Not the Enemy
Any time there's a new administration in power, we're likely to see a renewed effort to address certain problems. And either a brand new approach is tried or we fall right back into the same old habits. And sometimes both of these happen, leading many to conclude that true change is nearly impossible to achieve.
The recently released Obama initiative on "cybersecurity" could really go either way at this point. If promises of dialogue and open-mindedness are held to, we at least have the potential of getting it right. But there are still enough troubling signs overall for us to be seriously worried.
Let's look at policies of the past. In the Clinton years, really the first administration with any sense of computers and connectivity, a lot of potential was lost because common sense was sacrificed to shrill headlines and a sense of panic. Education gave way to crackdowns and prosecution. Rather than foster transparency, Clinton pushed for more control and surveillance under the name of such horrors as the Clipper Chip, CALEA, and the Communications Decency Act. Remarks made by Bill Clinton in 1999 on the subject of "Keeping America Secure for the 21st Century" included this gem: "Last spring, we saw the enormous impact of a single failed electronic link, when a satellite malfunctioned - disabled pagers, ATMs, credit card systems, and television networks all around the world. And we already are seeing the first wave of deliberate cyber attacks - hackers break into government and business computers, stealing and destroying information, raiding bank accounts, running up credit card charges, extorting money by threats to unleash computer viruses." By portraying hackers as sociopaths and by linking them even indirectly to massive technological failures, the seed was planted in many that hackers were the enemy. In this administration we saw more clampdowns and imprisonments of individuals for nebulous computer-related crimes than ever before. Hardly an enlightened approach.
As expected, not much changed in the Bush years. We saw the usual exaggerated statistics to make the public scared of the hacker threat. In the period following September 11, 2001, there were serious fears that the newly formed Department of Homeland Security would treat hackers as if they were equivalent to terrorists. This threat was overshadowed by the attack and wanton disregard of everyone's civil liberties in the name of national security. Hackers were still seen as a threat but now there were so many perceived threats that it wasn't too difficult to prove how ill-conceived the policies were.
So now we have a president who likely understands the Internet better than any of his predecessors. More importantly, he seems to appreciate certain aspects of it that those in power frequently don't get. The concept of network neutrality is one shining example of this. Net neutrality is strongly opposed by the communications giants even though it's how the Internet has worked from the start. It basically puts control in the hands of the users and prevents broadband carriers from discriminating against certain competing applications or content. Obama's position on this remains unchanged as of his May 29th remarks: "I remain firmly committed to net neutrality so we can keep the Internet as it should be - open and free." So far, so good.
This is also an administration that supports, at least on paper, the idea of open-source software and, by extension, full disclosure. Again, promising. But we're not so naive as to think that there won't be contradictions and exceptions invoked that will anger us down the road. It's next to impossible to have this much power and hold onto these lofty ideals. Which is why our vigilance on these matters is especially important. There will be tremendous pressure to stray from this path and it's up to all of us to ensure that mistakes of previous administrations aren't repeated here.
"Our pursuit of cyber security will not - I repeat, will not include - monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans." These are indeed great words but, at the moment, they are only words. Without any doubt, they will be tested at the first sign of a crisis. That's when we see if they remain only words. Already, the Obama administration has opted to protect the NSA's warrantless wiretapping program in the name of national security. Troubling signs like this make us all the more wary of any promises.
What disturbs us in Obama's cybersecurity plan is the continuing jingoistic approach to the perceived hacker threat. We're quite pleased to see no mention at all of hackers in the main report, but Obama's spoken remarks weren't as tempered. Referring to his own experiences during the campaign, he says, "Between August and October, hackers gained access to emails and a range of campaign files, from policy position papers to travel plans." As most of us who read these pages already know, it doesn't take a hacker to gain unauthorized access to a system, particularly one that was obviously so high profile. We have seen numerous examples of employees within organizations (phone companies, Internet providers, etc.) who abuse their access and violate privacy. Does this make them hackers? We also see almost daily instances of nonexistent security where thousands or even millions of personal records are left wide open for anyone to stumble upon, whether it be on an insecure website, a misplaced laptop, or even in a garbage dumpster, to name but a few. Yet, when these egregious violations are eventually uncovered, the threat is deemed to be the "hackers" even when no evidence exists that anyone at all even accessed the information, let alone that they were hackers.
"But every day we see waves of cyber thieves trolling for sensitive information - the disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy and, increasingly, foreign intelligence services." It's easy to see the negativity in just about all of these entities. But a "lone hacker?" This is now by default a bad thing? We prefer to think of a lone hacker a thousand miles away as a beam of light and quite possibly the person who can help to find solutions to the very same issues being discussed here.
Hackers will figure things out. They will tell other people. They are the epitome of the open environment that Obama claims to support. They are not the miscreants who profit from corporate espionage, send out a universe of spam, or attempt to cause mayhem through viruses and worms. Over the years, the media has created the perception that anyone causing any sort of mischief on the net or involving a computer is ipso-facto a hacker. This, ironically, leads those very individuals who participate in this sort of destructive behavior into proudly labeling themselves as hackers. But they're clearly not and a mere look at the constant dialogue that runs through our pages will show any outsider just how seriously true hackers take this sort of thing. By simply awarding any evildoer with a keyboard this title, we wind up giving them far more credit than they deserve and the people with the real talent are themselves categorized as criminals. This is a surefire way to not only lose the battle but to lose a generation of innovators and freethinkers.
We want to be very clear on this. Many hackers do step over the line. Not so long ago, it was impossible for most curious people to play with a UNIX machine without breaking into one. Communications once were so prohibitively expensive that manipulating one's way around the Bell System was almost a necessity for those who simply wanted to stay in touch and share information. We see how society has changed so that these interests (computer access and free communications) are now encouraged. While mischievous and not completely within the confines of the law, such people were never malicious or destructive. Often they enjoyed and understood the systems they were using far more than the legitimate users and they frequently went on to design better ones. We know that many people have a problem with those who step outside the rules and we don't expect ringing endorsements of their behavior. But what we should expect is for distinctions to be drawn between this sort of thing and the antics of idiots, vandals, profiteers, and con men who have always existed and always will. Just because they use the technology does not mean they appreciate it or comprehend it for anything more than their unimaginative goals.
Terms like "digital war" and "cyberterror" are great for sound bites but we need to avoid the tabloid approach in strengthening security or we'll inevitably wind up with ill-conceived legislation and a lot of misplaced fear. Done properly, our ideals have a chance of surviving and many of our nation's brightest could help steer us in the right direction.