Cybersecurity is the theater of war of the 21st century. While the 20th century’s battles were fought on the oceans, in the air, or on the ground, today’s conflicts take place in the digital realm – a realm that the U.S. state is slowly equipping itself to dominate.
This is creating a struggle between privacy rights and free trade, and the power of government to ensure public safety. And it’s playing out in front of our eyes as the Trump administration seeks to crack down on malware created by foreign “adversaries.”
Because of this, it’s vital to keep track of the politics of cybersecurity. This article looks at the roots of the current situation, assesses recent developments, and tries to tease out some takeaways to put Trump’s policies into context. And to truly understand that context, we need to step back in time – to a time when Trump was a flashy property developer, and malware had barely been conceived.
1. Expanding War-Fighting Capabilities to the Digital Battlefront
During the 1990s and 2000s, U.S. war-fighting capabilities gradually started to embrace a new set of priorities. Seeing that forces based around tanks, fighter jets, and cruise missiles were rapidly becoming less and less relevant, planners started to focus on what became known as “cyber-warfare” – taking the fight into the realm of megabits and malware, instead of missiles.
Under the Bush administration, Strategic Defence Reviews stressed the need for “Full Spectrum Dominance,” including the ability to attack targets via digital weapons. And as the War on Terror kicked into gear, the Patriot Act armed intelligence agencies with a new set of powers to track, attack, and detain suspected enemies of the state.
This continued under the Obama administration, which deepened U.S. cyber-warfare capabilities, extending already-existing NSA surveillance to encompass virtually every byte sent across networks to and within the USA. New weapons emerged as well, such as Stuxnet – a malware agent that ripped through Iranian servers associated with nuclear research in the 2010s.
More recently, stories have emerged about U.S. attempts to place malware in strategic locations within the Russian power grid – potentially providing Washington with a “nuclear button” to take down the nation’s electricity networks.
As usually happens in global affairs, U.S. attacks have sparked “blowback,” as adversaries seek to leverage their cyber-warfare expertise. However, while the state has learned more about how to fight wars in the digital realm, it has failed to boost its awareness about the threats posed by malicious online warriors. Cyber-warfare has trumped “cybersecurity,” leading to considerable vulnerabilities in the U.S. information infrastructure.
2. How Online Threats to State and Corporate Assets Have Grown
These weaknesses were exposed in vivid detail in 2016 and 2017 when the Lazarus and WannaCry malware attacks hit major U.S.-based corporations. Both were immediately connected to North Korean hacking groups, raising strong suspicions that the reclusive East Asian state had developed ways to attack American targets that the Pentagon and NSA couldn’t neutralize.
These malware attacks were complemented by the exposure of Electric Fish in 2019 – which has been linked to vast financial crimes across the world (and also traces its origins back to Pyongyang).
North Korea is not the only state exposing U.S. cybersecurity weaknesses. Chinese groups like APT10 have been accused of targeting American utilities, potentially leading to crippling blackouts. And, in a development that shows how negligent U.S. authorities have been, there’s a good chance that Chinese digital attackers have been using code created by the NSA.
At the same time, cyber-attacks by non-state actors have become endemic. The sums are so huge that we can’t say for sure exactly how much these attacks cost American companies every year. According to Accenture, the average cost of individual cyber-attacks amounts to around $13 million, and the frequency of security breaches increased by 67% from 2014 to 2019.
Given that state of affairs, the fact that the U.S. government is taking action to boost its cybersecurity powers is unsurprising. However, coming after the shocking extent of the NSA surveillance scandals, and with distrust of the Trump administration rising, is this expansion a welcome development, and what does it mean for everyday internet users?
3. How the Trump Administration is Taking Action on Cybersecurity
On May 15, 2019, the White House released a highly significant Executive Order, entitled “Executive Order on Securing the Information and Communications Technology and Services Supply Chain.” Forget about the clunky official title. The substance of this Order has some clear implications for the way we use the internet, and the security measures we need to adopt.
Trump’s Order responded directly to the kind of threats documented earlier, including the dangers posed to information storage infrastructure by “economic and industrial espionage.”
Importantly, the Order placed blame for this situation on the growing use of foreign-developed technology (with the role of Chinese companies like Huawei firmly in the background). While acknowledging that free trade and technological exchange have significant benefits, the Order made one key demand, which called those ideals into question.
Trump’s Order has created a new prohibition on importing technology produced by companies in which foreign powers have a controlling interest, provided that the Secretary of State for Commerce has deemed that the technology would pose a severe security threat to U.S. assets (private and public).
This essentially allows government officials to determine which foreign suppliers are approved, and which companies are unacceptable. And it enables the state to penalize companies or individuals who engage with those suppliers.
The idea is to prevent the importation of technologies that are capable of disseminating malware or spying on American citizens. But will it work? In that context, it’s worth remembering that this E.O. comes after a related Order in 2017, which sought to strengthen U.S. corporate and Federal defenses against cyber-attacks. That failed to have the desired effect, resulting in the need for more stringent measures.
4. Is the U.S. Government Tightening Its Grip on Cybersecurity?
Trump’s latest Executive Order could well raise alarms among U.S. IT professionals. For instance, many companies work with Chinese firms like Huawei, or source products from Chinese manufacturers, and will need to ensure regulatory compliance for any future imports.
There are also signs that individuals have cause to be concerned. The Executive Order encompasses tech imports as well as “software and other products or services originally intended to fulfill the role of information or data processing, storage, retrieval, or communication by electronic means.”
This means that many of those downloading software developed abroad will need to take into account the status of the vendor. Seeing as almost all software these days incorporates “data processing,” the scope of the Order is potentially enormous.
So, on the surface, it seems as if the state is launching a new phase in its cybersecurity efforts, but what are the takeaways for everyday web users?
5. Understanding the Implications of Cybersecurity Politics
Firstly, there’s no need for businesses or individuals to panic. While the Order represents an expansion in the power of government to sanction foreign companies and individuals, it does not mandate punishments for U.S. citizens.
That said, the future could hold some nasty surprises if the Order is pursued to its logical conclusion. For instance, companies may find it harder to recruit trained professionals from countries deemed “adversaries” of the USA.
Companies that have sourced software or hardware solutions from foreign-owned suppliers could find that their connections to suppliers are disrupted, leading to serious technical challenges.
There may also be challenges for individual software users. For example, many of the best VPNs are based outside the USA. The Executive Order could be used as a tool to suppress these privacy-enhancing services, especially if Congressional oversight is not sufficient.
So, what’s the key takeaway from our brief look at U.S. cybersecurity politics? While panic and alarm are counter-productive, the expanding state role in determining what technologies are acceptable is something to watch. When coupled with the dangers posed by official surveillance, it suggests that we should reinforce efforts to balance security and freedom in the digital age.