Cyber security, civil society and vulnerability in an age of communications surveillance
Report Year: 2014 – Communications surveillance in the digital age
Organization: Justus-Liebig University Giessen and Geist Consulting
Cyber security is increasingly important to internet users, including stakeholders in governments, the private sector and civil society. As internet users increase, so does the amount of malware,2 fuelled by ubiquitous smartphones and social networking applications offering new vectors for infection. Botnets – networks of infected devices controlled by malicious operators – are used as proxies to commit criminal acts including fraud and identity or data theft. According to the antivirus company Symantec, in 2013 data breach incidents resulted in the exposure of 552 million personal identities.3 In May 2014, eBay announced that hackers had gained access to the personal data of 145 million customers and urged all customers to change their passwords.4 Infrastructures connected to the internet, such as power grids, are also vulnerable, and severely lacking security updates. A growing “internet of things”, which includes ubiquitous devices from sensors in homes and cars to medical technology, presents a plethora of new vulnerabilities to cyber security incidents.
Increasingly, states are establishing military “cyber units” or “cyber commands”, many of which have offensive hacking capabilities.5 Michael Hayden, a former director of both the CIA and the National Security Agency (NSA), has stated that Stuxnet, a state-sponsored computer worm discovered in 2011 and designed to attack and incapacitate nuclear reactors in the Natanz facility in Iran, marked “the crossing of the Rubicon” (a point of no return) for the use of state-sponsored malware.6 A number of similar worms, some of which have implemented Stuxnet’s source code, have arisen.7
Civil society organisations and human rights defenders are becoming victims of surveillance software. Some of this software is sold to law enforcement and intelligence agencies in repressive regimes. “Remote Access Trojans” can be bought both legally and on the black market, as well as downloaded for free, and are used to control mobile devices, laptops and computers remotely, capturing all the information input/viewed by the user. Such software has been used to target activists in Bahrain and Syria.8
Edward Snowden’s disclosures of documentary evidence regarding mass surveillance by the NSA, Government Communications Headquarters (GCHQ) in the United Kingdom, and other intelligence agencies of the “Five Eyes”9 countries have shown just how vulnerable the average netizen’s communications are to interception and surveillance. The disclosures have also demonstrated how surveillance activities can negatively affect the cyber security of all internet users.
It is tempting to think that more “cyber security” would be a means of countering the global privacy invasion caused by mass surveillance. However, cyber security discourse is dominated by states and corporations and focuses mainly on their security, rather than the security of civil society and of internet users. Civil society needs a vision of cyber security that puts the digital security of internet users at the centre of its focus. Attaining cyber security that protects human rights, including the right to privacy, while also ensuring an open and secure internet, will not be possible unless dominant discourses on cyber security radically change.
The problems with “cyber security”
The term “cyber security” often lacks clear definition. It is used as an umbrella concept covering a range of threats and responses10 involving national infrastructure, internet infrastructure, applications and software, and users. Sometimes it is even used to refer to the stability of the state and political structures. The inexact terminology of cyber security “mixes legitimate and illegitimate concerns and conflates different types and levels of risk.” This “prevents genuine objective scrutiny, and inevitably leads to responses which are wide-ranging and can easily be misused or abused.”11 Cyber security not only leads to overly broad powers being given to the state, it also “risks generating a consensus that is illusory” and not useful for the problems at hand.12 We need to carefully unpack the relevant issues and develop “a clear vocabulary of cyber security threats and responses,” so as to enable “targeted, effective, and rights-respecting policies.”13 If we do not, cyber security can be used by governments as a justification to censor, control or surveil internet use.
Viewing cyber security as an issue of national security is perilous and unhelpful. We should distinguish between, and not conflate, on the one hand, protecting computers, networks and information, and on the other hand using technological tools to achieve security objectives. Using “cyberspace as a tool for national security, both in the dimension of war fighting and the dimension of mass surveillance, has detrimental effects on the level of cyber security globally.”14 When cyber security is framed as a national security issue, issues regarding technology and the internet are securitised – brought onto the security agendas of states. This may be counterproductive. The state, law enforcement, military and intelligence agencies may not have the best skills or knowledge for the job. State actors may have a conflict of interest in securing information: militaries, for example, may want to develop offensive weapons, while intelligence agencies may rely on breaking or circumventing information insecurity in order to surveil better. Cyber security may also be used to protect state secrets, and criminalise whistleblowers as cyber security threats. Focusing on the state and “its” security “crowds out consideration for the security of the individual citizen, with detrimental effects on the security of the whole system.”15
Cyber security often disproportionately focuses on the protection of information, databases, devices, assets and infrastructures connected to the internet, rather than on the protection of connected users. Technological infrastructures and the assets of corporations are put at the centre of analysis, rather than human beings. Human beings are seen as a threat in the form of bad “hackers” or as a weak link in information systems, making mistakes and responding to phishing or “social engineering” attacks.16 Putting humans at the centre of cyber security is important. A definition of cyber security as purely protecting information avoids ethical challenges. Cyber security should not protect some people’s information at the expense of others. It should also not protect information about state secrets in order to enable mass surveillance and privacy invasion of individual users.
Read full article @www.giswatch.org