Editor’s note: Since the first segment of the interview with Georgia State University scholars Shawn Powers and Michael Jablonski, authors of the Real Cyber War, earlier this week, a breach of the computer systems of United Airlines, the world’s second largest airline, was detected. The same group of China-backed hackers that allegedly obtained the security-clearance records from the U.S. Office of Personnel are the prime suspects once again. In Part II of the interview, the authors discuss China’s development of the Internet, the use of the Internet in developing countries such as Kenya and Tanzania, Atlanta‘s prospects as a cybersecurity center of development and the future of Google and the Internet more generally. Click here to see Part I of the interview.
Global Atlanta: You provide intriguing reviews of how countries besides the U.S. are regulating the information traveling on the Internet. For the purposes of this interview would you describe China’s tactics at protecting what you call its “information sovereignty?”
Dr. Powers: China’s multifaceted approach of government regulation, censorship, monitoring, self-regulation, encouragement of national industry, and protectionism has been highly effective at keeping Chinese netizens away from foreign applications and content. This effort coincides with a concerted campaign to reframe access to the internet as a privilege rather than a right, for those citizens able to use the Web in ways fit for China’s harmonious society. Despite Western predictions of its inevitable failure, China’s approach has worked. According to Harvard University’s Berkman Center, 96 percent of all page views in China are of Web sites hosted within China.
China is well on its way to having a popular and robust de facto intranet system. While technically connected to providers and content from around the world, the government uses variations of IP blocking, DNS filtering and redirection, URL filtering, packet filtering, connection reset, and network enumeration to control Web access throughout China. The architecture of its system allows the government to monitor and constrain every aspect of the system, from the deployment of technology to the operation of ISPs and the creation of regulatory agencies capable of enforcing censorship through a dedicated internet police force.
The government blocks Web sites that discuss the Dalai Lama, the 1989 crackdown on Tiananmen Square protesters, the banned spiritual movement Falun Gong, and others. According to Google, which closely tracks search queries that trigger government filtering, the word “freedom” has been censored since 2010. Microblogging sites (called weibos) are also tightly controlled. New users are required to verify their identity, matched against police data, with the service before they are allowed to post. Any user found disturbing social order or undermining social stability, including by “spreading rumors, calling for protests, promoting cults or superstitions and impugning China’s honor,” is punished, often without trial.
Regulators also require ISPs to self-monitor their Web services and delete any objectionable content. The government employs more than 30 million paid “internet opinion analysts” who pose as ordinary Web users to actively combat criticism of the government. Members of the government are increasingly encouraged to embrace social media to monitor public opinion (and anger) and “actively spread the core values of the socialist system, disseminate socialist advanced culture and build a socialist harmonious society.”
Despite these controls, the Chinese intranet connects to the world’s internet in strategically advantageous ways, allowing connections to the global financial sector and many Western cultural exports. For example, the USITC estimated that in 2009, unauthorized Chinese downloading of copyrighted material cost the U.S. creative industries $48 billion per year.
Most popular Western Web sites (such as Facebook and YouTube) are either heavily censored or, at times, banned altogether, leaving them unreliable and unpopular among Chinese netizens. As a result, a robust Chinese copycat internet industry has emerged, developing local variations of Google (Baidu), Twitter (Sina Weibo), Facebook (Renren), Ebay (TaoBao), MS Messenger (QQ), and YouTube (Youku). These local copies of popular Web services are hugely popular, sometimes providing more functionality than the Western counterparts. For example, Baidu, the Chinese version of Google, includes search results from sites that allow users to freely download copyrighted content, like music, movies, and television shows. Google, meanwhile, filters similar results due to its compliance with U.S. intellectual property law. Needless to say, Baidu is vastly more popular than Google among Chinese Web users.
Restricting foreign Web content and applications serve a protectionist agenda as well. The local variations of Western internet services are all owned and operated by Chinese nationals, creating flourishing internet industry that contributes to China’s job growth and GDP.
Tencent (better known as QQ) has annual revenue of $1 billion and a current market capitalization of $24 billion, making it as big as eBay and bigger than Yahoo! Baidu earns $1 billion in annual revenue. Overall, China’s internet industry generated $42.1 billion in total revenue 2011. This is in addition to $10.8 trillion in total turnover from e-commerce and $118.7 billion in revenue from internet-based auctions. Of course, Chinese-owned companies are also the least resistant to the government’s myriad intrusive regulations.
At the same time, Chinese authorities seem cognizant of a need for the appearance of restraint in their efforts at controlling the Web. For example, in 2009, the government pushed (and ultimately backed off from) a rule that would have required the installation of a new software program called “Green Dam Youth Escort” on all computers sold in China. The software would effectively monitor a user’s every move. After strong resistance at home and abroad, however, China indefinitely delayed enforcement of the requirement.
The decision to pull back from Green Dam suggests a careful balancing act between control and individual rights. The government has also slowly scaled back its blocking of Western content, allowing selective access to certain portals while still blocking particular Web pages with objectionable content. Such an approach allows users to feel as though they are not restricted from connecting to the outside world—yet unable to detect that their freedoms are more acutely controlled.
While many Chinese activists use the internet to express criticism of government officials and policies, these criticisms are increasingly contained within a system that allows criticism, but not public protest. Han Han, China’s most popular blogger, recently soured on the potential for the internet to transform China, noting, “You feel everyone’s really angry, you feel like you could go open the window and you would see protesters on the street. But once you open the window, you realize that there’s nothing there at all.” The Economist suggests that the internet has helped Chinese leaders better manage public opinion, noting, “The internet may well turn out to have been an agent not of political upheaval in China but of authoritarian adaptation.”
Despite seemingly draconian controls—by Western standards—on the Web, 85 percent of Chinese citizens support government control and management of internet content. A 2013 study by David Herold interviewed 70 university students in China and similarly found a remarkable consensus supporting government restrictions and controls online. In terms of protecting its information sovereignty, China has adopted a multifaceted, flexible model that, thus far, has been quite effective.
Global Atlanta: In the case of a developing country such as Kenya where the M-Pesa is used as a daily currency thanks to the Internet, does such a development provide an example of Western domination of the country and a threat to its government’s sovereignty or does it help Kenya by advancing the country’s economy?
Dr. Powers: The M-Pesa platform and mobile banking more broadly are tremendous advances enabling parts of the less-developed world to leapfrog and compete in the modern global economy. But they are too often conflated with the benefits of enhanced internet connectivity. In Africa, mobile banking is primarily conducted via simple (i.e. not-smart) mobile phones and traditional telecommunications services. In fact, many of the economic and political benefits attributed to greater internet connectivity are actually due to the spread and affordability of mobile telephony, not the World Wide Web.
Don’t worry, I’m an advocate for improved global connectivity and access to information. But care is required in pursuing these goals, as they require serious commitments of resources that necessarily carry opportunity costs.
For example, let’s look at Tanzania, one of the world’s poorest economies (based on per capita income). Modeled after Sweden’s national internet program, Tanzania’s $250 billion national backbone initiative established a 10,000-kilometer high-speed fiber-optic cable network connecting rural villages, towns, and cities to the Web. The quality of the network and the speeds it offers are among the best in the world. Yet despite its availability and relative affordability compared to other networks of similar quality, less than 10 percent of its capacity is being utilized. A 2012 study found that virtually no citizens outside of government and multinational corporations had accessed the high-speed network, adding, “Few people even know it exists.” Despite the existence of the network, only 4.4 percent of Tanzanians use the internet. A Tanzanian participant in a US-Government funded training course echoed these challenges, expressing concern for the economic sustainability of internet access: “Tanzanian citizens are faced with a choice feed their families or spend their income (two to three dollars a day) on telecommunication services. Economically they cannot afford Internet access at the expense of eating to survive” (This quote comes from documents retrieved using Freedom of Information Act requests to the Department of Commerce).
Rather than spend $250 billion—roughly five times Tanzania’s GDP—building a network that is inaccessible to 95 percent of Tanzanians, why not spend the money improving its “limited [mobile] coverage in remote and underserved areas, where the majority of the population live”?
Global Atlanta: You indicate a need for “interstate cooperation and rule making,” and most interestingly cite the development of the International Telegraph Convention and the General Postal Union, which had its name changed to the Universal Postal Union. How do these organizations provide insights into the possibility for international coordination and standardization in a cyberworld?
Dr. Powers: The history of interstate cooperation and rulemaking is, actually, neatly intertwined with developments in international communication. The first two intergovernmental organizations were created in order to coordinate the rules by which information flowed across national borders. The International Telegraph Convention established the first organization in 1865. After the invention and widespread adoption of radio technology, it was renamed the International Telecommunications Union (ITU) to encompass all types of transnational telecommunication issues.
The second was the General Postal Union, established in Berne, Switzerland, in 1875. The name was changed to the Universal Postal Union (UPU) in 1878 due to rapid increases in membership. According to the UPU, the Treaty of Bern “succeeded in unifying a confusing international maze of postal services and regulations into a single postal territory for the reciprocal exchange of letters. The barriers and frontiers that had impeded the free flow and growth of international mail had finally been pulled down.”
By the beginning of the twentieth century, the UPU’s success was well known, at least among elites. In 1900 Josef Zemp, the head of Switzerland’s railway and post operations, described the intergovernmental organization as “the most powerful work for peace which history has ever seen.” In fact, the UPU and ITU were so integral to international politics that adherence to its provisions was often among the first commitments made by newly established governments.
While international post may seem seamless today, it is only a result of the coordination and standardization procedures established in the nineteenth century. At the time, there were substantial disagreements over a range of issues, as international information flows were as politicized as they are today. Before standardization, rates varied from service to service, and from day to day. There was no agreement on how shipments were to be weighed, and prepayment was allowed only for certain types of letters (and never for newspapers). Size limits also varied, occasionally resulting in a package being shipped and then refused by another service along the way, well before it reached its intended destination.
Central to the early success of these institutions was a willingness among states to agree to shared rules that would restrict their capacity to act for the sake of maintaining the integrity of the systems themselves. Speaking at the 50th anniversary of the UPU in 1924, Swedish Post Director Claes Juhlin argued that international institutions only work when states “have the will to subordinate special interests to general interests. It is in possessing these great qualities that we shall best and most thoroughly serve both our own interests and those of the world.” When the UPU was formed, statesmen understood that establishing shared standards and rules for communication across national borders, including protecting the confidentiality of messages, was critical. Their commitments became integral to the emergence of today’s international institutions, the bedrock of modern international relations.
Yet, today, international internet governance is veritably in shambles. Governments are rushing to try and control this crucial digital space by any means necessary (a trend I refer to as the rise of information sovereignty). With this in mind, acknowledging the necessary fallout from the Snowden revelations and the real possibility of the emergence of nation-based intranets, it is time we stop undercutting international institutions that are foundational to the current system of international, shared governance.
Global Atlanta: Atlanta prides itself on being a growing center for cybersecurity. Do you feel that the many companies involved in this work have an obligation to address these political and social issues. If so, would you advocate the development of a cyber security forum of some sort?
Dr. Powers: Atlanta is a hub for cyber security talent and start-ups. This is in large part due to the density of higher-Ed institutions in metro Atlanta and its surrounding areas, and Georgia Tech in particular. I’m careful in the book not to make moral or ethical arguments for or against particular courses of action. Instead, I focus on outlining the underlying motivations for particular courses of action, and particular policies, and outline their likely long-term consequences. So, rather than suggest Atlanta-based cyber companies have particular obligations, it is simply in their best interest to prioritize protecting consumer and client data from government and illegal intrusion. The American tech sector will be unable to compete globally unless it is seen as a trustworthy partner, and not a proxy for the U.S. government or the National Security Agency. It is also important for these companies to have a healthy, balanced portfolio, and not become dependent of (oftentimes bloated) government contracts for annual revenue (see my previous discussion of a rise of an information industrial complex).
Finally, the technology sector, including Atlanta-based companies, need to help in industry self-policing. This is to say: no one knows better which firms are prioritizing consumer data protections and challenging government interference than the cybersecurity companies themselves. These enterprises have a responsibility to call out those that do not live up to their promises, or risk the entire industry’s reputation for not holding each other accountable.
Global Atlanta: Do you see Google becoming increasingly dominant on the Internet globally in the future and corporations increasingly dependent on its ability to mine data, or do you see national policies and developments that will increasingly encourage the rise of competing companies – especially in China or elsewhere that will resist its dominance?
Dr. Powers: Both. Google is dominant across the data sector, and is able to use this dominance to prevent competition. It also uses its tremendous resources ($125,572 of revenue per minute) to purchase start-ups that may compete in the future and to prevent talented information scientists and engineers from working for other companies. This is concerning, not because of Google harbors evil intentions (that I know of, anyway), but because it slows competition and innovation in this crucial economic sector.
Google’s dominance, and the substantial financial and political stakes in controlling data markets, also mean that powerful state actors (China and Russia in particular) are increasingly concerned about cultivating Google (and Facebook, and Amazon, and Twitter) rivals capable of competing nationally and, eventually, internationally. This is why the rise of information sovereignty, whereby governments enact policies to increase control over domestic information flows, isn’t simply about security. It is also about economic protectionism. Restrictions on Google’s operations in China, for example, don’t simply slow the free flow of information into (and out of) the mainland. They also give Chinese companies time to grow, establish brands and large consumer bases enabling them to compete with the Google’s of the world down the road.
The EU is increasing concerned about Silicon Valley’s dominance as well, as is evidenced by the European Commission’s ongoing antitrust inquiry against Google and its wide-ranging probe of Amazon and Facebook. And its “Digital Single Market” strategy is clearly an effort to energize European tech companies to innovate and compete on a global level.
So, while Google and several other American tech companies remain dominant, governments have tremendous tools to shape the industry, including regulation, subsidies and force. These battles between governments to shape the digital marketplace is, for me, the heart of the Real Cyber War.
Global Atlanta: A paragraph in an article in the Sunday, July 19, issue of the New York Times by Michael D. Shear and Nicole Perlroth includes a certain sense of urgency: “The dangers are accelerating as hackers repeatedly target computer networks used to collect taxes, secure ports and airports, run air traffic control systems, process student loans, oversee the nation’s nuclear stockpile, monitor the Federal Reserve and support the armed services. Last year, officials say, there were more than 67,000 computer-related incidents at federal agencies, up from about 5,000 in 2006.” Even the Department of Homeland Security faces more “complacency” than “competency,” according to sources in the article.
Mr. Jablonski: Cybersecurity companies that fail to address political and social issues arising from collection and diffusion of information across computer-controlled communications create a false sense of security. The perception bias that cyber exploits are technological problems permits every day users of the internet, or other technologies, to shift responsibility for their own bad decisions to other entities. “Hackers” have become modern incarnations of mythical creatures lacking form or substance roaming a mysterious (and imaginary) space to visit untold terrors upon innocent users. The hackers, in this mythology, live in exotic places most users do not comprehend, like China, or Iran, or North Korea. Since hackers exploit technology defects, the fable justifies use of technological talismans with arcane names like “firewalls,” “anti-virus,” or “malware detectors” which somehow force the hacker to withdraw in terror.
The problem, though, is that there will never be a pure technological fix to cyber threats because it is not a pure technological problem. Cyber security is mainly a social problem. Firewalls, anti-virus software, and malware detectors only work when users employ them. Cyber attackers seek to exploit the weakest part of the system. Often the weak point is the human user. Phishing attacks, for example, work because some users can be fooled into disclosing sufficient information to compromise systems. Often it only takes one careless user to create an opening for a system breach.
Cybersecurity companies are beginning to realize that the internet is a sociotechnological system. Technology is an expression of society. Providing tools to defeat attacks is not enough to prevent havoc. There must be social buy-in. Non-technical users of the internet, unfortunately, fail to consider that they are part of the system. The internet has famously been described as a “network of networks.” Each user is part of a network and, therefore, is part of the internet. Responsibility comes with network membership. Fixes based upon technology alone allow individual members of the network to blame someone else for failure.
Comparing the recent theft of data from the Office of Personnel Management with the Sony Pictures breach last November is instructive. Guardians of Peace, as the hackers named themselves, apparently accessed the Sony systems for more than a year. The intrusion was evident only after the hackers activated malware that rendered many of the networked computers inoperative. Immediately there was a demand that the U.S. do something to preserve the integrity of the network. Very few argued that Sony shared some measure of fault for failing to operate high-quality data safeguards.
The demand that the government protect the network was itself an indication that users sought to shift responsibility to a third party. It was never clear what the U.S. should do. Ironically, in June 2015 the federal OPM revealed a massive breach in its own data warehouse that had existed since at least March 2014. The OPM breach had been discovered during a product demonstration of intrusion detection software by a commercial cybersecurity company. Government systems were as vulnerable as ones operated by private companies.
One of the arguments of The Real Cyber War is that internet governance is an important battleground. Demands that government do something to protect against data breaches in effect argue that government should have a greater role in controlling the flow of online information. Increased government surveillance of networks concomitantly increases the ability of government to harvest, store, and analyze personal information transmitted across the net. So on the one hand, people upset about pervasive information collection activities of the National Security Agency were arguing on the other hand that government should take action to prevent catastrophic intrusions into databases, a process that requires collection and examination of huge volumes of internet communication. The existence and scale of NSA activities became public only because NSA itself had a data breach in which Edward Snowden used digital certificates and keys, as well as usernames and passwords assigned to colleagues to access information that he was able to collect for future release.
The Sony hack, the OPM data theft, and Snowden’s rifling of NSA files could have been prevented. All of them resulted from vulnerabilities known to the victims. What was missing was a deeper understanding of governance issues for the involved networks and that the weak link in the sociotechnological system is the people who use the system. A cybersecurity forum would be a basic step. A more sophisticated approach involves educating every user about vulnerabilities and good practices while inculcating an understanding that cyber security is a personal responsibility.
Global Atlanta: More generally, how do you foresee the Internet developing globally?
Dr. Powers: The history of technological development and integration is remarkably circular. The introduction of new technologies disrupts existing markets and institutions, creating extraordinary opportunity and, sometimes, panic. New industries emerge, typically led by monopolies, some of which are capable of threatening existing political order. Governments, whose primary motivation is survival, adjust, sometimes coopting the power of these emerging giants, and other times regulating them (or even breaking them up entirely).
The current cycle of disruption differs due to the speed with which decisions are made and conveyed, and the fact that that digital technologies now touch every single economic sector. This means that the stakes are higher, and the transition a bit less stable, as institutions are forced to adjust at the pace of a Millennial’s attention span. Thus, while the internet and all of its potentialities will eventually be firmly entrenched into existing institutional frameworks, during a period of transition, there is a capacity to challenge existing institutions (see Uber and Craigslist, for example), and their protocols (see Anonymous, for example), for better or for worse. The challenge, from my perspective, is to encourage productive disruption, while preserving and reforming the institutions capable of protecting public and consumer interests.