Monday, November 02, 2015

Arms Control for Cyberwarfare Weapons

Say you're a high-tech software security firm in the U. S. that sells a spyware application that lets your corporate customers monitor all the encrypted traffic going through their servers.  A benign reason that a customer of yours wants to buy your software is to catch encrypted malware that might otherwise mess up the customer's system operations.  But that's not the only way your software product could be used.

Say a repressive government wants to ferret out members of an opposition group who are trying to organize a grass-roots protest campaign.  The protesters use encrypted Internet communications to do so, and using the software your company makes, the repressive government finds out who the protest ringleaders are, rounds them up, and decapitates them all at sunrise.  Should you have sold your software to that government?

Quandaries like these are at the heart of a dispute between the U. S. Department of Commerce and Silicon Valley computer-security-software firms.   According to a recent New York Times report, back in May the Commerce Department proposed new export restrictions on a wide variety of security software.  Following howls of protest by software firms, the proposal was shelved, but the Obama administration has continued to prosecute isolated cases of software showing up in Iran or Syria, which are the only two countries that are currently subject to export bans specifically targeted at surveillance technology. 

Unfortunately, such bans are not that difficult to evade, given enough resources.  Modern-day gun runners (code runners?) can have the stuff sent to dummy firms in non-banned countries, and then turn around and send it from there through a few more countries to its true banned destination.  According to the report, that is exactly what a couple of alleged smugglers from the United Arab Emirates did to get products from computer-security firm Blue Coat Systems to Syria, where the use of that software by the Syrian government was detected and published by a Canadian firm, which told the U. S. Commerce Department about it. 

A number of my recent blogs have dealt with aspects of cyberwarfare, and the increasing arms trade in software such as Blue Coat's products is one more sign that warfare and its associated activities such as spying are moving rapidly into the cyber arena.  Trade restrictions on conventional arms are a familiar part of the diplomatic landscape, but deciding which physical weapons to keep to ourselves is easier than dealing with certain kinds of security software.  A nuclear weapon is good for only one thing, for instance, but the type of security system that companies like Blue Coat sell can be used for either good or bad reasons, as my example shows. 

The current compromise restricts direct sales of such software to Iran and Syria, but as we've seen, it's pretty easy to evade even those restrictions.  The fact of the matter is that small countries can buy pretty much anything they want, given enough time and determination, and larger countries such as China have enough resources to develop their own spyware.

So it looks like the most realistic position these days is to realize that one way or another, bad governments (whatever your criterion of "bad" is) will probably be able to spy on Internet traffic and do other things online that we would wish they couldn't do.  In such an environment, what are the prospects for free speech, freedom of association, and other democratic activities that presume citizens are not under the constant baleful glare of Big Brother, whose cybernetic eye never closes?

A little historical perspective is in order here.  Things like the U. S. Constitution's Bill of Rights are fairly recent innovations.  For most of recorded history, nobody except maybe a few favored upper-class rich people had anything resembling what we consider to be legal rights.  Even in peacetime, if you were a peasant or a slave, and the king or some rich guy came along and took away your donkey, your land, or even your life, there wasn't much you could do about it.  In the West, the rise of Enlightenment ideas about universal rights took centuries to develop, and it was by no means clear when the founders of the United States wrote them into the Constitution, that the experiment would work.  But work it did, and recognition of these rights achieved a high point in 1948 when the United Nations adopted its Universal Declaration of Human Rights, which includes the right to freedoms such as privacy and speech.

As the old saying goes, the price of liberty is eternal vigilance.  And lately, even in the U. S., we have seen actions at the highest levels of government that smack of the suppression of free speech.  I have not read The Silencing:  How the Left Is Killing Free Speech, a book by conservative commentator Kirsten Powers, but reports of the book cite incidents in which the Obama White House banned conservative Fox News correspondents from certain press briefings.  These are isolated incidents, but they indicate that at least in some circles, the fundamental right of free speech has lost some of its appeal when other urgent issues come to the fore.

It's a far cry from disinviting reporters to spying on everyone's Internet traffic, but the idea is the same:  control of what people are saying to other people.  The Silicon Valley contingent has a lot to say about open-source software and the idea that "information wants to be free."  But the fact that repressive governments can use computer-security products for suppression of freedom is a grim reminder that engineers have to use their imaginations when they make new tools.  Imagining how you, a presumably nice guy or gal, would use your newly invented computer-security product is one thing.  But you should also try the experiment of thinking about how some evil genius could use your product—and then maybe try to do something that would make it harder for the bad guys to succeed.

Sources:  The New York Times report by James Risen, "Battle Heats Up over Exports of Surveillance Technology" appeared on Oct. 31, 2015 online at  I also referred to a discussion of Kirsten Powers' book at RealClearPolitics,, and the U. N.'s Universal Declaration of Human Rights at 

No comments:

Post a Comment