Skating on Stilts

--Stewart Baker

For decades, information technology has been driven by Moore’s Law. One version of the law holds that the number of transistors that can be cheaply placed on a chip will double every 18 to 24 months.

It’s true. A computer that cost $1 million in 1970 could be duplicated for $500,000 in 1972 and for $10,000 in 1984. By the end of the 1980s, personal computers were giving individuals capabilities that were once available only to government and the Fortune 500; electronic spreadsheets, word processors, contacts files, and email began changing the way we all do business.

Surely one of the oddest results of going to work for the National Security Agency was my initiation into the vanguard of this trend. NSA controlled encryption, and especially exports of encryption. But as cheap home computers made the Internet a potential source of mass electronic commerce, Microsoft and other software companies wanted to build encryption into their products. They rightly saw a need for more security if computer networks were going to carry large transactions.

So, to defend NSA’s encryption policy, I had to understand the Internet, and the changes it would bring. While I never fully accepted their encryption policy proposals, I came to believe that the Internet revolution was coming. After leaving government I built a law practice around that technology, representing Netscape before its IPO launched the revolution and dozens of other Silicon Valley firms.

That meant I had a ringside seat as Moore’s Law worked its magic. By the late 1990s, computing power that had cost $1 million in 1970 could be had for a hundred dollars.

Cheap computing and telecommunications (not to mention a gradually softening policy on encryption exports) did indeed create a mass market Internet. We were able to search the accumulated wisdom and folly of humanity in seconds. We could download books, music, and movies – what we wanted when we wanted it. We could bank, play games, trade securities, salute friends, trash enemies, and gossip, build businesses, lose and find lovers, all on line.

Oh, and a few more things: we could be defrauded, robbed, extorted, and blackmailed with stolen secrets on line, too. The effort to export strong encryption turned out to be a red herring. Crooks easily found ways around even the strongest encryption.

But, as with commercial jet travel, it took a while for the bad news about information technology to arrive.

Some of the first hackers discovered that they could obtain free phone service by fooling AT&T’s computers in the 1970s, and the first computerized “worm” to clog the Internet wasn’t launched until 1988. Computer viruses emerged in 1980s, passed from disk to disk. They were an annoyance, but little more. Most were written to show off the skills of the author, a twentieth century version of “counting coup.”

But as we moved our lives on line, criminals followed. Hackers discovered that there was money in compromising other people’s computers. Spammers could use those machines to send messages without fear of being shut down. Nigerian spammers learned to defraud gullible men and women who had never traveled out of the country.

Networks of compromised machines were marshaled into vast zombie armies that could attack a single website together, knocking it off line. For some sites, being off line even for an hour was so costly that they’d pay extortionate fees to stop the attack.

Suddenly, exploiting computer security holes wasn’t the cyberspace equivalent of spraypainting graffiti on subway cars. It was a new form of organized crime. It paid well enough to attract real talent. And that talent found new ways to make insecurity pay.

Compromising the computers of credit card processors and merchants allowed identity theft and credit card fraud on a massive scale. Sending booby trapped emails to known individuals, in contrast, might only compromise a single machine, but it would allow the criminal to steal every name and password used on the machine – and to empty the bank account of the victim.

As the criminals demonstrated what could be done on line, governments followed their example. Governments didn’t steal money, though. They stole secrets. Protected from prosecution and motivated by patriotism, government hackers turned out to be even more effective than the crooks. Countries that depended on computer networks began to wonder whether they had any secrets left.

Bad as it was to lose secrets, that wasn’t the worst threat from government hacking. Once a system has been compromised, the attacker can choose its fate; he can keep the system alive and milk it of its secrets or he can kill it – shut it down for an indeterminate period. This meant that government attackers could exploit critical adversary systems for intelligence purposes for years, and then, in a crisis, they could shut the systems down.

The tools to infiltrate our information systems grow more sophisticated every year. The United States is the most at risk. It is probably among the top five intelligence targets of every government on earth. Why? Because our unique global military reach means that no government on earth can safely ignore the likely US reaction to its actions. Put another way, every tinpot president-for-life who wants to attack a neighbor has to worry first about whether he can beat the neighbor and second about whether the U.S. will stop him. So every government wants to know how we will react to what it does, and ideally it wants a weapon that can persuade us not to get in its way.

For many governments, hacking US information systems serves both purposes. Hostile nations can gather intelligence about our view of them while they plan attacks on a neighbor. And once the attack is launched, if the US interferes, the code that once spied on us can be used to shut our systems down. Electricity, aviation, communications, and banking can be disrupted, perhaps even sabotaged irreversibly. Without a shot being fired, without even a clear sense of who the attacker is, much of the United States could find itself living in post-Katrina New Orleans, but without hope of a rescue any time soon.

How effectively this weapon could be deployed today is in dispute. But there is little dispute that the attackers have been gaining on the defenders by leaps and bounds. Two nations have already suffered serious, coordinated cyberattacks originating in Russia during disputes with that country. The attacks were effective, but not crippling. So perhaps foreign nations cannot use information technology to kill or harm Americans on a large scale today. But it seems likely that they will have that capability soon. Just as it took decades for terrorists to cause catastrophic failures in the air transport system, it will take decades to find and exploit the most damaging holes in our information networks. So far, there is no sign that the spies and the crooks who are trying to do that are running out of ideas or money.

And what are we doing as this threat gathers?

More or less what border officials were doing in the 1980s. We are embracing information networks with the same enthusiasm we have displayed since the 1970s, and doing very little to close the security holes this technology opens.

We are up on the bike and flying downhill. Only now, as the scenery begins to blur, are we starting to understand that maybe this technology, too, will find a way to kill us.