been anonymized, the sheer volume of it forms a total picture of you. That picture can be essentially de-anonymized by large-scale data mining and used to attribute behaviors to you which may or may not be accurate, or anyone’s business. Maybe you don’t care when you get a targeted ad for the “Ronco 250 Pet Hair Vacuum,” even though you own a Mexican Hairless. But, what happens when you become subject to government scrutiny because the “total picture” of data puts you in a group of undesirables?

In addition, this information is often stored insecurely: the companies themselves can’t be trusted with it. In just the latest of a long line of examples, the personal data of 1 million Facebook users was just purchased online by an IT consultant. This data was probably hacked from the network of a third-party Facebook App developer.

Even if you still don’t feel your own privacy is valuable, there are many whose privacy is worth protecting: political activists, human rights workers, victims of domestic violence, and children, to name a few. Privacy and anonymity are not something only lawbreakers want. For at-risk groups, the ability to turn off or resist tracking methods is paramount. Even if a person doesn’t consider himself part of an at-risk group, he might want to write a blog about Stuxnet, for example, without being tagged as a cybercriminal.

In this spirit, I have put together a how-to guide to online privacy. I did this partly to inform those who might want to improve their privacy, and partly to educate people on the extent of the problem. Once I get into the technical details, you will start to understand exactly how many, and how pervasive, are the methods which exist to track you online. Most people are appalled by the level it reaches and how much knowledge it requires to resist the various tracking methods.

That being said, perfect anonymity on the internet is extraordinarily difficult, and probably impossible. This “how to” will stop well short of any attempt at it. Even with all the tools in the world, anonymity requires rigorous discipline and fairly deep technical knowledge. However, with that caveat in mind, a tangible level of personal privacy is achievable with a relatively small amount of effort.

Browser Choice and Settings

Choice of Browser. For maximum control over your privacy settings, you probably need to be running a browser other than the stock default Internet Explorer. IE has some control over privacy settings, but much less flexibility as to add-on tools.

I suggest either Mozilla Firefox or Google Chrome, and, depending on what you want to do, possibly both. Both have great speed, reliability, a rich extension market, and frequent updates to patch security holes quickly. I myself prefer Chrome because it integrates best with several other tools I use, including my Android device. I will use Chrome to illustrate most of the instructions about settings I will talk about, but they have analogues in Firefox, so once you understand the reasons behind them, you can turn on the corresponding features and extensions in Firefox.

Automatic Browser Updates. This is usually set to “on” by default. The setting ensures that new updates which patch security holes will be pushed to your machine and installed seamlessly when you restart the browser.

Settings. Once you have installed Chrome, go to the settings page. At the bottom click “show advanced settings” then click “content settings” under “privacy.”

Cookies. The first item in the list will be “Cookies.” Cookies are little bits of data that websites are allowed to put on your computer which help the website identify you as you move between pages on the site (“session state”) or when you return again to the site on a different day (“persistent state”). They might contain your userid, a unique identifier, page settings, your zip code preferences, etc. The positive side of Cookies is that they keep us from having to re-enter preferences and other settings each time we visit. The negative is that they can be, and are, used by websites, advertisers, and other entities to keep track of us as we move around the web. Here’s what the settings mean:

- Allow local data to be set (default). Cookies are accepted from websites and will be persistent throughout restarts of the browser.
- Keep local data only until I quit my browser. Cookies are allowed for session state, but are all cleared when you close the browser; next time you visit the site, it will be as if starting over.
- Block sites from setting any data. Just like it sounds—cookies are not allowed.
- A check box which says “Block third-party cookies and site data.”

The most important of these settings is “block third-party cookies” and it should be checked. Just as the site itself can have a cookie, so can an advertisement. If you visit another website which hosts ads by a large ad network, the cookie in the ad can essentially be shared, allowing the ad network to monitor what you are looking at as you move from site to site around the web (hence, “third-party”). What this setting does is prevent the browser from accepting a cookie from a party that is not from the domain of the website you are visiting. It is the lowest-level privacy you can have from third party commercial tracking. There are many more things you need to do, but this first step is essential.

The other two settings provide higher security than the default, but have a few usability consequences. “Block sites from setting data” can make many modern websites difficult to use. The second option (“keep local data only…”) can be a useful compromise, so long as you don’t mind re-entering passwords and other basic information each time you close your browser. The other thing you can do is choose one of the higher options and then specifically place your favorite, trusted websites (e.g., your bank) in the “Manage Exceptions…” list, which will have the effect of allowing cookies for those websites.

You can also clear all the cookies (or selected ones) from here at any time using the “All cookies and site data” button, which you should do if your system has been unprotected up until now.
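The cross-site tracking that the “block third-party cookies” setting interrupts can be simulated in a few lines. This is an added example, not code from the original post; the host names, the `AdNetwork` and `Browser` classes and the two-label `site_of` rule are constructed assumptions (real browsers use the Public Suffix List).

```python
import itertools
from urllib.parse import urlsplit


def site_of(host):
    # Assumption: a "site" is the last two labels of the host name.
    # Real browsers use the Public Suffix List for this decision.
    return ".".join(host.lower().split(".")[-2:])


class AdNetwork:
    """Tracker's server: issues visitor IDs and logs each ad request."""

    def __init__(self):
        self._next_id = itertools.count(1)
        self.log = []  # (visitor ID, URL of the page that embedded the ad)

    def serve_ad(self, cookie, referer):
        visitor = cookie or "v%d" % next(self._next_id)
        self.log.append((visitor, referer))
        return visitor  # sent back to the browser as Set-Cookie

    def profiles(self):
        """Sites seen per visitor ID, in visit order."""
        seen = {}
        for visitor, page in self.log:
            seen.setdefault(visitor, []).append(urlsplit(page).hostname)
        return seen


class Browser:
    def __init__(self, block_third_party):
        self.block_third_party = block_third_party
        self.jar = {}  # host that set the cookie -> cookie value

    def visit(self, page_url, embedded_hosts, network):
        page_host = urlsplit(page_url).hostname
        self.jar.setdefault(page_host, "session@" + page_host)  # first party
        for host in embedded_hosts:
            third_party = site_of(host) != site_of(page_host)
            blocked = third_party and self.block_third_party
            # Blocking works in both directions: not sent, not stored.
            sent = None if blocked else self.jar.get(host)
            issued = network.serve_ad(sent, referer=page_url)
            if not blocked:
                self.jar[host] = issued


# Constructed browsing session: three unrelated sites, one shared ad host.
PAGES = [
    ("https://news.example/politics/article-17", ["ads.tracker.example"]),
    ("https://shop.example/pet-hair-vacuum", ["ads.tracker.example"]),
    ("https://health.example/conditions/insomnia", ["ads.tracker.example"]),
]


def browse(block_third_party):
    """Run the session; return the tracker's profiles and the cookie jar."""
    network = AdNetwork()
    browser = Browser(block_third_party)
    for url, embeds in PAGES:
        browser.visit(url, embeds, network)
    return network.profiles(), browser.jar


if __name__ == "__main__":
    for setting in (False, True):
        profiles, jar = browse(setting)
        print("block third-party cookies =", setting)
        for visitor, sites in profiles.items():
            print("  ", visitor, "->", sites)
```

With the box unchecked, the ad network files all three sites under one visitor ID. With it checked, each request looks like a new visitor, although the network still receives the request itself and the page it came from.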

Other Settings. Scroll down the “Content settings” list further and you will see several other options, many of which are fairly obvious: One is “Location,” which concerns whether you want websites to track your physical location. You probably want to set that to at least, “ask me.” Other, similar settings allow you to control whether sites can turn on your camera or microphone and so forth. Make intelligent choices here….

Private Browsing Mode. Each browser has a private mode which allows you to surf the web without the browser saving the information to your browsing history. In Chrome, this is called “incognito mode” and in Firefox, “private browsing.” If you forget to use it when surfing something private, you will have to clear history afterward, or, in Chrome, you can go to the history page and manually delete items out of the list without clearing your entire history.

For Google Users

If you use Google for mail or other services, and especially if you also use Chrome, there are several other settings you will want to consider to keep the behemoth from conducting universal tracking and storage. These settings are found on your Google account itself.

Web History. If you like, Google will store (on its servers, not in your browser) your entire web history of every website ever visited while you were logged into Google! In fact, it is probably already doing it. For your privacy, this is something of a bad idea because it means you have no private browsing history if the data is subpoenaed from Google in a lawsuit or other proceeding. Google will probably give up the data immediately, and probably without even notifying you that it has done so. At least if this information were demanded from your local browser web history, you yourself would have to be notified. Privacy buffs should turn it off.

Click the link “Go to Web History.” If it is on, then first click “Delete All,” then turn it off. Note that any “smarter predictions” and “more relevant results” may be impacted. Also, you will not be able to log in from a remote computer and use any saved bookmarks. I myself find this an acceptable trade-off.

Dashboard. Another interesting tool is the Google Dashboard. Click “Products” then select “dashboard.” It allows you to see all the Google products and services you use and to modify and, in some cases, clean up the data which those services store.

Browser Extensions

Browser Extensions are add-on tools, usually developed by third parties, that give you control over your browser’s behavior. A number of these are useful to improve your privacy; remember however, that browser extensions themselves often have full access to your browsing data because they have trusted integration with the browser itself. Don’t install them willy-nilly, read the reviews, and be suspicious. The ones I have listed here are generally considered safe and effective because they are open source or have been rigorously scrutinized. Extensions for Chrome are available in the Chrome Web Store.

Adblock Plus. This is an open source tool which blocks advertising and certain other tracking devices employed by websites. Installing it will not only improve your privacy greatly, it will also make most websites far less annoying because advertisements will no longer be popping up, spinning, and distracting you as you view the web. ABP is a generic blocking device which receives its instructions via blocking lists, which are created by user communities. The “EasyList” group is one such community. This model allows blocking to be dynamic and adaptive to changes in advertiser methods.

After installing ABP, go to the subscription page. The first item on the list is called “EasyList.” Click the “Subscribe: EasyList” link and then click the “+ Add” button on the screen that appears. Scroll down to EasyPrivacy and subscribe to this in the same way. Another one you can add is called “Antisocial,” which blocks various forms of social media integration from third-party sites. If you are really into “Like” and “Tweet” buttons, however, you may wish to avoid this one; they will disappear from most sites after enabling this list.

Adblock Plus Options

Note that this mechanism will completely block most ads and will deprive the websites you use of ad revenue resulting from your eyeballs viewing the page. This bothers some people, and it probably should: like property taxes, no one really likes ads—but schools and streetlights have to get paid for somehow. On the other hand, no one wants to have their online life recorded in a massive behavioral profile stored by dozens of web data conglomerates, either.

ABP has two solutions to this moral dilemma. First, keep the “Allow some non-intrusive advertising” checkbox checked. This allows certain “acceptable” ads to continue, which means ads that are static, unobtrusive, and do not interfere with the viewing of page content. Second, you can click on the “Whitelisted domains” tab and selectively add back the websites for which you would like to let through ads. In addition, you can always support your favorite websites by subscribing to their premium services or donating.

Ghostery. The problem is that there are more than just visible advertisements tracking you as you move around the web. There are also Analytics, Beacons, and Widgets to help online marketing vendors assemble profiles of your online behavior.

- Analytics. Traditionally, analytics involved using software to process the web server log files. However, log files seldom keep the level of information that advertisers really want and they are prone to error because IP addresses are often shared by ISPs or masked behind proxies. Today, analytics use cookies because they are the most reliable form of keeping track of a user. Earlier, we blocked third-party cookies in the web browser settings, which keeps you safe from some vendors. But, in response to widespread blocking, most vendors now use first-party cookies, so this method is ineffective without extra protection.

- Beacons can be anything, really, but they often take the form of nearly invisible graphic elements such as a gif image which is transparent, or only a single pixel. Some use cookies, but some use cookie-less techniques. They can also be embedded in emails to track who opens and reads them; any time you see an image in a spam email or advertisement, it is probably there to track you.

- Widgets are typically trackers that serve a functional purpose on a web page, such as a social networking button or comment form. An example would be Facebook Connect. Needless to say, if you click one of these, you are tracked. But, you are also tracked if you don’t because most have beacon-like functionality.
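A page or HTML e-mail can be checked for the beacons described above by looking for remote images that are one pixel in size or hidden by their style. This is an added example, not code from the original post and not how Ghostery itself works; the sample markup, host names and the `find_beacons` function are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def site_of(host):
    # Assumption: a "site" is the last two labels of the host name.
    return ".".join(host.lower().split(".")[-2:])


def _pixels(value):
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def _reasons(attrs):
    """Why an <img> looks like a beacon rather than visible content."""
    reasons = []
    width = _pixels(attrs.get("width", ""))
    height = _pixels(attrs.get("height", ""))
    if width is not None and height is not None and width <= 1 and height <= 1:
        reasons.append("image is 1x1 or smaller")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("image is hidden by its style")
    return reasons


class BeaconFinder(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        # None means "HTML e-mail": every remote image fetch reports back.
        self.first_party = site_of(first_party_host) if first_party_host else None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = {name: (value or "") for name, value in attrs}
        src = urlsplit(attrs.get("src", ""))
        if src.hostname is None:  # relative URL: served by the page itself
            return
        if self.first_party and site_of(src.hostname) == self.first_party:
            return
        reasons = _reasons(attrs)
        if reasons:
            self.findings.append({
                "host": src.hostname,
                "reasons": reasons,
                "carries_identifier": bool(src.query),
            })


def find_beacons(html, first_party_host=None):
    finder = BeaconFinder(first_party_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed markup: two ordinary images, two beacons, one first-party spacer.
SAMPLE_PAGE = """
<html><body>
<img src="/static/logo.png" width="200" height="60">
<img src="https://cdn.news.example/photo.jpg" width="640" height="480">
<img src="https://pixel.tracker.example/b.gif?uid=abc123" width="1" height="1">
<img src="https://stats.metrics.example/open.gif?c=42" style="display: none" />
<img src="https://img.news.example/spacer.gif" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PAGE, "www.news.example"):
        print(hit["host"], hit["reasons"], hit["carries_identifier"])
```

Called with no first-party host, as for an e-mail body, the same function also reports the sender's own one-pixel spacer, since any remote image load tells its server that the message was opened.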

Ghostery is an opt-in system. When you install it you first have to select the trackers that you want to block by checking the boxes and clicking save. It updates frequently with new blockers, but all new blockers must be opted-into. Then, when you first go to a page, Ghostery displays a purple pop-up box with a list of the trackers that were blocked and a counter on the Ghostery toolbar button. Prepare to be surprised at how many there are!

Do Not Track Plus. Unlike Ghostery, in DNT+ the trackers are usually enabled by default. DNT+ blocks many of the same trackers as Ghostery, but a few are different, and each also analyzes the web page in a slightly different way and updates its tracker list on a different schedule. I run both to be safe.

Install this tool and a browser toolbar icon will appear. Like with Ghostery, the number changes in the icon to show the number of web trackers being blocked. Clicking on the button lets you see exactly which ones.

Collusion. This tool is interesting because it displays a graph or map of all the shared marketing data connections between the various sites you have visited. Explore it and see just how pervasive web tracking really is!

“Referer” [sic] Header Control. Every time you visit a website, the header for the HTTP request gives the newly visited website information about the last page you were on when you clicked the link. Many websites will log the referring website in an effort to track their users. This control allows you to spoof the referring website or, more usefully for our purposes, to block the referrer on all outbound web requests from your browser. Install the tool and click “Block” on the settings page for the “default referrer.”

Keep My Opt-Outs. Permanently sets the browser to opt-out of online ad personalization, so that Google and other advertisers will not display targeted ads.

IBA Opt-out. Use this extension to permanently opt out of the DoubleClick cookie, used by Google and others. It will allow the opt-out to remain in force even if you clear all cookies in your browser, since opting-out of the cookie is itself a cookie.

HTTPS Everywhere. This extension will automatically redirect your browser to the HTTPS encrypted browsing protocol whenever possible, helping you remember to be secure when browsing over public wifi and keeping your ISP from snooping on your data.

The Next Level: Hiding Your IP

You might think now that, with all the work you’ve done, people and companies wouldn’t be able to track you. Unfortunately, you’d be wrong. We’ve set up the browser to secure you from certain types of behavioral tracking—nothing else. Your Internet Service Provider, the provider of your Domain Naming Services (DNS), and the websites you visit can still log you by IP address.

This kind of tracking happens on multiple levels. Starting at the bottom, each and every website logs visitors to the site by public IP address, which is just a numerical representation of a particular connection you have on the Internet. You get an IP address automatically by assignment from your ISP (the company which provides your connection, e.g., Cox Cable), or by the owner of whatever network you are currently connected to. If you are using public Wifi in a coffee bar, for example, the public IP address will be that of the establishment itself and will be shared among everyone there. We’ve already seen that websites can use this address to analyze traffic, but they will also divulge this information in response to a subpoena or court order—as will the ISP and other parties in the chain of connection.

If you are connected at home, your ISP logs the IP address it assigns you, for what period, as well as the MAC address of the cable modem you connected on. Hence, later when parties wish to know your identity, they can subpoena the ISP to know which particular customer possessed that IP at that time.

Your ISP also can snoop on your traffic in other ways, however. If you conduct your web browsing using unencrypted protocols, such as HTTP instead of HTTPS, they can use filtering tools to dissect and analyze your traffic. This includes the full content of any pages you visit, images you view, or any data you send out, like your credit card number. If your ISP isn’t doing this already, it will be soon: most ISPs have agreed to analyze the traffic of their customers (including over the Torrent network) to help enforce the “six strikes” copyright infringement alert system.

However, even if you encrypt using HTTPS, the ISP still knows which sites you visit. HTTPS, firstly, does not encrypt the website domain name. Secondly, you are probably using the ISP’s DNS server, so the requests are being logged. (DNS is the method by which website addresses locate the server they need to run from. For example, www.amazon.com is really a huge group of web servers running in several data centers around the country. How does your browser find it? By using DNS to route the name to the proper IP address, which then gets routed to the proper group of servers on the proper subnet in cyberspace.)

How to avoid these problems? A few methods exist, but none are flawless. Furthermore, for some people, this level of protection might seem overkill. Feel free to use it or not depending on your desires.

Change your DNS Provider. One fairly easy way to make your DNS more private is to remap from the ISP’s DNS server to a third party, unlogged DNS provider such as OpenDNS. How to do this specifically will vary by router. Take a look at the website for more information.

Anonymous Searching. Of course, Google knows what you’ve been searching for because it logs you by IP. However, you can do anonymous searching using websites which submit the search request through Google for you, maintaining the anonymity of your IP address. A couple of them are Duck Duck Go and IxQuick, but a longer list is available here.

VPNs and Tor. Even so, your ISP can still look at where you visit and even see the traffic if it is unencrypted. And, the websites you visit can still log your IP address. Even further steps are necessary to prevent these two outcomes.

A VPN (virtual private network) creates an encrypted tunnel through your internet connection which hides not only the traffic, but all requests for DNS through it. On the remote website, the IP address will be the one temporarily assigned by the VPN service for that particular connection; each time you connect it will be different. All the ISP or a wireless snooper can see is an encrypted stream of data with no discernible information. On the other hand, a VPN provider has to be trusted for this to work, otherwise the snooping is just moved back a level. Further, if the VPN logs connections, then that information can always be divulged. For that reason, it is important to pick a VPN provider that does not log (usually these are in foreign countries). There is also usually a small cost for a VPN (about $5-10/month).

Tor accomplishes the same goals, but differently. In a nutshell, Tor is a local software application on the user’s machine combined with a worldwide network of volunteers who set up “nodes” to accept traffic. When connecting through the network, traffic is bounced from node to node, with each node encrypting the traffic so that each layer is isolated from the prior and future nodes. Tor is free.

VPNs and Tor serve similar functions in many ways – both provide encryption of the traffic and a certain level of anonymity. Both are subject to drawbacks, however. Various types of attack can be used against Tor, at least in theory. Both are much slower than direct browsing. And, as alluded to, VPNs are subject to the whims of the provider with respect to logging. Of the two, Tor’s encryption and anonymization methods are probably more resistant to attack because of the multiple layers of encryption and multiple points of compromise, but Tor is also far slower than most VPNs.

There’s a Lot More…

Of course, there is a lot more you need to know to keep your information private. You have only secured your internet browsing. The data on your computer is not private unless you encrypt the disk or important files. If your computer is stolen, hacked, or seized—or if you sell it without wiping it—all that data is just sitting there to be taken: the cached pages and images of every website you’ve visited, the data in cookies, and the files themselves.

Your Wireless Router’s security can also be hacked, exposing your computer to further snooping. Not only has WEP encryption not been secure for several years, WPA (with WPS enabled) is also insecure if a hacker has a few hours.

Alas, even your browser has a “fingerprint” which is readily divulged via simple header information your browser hands out with each visit to a web page. The unique combination of fonts, browser plugins, time zone, and screen size exposes a large degree of variability in the browser. This fingerprint can be stored and used by trackers to identify you, regardless of what you do to block cookies. To see how unique yours is, click here on Panopticlick.
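Why a fingerprint survives clearing cookies, and how much it narrows down who you are, can be worked through with a small model. This is an added example, not code from the original post or from Panopticlick; the attribute values, population shares, cookie IDs and function names are all constructed, and the attributes are assumed to be independent.

```python
import hashlib
import math

# Constructed figures: share of all visitors reporting each attribute value.
POPULATION_SHARE = {
    "user_agent": {"Chrome/23 on Windows 7": 1 / 4, "Firefox/16 on Linux": 1 / 32},
    "timezone": {"UTC-8": 1 / 8, "UTC+1": 1 / 4},
    "screen": {"1920x1080x24": 1 / 4, "1366x768x24": 1 / 2},
    "plugins": {"Flash 11.5; Java 7u9; QuickTime 7.7": 1 / 256, "Flash 11.5": 1 / 16},
    "fonts": {"Arial; Calibri; Futura; Wingdings": 1 / 128, "Arial; DejaVu Sans": 1 / 64},
}

# Two constructed browsers, described only by what they reveal to a site.
ALICE = {
    "user_agent": "Chrome/23 on Windows 7",
    "timezone": "UTC-8",
    "screen": "1920x1080x24",
    "plugins": "Flash 11.5; Java 7u9; QuickTime 7.7",
    "fonts": "Arial; Calibri; Futura; Wingdings",
}
BOB = {
    "user_agent": "Firefox/16 on Linux",
    "timezone": "UTC+1",
    "screen": "1366x768x24",
    "plugins": "Flash 11.5",
    "fonts": "Arial; DejaVu Sans",
}


def fingerprint_id(attrs):
    """Stable identifier derived from browser attributes alone."""
    canonical = "\n".join("%s=%s" % (key, attrs[key]) for key in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def identifying_bits(attrs):
    """Bits of identifying information: sum of -log2(share) per attribute.

    Assumption: attributes are independent, so their surprisals add.
    Correlated attributes make the true figure lower.
    """
    return sum(-math.log2(POPULATION_SHARE[key][value])
               for key, value in attrs.items())


def link_visits(visits):
    """Group the cookie IDs a tracker saw by the fingerprint that sent them."""
    linked = {}
    for cookie_id, attrs in visits:
        linked.setdefault(fingerprint_id(attrs), []).append(cookie_id)
    return linked


# Constructed tracker log. Alice cleared her cookies between her two visits,
# so she came back with a fresh cookie ID but the same browser attributes.
VISITS = [
    ("cookie-1001", ALICE),
    ("cookie-3003", BOB),
    ("cookie-2002", ALICE),
]

if __name__ == "__main__":
    for name, attrs in (("Alice", ALICE), ("Bob", BOB)):
        bits = identifying_bits(attrs)
        print("%s: %s, %.0f bits, about 1 in %d browsers"
              % (name, fingerprint_id(attrs), bits, 2 ** bits))
    for fingerprint, cookies in link_visits(VISITS).items():
        print(fingerprint, "<-", cookies)
```

Alice's two cookie IDs end up under a single fingerprint, which is the sense in which the fingerprint identifies you regardless of what you do to block or clear cookies.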

And, even if you go back to paper, there are still printer dots – tiny secret codes added by printer manufacturers at the behest of the U.S. government to uniquely identify the printer of origin.

A little awareness can go a long way, but it is difficult to be completely safe regardless of what you do. Further, the methods and the defenses are constantly evolving. Above all, keep educating yourself because knowledge forms the backbone of any movement to resist the downward spiral which ends with us having no reasonable expectation of privacy online. Good luck and hope (not to) see you online!

When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 5 of 8)

•October 30, 2012 • Leave a Comment

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

“You are the military industrial of the United States, the most dangerous body of men at the present in the world, for you not only implement our disastrous policies but are an overwhelming lobby for them, and you expand and rigidify the wrong use of brains, resources, and labor so that change becomes difficult. Most likely the trends you represent will be interrupted by a shambles of riots, alienation, ecological catastrophes, wars, and revolutions, so that current long-range planning, including this conference, is irrelevant.” Paul Goodman (1967)[i]

The speech above by Paul Goodman was delivered first as an address to a gathering of the elite of the war industries and later reprinted. While the critical part of this quotation for our purposes is “the wrong use of brains, resources, and labor,” (one topic of today’s post) I thought it important to quote the entire context because it puts forth a perspective that challenges, rather than assumes, the presupposition of constant national readiness for conflict; thus, it represents a viewpoint that is uncommonly heard in the debate over cyber-combat.

Last time, we discussed the dangers and inevitability of escalation in an era of sanctified cyber-conflict. This time, we will consider several additional consequences which are also worth avoiding.

Real and Opportunity Costs to Society

A permanent state of war carried on by computer is wasteful of society’s resources. That it consumes huge sums of real dollars is relatively obvious. I have already (in Post #3) talked at length about the vast cybersecurity-industrial complex which has emerged in response to real and perceived cyber-threats. The real dollar amounts are classified, but most estimates put them at least at $10 billion. Alas, that does not even include the sums spent by commercial enterprises on securing their systems from state-sponsored cyber-attack and espionage; these numbers would be even more difficult to quantify.

Supporters of the military-industrial complex have argued through the decades that conventional war can have a positive effect on the advance of technology, at least in certain areas, such as aerospace, rocket technology, guidance systems, radar, and so on. I won’t attempt to refute that proposition here. However, cyber-weapon development is essentially wasteful and non-productive. It serves only to exploit flaws in existing systems, not to develop new and more advanced technologies. Cyber-defense technologies–which perhaps include such fields as cryptography and new forms of biometric security that need to be developed in response to constant cyber-attack techniques–may represent areas which are advanced by the parry and thrust of cyber-attack and defense.

However, less obvious than the direct cost is cyber-conflict’s cost in human talent, productivity, and CPU cycles. Thousands, if not hundreds of thousands, of very intelligent people are trained upon the essentially non-productive goals of devising cyber-attacks and defending against them. For example, a recent news story details how the Department of Defense has built a “National Cyber Range” so that operatives can simulate and defend against massive cyber-attacks. Human talent and effort spent in this way has an opportunity cost which ultimately impacts society’s ability to solve other problems. Human beings, so occupied, are not developing new businesses, improving networking speeds or connectivity technology, or writing useful software. No, they are engaged in what is essentially a game–only this game has not even the benefit of recreation.

Even CPU time is wasted. Computers loaded with viruses bog down, wasting both electricity and the time and energy of the person who owns the computers. However, a more subtle point is that, in a “cyber-war world” computers engaging in relentless attack, defense, and monitoring demand massive CPU resources. It is difficult to think of a better example than the NSA’s more than $50 billion effort to capture, record, and analyze the entire traffic of the Internet for up to five years.[ii] While the NSA effort is really cyber-eavesdropping, and hence is somewhat orthogonal to cyber-combat, it is a paragon of society’s resources put to wasteful use. Imagine, if you can, what scientific research, business and industry could do with the surplus computing power that is currently used to intercept, monitor, and record the traffic of the entire Internet.

Erosion of the U.S. Moral Position

Another casualty of our choice to use cyber-weaponry like Stuxnet is our moral position as champions of international law and diplomacy, and as protectors of a free and open internet. It is easy to see why this would be true, and to some extent, we’ve already discussed this unfortunate consequence in prior postings. Saber-rattling about how we would use conventional weapons to counterattack against another nation’s cyberattacks is difficult to reconcile with our own use of these weapons against Iran. It is difficult to convincingly muster moral outrage at attacks which target our power grid when we ourselves have just attacked another country using similar techniques. It is also implausible to target China, for example, for possible state-sponsored espionage using commercial telecom equipment when we conducted espionage with “Flame.”

It does not help our moral position that the U.S. broke several of its own laws in creating and deploying Stuxnet. The U.S. government violated the spirit of the Computer Fraud and Abuse Act, current U.S. law, by accessing and modifying data on a computer, albeit not on a computer inside the United States.  It also likely violated several international laws, and would have violated several proposed laws, such as the Cybersecurity Act, had it passed Congress this year.

Perhaps even more troublingly, U.S. or Israeli operatives (or their agents) likely stole valid digital certificates from the physical offices of a company in Taiwan in order to digitally “sign” the Stuxnet code. This signing process allows the code to seem like valid software to Windows and gives the code heightened security privileges on the machine.[iii] The government would, of course, claim a valid national security purpose for each of these crimes, but it is relatively clear that such acts diminish our credibility when we wag our finger at hackers and other perpetrators of online crimes.

Unexpected Technical Consequences

The release of computer viruses into the wild—even those which were originally written to be targeted at particular computers only—creates a number of risks.  Stuxnet was written to spread via USB stick transfer and over local area networks because the technical exploits used are only really effective in limited environments where the computers have a high degree of trust with one another. Most viruses today, in contrast, spread by using an insecure web server to inject the virus via a browser vulnerability on the machine of a website visitor.

Stuxnet was never meant to be deployed outside of a small network of facilities in Iran, yet it somehow managed to infect over 100,000 computers worldwide. While there is no evidence that it did any damage to computers it was not designed to damage, it still spread. Despite the isolation of the targets, Stuxnet’s creators still lost control of it.

A related danger is that advanced cyber-weapons will be captured, dissected, and their methods used in unintended ways by rogue third parties, such as criminal organizations or terrorists. The Conficker worm, which infected millions of computers worldwide in 2008-2009, is an example. It had five variants (A-E), each of which was modified to adapt when the exploited vulnerabilities were patched. Strangely, no one could tell what Conficker’s botnet army was really intended to do until variant E, when it was apparently sold to criminal organizations. They put the botnet to use by turning infected machines into email spamming zombies, or trying to trick people into buying “cures” for $50 in response to fake infection warnings. While that was thankfully a relatively innocent use for a powerful piece of malware, it aptly demonstrates the potential of a virus to be used in ways other than intended.

Next Time

Next time, we will examine the impact of increasing militarization of the Internet and how it changes the Internet itself, human freedom, and human life in general.


[i] Paul Goodman, A Causerie at the Military-Industrial (Oct., 1967).

[ii] See generally JAMES BAMFORD, THE SHADOW FACTORY (2008).

[iii] Stolen certificates were used because a certificate authenticates the identity of the signer, which the author of malware could hardly do.

Limited Relief for Individuals Affected by a Breach of Personal Information

•October 28, 2012 • 11 Comments

Even though a private sector entity’s unlawful disclosure of customers’ personal information can subject that entity to liability, that liability does not always mean damages for the affected individuals. The two primary ways private sector entities incur liability as a result of a cyber attack are by having ineffective personal information protection systems or by failing to properly disclose a breach to affected parties. Digital personal information protection is a fledgling legal concept, with the majority of legislation and precedent arising out of the past decade. Additionally, the general regulations governing the protection and breach disclosure protocols of personal information exist primarily at the state level. Federal personal information protection regulations apply only to specific entities such as health care providers and financial institutions.

In an effort to prevent the disclosure of personal information stored by private sector entities, a number of states have enacted legislation that requires entities that own or license personal information about a resident of their state to use reasonable care to protect the information.[i] A handful of states have gone beyond the reasonable care standard to enact legislation with more specific and stringent standards. For example, Massachusetts requires that entities who own or license personal information about a resident of Massachusetts maintain a “comprehensive information security program.”[ii] The regulations set minimum standards for data protection, which include: designating staff to maintain an information security program, identifying and assessing reasonably foreseeable internal and external risks, regular monitoring, and contracting with third parties to maintain security protocols.[iii] Additionally, Massachusetts and Nevada require entities to encrypt personal information electronically transmitted outside of a secure network.[iv]

In addition to laws requiring that entities protect personal information, there are also laws requiring that entities inform affected individuals when a breach occurs. In the past decade, a majority of states have enacted data security breach notification laws (“SBNLs”). These laws require businesses that maintain computerized personal information to notify, within a reasonable amount of time, any individuals whose personal information has been compromised. In 2002, California became the first state to enact a SBNL with the passage of the California Security Breach Notification Act.[v] Since 2002, a total of forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws.[vi]

A majority of the SBNLs that have been subsequently adopted are modeled after California’s original legislation and in general regulate the form and content of notifications.[vii] For instance, in California statutory minimal standards require specific information, written in plain language, to be included in every notice.[viii]

An entity’s liability following a failure to timely disclose a breach of personal information does not necessarily equate to an award of damages because Plaintiffs are substantially limited by the inability to prove actual damages. This is true even in states that specifically allow civil actions.[ix] For example, in Ponder v. Pfizer, Inc., Pfizer was sued by an employee representing a class of approximately 17,000 current and former employees who alleged that Pfizer violated Louisiana’s Security Breach Notification law by waiting nine weeks to notify affected individuals of the breach.[x] The Court avoided the issue of whether the delayed notification violated Louisiana’s SBNL and dismissed the complaint for failure to state a claim for actual damages.[xi] The court found that the costs of “monitoring their credit” and “scrutinizing account statements” were not actual recoverable damages.[xii]

In a majority of states, claims for negligent protection of personal information fail for lack of cognizable damages just the same as similar claims brought under SBNLs. For example, in Ruiz v. Gap, Inc., Plaintiffs allege that as a result of Defendants’ negligence, Plaintiffs’ personal information was compromised, placing them at an increased risk of identity theft.[xiii] As to damages, Plaintiffs allege that the breach will cost them time and money to protect and monitor their identities.[xiv] Plaintiffs compared this type of long-term monitoring cost to medical monitoring cases where individuals were exposed to toxic substances which increased the probability of developing serious medical conditions and required preventative testing.[xv] The Court struck this argument down for two reasons: first, Plaintiffs have not adequately proved that lost-data cases should be treated as analogous to medical monitoring cases.[xvi] Second, the test for medical monitoring cases is extensive and Plaintiffs would not be able to pass a version modified to fit data-loss cases.[xvii] In the end, the Court held that, “[a] breach of a duty causing only speculative harm or the threat of future harm does not normally suffice to create a cause of action for negligence.”[xviii]

As long as Courts refuse to recognize the increased risk of harm that results from a breach of personal information as actual damages, the affected individuals will be forced to bear the burden of personal information breaches.


[i] See Md. Code Ann., Com. Law § 14-3503 or Ark. Code Ann. § 4-110-104 for a sample reasonable care statute.

[ii] 201 Mass. Code Regs. 17.03

[iii] See 201 Mass. Code Regs. 17.03 for a complete list of the minimal requirements of the comprehensive information security program.

[iv] 201 Mass. Code Regs. 17.04 and Nev. Rev. Stat. Ann. § 603A.215

[vi] See http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx for a complete list of states with security breach notification laws.

[vii] California’s current security breach notification law states in part that,  “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Cal. Civ. Code § 1798.82 (2012)

[viii] The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

Cal. Civ. Code § 1798.82 (2012)

[ix] La. Rev. Stat. Ann. § 51:3075

[x] Ponder v. Pfizer, Inc., 522 F. Supp. 2d 793, 795 (M.D. La. 2007)

[xi] Id. at 798.

[xii] Id. at 798.

[xiii] Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 913 (N.D. Cal. 2009) aff’d, 380 F. App’x 689 (9th Cir. 2010)

[xiv] Id.

[xv] Id. at 913-914. See In re Mattel, Inc., 588 F.Supp.2d 1111, 1116-17 (C.D.Cal.2008) and Potter v. Firestone Tire & Rubber Co., 6 Cal.4th 965, 1009, 25 Cal.Rptr.2d 550, 863 P.2d 795 (1993) for medical monitoring cases.

[xvi] Ruiz at 914.

[xvii] Id.

[xviii] Id. at 913.

 

 