“The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.” — H.L. Mencken
“The supreme art of war is to subdue the enemy without fighting.”
–Sun Tzu
Constantine Sokloff, a Russian-born computer programmer profiled in the book Flash Boys, thinks he knows why his countrymen make such adept programmers in the world of high-frequency trading.
“All of the Soviet Union,” he says, “for seventy years were people who are skilled at working around the system.” The Soviet command economy was built upon a web of rules that were “horrible and complicated, but riddled with loopholes.” Learning to exploit those loopholes became an invaluable skill.
American lawmakers and law enforcement for decades now have made a dangerous habit of throwing the book at their rulebreakers, weirdos, and technicians, culminating in the FBI’s recent legal action against Apple.
And while this was perhaps at one point only a human tragedy, we now find ourselves having alienated the very people who are best able to protect us against modern threats; this despite the fact that their advice has proven prescient time and time again.
- In the last few years, hacks of the following organizations have either directly or indirectly threatened American national security
- One of our largest health insurers, Anthem, was hacked and millions of personal health records were stolen.
- United Airlines, one of the largest U.S. government contractors, was breached, most likely by Chinese intelligence.
- Criminals committed multiple hacks against several financial institutions, including our largest bank, JPMorgan Chase. (Several hacks have aimed to manipulate financial asset prices. The indictments in the JPMorgan case do a good job of explaining how and of exhibiting the level of sophistication that a relatively small number of attackers can achieve.)
- Iranian hackers infiltrated a U.S. dam and power grid.
- A group of suspected Chinese hackers broke into the Office of Personnel Management and stole the data of millions of federal workers, including sensitive background checks containing personal details considered useful for blackmail.
- A hacker purporting to support Palestinian statehood released the stolen identities of several FBI and Homeland Security agents. (This hack was achieved in part by simply calling an agency help desk.)
These are only the most damaging examples. There are several more. But those hacks alone are enough to emphasize two important points: the age of insecurity is already here; and the remarkable vulnerability of crucial industries and government agencies threatens our national security enormously.
A small number of actors can execute a huge number of known and unknown exploits at incredible speed against high-value targets, and they only have to succeed once. So when cases like those against Apple encourage more vulnerable systems, we are not talking about a simple question like “privacy vs. security,” but something more akin to whether a dubious and minor increase in immediate physical security can reasonably justify purpose-built systemic insecurity.
Apple itself made that case in its Congressional hearing, and many congressmen echoed the sentiment. The standard is already low. Troy Hunt, a security professional with Microsoft, perhaps put it best when he wrote, “Remember folks that this is where the security bar is – 15 year old kids successfully hacking 3 letter law enforcement agencies.” That should give us pause when considering what nation states could do against an even less robust defense.
And the same exploits are available to non-state actors too. Hacks are intangible and so often fail to capture our imaginations in the way the crimes of a D.B. Cooper or a John Dillinger might. But the damage they enable criminals to inflict is no less serious.
People often picture shady people in faraway countries committing fraud with a credit card number or an IRS tax PIN. And while these activities cause significant damage –f raud costs to businesses are noticeably skyrocketing in recent years, for example — they are far from the worst possible result.
Intelligence gathered in hacks can easily be used by criminal organizations to commit violence. Pirates recently hacked a shipping agent in order to identify high-value shipping targets they might rob.
Hacks also provide groups like drug cartels with a huge cache of valuable data they can use to more effectively carry out their operations and evade law enforcement.
The American government is well aware of the seriousness of the threat. President Obama himself recently contributed an op-ed to the Wall Street Journal, writing that “cyberthreats are among the most urgent dangers to America’s economic and national security.”
The President highlighted a number of responsive measures, including increased information sharing between government and private businesses. But he mainly emphasized things like updating old systems and educating new professionals. And while these are certainly important, they miss the point that our biggest vulnerability is not technical but societal.
Law enforcement has now fully adopted the posture of our lawmakers and society at large. They seek to punish and twist the arms of the people most capable of protecting us rather than listening to them and trusting their strategic advice. In the process, they drive those people further from being able or willing to help address the problem.
Two aspects of American law have proven particularly odious to America’s technical community: copyright protections and government surveillance. Both involve overbroad implementations of sound core ideas. Interestingly, the two have operated at opposite purpose despite their shared support among government figures.
Copyright law has attempted to make code more inaccessible and obscure to prevent tinkering and infringement. Perhaps the most notorious example is the way in which John Deere prevents farmers from modifying or repairing their own equipment. Surveillance, on the other hand, aims to install backdoors into software that would make it easier to secretly access large amounts of supposedly secure communications.
While some proponents of both have laudable goals–protecting the intellectual property of innovators and building intelligence that can save lives–the dangers posed by each are significant.
Technologists have warned about both at length. Jennifer Granick, for example, described in excellent detail the risk of creating a world in which black boxes make life-and-death decisions that cannot be reliably audited. Apple and others have described the risk of backdoor exploits being obtained and abused by criminals.
Just as important as the debates about the policies themselves, though, is the way in which they are carried out against even the most innocuous of rulebreakers. Aaron Swartz became practically a martyr, and while his case was in some ways extreme, the overarching dynamic of his case was all too familiar to many people in the technical community.
What the lawmakers and prosecutors often fail to understand is that rule-breaking in itself is not necessarily malicious. A penchant for understanding and breaking systems is in fact part of what makes great programmers. That impulse does not make programmers any less patriotic or their advice any less relevant to national security. Steve Wozniak once taught prisoners how to electrify the bars on their jail cells with wiring from their ceiling fans for fun. He later grew up to be one of our greatest innovators.
What is truly dangerous is that the power structures in our country have broadly adopted the attitude that this sort of thing is a crime that deserves swift and severe punishment. It was surprising to me to see a recent Financial Times piece in which the author noted the fun-killing attitude of millenials, who apparently have a mysterious distaste for office pranks, as if it were new or surprising.
Why is that a surprise? Millenials are coming of age in an broadly humorless and litigious corporate atmosphere, where the smallest offense can get you fired suddenly and without warning. And given the state of the economy and their finances, that is not a risk they can prudently take, even if it strips their work life of much of the humanity and joy that make life worth living.
And while this is sad on a human level alone, that attitude and the policies, prosecutions, and laws it supports are now actively dangerous to the security of the country. Demonizing tinkering and creating an environment toxic to curiosity discourages and ostracizes the exact sort of people we now rely upon to capably protect us. Here is a sample of some quotes from security industry figures:
- Jeremiah Grossman: “If the end result of Apple v. FBI are laws mandating backdoors, all of the work we do in InfoSec suddenly becomes irrelevant.”
- Christopher Soghoian: “Why should every American have the ability to talk & text privately with tools that thwart lawful FBI wiretaps? Two words: President Trump.”
- Jennifer Granick: “Today is the anniversary of @aaronsw’s death. Still no #CFAA reform. Still too much copyright for too long.”
These people are in short supply to begin with. We can’t afford to drive to despair the ones we have with bad policy and witch-hunting prosecutions. If we continue on this path, we are doomed to eventually suffer a dramatic and stunning attack of our own making that will cost lives.
As a final note, it is worth considering that much of our history and tradition favor their point of view as well.
More Americans died during the Revolutionary War than have ever died from terrorism, and that occurred at a time when our population was much smaller; yet despite the loss of life, privacy protections were considered more essential then than they are today, and were even considered synonymous with liberty.
Part of what made revolutionary thought so powerful was that it could be formulated away from the watchful eyes of the British, in colonial pamphlets and coffeehouses and taverns. One has a hard time imagining how that robust and original philosophy ever could have emerged in the first place in a world where the Crown had had access to the Founders’ every communication.
But even in our more recent history, encryption was not considered outlandish or dangerous. Only 20 years ago it was identified as fundamental to safe internet commerce. Having forgotten these lessons, and in our fear, we made some very bad decisions. They have finally come to a head. In the fictional world of The Name of the Wind, it is considered bad luck to insult or harm a tinker. In our own world, it continues to be very bad luck indeed.
