So the U.S. security establishment is salivating at the prospect of a new cybersecurity "Cold War." In an over-the-top op-ed in Tuesday's Washington Post, Mike McConnell issues a declaration that we are "fighting a cyber war today" and compares it to the nuclear showdown with the Soviets. McConnell exemplifies the security establishment as much as anyone — former director of the National Security Agency (NSA), former Director of National Intelligence, and currently executive vice president at Booz Allen Hamilton, a private-sector refuge for former U.S. intelligence officials (and a company that stands to make large sums from consulting on cybersecurity).
The Cold War was, among many other things, a bonanza for the military and for security agencies from the NSA to the CIA to the FBI, which saw their budgets skyrocket and their power and reach expand in ways that were unprecedented in a country that had always held a deep suspicion of "standing armies" and government power. With the end of the Soviet Union and talk of a "peace dividend," these institutions faced sharp cutbacks and a loss of mission. In the 1990s there was suddenly a lot of attention paid to China and the threat it was said to pose. Then came 9/11 and — although the nature of the threat was far, far different from the Soviet Union — the security establishment nevertheless had a new raison d'être, and a rationale for not only maintaining all the institutions it had built up against the Soviets, but expanding its powers. Proposals such as the Patriot Act, which Congress had rejected in the 1990s, now sailed through without any examination of whether they actually addressed any of the problems responsible for 9/11 (mostly they did not).
Cybersecurity is many things. It is a genuine problem. It is a threat to civil liberties, especially online privacy and anonymity. And, it is also being pushed as the latest reason to keep shoveling new tax dollars and new powers to the NSA and other security agencies — sometimes with almost comical eagerness, as in McConnell's piece. His op-ed is almost a perfect exhibit in leveraging current events as part of a security-bureaucracy bid for power:
Overdramatic description of the situation as a world-historic "war"? Check.
Focus on centralized, top-down, command-and-control solutions to a problem that is largely a matter of distributed rather than centralized vulnerabilities? Check.
Call for highly ambitious military "grand projects" of dubious attainability but no doubt never-ending budgets? Check. McConnell: "We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds." A proposal to "monitor cyberspace" could mean different things, but when it comes from a former NSA director and intelligence chief, Americans should be afraid.
Ominous desire to gain some control over the Internet and erase Internet anonymity? Check. McConnell: "We need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable."
The Internet has been an amazing engine of freedom, innovation and economic growth precisely because it is not under anyone's control. Its radical decentralized design has permitted it to flourish through the actions of millions of people acting independently and not under anyone's control.
But this kind of decentralized, out-of-control freedom could not be more at odds with the traditional, military, bureaucratic, control-everything security mindset. Sure enough, Mike McConnell, who seems to exemplify this mindset, wants to make "attribution" more "manageable" — seemingly an endorsement of radical calls to end the possibility of anonymity online in the name of cybersecurity. Anonymous speech is recognized as part of our First Amendment rights and is an old American tradition that goes back to the Federalist Papers, which were written anonymously by (we now know) James Madison, Alexander Hamilton, and John Jay.
(By the way, there's an interesting book about the power of decentralized action called The Starfish and the Spider. Its co-author? A man named Rod Beckstrom, who interestingly enough resigned last year in protest from a job in the Department of Homeland Security as Director of the National Cyber Security Center. What he was protesting? NSA control over cybersecurity.)
A significant role for the NSA? Check. "The NSA is the only agency in the United States with the legal authority, oversight and budget dedicated to breaking the codes and understanding the capabilities and intentions of potential enemies." The NSA is a military agency not under direct civilian control, it is a spy agency that does everything in secret and is subject to no public oversight, and it has two conflicting missions: breaking security and at the same time supposedly protecting it. We can't trust that when the NSA discovers a vulnerability, it will actually fix it rather than keeping it secret so it can exploit it.
McConnell also asserts that "the lion's share of cybersecurity expertise lies in the federal government." There are many reasons to question this statement, which is unverifiable by ordinary citizens due to the fog of habitual secrecy surrounding agencies such as the NSA — and if it is true at all it's probably because he defines "cybersecurity expertise" as expertise in the kind of centralized "war fighting" that he is talking about.
But if it really were the case that we needed government expertise, we would be better off creating a new center of expertise — by transferring NSA experts out of that agency if necessary — before allowing the NSA partner up with Google and other private companies.
Push to continue expanding the government-corporate "surveillance-industrial complex"? Check. McConnell writes: "The challenge is to shape an effective partnership with the private sector so information can move quickly back and forth from public to private — and classified to unclassified — to protect the nation's critical infrastructure." There is a long and sad history of cooperation between government and corporations to deprive individuals of their privacy and other liberties. Cybersecurity must not become the latest fuel for such episodes.
Obviously cybersecurity is important — often, Americans' privacy and security depends upon it. It is a complex topic — and there are legitimate roles for government in protecting computers (from public education and exhortation, to research, to procurement standards to the largely managerial problem of just figuring out how to carry out basic security practices within its own computer systems).
But McConnell's overwrought declaration of war, with its suggestion that we must mobilize a top-down military campaign, should be seen for what it is — less a rational response to the threat than an ominous security-bureaucracy bid for power. What's at stake is Americans' online privacy, anonymity, and whether we allow our security agencies to "re-engineer" the Internet in ways that work for them, not for us.