Cyberwar: Silicon Valley’s new bright, shiny thing

The Cybersecurity Tech Accord is the latest public relations effort by the private sector to show that they’re serious about making cyberspace a safer and more secure environment.

For real this time.

The accord comes on the heels of Google employees demanding that their company not be “in the business of war,” and earlier statements by the president of Microsoft calling for a digital Geneva Convention. In the immortal words of the bard: it is a tale of sound and fury, signifying nothing.

Between citrus and cyberwar

Silicon Valley is only the place is it today because of war, both hot and cold. It is easy to forget that the place now building Uber for dirty underwear, and streaming video of other people playing video games was also the home of Liberty Ships, the Polaris missile, and the armored personnel carrier among other martial technologies. Defense contracts funded early tech companies, including one of the biggest defense contractors in the world. Palatiar, which made Total Information Awareness a reality, is a child of the valley. Like it or not, the valley has played a key role in our nation’s ability to wage war since before transistors replaced fruit trees.

Perpetuating legacy futures

Good wishes and aspirations captured on paper isn’t going to lead to progress. The tech accord is yet another attempt by people trained to think and act in the approved way to force legacy futures on a world that does not fit the old models. We have an actual Geneva convention that gets violated all the time. More countries have nuclear weapons today than had them before the non-proliferation treaty was in effect. Systems and methods built to deal with physical weapons will not work when applied to code, but it is far easier to go with what you know, regardless of whether that will get us where we want to be, or if it even makes sense.

The distraction

The most amusing part of this entire exercise is the idea that the signatories are going to do anything of substance to bring about change. What are these firms pledging to do?

• Mount a stronger defense against cyberattacks. An admirable goal. Should we start with hardening your source code? What is the backlog of reported bugs for Windows, Oracle, Cisco, anyway?
• Not help governments launch cyberattacks. A useless gesture, considering the decision to launch cyberattacks is entirely in governmental hands. No corporate assistance or approval needed.
• Do more to…improve developer and user ability to protecting themselves. The NSA just released Unfetter for public use: what are the signatories offering the world that doesn’t come with licensing and maintenance fees?
• Build on existing relationships and establish new…partnerships with industry, civil society and security researchers. We know what major tech companies think of researchers, and we already have InfraGard, ISACs, ISAOs, the things like the Cyber Threat Alliance. If everyone is at a meeting, who is doing what needs to be done?

When given the opportunity to reduce the risk of cyberattacks, most companies balk. The cybersecurity community makes a big deal out of the NSA losing some of its offensive tools, and rightfully so, but Microsoft would rather you forget that when their database of Windows bugs was hacked, timely disclosure wasn’t on the to-do list. The anti-virus industry, which loves to tout their ability to combat APT, would prefer you never hear that they helped fertilize those very threat actors.

There is cyberwar because of Windows. There are targeting packages because of Facebook and LinkedIn. There are pathways into targets (and targets themselves) because of Cisco and Juniper. The best way these firms – all signatories to the Accord – can help defend cyberspace is to not make facilitating offense a feature.

All thrust, no vector

We all want to do something to improve the state of cybersecurity, but at what point do we stop being Heracles and start being Sisyphus? The amount and type of bad things that are happening in cyberspace on a regular basis is only growing in scope and scale, but there is no corresponding public outcry to do anything about it. You can’t get people to do the minimum it takes to influence policy after children are massacred in real life: do you think people are willing to do more or less when it comes to malicious activity online?

We know what to do to counter threats, block attack vectors, and mitigate risk. We’ve known for decades. Every time we look at the problems we come up with the same solutions because the people responsible for the problems aren’t responding at scale and in a meaningful timeframe. Governments are only warring online because industry has built the environment for and provided the tools to wage it. Saying you’re against such activities absent some serious self-reflection is self-delusion.

Accords and declarations and proclamations make people feel good, but they’re aimless motion, not forward progress. They’re what you do in the hopes that, if things get bad enough the powers that be – under the guise of leadership – will call on you to implement your politically familiar and acceptable solution. But until that day comes, what are you doing to make a difference now?