On the first day of Wikileaks, my true love sent to me
A cable dump on a CD.
From time to time, the topic of ‘cyberwar’ comes up in the media, usually accompanied by breathless speculation about the impact on our lifestyle when They (whoever They are) finally launch Their attack on Us, and sometimes by a picture of a steely-haired Air Force general who has been charged with keeping us all safe. No one knows exactly what a cyberwar will look like (my best guess: ridiculously long ping times) but everyone is sure that it’s only a matter of time. When the cyber-attack hits, our electronic defenses will be overwhelmed in a heartbeat and the shattered nation - unable to download Justin Bieber clips, shop on Amazon or receive timely Farmville updates - will suffer a collective collapse of morale that will render us easy pickings for foreign invaders. Something like that, anyway.
This kind of thinking is oddly reminiscent of NATO’s picture of a Warsaw Pact invasion of Europe in the 1980s, except that instead of tank divisions pouring through the Fulda Gap it’ll be rogue Chinese packets flooding across Comcast and Level3.net. But just as the long-expected armored invasion never materialized and we had to hastily retool our war-fighting plans to take on hirsute fanatics in the cities of Iraq and the mountains of Central Asia, it’s possible that the coming cyberwar won’t look exactly the way we expect.
In fact, there seems to be a cyberwar - or at least a cyberskirmish - going on right now and it resembles nothing so much as an extended streetfight. In the red corner, anonymous ‘patriots’, opposed to the dissemination of leaked government information by the Australian whistleblower, seducteur extraordinaire and current guest of Her Majesty, Julian Assange; in the blue corner, an equally anonymous group fighting under the banner of “transparency right or wrong”. Battlegrounds - or collateral damage - include the Wikileaks website and hosting or DNS services that supported it, Paypal, Mastercard, a Swedish law firm, and a Swiss bank. The weapons used include various forms of homebrew DDoS tools, including 4chan’s infamous ‘low orbit ion cannon’ (LOIC), the switchblade of choice for street punks fighting for control of the Intertubes.
Pandalabs has a more detailed description of the current wave of DDoS attacks. Reading it, it’s hard not to think of Matthew Arnold’s line about “where ignorant armies clash by night” … actually, no, it’s very easy not to think of that. I just threw it in because it sounded cool. Seriously, though, it starts to look as if a better model for cyberwar might be the drug-gang wars in Mexico. There too we have ‘non-state actors’ whose identities and objectives are more or less mysterious (and some of whom may be deniable proxies for the state). We have the state intervening as just another combatant, and not necessarily a successful one. And we have a kind of take-no-prisoners ferociousness that threatens to spill over and make life unlivable for everyone.
Looking further back, it’s possible to see analogies in medieval times, where each walled village was pretty much responsible for its own defense. If your website arouses the ire of some angry gang of zealots or the cupidity of professional extortionists, the state isn’t going to leap to your defense. The feudal lord to whom you pay shield money - known these days as an internet service provider - might send troops, but if the action gets too hot and threatens to embroil him in a battle he can’t win, he’ll probably cut you loose.
All this doesn’t offer much scope for steely-haired Air Force generals. They don’t have the interest or the resources to fight in a dozen brushfire wars raging simultaneously. Whatever big guns the state is able to dream up are likely to sit idle most of the time for lack of suitable targets. Cyberwar is asymmetric warfare par excellence: having the most resources or a professional standing army doesn’t guarantee you victory when you have so many weak spots that are vulnerable to hit-and-run attacks by scrappy bands of irregulars.
The Chinese electronic invasion may come one day or it may not. In the meantime, the cyberwars have already started and they aren’t playing out quite the way the media said they would.
Back in 2002, riding the tide of post-9/11 paranoia, the Bush administration briefly flirted with a project to harvest and analyze vast amounts of personal information about American citizens, culled from databases and electronic communications. The project, usually referred to as ‘Total Information Awareness’, but officially known as the Information Awareness Office, was headed up by former Iran-Contra conspirator Admiral John Poindexter, a man so creepily-uncharismatic that you had to wonder if they’d only picked him because Cthulhu couldn’t get the necessary security clearances. Just to make sure that no one could fail to get the message, they then apparently launched an internal competition to see who could come up with the most horrifying logo for the project. The winning entry, depicting a menacing eye-in-a-pyramid turning its baleful gaze on the world over the Latin phrase “Knowledge is Power”, was so repellent that even Congress finally woke from its perpetual slumber and voted to defund the whole vile enterprise.
The cynics among us - myself included - simply commented that TIA would be back, and that next time it would surface in the private sector, where it wouldn’t be subject to the same kind of control or oversight as a government project.
And so, gentle reader, it came to pass. TIA’s new incarnation is called Project Vigilant, and its self-declared mission is to ‘Attribute Actions to Actors’. In case that seems a little vague to you (do they also attribute thoughts to thinkers and speech to speakers, to say nothing of vision to seers, or is that outside their remit?), Glenn Greenwald over at Salon does a fine job of summarizing what we know about Project Vigilant.
Project Vigilant (which should really be written with a final ‘e’) has been in the news recently because it turns out that ex-hacker Adrian Lamo is one of their ‘volunteer members’. And Lamo has been in the news because he was the person who turned in Specialist Bradley Manning, the soldier who (allegedly) provided Wikileaks with large quantities of classified information. Quite how Manning came to be in contact with a man who, in hindsight, was probably one of the worst people in the world that he could have chosen to confide in is probably an interesting story. Greenwald drops some hints, but declines to speculate.
Instead, he focuses on Project Vigilant itself, a ‘volunteer organization’ that “collects vast amount of private data about the Internet activities of millions of citizens, processes that data into usable form, and then … turns it over to the U.S. Government”. You’d think that violating everyone’s privacy on that scale would be a time-consuming and expensive activity, but evidently the patriots of the Project count not the cost. Moreover, according to Greenwald, they enjoy some remarkably privileged access: no less than a dozen US Internet providers are reportedly sharing data with Project Vigilant, data that the Project then massages and supplies in an easily-digestible form to the government. The Project claims to be able to track a quarter of a trillion IP addresses a day, and “develop portfolios on any name, screen name or IP address.”
So we have an ostensibly private organization - wholly immune to any scrutiny or control - with privileged access to data from ISPs, engaged in packaging up information about American citizens and turning it over to the government. I say ‘ostensibly’ because this kind of activity sounds like it would require fairly deep pockets, even if only for the infrastructure needed to process the data. And that’s assuming that the workforce are indeed all ‘volunteers’, and that the ISPs are handing over all their data for free just out of the goodness of their patriotic souls. Call me a cynic, but I can’t help wondering if the relation between Project Vigilant and Poindexter’s old total awareness infowarriors (or their successors) is really quite so hands-off as we are being led to believe. What are the odds, say, that some of that useful ISP data is actually flowing out of those secret wiretap rooms at the telcos and that at least some of Vigilant’s costs are being met, directly or indirectly, by way of a line item in a black budget somewhere?
We may never know. What’s interesting is that, if the Examiner is to be believed, Project Vigilant has been operating for more than a decade, which would mean that it was actually launched before America woke up and smelled the post-9/11 paranoia, and long before Congress ordered that Admiral Poindexter’s unlovely child should be taken out back and quietly suffocated. This is enough to make you wonder if Poindexter’s Information Awareness Office was no more than a distraction, a built-to-fail red herring whose demise would simply accelerate the transfer of state surveillance to the private sector.
If you didn’t like the idea of the government peering into every nook and cranny of your electronic life, you probably won’t feel any more comfortable with the knowledge that the work is being done by a still less accountable private organization. If the idea of government spooks rummaging through your personal data and compiling secret dossiers on you makes you a little queasy, you’re really not going to like the idea of the work being done by anonymous and unsupervised ‘volunteers’ - volunteers such as convicted hacker Adrian Lamo. And while the government almost certainly ‘facilitated’ access to some of the data being scanned by Vigilant - it’s a safe bet that when the Project knocked on the doors of the ISPs and suggested that they might like to hand over their traffic records, they had at least a letter of introduction from someone in Washington - there’s probably nothing in Vigilant’s charter that says that the results of their research have to be shared only with the government.
In many other countries, something like Project Vigilant probably couldn’t (officially) exist, because it would instantly fall foul of strong data protection laws. But US data protection laws are remarkably weak, and there are strong interests that would like to keep them that way. Don’t look for any help from that quarter.
Of course, according to Greenwald, Vigilant isn’t the only private-sector entity in a cosy data-sharing arrangement with the government. There’s also Infragard, a ‘partnership’ between some 23,000 businesses and the FBI that gives the Bureau access to all the data those businesses happen to have collected on you. Among its founding members, Infragard counts Chet Uber, executive director of … Project Vigilant. Take a moment now to get over your surprise.
Even allowing for the possibility that Vigilant is exaggerating its capabilities, it’s clear that private sector organizations are now engaged in a data gathering exercise that has no historical precedent. The interested parties, of course, trot out the usual “If you’re not doing anything wrong, you have nothing to fear” line, a phrase that is now recognized as the surveillance state’s formal way of saying “Ha ha, fuck you”.
Because — as experience has shown — even if you aren’t doing anything wrong, there are a great many things to fear. And somewhere close to the top of that list are secretive corporate cyber-stasis like Project Vigilant and Infragard, operating in a comfortable gray area outside the law and subject to absolutely no oversight or control.