I just finished the MOOC on laws surrounding Cyberwar and Surveillance. In the final week we were assigned the task to write down our personal thoughts on the article We Need an Invasive NSA by Prof Goldsmith.
Below this line is my contribution.
Goldsmith is way off
I believe Prof Goldsmith is wrong on a number of crucial points. Most importantly, his argument depends on the presumption that only sophisticated (state sponsored) cyber attacks can do real harm to critical infrastructure. That is just plain wrong. Any script kiddie can visit Shodan and find critical infrastructure that is directly connected to the internet and begin to wreak havoc within minutes. These attacks can never be stopped through surveillance, no matter how much tax money you throw at the NSA. The proper way to increase cyber security for critical infrastructure is instead to secure the industrial control systems themselves, and to disconnect them from the outside world (air gapping).
More sophisticated attackers can of course jump air gaps, for instance by paying a courier (with proper access) to carry an infected USB stick over the air gap, as was done in the Stuxnet case. But even then I have a hard time believing the NSA could do much to stop it. They can monitor internet usage, phone metadata etc. of regular Americans 24/7 without picking up any chatter of this kind. Sophisticated attackers know how to maintain op-sec. Regular citizens, on the other hand, don’t know the first thing about op-sec, so in the end the NSA – and similar organizations – will mostly pick up chatter from regular citizens (people who in most cases aren’t even suspected of doing anything wrong).
Further, Prof Goldsmith argues that a proper balance between privacy and security already exists, and he even proposes to reduce privacy even more and to step up surveillance of citizens beyond what is done today. This is downright scary. The following quote (sometimes attributed to Ben Franklin) nails why:
Those who would give up essential Liberty
to purchase a little temporary Safety,
deserve neither Liberty nor Safety.
If you replace Liberty with Privacy the quote really captures what is going on here.
Snowden, Binney et al. have repeatedly shown that the balance between privacy and security is long gone. As Ben Wizner (from the ACLU, also Snowden’s lawyer) said in week 6 of the course, anyone who still believes the oversight system is balanced and working well must have had his head in the sand. In theory there are systems for oversight in place. But in practice these oversight bodies do little more than rubber-stamp.
Ben Wizner on Oversight:
Money better spent
The solution for better cyber security is not to diminish privacy and throw more tax dollars at organizations like the NSA. Instead, what should be done is to assess critical infrastructure control systems using IT security professionals and pentesters, and to audit processes and systems to make sure that – at least – unsophisticated attackers, like script kiddies and cyber criminals, cannot wreak havoc at will. This may not stop the most sophisticated – state sponsored – APT attacks. But it will stop most attacks, allowing critical infrastructure to work satisfactorily most of the time. Surveillance alone can never accomplish this. Simply put, you get more bang for the buck spending money on securing systems than on throwing the money at the NSA.
In the immortal words of Julian Assange: we live in crucial times. Our generation is perhaps the last one that has a decent chance to stop the surveillance infrastructure from going haywire and paving the way for a future totalitarian dictatorship. Now is the time for real debate about how to put all this fantastic new technology we have created to good use, in harmony and balance with ourselves and in tune with our right to privacy. Technology is meant to increase the quality of our lives, not to spy on us, scare us into censoring ourselves and make us fear a global, omnipresent big-brother-style system that may or may not approve* of what we are doing, saying and even thinking.
* Even if you yourself don’t think you are doing anything wrong today, that is no guarantee that the system – present or future – will think likewise.