Future Crimes


by Marc Goodman


  Policing the Twenty-First Century

  In a world characterized by technologically driven change, we necessarily legislate after the fact, perpetually scrambling to catch up.

  WILLIAM GIBSON

  It’s not easy policing the Net. Sure, we hear stories about a purportedly omnipotent NSA tracking our every move in cyberspace, and it undoubtedly has amassed a powerful array of tools and techniques. But for the average police officer or detective, the Internet is a difficult place to operate. Cops from the LAPD’s Seventy-Seventh Division, the NYPD’s Midtown South Precinct, and Chicago’s Englewood District have no access whatsoever to the tools employed by espionage agencies; those are all classified and too sensitive to expose in court. Even organizations such as the FBI face notable barriers when conducting cyber-crime investigations, particularly overseas. At the state, local, and federal levels, law enforcement officials find themselves chronically overwhelmed and understaffed as evidenced by the explosive growth in online crime detailed throughout this book. The estimated $400 billion in annual losses to the global economy because of cyber crime demonstrates plainly that police are badly losing the war against Crime, Inc.

  Attackers, flush with profits from their adventures in the digital underground, generally benefit from technology long before defenders and investigators ever do. They have nearly unlimited budgets and don’t have to deal with internal bureaucracies, approval processes, or legal constraints. But there are other systemic issues that give criminals the upper hand, particularly around jurisdiction and international law. In a matter of minutes, the perpetrator of an online crime can virtually visit six different countries, hopping from server to server and continent to continent in an instant. But what about the police who have to follow the digital evidence trail to investigate the matter? Not so much. As with all government activities, policies, and procedures, regulations must be followed. Transborder cyber attacks raise serious jurisdictional issues, not just for an individual police department, but for the entire institution of policing as currently formulated. A cop in Dallas has no authority to compel an ISP in Tokyo to provide evidence, nor can he make an arrest in the Ginza district. That can only be done by request, government to government, often via mutual legal assistance treaties. The abysmally slow pace of international law means it commonly takes years for police to get evidence from overseas (years in a world in which digital evidence can be destroyed in seconds). Worse, the majority of countries still do not have cyber-crime laws on the books, meaning that criminals can act with impunity. And, just as we saw with narco-traffickers and money launderers, cyber criminals wisely remain in safe-haven countries.

  Criminal law is nation based, meant to respect the sovereignty of each country to set its own rules and regulations without outside interference in its internal affairs, and dates back to the Treaty of Westphalia in 1648. While such a system worked well for centuries, it is under relentless and growing pressure from a global Internet that is eroding such boundaries. The legacy of the Treaty of Westphalia is a geographic answer for a nongeographic problem. The technological threat we face is borderless and thus can only be handled via an appropriate international response. An institution such as Interpol, the International Criminal Police Organization, has an important role to play in combating transnational cyber crime and coordinating investigations among its 190 member countries. But Interpol has an operating budget of only $90 million to combat all international crime, from trafficking in human beings to stolen art. By comparison, the NYPD alone has a budget of $4.9 billion, and a single criminal, the narco-leader Joaquín “El Chapo” Guzmán Loera of Mexico, had nearly $200 million in cash in his home at the time of his arrest (more than twice the annual budget of Interpol). Criminal investigations, especially those involving multiple jurisdictions and huge amounts of electronic evidence, are not just labor-intensive but also exceptionally expensive. Without an order of magnitude increase in police budgeting for the problem, we can expect Crime, Inc. to grow unabated in its illegal pursuits.

  Yet even a massive increase in law enforcement resources would not solve our cyber-threat problem; there is a cultural component in our criminal justice system that must be addressed as well. In 2012, Janet Napolitano, the secretary of Homeland Security at the time, admitted she did not use e-mail or any other online services “at all.” That is correct: the most senior government official in charge of our nation’s cyber security and critical infrastructure protection didn’t use e-mail—not because of security issues, but because by her own admission she is “somewhat of a Luddite.” In 2013, the U.S. Supreme Court justice Elena Kagan admitted that her fellow justices “are not the most technologically sophisticated people” and that “the court really hasn’t gotten to email yet.” Instead, she said “they communicate with one another through memos printed on ivory paper hand-carried from chamber to chamber by court clerks.” Though undoubtedly the justices and cabinet secretaries working at the very top of our criminal justice system have powerful intellects, their apparent lack of interest in or command of even rudimentary technologies is noteworthy. In a world moving as quickly as ours, how is it possible that government cyber-security policy and technology and privacy law will be shaped by those who don’t use e-mail?

  The core elements of our justice system need to be minimally fluent in the language of science and technology. Investigators must not only understand how these tools work but be every bit as creative as those they are pursuing—a near impossibility in any large law enforcement bureaucracy. While criminals are using AI to script and automate crimes, police are responding to each crime manually. Crime is scaling, but law enforcement has not: we have AI crime bots, but where are the AI cop bots to counter them? Where is that level of innovation in government? We need a Department of Mad Scientists at the FBI, a cadre of special agents empowered to forgo starched white shirts and ties in favor of the creative hacker ethos of their opponents. These should be white hat hackers drawn from all segments of society and capable of thinking way outside the box. Let’s encourage creativity and innovation among them in the same way Google does—with a 20 percent time work program enabling agents to pursue special projects one day a week, free from their normal assigned workload. When Google went public, its founders cited 20 percent time as instrumental to the company’s ability to innovate and as leading to “many of our most significant advances,” including Gmail, Google Talk, Google News, and AdSense (currently responsible for 25 percent of the company’s revenue). Most law enforcement agencies are so busy they only have time to focus on the tactical issue before them, leaving near-zero time for the critically important strategic thinking required for problem solving. No matter how much we spend on policing, we will never be able to arrest our way out of the cyber-crime problem.

  The need for new approaches is exigent given that our off-line systems of jurisdiction and justice may be fundamentally incompatible with our ever-expanding online world. For example, we have police departments working in cyberspace, but where are the cyber fire departments, as the Internet pioneer Vint Cerf appropriately asks? When your neighbor’s house catches fire and threatens yours, the goal should be not to arrest your neighbor’s house for arson but rather to prevent yours from burning down. While law enforcement is clearly in order for criminal matters, there are a whole host of other options that may work better as a means of dealing with the growing mountain of cyber threats. In particular, it’s time to focus on prevention rather than retrospective investigation and treatment of the problem after the fact. In that regard, there is much we can learn from the world of public health as we struggle to mitigate the risks of our technological insecurity.

  Practicing Safe Techs: The Need for Good Cyber Hygiene

  We all know what good hygiene looks like in the physical world. It’s reinforced all around us. Signs in restaurant bathrooms remind employees that they must wash hands before returning to work. Your mom tells you to cover your mouth when you sneeze, and colleges, doctors, and billboards remind us to use a condom and engage in safe sex. But where are these messages in the virtual world? Mom doesn’t remind you not to accept USB drives from strangers, so we routinely plug these virus-carrying devices in our computers and thereby unwittingly participate in malware propagation, infecting our neighbors and friends. The failure to inoculate my own tech means when I become infected and a slave to the criminal Borg, I am now unknowingly engaging in DDoS attacks and phishing scams against others.

  Internet health, like public health, is a shared responsibility, and users must take stewardship over their networks and devices if we are to improve the overall safety of our techno-future. We have an ethical obligation to do so. Each of us must be a good shepherd over our technological flock, protecting our computers, phones, and other digital gadgets from harming others. The good news is that practicing good cyber hygiene is much easier than it seems, and I have included a list of simple techniques in the appendix of this book that can drastically reduce your risk from cyber threats. Though there are many lengthy and complex best practice lists out there, the Australian government brilliantly reduced them to just four key strategies:

  • Application white listing—only allow specifically authorized programs to run on your system and block all unknown executable files and installation routines. Doing so prevents malicious software and harmful applications from running.

  • Patch all your devices’ applications by automatically running software updates for programs such as MS Office, Java, PDF viewers, Flash, and browsers.

  • Patch operating system (OS) vulnerabilities by automatically updating your OS such as Windows, Mac, iOS, or Android, ensuring you are using the very latest fully updated operating system at all times.

  • Restrict administrative privileges on your computer and spend the majority of your time logged in as a basic user such as when e-mailing and Web browsing. Only log in as admin to your own machine when you need to, such as to install new software or make system changes. Doing so deprives adversaries of the admin privileges they often need to install malware and rummage through your network.

  Just taking these four simple steps mitigates against an amazing 85 percent of targeted intrusions, according to the Australian government research. An in-depth study by Verizon and the U.S. Secret Service revealed similarly good news: “97% of all data breaches were avoidable by implementing simple or intermediate level controls.” Better techno-product design and increased public education can go a long way in helping individuals and businesses alike make the right choices when it comes to cyber hygiene. To tackle those remaining and more persistent threats, however, a more unified, global approach is required, one predicated on the models of epidemiology and disease propagation.

  The Cyber CDC: The World Health Organization for a Connected Planet

  The language of our technical insecurity is littered with metaphors of disease. We talk about computer viruses and infections to describe self-replicating malicious code, but rather than focusing on prevention and detection, we often blame those who have become infected and try to retrospectively arrest and prosecute those responsible long after the original harm is done. What if we shifted this paradigm and instead viewed our common global cyber security as an exercise in public health? Organizations such as the Centers for Disease Control in Atlanta and the World Health Organization in Geneva have over decades developed robust systems and objective methodologies for identifying and responding to public health threats, structures and frameworks that are far more developed than those in the cyber-security community. Given the many parallels between communicable human diseases and those affecting the world’s technologies, there is also much we can learn from the public health model, an adaptable system capable of responding to an ever-morphing array of pathogens around the world.

  Importantly, in matters of public health, individual actions can only go so far. It’s great if you have excellent techniques of personal hygiene, but if your whole village has Ebola, eventually you will succumb as well. The comparison is relevant to our world of cyber threats. Individual responsibility and action can make a huge difference in cyber security, but ultimately the only hope we have in responding to rapidly propagating threats across this planetary matrix of interconnected technologies is to build new institutions to coordinate our response. A trusted international cyber World Health Organization could foster cooperation and collaboration across companies, countries, and government agencies—crucial steps required to improve the overall public health of the networks driving the critical infrastructures in both our online and our off-line worlds.

  A cyber CDC could go a long way toward counteracting the technological risks we face today and could serve a critical role in improving the overall public health of the networks driving the critical infrastructures of our world. Indeed, a report sponsored by Microsoft and the EastWest Institute suggested that a cyber CDC could fulfill a number of roles that are carried out today only on an ad hoc basis, including the following:

  • education—providing members of the public with proven methods of cyber hygiene to protect themselves

  • network monitoring—detection of infection and outbreaks of malware in cyberspace

  • epidemiology—using public health methodologies to study digital disease propagation and provide guidance on response and remediation

  • immunization—helping to vaccinate the public against known threats through software patches and system updates

  • incident response—sending in experts as required and coordinating global efforts to isolate the sources of online infection and treat those affected

  While there are many organizations, both governmental and nongovernmental, that focus on the above tasks, no single entity owns them all. It is through these gaps in effort and coordination that our cyber risks continue to mount. In particular, an epidemiological approach to our growing technological risks is required to get to the source of malware infections, as was the case in the fight against malaria. For decades, all medical efforts focused in vain on treating the deadly parasitic disease for those already infected. But it wasn’t until epidemiologists realized the malady was spread by mosquitoes breeding in still pools of water that genuine progress was made in the fight against the disease. By draining the swamps where mosquitoes and their larvae grow, epidemiologists deprived them of an important breeding ground, thus reducing the spread of malaria. What swamps can we drain in cyberspace to achieve similar results? We haven’t quite yet figured it all out and thus the importance of this work.

  There is another major challenge the cyber CDC will face: most of those who are sick have no idea they are walking around infected, spreading disease to others. Whereas malaria patients develop fever, sweats, nausea, and difficulty breathing, important symptoms of their illness, infected computer users may be completely asymptomatic. This important difference is evidenced by the fact that the overwhelming majority of those with infected devices have no idea there is malware on their machines nor that they might have joined a botnet army. Even in the corporate world, with the average time to detection of a network breach now at 210 days, most companies have no idea their most prized assets, whether intellectual property or a factory’s machinery, have been compromised.

  The only thing worse than being hacked is being hacked and not knowing about it. If you don’t know you are sick, how can you possibly get treatment? Moreover, how can we prevent digital disease propagation if carriers of these maladies don’t realize they are infecting others? Addressing these issues will be a key area of import for any proposed cyber World Health Organization and fundamental to our future communal safety and that of our critical information infrastructures.

  The cyber-security researcher Mikko Hypponen has pointed out the obvious Achilles’ heel of our modern technology-infused world—the fact that everything is run by computers and that everything is reliant on these computers’ working. The challenge before us is that we must have some way of continuing to work even if all computers fail. Were our information systems to crash on a mass scale, there would be no trading on financial markets, no taking money from ATMs, no telephone network, and no pumping gas. If these core building blocks of our society were to suddenly go away, what would be humanity’s backup plan? The answer is simply, we do not have one.

  Taking the steps outlined in this chapter will go a long way toward protecting us from the panoply of threats we face today, but such a plan of action is far from foolproof. We are at the dawn of a technological arms race, an arms race between people who are using technology for good and those who are using it for ill. The challenge is that nefarious uses of technology are scaling exponentially in ways that our current systems of protection have simply not matched. It’s time to build greater resiliency into our global information grid in order to avoid a system crash. If we are to survive the progress offered by our technologies and enjoy their abundant bounty, we must first develop adaptive mechanisms of security that can match or exceed the exponential pace of the threats before us. On this most important of missives, there is unambiguously no time to lose.

  CHAPTER 18

  The Way Forward

  Let no one be discouraged by the belief there is nothing one person can do against the enormous array of the world’s ills, misery, ignorance, and violence. Few will have the greatness to bend history, but each of us can work to change a small portion of events. And in the total of all those acts will be written the history of a generation.

  ROBERT F. KENNEDY

  Our technological genie cannot be put back in its bottle. Whether in cyber, robotics, artificial intelligence, or synthetic biology, massive changes are afoot in our world. These changes have brought us to the knee of an exponential curve—one that will be explosive in its growth in the coming years. Indeed, these breakthroughs will arrive much sooner than most would have anticipated, as one domain of science leads to progress in another. Advances in information technology drive synthetic biology and artificial intelligence drives robotics. Each of these forces affects the other, driving exponentials of exponentials. As noted throughout this book, however, not all of these developments will be for good. In example after example, we’ve documented criminals, terrorists, hackers, and rogue governments subverting technology and using it to harm others. The point of course is not that technology is evil. Fire, the original technology, could be used to keep us warm, cook our food, or burn down the village next door. A knife can be wielded both by a surgeon and by a murderer. In the hands of those of good intent, our rapidly evolving technologies will bring tremendous abundance to the world. But in the hands of a suicide bomber, the future can look quite different.

 
