Black Code: Inside the Battle for Cyberspace — Q&A with Ron Deibert
Ron Deibert is Director of the Canada Centre for Global Security Studies and the Citizen Lab. Nora Young interviewed him about his new book, Black Code: Inside the Battle for Cyberspace. This Q&A is a lightly edited version of that interview.
You’re the director of the Citizen Lab at the University of Toronto, which is a pretty unusual place. You’ve described it as “X-Files meets academia.” What’s your mission and how do you go about it?
Essentially, it’s to apply an evidence-based, impartial approach to investigating issues around cyberspace security from a human rights perspective. I think the signature of the Citizen Lab is our mixture of technical, forensic methods with field research. We partner with literally dozens of people all around the world who live in the countries that we’re interested in that help us undertake our research. We combine the data that they collect with, very forensic, detailed, computer engineering/programming type of investigations.
The subtitle for your book is, “Inside the Battle for Cyberspace,” and you lay out different battlegrounds where this is going on. How would you characterize what that battle is?
We kind of take this communications ecosystem that’s all around us for granted. It surrounds us, it’s deeply embedded in everything we do. It seems like this wonderful liberating technology, which it is, in many cases. It’s phenomenal. But there are kind of dark clouds forming on the horizon. They come in multiple shapes and forms, which I try to describe in the book.
I think one of the biggest ones has to do with security. The fact that this domain is now being securitized, that was probably inevitable. When it was a minor network used by university researchers and geeks, it really didn’t matter. Now that it is part of everything, part of critical infrastructure, hospitals and so on, of course, securing it has become critical.
What do you mean by securitized?
Securitized is actually a term that comes from political science, a term that describes the process of taking an area, whatever it is, drugs, environment, and describing it in military terms — the “war on drugs” and so on. We’re seeing a lot of that in cyberspace — cyberwarfare, cybersecurity.
People who have studied the processes of securitization notice that there are certain tendencies that go along with it. Secrecy is one. The predominance of military and intelligence agencies is another. Trying to govern a domain through hierarchy and closure and so on.
We see this going on in cyberspace. The big three-letter agencies that most people have never heard of are now actually taking command of cyberspace. To me, that’s paradoxical. In a world of so much seeming transparency, we’re delegating authority over — essentially our public sphere — to some of the world’s most secretive agencies. This is not a good recipe in the long run.
One of the things that you explore is how governments are surveilling and censoring the Internet. How have you seen that play out in Syria?
Syria is a really interesting case. In addition to all the terrible things that are going on, they’re in the midst of a civil war and obviously war crimes, crimes against humanity happening. I think many people initially thought, a couple of years ago, that Syria would follow in step with the other Arab regimes, like Tunisia, Egypt. There would be a toppling of this dictatorship because of Twitter-enabled dissidents.
We at the Citizen Lab — I think primarily because of our research networks in the Middle East and North Africa — we had a different view on it. We were certainly more cautious. That was because we had seen the ways these governments that were quickly toppled in Egypt and Tunisia actually had capabilities that, if you re-ran history, it might have turned out differently. I think the clock ran out on them. But they had very advanced surveillance technologies equipped by Western firms that enabled them to infiltrate opposition groups and essentially monitor their computers.
We see this going on now in Syria. Dissidents, opposition — the Syrian opposition — is routinely targeted with malicious software, usually through a Skype link or a comment on YouTube that then takes over their computers and compromises their social networks. It’s hard to say, on balance, what impact that has had on the conflict, but it’s certainly put many people on the opposition side at great risk.
The other interesting thing about Syria is the Syrian Electronic Army. There is a group of pro-government electronic actors. They seem to be operating with the encouragement and support of the Syrian government, but they’re not quite connected to it. They’re not like a traditional army. They’ve been becoming more sophisticated over time.
At first, they were defacing websites that had no connection to Syria. Of course, just a few weeks ago, they commandeered the Twitter account of Associated Press and put this notice about a bombing, a hoax about a bombing in the White House. We saw the stock market drop 500 points. They’re getting much more sophisticated. That’s a really interesting phenomenon, this idea of pro-government electronic actors using offensive computer network attack capabilities to support autocratic regimes and infiltrating opposition groups abroad.
You paint a picture of an Internet that’s gradually becoming more controlled by the government. Why is this so troubling to you?
I think there’s a kind of fitness problem when it comes to ideally what we want a global communications environment to look like and how governments tend to operate and the capabilities that they have. I think it’s inevitable that governments would get involved in the Internet.
The issue is that we don’t want a heavy hand. We don’t want them to impose controls that territorialize the Internet because ultimately, in my opinion anyway, if we are going to survive as a species — deal with all the problems that we have from environmental change to population, disease, whatever — we need a single communications environment through which we can share ideas and debate and so on.
With the Internet, we came very close to having that, but it is now being carved up. It’s being heavily monitored, and governments are asserting control. They’re changing the way private companies operate in cyberspace, in important ways.
That will end up essentially Balkanizing it, and I think that’s a recipe for disaster in the long run.
I hear from people about this all the time, which is, “Why do I care?” If I’m not breaking the law, why do I care that the government is submitting requests without a warrant. Or why do I care for that matter if Facebook is gathering all this data on me because it wants to target me with ads? Why do I care?
Beyond what I just said about the future of the human race?
[Laughs] But why does this matter to me, Ron?
There’s a demographic shift going on in cyberspace.
This technology that we take for granted here in Toronto was invented in Silicon Valley. We kind of assume it’ll always look the way it looks. We take it for granted, but the vast majority of users come from the developing world right now, from the global South.
Unfortunately, most of those users live in autocratic, failed, fragile states, authoritarian regimes. Many of them use the technology differently than how we use it. I spend a lot of time talking about that in the book — groups in Somalia, the way the militants use mobile phones, and criminal organizations in Mexico and so on.
Over time, just as we gave cyberspace its character, the Internet its character, based on our norms, our culture, and so on, it will change over time based on the users coming from these regions. I think it’s an uncomfortable truth that there are huge governance problems in those parts of the world.
In many countries, religion plays a much greater role. We see that, for example, in Pakistan, in India, and a lot of other countries in the global South. It’s beginning to change the nature of the technology.
You spend a bit of time talking about the Stuxnet worm, which appears to have been created by the US and Israel, and raises this question of whether we’re looking at a future of cyber warfare. Do you think that that’s a likely scenario, that we could see full-on cyber warfare?
This is a topic that’s widely debated in the security community, people who study warfare. A good friend of mine, Thomas Rid, just published a book called “Cyber War Will Not Take Place.” He’s convinced that this is overstated.
I have great respect for him, but I think as Stuxnet has shown, it is certainly possible to engage in sabotage of critical infrastructure through cyberspace. The big troubling concern I have is that governments are now devoting a lot of resources within their armed forces to refining techniques like Stuxnet.
It’s not just the United States now. Now that Stuxnet has happened, the precedent has been set. As the NSA’s Michael Hayden said, a Rubicon has been crossed. I think many other countries will look to develop these techniques, and so we have an arms race in cyberspace.
This is one of the other big troubling concerns I have, the number of countries that have cyber commands is growing. There’s a great potential now for, I think, some kind of accident that could lead to kinetic conflict.
It’s not so much virtual war, pressing buttons and so on that troubles me. It’s something like a dispute over the islands in the South China Sea. Tensions heat up and then China would be hard pressed not to deploy information operations to try to disrupt American forces, which would then lead to some kind of reprisals.
It doesn’t take a genius to spell out a scenario like that where we can be led very quickly down the road of a real armed conflict because of growing tensions in cyberspace.
We have this industrial espionage online, we’ve got cyber warfare, we’ve got crime, we’ve got all sorts of spam. We’ve got a future where everything around us has a digital layer. Why not bring the Internet more directly under control of governments, then?
We can’t escape governments. We need governments in order to set regulations and standards. But I think, ultimately, for this communications environment to remain open and distributed so that if you’re in India and I’m in Canada, we can access the same information, and we can speak to each other privately and securely. We need a different model of governance.
Don’t forget that most of cyberspace, what we call cyberspace, is in private sector hands. While governments are important and we do need to bring some order to deal with a lot of the major security threats, I actually think the best way to deal with them is through a distributed approach.
The kicker to the book, if you will, is laying out this philosophy, if you will, of how to deal with security in cyberspace. I think it’s nothing new, I’m not inventing anything. I’m saying the principles that we need to remind ourselves of actually go back to ancient Greece, principles like mixture, division, checks and balances, oversight. We’re losing sight of all of these things, especially in liberal democratic countries as we give away powers to secretive agencies to control this space.
While security is important, we’ve got to remember not to throw the baby out with the bath water.
It’s not that we don’t need governance, it’s the shape of that governance.
Absolutely. We need security forces. We need intelligence agencies. It’s a matter of balance. We’ve really gone overboard, in my opinion, delegating so much power and authority to these secretive agencies to control this space that is ultimately a public domain.
We need to stop and think, OK, we have serious security problems, critical infrastructure, it’s a big problem. But how to deal with it? Ask the engineers.
It’s interesting, when you talk to the people who actually run the Internet, although they may not be political philosophers, they probably haven’t, may not have read Polybius or even the Constitution of the United States, the methods that they apply to securing cyberspace are actually very much in accordance with the basic principles of this distributed security approach that comes from all the way back to ancient Greece.
Ron Deibert is the author of Black Code: Inside the Battle for Cyberspace. You can listen to Nora Young’s full interview with him at cbc.ca/spark/