Friday, 2 June 2017

Is 'hacking back' really dangerous, or is something else going on?

US Representative Tom Graves has a bill that would allow hacking victims to use defensive measures to strike back at their attackers. Called the Active Cyber Defense Certainty Act - which would alter the 1986 Computer Fraud and Abuse Act - the measure lets individuals and companies use defensive measures beyond their own network to identify, and potentially stop, assailants. The practice is commonly known as "hacking back."

However, US Cyber Command chief Admiral Mike Rogers warned lawmakers against passing such legislation, saying cyber-experts think hacking back will have unintended, dangerous consequences and create even more confusion about who's behind certain digital assaults.

"My concern is be leery of putting more gunfighters out on the street in the Wild West," Adm. Rogers told a House Armed Services subcommittee.

Adm. Rogers isn't the only one sceptical. Everyone seems to think there’s no way this would work. If you fire back, you might be hitting an old granny's computer in Thailand or something. Blah blah blah.

I can’t help being sceptical. Like, I get the technical realities and the criticism is probably real. But I know a turf war when I see it. The US government invented the internet and it got out of hand. Businesses took it away, tinkered with it, and now they won’t give it back. Governments are slowly realising the future of the world will be online, and they’ve effectively been locked out. Everyone bashes the NSA for “spying,” but almost no one worries about companies doing dodgy stuff with your info.

The only difference is people have a reason to be suspicious of governments, but not many philosophical reasons to be suspicious of industry. And the online companies such as Facebook and Google also have direct commercial access to the online news machine. They can bump up or down any story they want. So, of course, the NSA looks like the bad guy and Google looks like a saviour.

And to be honest, the threat of firing back and hitting an “innocent party” isn’t necessarily a limitation. We even have a name for it in the real world: collateral damage. Creating order is dangerous. The entirety of human history suggests it’s impossible to guarantee safety in times of chaos, and we definitely are in a period of chaos online right now. Furthermore, the threat of hitting an innocent party might actually force companies to take cyber-security seriously as it’ll be their bottom line at risk.

Besides, how bad can a misfire-back really be? It’s not like we’re shooting rifles or missiles. Who cares if someone’s computer goes down for a few hours or is taken offline permanently? Insurance can buy more computers. No one’s gonna die. And even if hospitals might be at risk, who said they needed to be online anyway?

The biggest danger -- and this is where it really gets interesting -- is creating a scenario in which people decide that all this online stuff is too much of a hassle. Too much risk. The cyber criminals are a pain, but now everyone is actively defending themselves with cyber guns. Woah, slow down there DeadEye Jones. All anyone wants to do is send remittances to family in Tonga or sell a car on TradeMe or play a computer game or chat with a loved one in Spain.

But it all becomes too hard with the constant updates and downtime from attacks. So they log off. They choose to roll back the clock and use other forms of commerce, maybe not dark age methods, but certainly not 21st-century options. You can feel the system tremble even thinking about this. Or worse, someone decides to create a parallel internet so they don’t have these problems -- or at least fewer problems. Perhaps the alternative is an internet based on nation-state borders, as Russia and China are talking about implementing. Even the US Defense Department is discussing, and probably has already started building, a new internet for classified networks using all the lessons of the old internet. The internet is global, but it doesn’t have to be. That’s just the way it is now.

Suddenly, all that effort and money and capital spent to construct the online is wasted. Most of that money is illusory anyway. It’s not like it will just shift between people. Once you take it off the rich people and move it around, poof, it vanishes.

I think that’s the major threat here. It’s why neither governments nor companies are taking cyber-security seriously. The moment they tighten the screws, it becomes less of a global commons and more of a rigid, regulated system in which even the simplest tasks are tough and, quite frankly, not worth doing. After all, the consumer system doesn’t see you as a person, it sees you as a battery. The only thing you’re good for is producing and consuming. This system cannot be set at risk, there is too much money at stake. It will fight fiercely to avoid even approaching this outcome.

The system will even convince us that “the online world is inherently unstable and risky, and you just have to get used to all the cyber-threats.” Hmm, where have I heard that before? Oh yeah, the French prime minister Macron recently described terrorism as an “imponderable problem” which will be “part of our daily lives for the years to come.” He isn’t the only one. This logic is common with elites.

Maybe it’s just the way I am, but it all smells like power. Philip Bobbitt talks about this as a transition from the nation-state – in which it’s the government’s job to facilitate business, but to be in overall control – to a new form called the market state – in which the government’s job is to maximise business, and as a consequence forgo much of its power to the new global businesses. He sees this as a natural transition and doesn’t apply any ethical attributes to it. You don't have to look very hard to see this playing out vociferously in the online world.
