Jonathan Zittrain, in remarks prepared a few weeks ago, framed Internet protocol standards in a novel way. Specifically, he stated:
Second, it’s entirely fitting for a government to actively subsidize public goods like a common defense, a highway system, and, throughout the Internet’s evolution, the public interest development of standards and protocols to interlink otherwise-disparate systems. These subsidies for the development of Internet protocols, often expressed as grants to individual networking researchers at universities by such organizations as the National Science Foundation, were absolutely instrumental in the coalescence of Internet standards and the leasing of wholesale commercial networks on which to test them. (They also inspired some legislators to advertise their own foresight in having facilitated such strategic funding.) Alongside other basic science research support, this was perhaps some of the best bang for the buck that the American taxpayer has received in the history of the country. Government support in the tens of millions over a course of decades resulted in a flourishing of a networked economy measured in trillions.
Zittrain’s framing of this issue builds on some writing I’ve published around standards. In the executive summary of a report I wrote a few months ago, I stated that,
… the Government of Canada could more prominently engage with standards bodies to, at least in part, guarantee that such standards have security principles baked in and enabled by default; such efforts could include allocating tax relief to corporations, as well as funding to non-governmental organizations or charities, so that Canadians and Canadian interests are more deeply embedded in standards development processes.
To date I haven’t heard of this position being adopted by the Government of Canada, or even debated in public. However, framing this as a new kind of roadway could be the kind of rhetorical framing that would help it gain traction.
(Managed Service Provider image by the Canadian Centre for Cybersecurity)
Matt Tait, as normal, has good insights into just why the Kaseya ransomware attack[1] was such a big deal:
In short, software supply chain security breaches don’t look like other categories of breaches. A lot of this comes down to the central conundrum of system security: it’s not possible to defend the edges of a system without centralization so that we can pool defensive resources. But this same centralization concentrates offensive action against a few single points of failure that, if breached, cause all of the edges to fall at once. And the more edges that central failure point controls, the more likely the collateral real-world consequences of any breach, but especially a ransomware breach will be catastrophic, and overwhelm the defensive cybersecurity industry’s ability to respond.
Managed Service Providers (MSPs) are becoming increasingly common targets. It’s worth noting that the Canadian Centre for Cybersecurity’s National Cyber Threat Assessment 2020 listed ransomware as well as the exploitation of MSPs as two of the seven key threats to Canadian financial and economic health. The Centre went so far as to state that it expected,
… that over the next two years ransomware campaigns will very likely increasingly target MSPs for the purpose of targeting their clients as a means of scaling targeted ransomware campaigns.
Sadly, if not surprisingly, this assessment has been entirely correct. It remains to be seen what impact the 2020 threats assessment has, or will have, on Canadian organizations and their security postures. Based on conversations I’ve had over the past few months the results are not inspiring and the threat assessment has generally been less effective than hoped in driving change in Canada.
As discussed by Steven Bellovin, part of the broader challenge for the security community in preparing for MSP operations has been that defenders are routinely behind the times; operators modify what and who their campaigns will target and defenders are forced to scramble to catch up. He specifically, and depressingly, recognizes that, “…when it comes to target selection, the attackers have outmaneuvered defenders for almost 30 years.”
These failures are that much more noteworthy given that the United States has trumpeted for years that the NSA will ‘defend forward’ to identify and hunt threats, and respond to them before they reach ‘American cybershores’.[2] The seemingly now routine targeting of both system update mechanisms as well as vendors which provide security or operational controls for wide swathes of organizations demonstrates that things are going to get a lot worse before they’re likely to improve.
A course correction could follow from Western nations developing effective and meaningful cyber-deterrence processes that encourage nations such as Russia, China, Iran, and North Korea to punish computer operators who are behind some of the worst kinds of operations that have emerged in public view. However, this would in part require the American government (and its allies) to actually figure out how they can deter adversaries. It’s been 12 years or so, and counting, and it’s not apparent that any American administration has figured out how to implement a deterrence regime that exceeds issuing toothless threats. The same goes for most of their allies.
Absent an actual deterrence response, such as one which takes action in sovereign states that host malicious operators, Western nations have slowly joined together to issue group attributions of foreign operations. They’ve also come together to recognize certain classes of cyber operations as particularly problematic, including ransomware. Must nations build this shared capacity, first, before they can actually undertake deterrence activities? Should that be the case then it would strongly underscore the need to develop shared norms in advance of sovereign states exercising their latent capacities in cyber and other domains and lend credence to the importance of the Tallinn manual process. If, however, this capacity is built and nothing is still undertaken to deter, then what will the capacity actually be worth? While this is a fascinating scholarly exercise–it’s basically an opportunity to test competing scholarly hypotheses–it’s one that has significant real-world consequences and the danger is that once we recognize which hypothesis is correct, years of time and effort could have been wasted for little apparent gain.
What’s worse is that this even is a scholarly exercise. Given that more than a decade has passed, and that ‘cyber’ is not truly new anymore, why must hypotheses be spun instead of states having developed sufficient capacity to deter? Where are Western states’ muscles after so much time working this problem?
[1] As a point of order, when is an act of ransomware an attack versus an operation?
[2] I just made that one up. No, I’m not proud of it.
Roland Paris and Jennifer Welsh have an excellent, and thought-provoking, column in the Globe and Mail where they argue that Western democracies need to adopt a ‘democratic support’ agenda. Such an agenda has multiple points comprising:
States getting their own democratic houses in order;
States defending themselves and other democracies against authoritarian states’ attempts to disrupt democracies or coerce residents of democracies;
States assisting other democracies which are at risk of slipping toward authoritarianism.
In principle, each of these points makes sense and can interoperate with one another. The vision is not to inject democracy into states but, instead, to protect existing systems and demonstrate their utility as a way of weaning nations towards adopting and establishing democratic institutions. The authors also assert that countries like Canada should learn from non-Western democracies, such as Korea or Taiwan, to appreciate how they have maintained their institutions in the face of the pandemic as a way to showcase how ‘peer nations’ also implement democratic norms and principles.
While I agree with the positions the authors suggest, far towards the end of the article they delicately slip in what is the biggest challenge to any such agenda. Namely, they write:
Time is short for Canada to articulate its vision for democracy support. The countdown to the 2024 U.S. presidential election is already under way, and no one can predict its outcome. Meanwhile, two of Canada’s closest democratic partners in Europe, Germany and France, may soon turn inward, preoccupied by pivotal national elections that will feature their own brands of populist politics.1
In warning that the United States may be an unreliable promoter of democracy (and, by extension, human rights and international rules and order which have backstopped Western-dominated world governance for the past 50 years) the authors reveal the real threat. What does it mean when the United States is regarded as likely to become more deeply mired in internecine ideological conflicts that absorb its own attention, limit its productive global engagements, and are used by competitor and authoritarian nations to warn of the consequences of “American-style” democracy?
I raise these questions because if the authors’ concerns are fair (and I think they are) then any democracy support agenda may need to proceed with the presumption that the USA may be a wavering or episodic partner in associated activities. To some extent, assuming this position would speak more broadly to a recognition that the great power has significantly fallen. To even take this as possible–to the extent that contingency planning is needed to address potential episodic American commitment to the agenda of buttressing democracies–should make clear that the American wavering is the key issue: in a world where the USA is regarded as unreliable, what does this mean for other democracies and how they support fellow democratic states? Do countries, such as Canada and others with high rule-of-law democratic governments, focus first and foremost on ‘supporting’ US democracy? And, if so, what does this entail? How do you support a flailing and (arguably) failing global hegemon?
I don’t pretend to have the answers. But it seems that when we talk about supporting democracies, and can’t rely on the USA to show up in five years, then the metaphorical fire isn’t approaching our house but a chunk of the house is on fire. And that has to absolutely be our first concern: can we put out the fire and save the house, or do we need to retreat with our children and most precious objects and relocate? And, if we must retreat…to where do we retreat?
… in the long term, agriculture presents perhaps the most significant illustration of how a warming world might erode America’s position. Right now the U.S. agricultural industry serves as a significant, if low-key, instrument of leverage in America’s own foreign affairs. The U.S. provides roughly a third of soy traded globally, nearly 40 percent of corn and 13 percent of wheat. By recent count, American staple crops are shipped to 174 countries, and democratic influence and power comes with them, all by design. And yet climate data analyzed for this project suggest that the U.S. farming industry is in danger. Crop yields from Texas north to Nebraska could fall by up to 90 percent by as soon as 2040 as the ideal growing region slips toward the Dakotas and the Canadian border. And unlike in Russia or Canada, that border hinders the U.S.’s ability to shift north along with the optimal conditions.
Now, the advantages faced by Canada might be eroded by a militant America, and those of Russia similarly threatened by a belligerent and desperate China (and desperate Southeast Asia more generally). Regardless, food and arable land are generally likely to determine which countries take the longest to most suffer from climate change. Though, in the end, it’s almost a foregone conclusion that we are all ultimately going to suffer horribly for the errors of our ways.
“Hu Xijin, the editor of the Chinese state media outlet the Global Times, weighed in recently on the most recent merger proposal. “The US restructuring of TikTok’s stake and actual control should be used as a model and promoted globally,” remarked Hu on Twitter. “Overseas operation of companies such as Google, Facebook shall all undergo such restructure and be under actual control of local companies for security concerns.”
It’s not exactly a good sign for Chinese state media to tout a U.S. play designed to be “tough on China” as a model for global behavior. The United States may be bumbling its way into a precedent the consequences of which it has yet to anticipate.”
This was exactly the concern that was raised by experts in North America the second after the Trump administration proposed its bumblingly-stupid approach to TikTok. With the American policy in place it’s going to be that much harder for Western companies operating in China to have convincing arguments that they shouldn’t need to partner with Chinese organizations and engage in manufacturing, technology, or intellectual property disclosures as a condition of doing business in China. And the issue won’t end in China: American (and other countries’) businesses are almost certain to have (now) US-framed arguments thrown at them when operating all around the world whenever there is even a marginal ‘national security’ concern linked to the foreign company’s operations.
The New York Times has a selection of experts’ ‘nightmare scenarios’ for the forthcoming USA election. You can pick and choose which gives you colder sweats—I tend to worry about domestic disinformation, a Bush v. Gore situation, or uncounted votes—but, really, few of these nightmares strike to the heart of the worst of the worst.
American institutions have suffered significantly under Trump and, moreover, public polarization and the movement of parts of the USA electorate (and, to different extents, global electorates) into alternate reality bubbles mean that the supports which are meant to facilitate peaceful transitions of power such that the loser can believe in the outcomes of elections are badly wounded. Democracies don’t die in darkness, per se, but through neglect and an unwillingness of the electorate to engage because change tends to be hard, slow, and incremental. There are solutions to democratic decline, and focusing on the next electoral cycles matters, but we can’t focus on elections to the detriment of understanding how to rejuvenate democratic systems of governance more generally.
Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.
For the past several weeks I’ve been sorting through all of the hundreds of photographs I’ve taken during the current state of pandemic we’re all living within. My photography is often a reflection—often unbeknownst to myself—of my thoughts and attitudes. The earliest weeks of the pandemic saw me making images of the city as though it were empty, grey, or isolated. And while those moods still pervade through later photos, there are increasingly also bursts of colour and joy, though still mixed with an emptiness to the city that calls into question what things will be like in six, twelve, or twenty-four months’ time. Many of the shots I’m taking, now, still feel almost documentary in nature, but at what point does the documentation end, and it simply becomes contemporary street photography?
Inspiring Quotation
More simply, real change only happens when the thing that white supremacists fear becomes true: that the mainstream increasingly becomes rather than simply appropriates the “ethnic.”
-Navneet Alang
Personal Photography Shots
I’ve been going out, once a week or so, to get a walk and make photos while walking around my city. Unlike past months, I’ve contributed a set of these rather than other artists’ images.
ZHU & Tinashe-Only (Single) // Beats by ZHU and vocals by him and Tinashe make for a very danceable track. I’m really hoping that they do more work together or, failing that, that we at least get more work from ZHU for the summer.
Yiruma-Room With A View (EP) // Without a doubt, Yiruma has created some of the most beautiful classical piano work that I’ve heard this year.
Kehlani-It Was Good Until It Wasn’t // The tracks “Can I” and “Everybody Business” are, for me, the real standouts on this album. I admit that I was hopeful that “Grieving”, with James Blake, would be really awesome, but their styles just didn’t quite seem to come together. Her work with Tory Lanez, as well as Jhené Aiko, are far more balanced given how their styles complement Kehlani’s own.
Good Reads
Barton Gellman—Dark Mirror // Gellman was one of three reporters who were directly entrusted with the Snowden archives, and spent years reporting out of the documents. His assessment of what it was like to report on what he learned, the nature of the surveillance apparatus, working with Ed Snowden, and his broader thoughts on the relationship between public government and national security are erudite and fantastically interesting. I’ve just devoured this book and cannot recommend it highly enough.
How Should Biden Handle China? // This piece is less useful, to be honest, in thinking through what policy the United States or its allies should adopt than is assessing engagement strategies that aren’t working. Setting aside the irregularities and chaos associated with the Trump administration’s approach, the assessment of how European efforts have been equally unhelpful is informative for guiding policy makers on what hasn’t worked even when policy activities have been carried out by governments with comparatively competent foreign policy bodies. While an understanding of what doesn’t work isn’t inherently useful in knowing what does work, it at least provides a set of strategies that seem to be unproductive to take up in a new administration.
1989-1996 Canadian Housing Collapse Looks Eerily Similar to Today // Economists around the world have been warning of a Canadian housing bubble for a very long time. But Canadians have ignored the warning and dove into the market on the dual fear that they would otherwise never be able to buy a home, and the notion that renting amounts to throwing money away. The result has been a lot of Canadians owning homes they can’t afford. As the bubble pops, we’re going to see just how much economic havoc is going to follow from these decisions for the housing market as well as the economy more broadly (housing, in Canada, constitutes one of the largest sectors in the economy).
The Jungle Prince of Delhi // I’ve had this article open to read for months and months, but kept not getting to it. That’s a shame, as it is (and remains) a terrific story filled with past dynasties, the histories of British colonialism, the hard task of journalism, and the capability of truth to be creatively imagined into being. I can’t recommend this detective piece highly enough.
Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.
This month’s update is late, accounting for holidays and my generally re-thinking how to move forward (or not) with these kinds of posts. I find them really valuable, but the actual interface of using my current client (Ulysses) to draft elements of them is less than optimal. So expect some sort of changes as I muddle through how to improve workflow and/or consider the kinds of content that make the most sense to post.
Inspiring Quotation
Be intensely yourself. Don’t try to be outstanding; don’t try to be a success; don’t try to do pictures for others to look at—just please yourself.
Ralph Steiner
Great Photography Shots
Natalia Elena Massi’s photographs of Venice, flooded, are exquisite insofar as they are objectively well shot while, simultaneously, reminding us of the consequences of climate change. I dream of going to Venice to shoot photos at some point and her work only further inspires those dreams.
Music I’m Digging
I spent a lot of the month listening to my ‘Best of 2019’ playlist, and so my Songs I Liked in December playlist is a tad threadbare. That said, it’s more diverse in genre and styles than most monthly lists, though not a lot of the tracks made the grade to get onto my best of 2019 list.
Beck-Guero // I spent a lot of time re-listening to Beck’s corpus throughout December. I discovered that I really like his music: it’s moody, excitable, and catchy, and always evolving from album to album.
Little V.-Spoiler (Cyberpunk 2077) (Single) // Cyberpunk 2077 is one of the most hyped video games for 2020, and if all of the music is as solid and genre-fitting as this track, then the ambiance for the game is going to be absolutely stellar.
Neat Podcast Episodes
99% Invisible-Raccoon Resistance // As a Torontonian I’m legally obligated to share this. Raccoons are a big part of the city’s identity, and in recent years new organic garbage containers were (literally) rolled out that were designed such that raccoons couldn’t get into them. Except that some raccoons could! The good news is that raccoons are not ‘social learners’ and, thus, those who can open the bins are unlikely to teach all the others. But with the sheer number of trash pandas in the city it’s almost a certainty that a number of them will naturally be smart enough and, thus, garbage will continue to litter our sidewalks and laneways.
Good Reads
America’s Dark History of Killing Its Own Troops With Cluster Munitions // Ismay’s longform piece on cluster munitions is not a happy article, nor does the reader leave with a sense that this deadly weapon is likely to be less used. His writing–and especially the tragedies associated with the use of these weapons–is poignant and painful. And yet it’s also critically important to read given the barbarity of cluster munitions and their deadly consequences to friends, foes, and civilians alike. No civilized nation should use these weapons and all which do use them cannot claim to respect the lives of civilians stuck in conflict situations.
Project DREAD: White House Veterans Helped Gulf Monarchy Build Secret Surveillance Unit // The failure or unwillingness of the principals, their deputies, or staff to acknowledge they created a surveillance system that has systematically been used to hunt down illegitimate targets—human rights defenders, civil society advocates, and the like—is disgusting. What’s worse is that democratizing these surveillance capabilities and justifying the means by which the program was orchestrated almost guarantees that American signals intelligence employees will continue to spread American surveillance know-how to the detriment of the world for a pay check, the consequences be damned (if even ever considered in the first place).
The War That Continues to Shape Russia, 25 Years Later // The combination of the (re)telling of the first Russia-Chechen War and photographs from the conflict serves as a reminder of what it looks like when well-armed nation-states engage in full-scale destruction, the human costs, and the lingering political consequences of wars-now-past.
A New Kind of Spy: How China obtains American technological secrets // Bhattacharjee’s 2014 article on Chinese spying continues to strike me as memorable, and helpful in understanding how the Chinese government recruits agents to facilitate its technological objectives. Reading the piece helps to humanize why Chinese-Americans may spy for the Chinese government and, also, the breadth and significance of such activities for advancing China’s interests to the detriment of America’s own.
Below the Asphalt Lies the Beach: There is still much to learn from the radical legacy of critical theory // Benhabib’s essay showcasing how the history of European political philosophy over the past 60 years or so is in the common service of critique, and the role(s) of Habermasian political theory in both taking account of such critique whilst offering thoughts on how to proceed in a world of imperfect praxis, is an exciting consideration of political philosophy today. She mounts a considered defense of Habermas and, in particular, the claims that his work is overly Eurocentric. Her drawing a line between the need to seek emancipation while standing to confront and overcome the xenophobia, authoritarianism, and racism that is sweeping the world writ large is deeply grounded on the need for subjects like human rights to orient and ground critique. While some may oppose such universalism on the same grounds as they would reject the Habermasian project there is a danger: in doing so, not only might we do a disservice to the intellectual depth that undergirds the concept of human rights but, also, we run the risk of losing the core means by which we can (re)orient the world towards enabling the conditions of freedom itself.
Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai // This very curious article explores the recent problem of ships’ GPS transponders being significantly affected while transiting the Yangtze in China. Specifically, transponders are routinely misplacing the location of ships, sometimes with dangerous and serious implications. The cause, however, remains unknown: it could be a major step up in the (effective) electronic warfare capabilities of sand thieves who illegally dredge the river, and who seek to escape undetected, or could be the Chinese government itself testing electronic warfare capabilities on the shipping lane in preparation of potentially deploying it elsewhere in the region. Either way, threats such as this to critical infrastructure pose serious risks to safe navigation and, also, to the potential for largely civilian infrastructures to be potentially targeted by nation-state adversaries.
A Date I Still Think About // These beautiful stories of memorable and special dates speak to just how much joy exists in the world, and how it unexpectedly erupts into our lives. In an increasingly dark time, stories like this are a kind of nourishment for the soul.
Cool Things
The Deep Sea // This interactive website that showcases the sea life we know exists, and the depths at which it lives, is simple and spectacular.
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon
Rating: ⭐️⭐️⭐️⭐️⭐️
Zetter’s book engages in a heroic effort to summarize, describe, and explain the significance of the NSA’s and Israel’s first ‘cyber weapon’, named Stuxnet. This piece of malware was used to disrupt the production of nuclear material in Iran as part of broader covert efforts to delimit the country’s ability to construct a nuclear weapon.
Multiple versions of Stuxnet were created, as were a series of complementary or derivative malware species with names such as Duqu and Flame. In all cases the malware was unusually sophisticated and relied on chains of exploits or novel techniques that advanced certain capabilities from academic theory to implementable practice. The reliance on zero-day vulnerabilities, or those for which no patches are available, combined with deliberate efforts to subvert the Windows Update system as well as use fraudulently signed digital certificates, bears the hallmarks of developers being willing to compromise global security for the sake of a specific American-Israeli malware campaign. In effect, the decision to leave the world’s computers vulnerable to the exploits used in the creation of Stuxnet demonstrates that offence was prioritized over defence by the respective governments and their signals intelligence agencies which authored the malware.
The book regales the reader with any number of politically sensitive tidbits of information: the CIA was responsible for providing some information on Iran’s nuclear ambitions to the IAEA, Russian antivirus researchers were monitored by Israeli (and perhaps other nations’) spies, historically the CIA and renowned physicists planted false stories in Nature, the formal recognition of cyberspace as the fifth domain of battle in 2010 was merely formal recognition of work that had been ongoing for a decade prior, the shift to a wildly propagating version of Stuxnet likely followed after close access operations were no longer possible and the flagrancy of the propagation was likely an error, amongst many other bits of information.
Zetter spends a significant amount of time unpacking the ways in which the United States government determines if a vulnerability should be secretly retained for government use as part of a vulnerabilities equities process. Representatives from the Department of Homeland Security who were quoted in the book noted that they had never received information from the National Security Agency of a vulnerability and, moreover, that in cases where the Agency was already exploiting a reported vulnerability it was unlikely that disclosure would happen after entering the vulnerability into the equities process. As noted by any number of people in the course of the book, the failure by the United States (and other Western governments) to clearly explain their vulnerabilities disclosure processes, or the manners in which they would respond to a cyber attack, leaves unsettled the norms of digital security as well as leaves unanswered the norms and policies concerning when (and how) a state will respond to cyber attacks. To date these issues remain as murky as when the book was published in 2014.
The Countdown to Zero Day, in many respects, serves to collate a large volume of information that has otherwise existed in the public sphere. It draws in interviews, past technical and policy reports, and a vast quantity of news reports. But more than just collating materials it also explains the meanings of them, draws links between them that had not previously been made in such clear or straightforward fashions, and explains the broader implications of the United States’ and Israel’s actions. Further, the details of the book render (more) transparent how anti-virus companies and malware researchers conduct their work, as well as the threats to that work in an era when a piece of malware could be used by a criminal enterprise or a major nation-state actor with a habit of proactively working to silence researchers. The book remains an important landmark in the history of security journalism, cybersecurity, and the politics of cybersecurity. I would heartily recommend it to a layperson and expert alike.