Friday, January 28, 2011

Kill-switch: Egypt vs. the US

In response to protests, the Egyptian government took the unprecedented step of disconnecting its Internet from the rest of the world. Egyptians can no longer reach Twitter, Facebook, or other "subversive" websites. While Iran and Tunisia partially restricted the Internet during their protests, they did not go to this extreme of turning it off completely.

While extreme, this is exactly the ability our president wants (it's unfair to blame it on the current president -- our previous president wanted the same ability). The proposed "Protecting Cyberspace as a National Asset Act" would give the president broad powers to disable the Internet after declaring a "cyber emergency", specifically, shutting down links to the outside world.

Such things are always well intentioned, but often become a bigger problem than the threat they are designed to address.

Egypt is a good example. It has been under a near continuous "state of emergency" since 1967. Under their Emergency Law, constitutional rights are temporarily suspended, censorship legalized, and police powers extended. Most countries have similar laws for temporary states of emergency. However, Egypt's "state of emergency" has been permanent -- it was declared by president cum dictator Hasni Mubarak when he took power in 1981. Mubarak used the  powers enabled by this law to turn off the Internet.

You'd like to imagine that this could not happen here, but you'd be wrong. The U.S. passed similar (in nature, but not degree) laws in response to the 9/11 terrorist attacks. These laws have been in continuous action ever since, the temporary emergency has become permanent. The "terrorist threat level" chart has never been below "Yellow - Elevated". Continued abrogations of our civil liberties in the Patriot Act (now up for renewal) are justified by this ongoing emergency. Reasonable sounding laws, such as the "Terrorist No Fly" list, are as often used to track petty criminals and political dissidents (like hackers Jacob Applebaum and Moxie Marlinspike) as they are to used to stop terrorists.

The populace supports such laws because they believe in the competence of government. This belief is misplaced. I know from personal experience that federal networks are the least secure on the Internet. It's irrational to believe that, if given more authority, that they would be any better at securing our networks. I'm all for passing cybersecurity legislation -- but that legislation should start with the government's own networks. Only when the legislation proves effective at securing government networks should it be extended to protecting everybody else's.

In his farewell address, President Eisenhower warned about the "unwarranted influence, whether sought or unsought, by the military industrial complex". Unlike the later hippies, Eisenhower didn't believe that there was some sort of conspiracy in the "military industrial complex". According to Eisenhower, the military and arms industry honestly believed they were acting in America's best interests -- they were just wrong.

We see why this is wrong in the current Egypt conflict. Our interests are tied with the current government. For one thing, we have troops stationed in Egypt, and provide them $1.3 billion a year in military aid. Therefore, we are caught in the impossible position of not being able to choose sides. Whereas the U.S. unequivocally supported the protesters in Iran, they equivocate with regards to Egypt. Vice President Biden recently supported Mubarak, saying that Mubarak is not a dictator, and questioned what it is the protesters really want. Biden is wrong, our government is wrong, Mubarak is an evil dictator and must go. If we didn't have military interests in Egypt, we would be able to unambiguously support the protesters.

The comparison I'm trying to make is with the "cybersecurity industrial complex". The above bill is supported by the cybersecurity industry from Symantec to SANS. While such organizations will benefit from cybersecurity regulation, there is no conspiracy here: they honestly believe the Internet will be better with more regulation.

But it won't be. It much the same way that a stronger military does not lead to greater prosperity, a more secure Internet will not lead to greater prosperity. A strong military spread throughout the world has instead mired us in conflicts of interests for which there is no easy answer.

Take, for example, the Wikileaks-inspired DDoS attacks. After companies like MasterCard and Visa refused to process donations for Wikileaks, activists bombarded their servers with attacks from all over the Internet. It's exactly the sort of attack against the financial system that might justify "emergency" powers. I agree to some extent, the DDoS attacks were a little bit like terrorism. But on the other hand, I would also say that they are a little bit like free speech protests. Our government is put into a difficult situation: is it protecting MasterCard because it's enforcing the law? Or is it trying to suppress Wikileaks?

It was Senator Joe Lieberman who drafted the cybersecurity bill. It was also Lieberman who called up companies like Amazon and MasterCard and suggested (aka. threatened) them to stop doing business with Wikileaks. There is no conspiracy here, Lieberman honestly believes his actions will lead to a more prosperous America. But it serves as a great example how the drive to "secure the Internet" can be conflated with "suppress dissent".


We will have nothing as bad as the dictator Hosni Mubarak, but similar sorts of things can happen here. We put too much trust in our government to protect our interests, when in fact it's the government itself that is a threat to those interests.

What makes the Internet a force for freedom in the world is precisely because it's outside the control of any government -- even a benign and friendly government as our own. We should keep it that way.


Unknown said...

The funny thing about the no-fly list is that it is *never* used to stop suspected terrorists, because our intelligence agencies would prefer that they not know that they are being watched.

Nondeterministic Finite Automaton said...

Spot on analysis and analogies!

Nondeterministic Finite Automaton said...

This is related and really cool: