by Danielle Kehl
Intelligence agencies around the world are racing to increase their information-gathering and monitoring capabilities, ostensibly in an effort to promote national security and protect against terrorist threats. But in the debate about the privacy and security tradeoffs of cyber espionage, the costs of certain tactics are often overlooked. Indeed, some of the technical methods employed by intelligence agencies to increase digital surveillance capabilities may come at the expense of Internet security. As a result, these modern forms of spying can negatively impact our economic and cyber security interests—exposing both commercial entities and ordinary users to malicious hacking and cybercrime by weakening the overall security of the network.
For most of the twentieth century, espionage consisted primarily of governments spying on the military and political assets of other nations. Ordinary citizens were rarely caught up in the surveillance dragnet unless they were directly communicating with a target or foreign entity. But in the information age, the divisions between military and civilian communications are becoming increasingly blurred. Recent revelations about the National Security Agency’s secret surveillance programs, for example, suggest that the NSA may have deliberately weakened the security of the Internet in a variety of ways in order to facilitate its own signals intelligence capabilities. The documents disclosed by Edward Snowden indicate that for the past two decades, the NSA has been secretly undermining essential encryption tools and standards, covertly inserting backdoors into widely-used computer hardware and software products, stockpiling vulnerabilities it discovers in commercial software, andbuilding a vast network of spyware inserted onto computers and routers around the world.
The United States is not alone in targeting commercial communications products. A few years ago, the Chinese government required that two of its largest telecommunications and device manufacturers, Huawai and ZTE Corporation, insert backdoorsinto products shipped all over the world. These compromised devices potentially give the Chinese government access to more than half of global communications traffic. The decreasing cost of digital surveillance, coupled with the rise in state-sponsored economic espionage, has created powerful incentives for governments to create and maintain security holes in commercial products so that they can scoop up vast amounts of data.
Theoretically, if these weaknesses are only known to intelligence agencies, they are the only ones that can use them. Yet the very existence of backdoors and other critical vulnerabilities makes it possible—albeit sometimes very difficult—for malicious actors and foreign governments to find and exploit them as well. The “Athens Affair” in 2005 demonstrated what happens when outside actors discover a seemingly benign backdoor capability intended only for law enforcement purposes. Unknown attackers were able to surreptitiously listen in on the conversations of the Greek Prime Minister and other high-ranking government officials by compromising the wiretapping capabilities that were built into switches in Greece’s largest commercial cellular network. A recent white paper from the Institute of Electrical and Electronics Engineers explained how the NSA’s technical efforts to facilitate its surveillance capabilities by creating vulnerabilities in encryption standards and commercial technologies “might have compromised both security and privacy in a failed attempt to improve security.”
Moreover, because many intelligence agencies’ targets are also general-purpose, everyday technologies, these tactics can make online transactions less secure. Weaker Internet security tends to make it easier for criminals and other bad actors to break into private computers and networks for the purposes of theft, fraud, and abuse. The Center for Strategic and International Studies estimates that the cost of cybercrime to the global economy ranges anywhere from $375 to $575 billion annually. Beyond direct financial losses to banks, financial institutions, and companies, the CSIS report explains how cybercrime hurts consumers, damages brand reputations, and results in more money being spent to “clean up” after cyber incidents—not to mention increased spending on cybersecurity measures to prevent future attacks.
There’s also growing evidence that offensive hacking can negatively impact human rights and may even undermine long-term international security interests. Both the NSA and Russian authorities have reportedly been trying to find ways to identify users of Tor, an online anonymity tool—partially funded by parts of the U.S. government—that many dissidents and human rights activists in repressive countries rely on for protection from government retaliation. A former U.S. ambassador to the U.N. Human Rights Council, Eileen Donahoe, forcefully warned against the risks of these NSA activities to U.S. national security: “In a global digital world, national security depends on many factors beyond surveillance capacities, and over-reliance on global data collection can create unintended security vulnerabilities.”
While it is unrealistic to expect governments to give up cyber espionage altogether, it does not mean that we have to continue down the current path. Indeed, it is time to broaden the surveillance conversation and start talking seriously about the impact of these activities our economic and cybersecurity interests. Scholars and security researchers have already begun to discuss alternative ways that intelligence and law enforcement agencies can responsibly obtain the information they seek without fundamentally undermining Internet security. We need to weigh those risks more explicitly in the policymaking process going forward.
About the Author
Danielle Kehl is a policy analyst at New America's Open Technology Institute, where she researches and writes about technology policy and how it intersects with broader domestic and foreign policy issues. Her current projects focus on Internet freedom and the impact of U.S. broadband policies on communities and consumers. She previously worked at Access, an international NGO which focuses on digital human rights, and before that served as Fulbright fellow in Rwanda.