We Are Dangerously Close to a Dystopian Cyber Security World

cyber security

I try, on this blog, to avoid topics that are purely political. Sure, I spoke strongly in favor of net neutrality, I supported Apple’s position on encryption, and I continue to argue forcefully against the deregulation of the practice of law. Those are all political issues, to be certain. But this post is going to be a little bit different. It’s about the future of cyber security for all small businesses (and even large businesses) who have a legal obligation to protect their clients’ and customers’ data.

The Trump Administration has not officially begun, but with its transition currently underway, several of the decisions already made point toward a dystopian future for cyber security. A future where hacking, including by foreign government and industry interests, is rampant; where the tools to protect ourselves are compromised; and where even our access to information is subject to purely corporate interests.

Let’s take a look at some of the brilliant ideas for technology held by President-Elect Trump’s team:

1) Donald Trump, President-Elect

cyber securityDonald Trump’s campaign comments on cyber security and technology begin at “cringe-worthy” and go down from there. He refers to what I suppose is everything about computers as “the Cyber,” suggesting that we’re terrible at it and must get better. But, based on his other comments, he has no clue at all what “the Cyber” includes… or even means (not unlike ill-fated procedural CSI Cyber, which was objectively terrible). Those comments and positions are as follows:

  • He proposed a boycott of Apple products during the debate between the DOJ and Apple concerning the encryption of a device used by one of the San Bernadino shooters. Bear in mind that even before the FBI found an alternate route into the phone, it appeared that their claim under the dubious All Writs Act of 1789 was headed for failure in the district court.
  • He encouraged (although later claimed it was a joke) the intervention of a foreign power in a U.S. election by hacking his opponent.
  • He then continuously denied that the hacking of the DNC and the DCCC was even done by a foreign power. Unless he thinks the 400 lbs. man doing the hacking was under the employ of the Russian GRU (he didn’t specify).
  • He suggests “shutting down” part of the internet in response to evidence that terrorists, I don’t know, use the internet? Either he has no idea how the internet works (which is frightening), or he’s suggesting actually blocking parts of the internet a la Turkey or China (which is objectively terrifying).
  • Believes that net neutrality, which prohibits telecommunications companies from favoring their content over content produced by others and prohibits the creation of “fast” and “slow” lanes for the internet, is a “top down power grab.”
  • Advocates for a full return of the Patriot Act’s provisions concerning the bulk collection of metadata, which was limited by the 2015 USA Freedom Act. He has suggested that he feels government surveillance of domestic calls is permissible, stating that he assumes that “when I pick up my telephone, people are listening to my conversations anyway.”

2) Jeff Sessions, Attorney General

cyber securityMuch of the discussion about Sessions’ nod for the position of attorney general focuses on the reasons his appointment as a federal judge was rejected by a Republican-controlled Senate Judiciary Committee in 1986 – he’s allegedly quite racist. And he hates marijuana. However, given that he would be our nation’s chief law enforcement officer, overseeing agencies like the FBI who, if you recall, decided to pick a fight against Apple over encryption despite their own incompetence. So how does Mr. Sessions feel about important cyber security issues?

  • Strongly opposed Apple’s position in the encryption debate, even accusing Apple CEO Tim Cook of failing to understand the serious nature of the issue.
  • Favors allowing the government to have nearly unfettered access to data through electronic surveillance. Recently, he proposed an amendment to a bill that would have allowed law enforcement to obtain emails sent by a U.S. citizen without a warrant in the event of an “emergency” (without defining what constituted an emergency).
  • Has not been a proponent of strong anti-trust enforcement.

3) Mike Pompeo, CIA Director

cyber securitySome have regarded the selection of the congressman from Kansas to fill the role of CIA Director as acceptable, and some are screaming about the appointment as though their hair were on fire. So it’s not actually that easy to understand how or if this is a controversial pick. However, as far as technology and privacy issues are concerned, Mr. Pompeo’s selection, particularly given the expanding role of the CIA in the areas of technological and communications surveillance, raise some troubling questions. What has Mr. Pompeo done or said to warrant these questions?

  • He strongly opposed Apple’s position in the encryption debate, even suggesting that Tim Cook was “[standing] in the way of the FBI’s investigation into a dead ISIS terrorist, who has the blood of 14 innocent Americans on his hands.” Hyperbolic, considering the FBI acknowledged during the actual debate that they didn’t believe anything would be found on the phone.
  • Although he has suggested that he doesn’t believe in mandated encryption backdoors, he stated that individuals using encryption was “itself a red flag” that warranted surveillance.
  • Argued in a Wall Street Journal op-ed that not only was the NSA surveillance under the Patriot Act acceptable and reasonable, but that it was insufficient and should be expanded.
  • Oh, and he’s also called for Edward Snowden’s execution.

It should also be noted that President-Elect Trump has proposed eliminating the role of Director of National Intelligence, a role created based on the recommendations of the 9/11 Commission, which oversees and coordinates collaboration between the government’s intelligence agencies. The lack of such a role would likely lead to a more prominent role by the CIA in conducting electronic surveillance, a role dominated by the NSA and the Department of Defense since the inception of the DNI position.

4) Lt. Gen. Mike Flynn (Ret.), National Security Advisor

cyber securityAlthough Gen. Flynn has been hailed as a smart, effective soldier and general, to suggest that his leadership abilities have been called into question would be a gross understatement. Trump proposes placing such a person, who subordinates reported frequently made up his own facts (helpfully called “Flynn Facts”) in charge of coordinating the flow of information from and to our nation’s defense apparatus. How does that impact cyber security?

  • During the campaign, expressed skepticism of Russia’s involvement in hacking the DNC and DCCC, while appearing regularly on RT, an official television station of the Russian government, on Trump’s behalf.
  • Advocates use of offensive cyber weapons against nations who participate in cyber attacks on U.S. government or business networks, despite acknowledging the difficulty in attribution for those attacks.

5) Dr. Jeffrey Eisenach, leading transition team on FCC-related staffing

cyber securityPresident-Elect Trump’s potential staffing decisions have impact beyond just those for the cabinet. One of those, Dr. Eisenach, Trump’s pick to lead the transition team’s actions concerning the FCC, is set to have tremendous impact on technology issues. By reshuffling the FCC, the Trump Administration’s impact on technology, particularly telecommunications technology (broadband internet, wireless, etc.) will be enormous. So what are some of Dr. Eisenach’s positions (formed as a lobbyist for the telecommunications industry in general, and Verizon in specific)?

  • Strongly opposes the FCC’s Open Internet Order (a.k.a. Net Neutrality).
  • Opposed the FCC’s re-classification of “Broadband Internet” as a connection with speeds of 25 MBPS or faster (and supported legislation that would have restored the definition to anything 4 MBPS or faster).
  • Opposes allowing any municipality to establish a broadband internet service provider to compete with existing telecommunications companies, regardless of the quality of service being provided or the number of competitive options available to consumers.
  • Supports legislation authored by telecommunication lobbyists that place significant restrictions and onerous requirements on new entrants to the internet service provider business (i.e. Google Fiber) by preventing new entrants from gaining access to existing infrastructure.

How Will this Impact Cyber Security?

There are a lot of people who believe that the potential impact of Trump’s positions will not be as significant as he (or other doomsayers) believe. However, given the rapid rise of the power of the internet, the approach that Trump’s Administration takes will have a significant impact on its direction. Here are _ ways Trump’s Team could lead us to post-apocalyptic cyber security:

1) Ending the encryption debate… by ending effective encryption.

Forget what you’ve heard politicians say about the encryption debate. There is no such thing as a “middle ground” in the encryption debate. Encryption is either secure or it’s not. And forcing software and hardware manufacturers to maintain backdoor access to encrypted systems creates a vulnerability that anyone can exploit. Once you’ve created a way in, you’re never going to be able to ensure that only the “good guys” use it.

Moreover, if the U.S. mandates backdoors, there are several other governments who will be interested in doing the same. Do they get their own backdoors, or do we give them access to the same ones the U.S. government gets? Talk about the perfect way to guarantee that a backdoor won’t only be used by the “good guys.” It’s not worth the security of everyone’s online data – like bank accounts, credit cards, social security numbers, names, addresses, medical records, photographs, door locks, internal video cameras and microphones built into your computer – to make sure that the government can crack open a phone.

2) Excessive (and irresponsible) use of offensive cyber attacks.

One of the most important characteristics of the cold war was known as Mutually Assured Destruction. Russia, while our enemy, was a largely rational actor that we could trust to act in their own best interest. Knowing that a nuclear attack would result in a full-scale response by the other side meant the U.S. and U.S.S.R. had incentive to avoid doing so. The same, in large part, applies to government-sponsored cyber attacks.

We know that the Chinese and Russian governments routinely engage in cyber attacks of U.S. targets. We also know that U.S. intelligence does the same thing. What nobody in this electronic war has done is use offensive cyber attacks to destroy or cripple significant infrastructure, or cause damage that caused significant loss of human life. Yet.

However, the posturing and aggressive commentary coming out of the Trump camp, particularly from Gen. Flynn, suggests that the U.S. might start engaging in these types of offensive cyber attacks in response to cyber threats. Ignoring the problem of knowing for sure who launched an attack, any such offensive cyber attack would be guaranteed to invite counter-attack. How ready are individuals, small businesses, and even large businesses in the U.S., especially those who rely on electronic systems and communications going to survive? Short answer: they’re not.

3) The Fall of Net Neutrality

At present, the internet remains the largely unregulated marketplace that it’s been since the rise of broadband technology in the early 2000s. However, mass consolidation in the telecom industry, combined with what I would call grossly anti-competitive practices, poses a massive threat to the internet as we know it. Telecoms, such as Verizon, Comcast and AT&T, control your access to the internet itself, and have the ability to slow or stop your connections with sites they would rather you didn’t see.

Net neutrality rules say they’re not allowed to do that. However, if the FCC’s Open Internet Order is struck down, here are a few practices you should get used to seeing:

  1. “Fast lanes” – or higher-speed access for people willing to pay more. In reality, this means that if you’re not willing to pay more, your internet access will be artificially slowed down to incentivize you to pay more.
  2. Data limits. While not prohibited at the moment, they were about to come into question. However, without net neutrality rules, you’ll see your ISP put a cap on your data use every month unless you… guess what… pay more! These limits will be arbitrary, and will interfere with your ability to use the internet on a regular basis.
  3. Preferential treatment. Along with those data limits, you’ll get “preferred” access to certain services that won’t count against your limit. What you should know is that while it might seem good at first – who doesn’t like free data, it’s a scam. First, if the artificial data caps didn’t exist, it wouldn’t even matter! Second, you might not realize that the services that are exempt are usually owned by the ISP. Meaning services not owned by the ISP, especially new and growing companies, might never receive enough business to develop because the cost to use them is too high. Know what services ISPs were desperate to limit your access to so they wouldn’t need to upgrade their networks? YouTube.
  4. Blocking. So you don’t mind throttling, but what about being unable to see certain content. Maybe content that your ISP disagrees with. Verizon has already tried this, creating a news site that did not publish anything negative about Verizon. Think it can’t happen?
  5. Continuing lack of choice. That’s right, it’ll only help perpetuate the system we have, where your options are limited, and even if you have another option, the cost of switching is too high. Our system is built on competition – that’s what capitalism is about. Removing net neutrality regulations is a massive blow against the American ideal of competition, but perfect for the corporate boards for the ever dwindling number of telecoms that can afford to build out their networks.

4) The Return of the NSA Surveillance State (with CIA franchises expected soon!)

There was widespread agreement among citizens and lawmakers in 2015 about the expiration of the portion of the Patriot Act that allowed the NSA to spy on… well… everyone. Hell, through that program they even spied on an American law firm’s communications with their clients. On purpose.

Don’t look now, because it seems that almost every one of the small number of politicians who disagreed with reining in the NSA are all on Trump’s staff. For a guy who claims that he expects all of his phones are being monitored every time he makes a call (paranoid???), I wouldn’t expect much sympathy.

Oh, and don’t forget that one of the ways the NSA spied on everyone was by literally intercepting electronics and adding vulnerabilities they could use to hack in. The only major downside? Everyone else could use them too.

5) Corporate-Sponsored Internet Access

The end of net neutrality isn’t the worst case scenario here, but we’re getting a preview of it in India where Facebook tried to launch their free internet service. The catch? The only sites that were available were ones approved by Facebook. Given their inability to sort out fake news, it’s hard to believe that their decision-making structure is one of the best in the tech industry. Yet we’re on the verge of giving control of internet access to four companies that control the telecommunications industry.

Without enforcement of our anti-trust provisions, and encouragement of robust competition in the ISP industry (including from municipalities who can construct better broadband networks than the current ISPs), that’s where we’re headed. Oh yeah, and with an AG who isn’t much bothered by monopolies and a feckless FCC, you’d better believe things like the Comcast-Time Warner merger would have happened under a Trump presidency. Oh, and despite Trump’s own statement in opposition, AT&T is going to get what it wants. So will Verizon.

All told, we could see massive mergers of telecommunication companies and media companies, meaning your information will be both created AND provided to you by one of three major companies. None of whom have shown much interest in airing the opposing arguments in any debate.

It’s quite a dystopian future to me. But maybe you’ll like a world where ISPs control your access, hackers easily steal your data, small and startup companies die before anyone hears of them, and government agents are listening in on every phone call you make.