Does Averting Cyberwar Mean Giving Up Web Privacy?
The old challenge of providing public safety while also protecting civil liberties has found a new manifestation in the cyber age.
Cybercrime and espionage are rising rapidly, and the United States and other governments are preparing for the possibility of cyberwar. At the same time, civil libertarians worry about preserving Internet freedom.
Security experts focus on the "attribution problem" -- the challenge of identifying and tracking down the source of a cyberattack. Under current conditions, cybercrime, cyber-espionage, and cyberattacks can be directed remotely, with the perpetrator's identity and location a secret.
Privacy advocates fear the loss of anonymity for Internet users. For both sides, it's a conflict that needs to be resolved.
To bolster their case, cybersecurity experts point back to Cold War days. There was never a nuclear war between the United States and the Soviet Union, in large part because each country was deterred from attacking the other. Both sides knew that doing so would trigger a massive counterattack. The thought of mutually assured destruction actually kept the peace.
But deterrence worked only because a nuclear attack would have been immediately attributable.
"One side couldn't attack the other side without the side being attacked knowing who it is and from where it came," says retired Vice Adm. Mike McConnell, a former director of the National Security Agency and later the director of national intelligence.
McConnell argues that deterrence is needed to prevent countries today from waging cyberwar on each other. An attack on U.S. computer networks could knock out power grids, telecommunications, transportation and banking systems in a matter of seconds.
Such an attack could be deterred if the attacking country knew it would bring immediate retaliation. But first it would be necessary to attribute the attack to someone.
"Some level of confidence that you know from where a transaction originated is a requirement," McConnell says.
For Now, Transactions Largely Untraceable
McConnell highlighted the "attribution problem" in a recent interview with NPR. He advocates "re-engineering the Internet" to make more transactions there traceable.
"There is a need for investment in technology that would allow you to achieve a level of attribution," McConnell says, "[so you could know] who's engaged in this transaction."
The benefits are obvious. China, for example, would presumably be less inclined to launch a cyberattack against the U.S. if it knew the attack would immediately be traced back. Of course, the same goes for the United States.
"I would believe in a dialogue with China we probably could reach some accommodation with regard to how important it is for both our nations to have an information infrastructure in which there's attribution and confidence," McConnell says.
Industry experts, such as Cisco Systems' Donald Proctor, say it's technically possible.
"As we get smarter in our sensor networks and in the way we think about network events and correlation, we'll be able to define attribution with an increasing level of accuracy," says Proctor, a senior vice president and cybersecurity expert at Cisco, a leading provider of Internet network technology.
Do Benefits Outweigh Costs?
There is, after all, another view on the attribution problem. Maybe we don't want all Internet transactions traceable to someone. Think of the dissidents in countries like Iran who depend on anonymity in their Internet postings.
Robert Knake focuses on Internet governance at the Council on Foreign Relations.
"If what you want is an Internet where you can freely discuss human rights in a country in which doing so is not allowed, you don't want to see attribution improve," Knake says.
He has found that the Internet "attribution problem" prompts disagreement between privacy and human rights advocates on one side and cybersecurity experts on the other.
"In many ways, it's the crime fighters versus the freedom fighters," he says.
Some experts, such as Rebecca MacKinnon of Princeton University's Center for Information Technology Policy, argue that improving the attribution of Internet transactions may not produce sufficient security benefits to justify the cost to privacy.
"Criminals and militaries are most likely going to figure out ways to do what they need to do on the Internet and minimize their traceability," says MacKinnon. "The people who are really going to be hurt are dissidents in countries like China or Iran."
Some cybersecurity advocates, including McConnell, say compromise may be possible. Internet transactions involving transportation networks or utilities, for example, could be made more traceable without necessarily ending anonymous Internet postings more generally. But crafting such a compromise won't be easy, says MacKinnon.
"We're at a very early stage right now of figuring out how do we keep the Internet as a space where individuals can be empowered, yet at the same time [make sure that] it doesn't turn into a place where people are just attacking each other and bringing down each other's systems," MacKinnon says. "We don't really have a clear road map."