Tag: cyber security

Algorithmic Bias: How the Clinton Campaign May Have Lost the Presidency or Why You Should Care

This post is a co-authored piece:

Heather M. Roff, Jamie Winterton and Nadya Bliss of Arizona State’s Global Security Initiative

We’ve recently been informed that the Clinton campaign relied heavily on an automated decision aid to inform senior campaign leaders about likely scenarios in the election. This algorithm—known as “Ada”—was a key component, if not “the” component, in how senior staffers formulated campaign strategy. Unfortunately, we know little about the algorithm itself. We do not know all of the data that was used in the various simulations it ran, or what its programming looked like. Nevertheless, we can be fairly sure that demographic information, prior voting behavior, prior election results, and the like were among the variables, as these are stock for any social scientist studying voting behavior. What is more interesting, however, is that we are fairly sure there were other variables that were less straightforward and that ultimately led to the campaign’s inability to see the potential losses in states like Wisconsin and Michigan, and the near loss of Minnesota.

But to see why “Ada” didn’t live up to her namesake (Ada, Countess of Lovelace, a progenitor of computing) is to delve into what an algorithm is, what it does, and how humans interact with its findings. It is an important point to make for many of us trying to understand not merely what happened this election, but also how increasing reliance on algorithms like Ada can fundamentally shift our politics and blind us to the limitations of big data. Let us begin, then, at the beginning.

Continue reading

Empathy, Envy and Justice: The Real Trouble for Algorithm Bias

Rousseau once remarked that “It is, therefore, very certain that compassion is a natural sentiment, which, by moderating the activity of self-esteem in each individual, contributes to the mutual preservation of the whole species” (Discourses on Inequality). Indeed, it is compassion, and not “reason,” that keeps this frail species progressing. Yet this ability to be compassionate, which is by its very nature an other-regarding ability, is (ironically) the other side of the same coin: comparison. Comparison, or perhaps “reflection on certain relations” (e.g. small/big; hard/soft; fast/slow; scared/bold), also gives rise to the degenerative features of pride and envy. These twin vices, for Rousseau, are the root of much of the evil in this world. They are tempered by compassion, but they engender the greatest forms of inequality and injustice in this world.

Rousseau’s insights ought to ring true in our ears today, particularly as we attempt to create artificial intelligences to overtake or mediate many of our social relations. Recent attention given to “algorithm bias,” where the algorithm for a given task draws from either biased assumptions or biased training data and yields discriminatory results, is, I would argue, working the problem of reducing bias from the wrong direction. Many, the White House included, are presently paying much attention to how to eliminate algorithmic bias, or in some instances to solve the “value alignment problem,” thereby indirectly eliminating it. Why does this matter? Allow me a brief technological interlude on machine learning and AI to illustrate why eliminating this bias (à la Rousseau) is impossible.

Continue reading

Deterrence in Cyberspace and the OPM Hack

I have yet to weigh in on the recent hack on the Office of Personnel Management (OPM). Mostly this is for two reasons. First is the obvious one for an academic: it is summer! But the second, well, that is due to the fact that, as most cyber events go, this one continues to unfold. When we learned of the OPM hack earlier this month, the initial figures were 4 million records. That is, 4 million present and former government employees’ personal records were compromised. This week, we’ve learned that it is more like 18 million. While some argue that this hack is not something to be worried about, others are less sanguine. The truth of the matter is, we really don’t know. Coming out on one side or the other is a bit premature. The hack could be state-sponsored, with the data squirreled away in a foreign intelligence agency. Or it could be state-sponsored, but with the data sold off to high bidders on the darknet. Right now, it is too early to tell.

What I would like to discuss, however, is what the OPM hack—and many recent others like the Anthem hack—show in relation to thinking about cybersecurity and cyber “deterrence.” Deterrence, as any IR scholar knows, is about getting one’s adversary not to undertake some action or behavior. It’s about keeping the status quo. When it comes to cyber-deterrence, though, we are left with serious questions about this simple concept. Foremost amongst them is: deterrence from what? All hacking? Data theft? Infrastructure damage? Critical infrastructure damage? What is the status quo? The new cybersecurity strategy released by the DoD in April is of little help. It merely states that the DoD wants to deter states and non-state actors from conducting “cyberattacks against U.S. interests” (10). Yet this is pretty vague. What counts as a U.S. interest?

Continue reading

It’s the Biggest National Threat and We Can’t Help You

The Department of Defense’s (DoD) new Cyber Strategy is a refinement of past attempts at codifying and understanding the “new terrain” of cybersecurity threats to the United States. While I actually applaud many of the acknowledgements in the new Strategy, I am still highly skeptical of the DoD’s ability to translate words to deeds. In particular, I am skeptical because the entire Strategy is premised on the fact that the “DoD cannot defend every network and system against every kind of intrusion” because the “total network attack surface is too large to defend against all threats and too vast to close all vulnerabilities” (13).

Juxtapose this fact with the statement that “from 2013-2015, the Director of National Intelligence named the cyber threat as the number one strategic threat to the United States, placing it ahead of terrorism for the first time since the attacks of September 11, 2001” (9). What we have, then, is the admission that the cyber threat is the top “strategic”—not private, individual or criminal—threat to the United States, and that the DoD cannot defend against it. The Strategy thus requires partnerships with the private sector and key allies to aid in the DoD’s fight. Here is the rub, though: private industry is skeptical of the US government’s attempt to court it, and many of the US’s key allies do not trust much of what Washington says. Moreover, my skepticism is furthered by the simple fact that one cannot read the Strategy in isolation. Rather, one must take it in conjunction with other policies and measures, in particular Presidential Policy Directive 20 (PPD 20), H.R. 1560 “Protecting Cyber Networks Act,” and the sometimes forgotten Patriot Act.

Continue reading

Not What We Bargained For: The Cyber Problem

Last week the New America Foundation hosted the launch of its interdisciplinary cybersecurity initiative. I was fortunate enough to be asked to attend and speak, but the real benefit was that I was afforded an opportunity to listen to some really remarkable people in the cyber community discuss cybersecurity, law, and war. I heard a few very interesting comments. For instance, Assistant Attorney General John Carlin claimed that “we” (i.e. the United States) have “solved the attribution problem,” and the National Security Agency Director and Cyber Command (CYBERCOM) Commander, Admiral Mike Rogers, said that he will never act outside of the bounds of law in his two roles. These statements got me thinking about war, cyberspace and international relations (IR).

In particular, IR scholars have tended to argue over the definitions of “cyberwar,” and over whether and to what extent we ought to view this new technology as a “game-changer” (Clarke and Knake 2010; Rid 2011; Stone 2011; Gartzke 2013; Kello 2013; Valeriano and Maness 2015). Liff (2012), for instance, argues that cyber power is not a “new absolute weapon,” and that it is instead beholden to the same rationale as the bargaining model of war. Of course, the problem for Liff is that the “absolute weapon” he utilizes as a foil for cyber weapons/war is not equivalent in any sense, as the “absolute weapon,” according to Brodie, is the nuclear weapon, which has a different and unique bargaining logic unto itself (Schelling 1977). Conventional weapons follow a different logic (George and Smoke 1974).

Continue reading

The “Right” to Be Forgotten & Digital Leviathans

We hear every day that technology is changing rapidly, and that we are at risk of others violating our rights through digital means. We hear about cyber attacks that steal data, such as credit card numbers, social security numbers, names, incomes, or addresses. We hear about attacks that steal intellectual property, from movies to plans for the F-35 Joint Strike Fighter. Indeed, we face a continual onslaught not only from cyber criminals, but from the media as well. One of the lesser-reported issues in the US, however, has been a different discussion about data and rights protection: the right to be forgotten.

Last year, the European Court of Justice ruled in Google vs. Costeja that European citizens have the right, under certain circumstances, to request that search engines like Google remove links that contain personal information about them. The Court held that in instances where data is “inaccurate, inadequate, irrelevant or excessive,” individuals may request that the information be erased and delinked from the search engines. This “right to be forgotten” is a right that is intended to support and complement an individual’s privacy rights. It is not absolute, but must be balanced “against other fundamental rights, such as freedom of expression and of the media” (paragraph 85 of the ruling). In the case of Costeja, he asked that a 1998 article in a Spanish newspaper be delinked from his name, for in that article, information pertaining to an auction of his foreclosed home appeared. Mr. Costeja subsequently paid the debt, and so on these grounds the Court ruled that the link to his information was no longer relevant. The case did not hold that information regarding Mr. Costeja had to be erased, or that the newspaper article had to be eliminated, merely that the search engine result did not need to make this particular information “ubiquitous.” The idea is that in an age of instantaneous and ubiquitous information about private details, individuals have a right to try to balance their personal privacy against other rights, such as freedom of speech.

Continue reading

SOTU: Cyber What?

In last night’s State of the Union Address, President Obama briefly reiterated the point that Congress has an obligation to pass some sort of legislation that would enable cybersecurity to protect “our networks,” our intellectual property and “our kids.” The proposal appears to be a renewed request that companies share more information with the government, in real time, about the hacks they are suffering. Yet there is something a bit odd about President Obama’s cybersecurity call to arms: the Sony hack.

In the public attention given over to the Sony hack, from the embarrassing emails about movie stars, to the almost immediate claims from the Federal Bureau of Investigation (FBI) that the attack came from North Korea, to the handwringing over what kind of “proportional” response to launch against the Kim regime, we have watched the cybersecurity soap opera unfold. In what appears to be the finale, we now have reports that the National Security Agency (NSA) watched the attack unfold, and that it was really the NSA’s evidence, and not that of the FBI, that supported President Obama’s certainty that North Korea, and not some disgruntled Sony employee, was behind the attack. Where does this leave us with the SOTU?

First, if we believe that the NSA watched the Sony attack unfold—and did not warn Sony—then no amount of information sharing from Sony would have mattered. Sony was de facto sharing information with the government whether it permitted it or not. This raises concerns about the extent to which monitoring foreign attacks violates the privacy rights of individuals and corporations. Was the NSA watching traffic, or was it inside Sony’s networks too?

Second, the NSA did not stop the attack from happening. Rather, it and the Obama administration let the political drama unfold, and took the opportunity to issue a “proportionate” response through targeted sanctions against some of the ruling North Korean elite. The sanctions are merely additions to already sanctioned agencies and individuals, and so functionally they are little more than show. The only sense that I can make of this is that the administration desired to signal publicly to the Kim regime and all other potential cyber attackers that the US will respond to attacks in some manner. This supports Erik Gartzke’s argument that states do not require 100% certainty about who launched an attack in order to retaliate. If states punish the “right” actor, then all the better; if they do not, then they still send a deterrent signal to those watching. However, if this is so, it is immediately apparent that Sony was sacrificed to the cyber-foreign-policy gods, and that there was a different cost-benefit calculation going on in the White House.

Finally, let’s get back to the Sony hack and the SOTU address. If the US was taking the Sony hack as an opportunity in deterrence, then this means that it allowed Sony to suffer a series of attacks and did nothing to protect the company. If this is the case, then the notion that we need more information sharing with the government may be false. What the government really wants is more permission, more consent, from the companies it is already watching. Protecting the citizens and corporations of the US requires a delicate balance between privacy and security. However, attempting to corrupt ways of maintaining security, such as outlawing encryption, only makes citizens and corporations more unsafe and insecure. If the US government really wants to protect the “kids” from cyber criminals, then it should equip those kids with the strongest encryption there is, and teach good cyber practices.

Theatre and Cyber Security

By now I am sure many of you have seen the news that Sony has indefinitely postponed/canceled the theatrical release of The Interview under threat from hackers apparently connected to the regime in North Korea. It is not clear whether the threat was explicitly against movie goers or against the companies screening the film, and whether the assault would be virtual or physical in form (although the Obama Administration has suggested the theatre threat was overblown and has criticized Sony for withholding the film). What is clear is that the cancellation costs Sony tens of millions of dollars in lost production and promotion costs and has established a precedent that digital assaults can produce real world costs and behavioral changes.

Quite striking is the shift in the construction of the Sony issue as a threat. Previous breaches of corporate information technology (IT) security have hardly prompted the kind of national security discourse the Sony case has generated. Indeed, the earlier disclosure of sensitive emails from the Sony IT breach did not result in discussions of a national threat. Certainly, the more international and public elements of the situation suggest a greater basis for making a national security claim. And yet, the appearances are deceptive. The Obama Administration specifically downplayed the possible threat to cinemas, with the Department of Homeland Security indicating there was no credible threat to cinemas or theatregoers. The cancellation of the film is certainly costly, but most of the cost is borne by Sony (to the tune of tens of millions of dollars). To that end, the IT breach is not any different from other corporate IT breaches where customer information has been compromised. The North Korean element is certainly substantive, but not altogether unique.

What the shift in discourse reveals is the socially constructed nature of threat. The public costs of the Sony IT breach are economically smaller than in other breaches, and the linkage to an external state is not unique to the Sony case. So materially, there is little that obviously qualifies the Sony IT breach as a national security issue, much less something that calls for US government retaliation. The discursive shift regarding the national security ‘threat’ posed by the Sony incident highlights the utility of securitization theory for thinking about the issue of cyber security. Specifically, securitization theory directs our attention to how political actors are seeking to reconstruct the Sony IT breach in ways that justify extraordinary measures, in this case the US government risking conflict escalation with an isolated, reactive, and militarized regime in North Korea on behalf of a private economic/corporate entity. Notably, since the cancellation of the film, discourses have highlighted core elements of American political identity, specifically the right to freedom of expression, as the basis of the security claim. This discursive shift suggests a societal boundary with respect to information technology issues in the United States between a private concern (the Sony breach before the film’s cancellation) and a public security matter.

Securitization also draws our attention to the political effects of security, and as a consequence to the costs of security. Who benefits from or is empowered by treating IT issues as security issues? What consequences arise from making IT security a national security matter? How can the state possibly mandate security measures for an issue that interweaves throughout the economy? What kinds of instabilities are created by involving states as security actors in the cyber realm, with the strong potential of militarization? Certainly weak states will seek to take advantage of the asymmetric opportunities of global information technology, but the question of responsibility and countermeasures remains an open one for the most powerful and developed states in the system, as does whether those should lie with the state. Specifically, in past nonsecuritized (from the standpoint of the state) IT breaches, the responsibility and the cost were assumed to lie with the victimized corporation. Securitization shifts that responsibility and cost to the state.

I have long been a skeptic of the concept of cyber security as such, and for me securitization theory opens up an analytical space for critically interrogating the concept of cyber security, the process by which information technology issues are transformed into security, as well as the political and social effects of terming information technology as security.


**Thanks to Dave McCourt for helpful comments on this post!


Cyber Letters of Marque and Reprisal: "Hacking Back"

In the thirteenth century, before the rise of the “modern” state, private enforcement mechanisms reigned supreme. In fact, because monarchs of the time had difficulties enforcing laws within their jurisdictions, the practice of private individuals enforcing their rights was so widespread that for the sovereign to be able to “reign supreme” while his subjects simultaneously acted as judge, jury and executioner, the practice of issuing “letters of marque and reprisal” arose. Merchants traveling from town to town or even on the high seas often became the victims of pirates, brigands and thieves. Yet these merchants had no means of redress, especially when they were outside the jurisdiction of their states. Thus the victim of a robbery often sought to take back some measure of what was lost, usually in like property or in proportionate value.

The sovereign saw this practice of private enforcement as a threat to his sovereign powers, and so regulated the practice through the letters of marque. A subject would appeal to his sovereign, giving a description of what transpired and then asking permission to go on a counterattack against the offending party. The trouble was, however, that often the offending party was nowhere to be found. Thus what ended up happening is that the reprisals carried out against an “offending” party usually ended up being carried out against the population or community from which the brigand originated. The effect of this practice, interestingly, was to foster greater communal bonds and ties and cement the rise of the modern state.

One might ask at this point, what do letters of marque and reprisal have to do with cybersecurity? A lot, I think. Recently, the Washington Post reported that there is increasing interest in condoning “hacking back” against cyber attackers. Hacking back, or “active defense,” is basically attempting to trace the origins of an attack, and then gaining access to that network or system. With all of the growing concern about the massive amounts of data stolen from the likes of Microsoft, Target, Home Depot, JPMorgan Chase and nameless others, the ability to “hack back” and potentially do malicious harm to those responsible for data theft appears attractive. Indeed, Patrick Lin argues we ought to consider a cyber version of “stand your ground” where an individual is authorized to defend her network, data or computer. Lin also thinks that such a law may reduce the likelihood of cyberwar because one would not need to engage or even to consult with the state, thereby implicating it in “war crimes.” As Lin states, “a key virtue of ‘Stand Your Cyberground’ is that it avoids the unsolved and paralyzing question of what a state’s response can be, legally and ethically, against foreign-based attacks.”

Yet this seems to be the opposite approach to take, especially given the nature of private enforcement, state sovereignty and responsibility. States may be interested in private companies defending their own networks, but one of the primary purposes of a state is to provide for public—not private—law enforcement. John Locke famously quipped in his 2nd Treatise that the problem of who shall judge becomes an “inconvenience” in the state of nature, thereby giving rise to increased uses of force, then war, and ultimately requiring the institution of public civil authority to judge disputes and enforce the law. Cyber “stand your ground” or private hack backs place us squarely back in Locke’s inconvenient state.

Moreover, it runs contrary to the notion of state sovereignty. While many might claim that the Internet and the cyber domain show the weakness of sovereignty, they do not do away with it. Indeed, if we are to learn anything from the history of private enforcement and state jurisdiction, sovereignty requires that the state sanction such behavior. The state would have to issue something tantamount to a letter of marque and reprisal. It would have to permit a private individual or company to seek recompense for its damage or data lost. Yet this is, of course, increasingly difficult for at least two reasons. The first is attribution. I will not belabor the point about the difficulty of attribution, which Lin seems to dismiss by stating that “the identities of even true pirates and robbers–or even enemy snipers in wartime–aren’t usually determined before the counterattack; so insisting on attribution before use of force appears to be an impossible standard.” True attribution for cyber attacks is a lengthy and time-consuming process, often requiring human agents on the ground, and it is not merely about tracing an IP address to a botnet. True identities are hard to come by, and equating a large cyber attack to a sniper is unhelpful. We may not need to know the social security number of a sniper, but we are clear that the person with the gun in the bell tower is the one shooting at us, and this permits us to use force in defense. With a botnet or a spoofed IP address, we are uncertain where the shots are really coming from. Indeed, it makes more sense to think of it as hiring a string of hit men, each hiring a subcontractor, while we are trying to find out whom we have a right of self-defense against: is it the person hiring, or the hit men, or both?

Second, even if we could engage a cyber letter of marque, we would have to have some metric to establish a proportionate cyber counter-attack. Yet what are identities, credit card numbers, or other types of “sensitive data” worth? What if they never get used? Is it then merely the intrusion? Proportionality in this case is not a cut and dried issue.

Finally, if we have learned anything from the history of letters of marque and reprisal, it is that they went out of favor. States realized that private enforcement, which then turned to public reprisals during the 18th to early 20th centuries, merely encouraged more force in international affairs. Currently the modern international legal system calls acts that are coercive, but not uses of force (i.e. acts that would violate Article 2(4) of the United Nations Charter), countermeasures. The international community and individual states no longer issue letters of marque and reprisal. Instead, when states have their rights violated (or an ‘internationally wrongful act’ taken against them), they utilize arbitration or countermeasures to seek redress. For a state to take lawful countermeasures, however, requires that it determine the state responsible for the wrongful act in question. Yet cyber attacks, if we are to rely on what the professional cybersecurity experts tell us, are sophisticated in that they hide their identities and origins. Moreover, even if one finds out the origin of the attack, this may be insufficient to ground a state’s responsibility for the act. There is always the deniability that the state issued a command or hired a “cyber criminal gang.” Thus countermeasures against a state in this framework may be illegal.

What all this means is that if we do not want to ignore current international law, or the teachings of history, we cannot condone private companies “hacking back.” The only way one could condone it is for the state to legalize it, and if this were the case, then it would be just like the state issuing letters of marque and reprisal. Yet by legalizing such a practice, states may open themselves up to countermeasures by other states. Given that most Internet traffic goes through the United States (US), many “attributable” attacks will look like they are coming from the US. This in turn means that many states would then have reason to cyber attack the US, thereby increasing and not decreasing the likelihood of cyberwar. Any proposal to condone retaliatory private enforcement in cyberspace should, therefore, be met with caution.

A Tale of Three Cyber Security Articles

Cyber security has been on the general security agenda for some time now, but it is only recently that political scientists have really engaged the topic in a serious manner befitting the theoretical and empirical advances in the field. In general, we have ceded this ground to those who either have a vested interest in the question (the cyber security industry) or to those who seek to inflate the threat based on imagined fears. This post will review some recent work in the field and evaluate the state of knowledge plus future directions.

Continue reading

Political Science without a Net

Marc Maron, on his popular WTF Podcast, made an offhand remark that he does not prepare for his comedy performances. He feels that preparing is for cowards, that you need to be ready and willing to fail in your work since there is a fine line between a unique achievement and total failure. Skirting this line led him to ruin many times in his career, but it has also led him to the transcendent place he is at now. He has reached the heights of his field by putting it all on the line and risking total devastation by focusing on his podcast, a new and untested medium at the time. Now he has one of the most popular podcasts, a TV show, and is more popular than ever on the comedy circuit.

Maron’s path to success reminds us that we need to think a bit about this frame in our own work in political science. Are we really willing to fail? Are we cowards? Do we skirt that fine line between success and ruin?

Continue reading

What is Cyber Hygiene?

I was struck this morning to read a post on a cyber security forum with a link stating the “Super Bowl was Hacked!” Clicking on the link led to this write-up and picture. I can’t think of a better visualization of the need for basic cyber hygiene. The cyber security industry kills many trees and wastes much bandwidth on discussions of cyber offensive and defensive strategies. Yet if we can’t practice basic cyber hygiene, what is the point?

The UK Cabinet estimated that as much as 80 percent of cyber crime can be prevented with basic cyber hygiene. While that figure is pretty much a wild guess, it’s also likely very much accurate. We know very little about the basics of computer protection. Ask yourself: when is the last time you changed your password? Do you know what you are agreeing to when you give an app permission for access? Have you checked to see what programs are draining power on your laptop and communicating with external computers? The answer is likely no to all these questions.
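The last of those questions is the one a practitioner can actually answer in a minute, and it is worth showing how. The script below is an added example, not part of the original post: it takes the output of the Linux command `ss -tnp` (established TCP sockets with the owning process) and lists every process whose peer address is outside the machine and the local network. The sample lines are constructed to look like `ss` output, not captured from any real host; the process names and addresses in them are invented.

```python
"""List processes with established TCP connections to external (globally routable) peers.

Added example for the cyber hygiene self-check. Parses the column layout of
``ss -tnp`` on Linux. SAMPLE_SS_OUTPUT is constructed, not real captured output;
every process name, pid and address in it is made up for illustration.
"""
import ipaddress
import re

# Constructed sample in the layout of ``ss -tnp``:
#   State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port     Peer Address:Port    Process
ESTAB  0      0      192.168.1.20:50212     140.82.112.3:443     users:(("firefox",pid=2241,fd=87))
ESTAB  0      0      127.0.0.1:39474        127.0.0.1:5432       users:(("psql",pid=3102,fd=3))
ESTAB  0      0      192.168.1.20:45032     192.168.1.10:22      users:(("ssh",pid=2890,fd=3))
ESTAB  0      0      192.168.1.20:51998     93.184.216.34:8443   users:(("updaterd",pid=911,fd=12))
ESTAB  0      0      [::1]:6010             [::1]:41566          users:(("sshd",pid=1200,fd=9))
"""

# Pulls the process name and pid out of the users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def split_host_port(addr: str):
    """Split 'host:port', handling bracketed IPv6 such as '[::1]:6010'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def is_external(host: str) -> bool:
    """True if the peer is globally routable (not loopback, link-local, RFC 1918, ULA or reserved)."""
    return ipaddress.ip_address(host).is_global


def external_connections(ss_output: str):
    """Return (process, pid, peer_host, peer_port) for every established socket with an external peer."""
    results = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        peer_host, peer_port = split_host_port(fields[4])
        if not is_external(peer_host):
            continue
        m = PROC_RE.search(fields[5])
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        results.append((name, pid, peer_host, peer_port))
    return results


if __name__ == "__main__":
    # On a real Linux host, replace SAMPLE_SS_OUTPUT with the text of:  ss -tnp
    for name, pid, host, port in external_connections(SAMPLE_SS_OUTPUT):
        print(f"{name} (pid {pid}) -> {host}:{port}")
```

Anything the script prints that you cannot explain (here the hypothetical `updaterd` talking to port 8443 on an address you do not recognise) is exactly the kind of thing the hygiene question is asking you to go and look at. Connections to loopback and to private addresses are filtered out so that local services and LAN traffic do not drown the list.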

Continue reading

Cyber Shrinkage: Loss and Cyber Security

The nature of cyber discourse concerns me, and this is a point I have written about extensively with Ryan Maness (Valeriano and Maness 2012a, Valeriano and Maness 2012b, Valeriano and Maness 2014). The idea is that the threats we see materialize from cyberspace seem to vastly outweigh any other threats we have faced, ever. Some argue this cyber threat is different, faster, and bigger. I question this conventional wisdom. Is the cyber threat really any different from any other threat we have faced?

Continue reading

© 2017 Duck of Minerva
