
The Hypocrisy of U.S. Cyber Policy - philDunphy
http://techcrunch.com/2015/01/16/the-hypocrisy-of-u-s-cyber-policy/
======
mc32
This is a specious article. The internet landscape is not like 3D space. One
can agree to keep Antarctica demilitarized because it would be too expensive
for a private person to 'militarize' it. The internet, anyone can 'militarize'
it. So you have to have both offensive and defensive capabilities because the
barrier to entry for militarization by any third party is trivial.

In addition, it would seem they are conflating a freedom of the public
internet with keeping the internet medium free of maleficence. The latter is
night impossible. The internet is a medium not an object.

The thing about Iran is that it was the best option. You don't refuse to use a
tool like that over principle and instead choose a hardware or 'hot' war
instead. It would be like refusing to use spies because spies are 'unseemly'.
And to be strict, it was not done over the internet but via USB sticks.

It's an article to get people thinking but in reality it's self-satisfaction.
I'm sure I could try to be cleaver and write something called 'the hypocrisy
of amateur internet journalists'

------
diminoten
It's an absolute and utter joke to call for the demilitarization of the
Internet on the part of the US government, in the wake of the Sony attack.

Nation states are waging war on US companies. Regardless of what you think or
believe in the US policy abroad, the US _needs_ to find a way to defend its
citizens from attack.

~~~
AnthonyMouse
In what way is militarization going to defend against the likes of the Sony
attack?

The government is not equipped to handle this kind of security. You can't post
marines in US data centers to keep out foreign attackers, that's not how it
works. Offense isn't a defense; MAD doesn't work when you can't reliably
attribute attacks or the attacker doesn't have any meaningful infrastructure
to retaliate against.

The best thing the government could do in this context is provide money for
public security research and for security audits of popular software. But that
has nothing to do with the military or offensive capability, and the
government seems intent on going the other way with their renewed attacks on
the widespread use of encryption.

~~~
diminoten
Private companies shouldn't be going to war against nation states. The US
government should be able to defend itself and its citizens from attacks by
foreign nations.

Maybe you're right and the answer is to let private companies wage wars
against nations, but right now US government agencies have to sit on their
hands due to a lack of direction from congress on these issues.

There is no RoE for cyberwar. There really ought to be.

~~~
AnthonyMouse
It isn't a _war_. Nobody dies.

There is nothing for US government agencies to do. When a bank gets robbed
because they held their money in a cardboard box instead of a vault, the
question is not what the FBI can do to prevent that. The location of the
problem is not the government. The location of the problem is the cardboard
box.

~~~
diminoten
What?

These aren't some random bank robbers, these are entire countries.

What the hell do I pay the US government for, if not to protect me from other
nations?

No one even has remotely enough budget to deal with foreign nations attacking
them. Not Google, not Microsoft, nobody.

~~~
AnthonyMouse
> These aren't some random bank robbers, these are entire countries.

Sony's annual revenue is more than North Korea's GDP. That there can be a
legitimate question as to whether the Sony attack was carried out by North
Korea or some individual with a grudge probably puts it into the proper
context.

> What the hell do I pay the US government for, if not to protect me from
> other nations?

That's a fair point; maybe we shouldn't pay them as much.

> No one even has remotely enough budget to deal with foreign nations
> attacking them. Not Google, not Microsoft, nobody.

So budget is the issue then? Maybe you're on to something here -- we can cut
the NSA's budget and give the money to Google and Microsoft and other tech
companies so they can use it to improve security.

~~~
diminoten
I'm glad you think you can spitball solutions to global issues better than
folks who do it for a living.

That must feel good, for you.

~~~
AnthonyMouse
Right, sorry, I was mistaking this for a democracy. We should definitely just
do whatever the man from the government said and not think about it too hard.

But remind me again how the military is going to defend against the likes of
the Sony attack?

~~~
diminoten
Well, considering this is a representative democracy, we actually kind of
_should_ do what the folks we elect to tell us what to do say we should do.

If we don't like what they're telling us to do, we can always pick different
people.

But anyway, the military isn't going to do the same thing they've always done
with intelligence -- liaise with civilian government orgs to gather intel and
ultimately launch operations based on that intel.

~~~
AnthonyMouse
> If we don't like what they're telling us to do, we can always pick different
> people.

On what basis are the voters supposed to make that decision? What we see is
that our representatives take money from defense contractors and then do what
those defense contractors want them to do. If they have a good reason for that
they aren't sharing it.

That's the problem you're ignoring. "We can't tell you because it's a secret"
is something they can trivially say when the actual reason is blatant
corruption. Doing what defense contractors want for the same reason we
subsidize corn in Iowa is indistinguishable from having an actual reason when
the actual reason is secret. Which means we either have to assume that having
no public reason implies corruption, or have no defense from corruption and
consequently prolific corruption. And we _can 't have_ a corrupt and
unaccountable _military_ , that is totally crazy.

So what you're really saying is that they either have to give us the reason
(or end the programs) or we need to "pick different people". Which is kind of
what I'm saying.

> But anyway, the military isn't going to do the same thing they've always
> done with intelligence -- liaise with civilian government orgs to gather
> intel and ultimately launch operations based on that intel.

What operations? There is no military operation you can launch to prevent
someone from breaking into a computer when you don't even know they've done it
until after it's already over. You don't have a time machine.

This isn't a military problem. Look at the real world analogy of what they're
afraid of: It's like a foreign government having a spy infiltrate an American
company and steal their private documents. The defense from that has to be
from inside that company. You can't solve it from the top down.

~~~
diminoten
It's almost as if you have been completely ignoring all news events over the
past couple of years when you say "on what basis are the voters supposed to
make that decision?"

Guess what -- corruption is a possibility of our system. The end. Pick guys
who you don't think are going to be corrupted, or haven't been outed as
corrupt if you find that important.

 _Most Americans don 't find corruption to be that big of a deal._ You know
how I know that? Because they keep voting the same corrupt people into office.
Apparently, as long as things keep getting done, no one seems to mind the
corruption.

As for military response, there are _plenty_ of military operations you can
launch to deny foreign nations the capability of hacking into a company like
Sony, just like there are _plenty_ of military operations you can launch to
prevent foreign aggressors from shooting down US passenger planes, or pirating
along US coasts, or any of the dozen other preventative military operations
the US performs every single day.

~~~
AnthonyMouse
> Guess what -- corruption is a possibility of our system. The end.

That's like saying that crime is inevitable so we should disband the police.
Just because you can't totally eliminate something bad doesn't mean you can
give up fighting against it.

> _Most Americans don 't find corruption to be that big of a deal._ You know
> how I know that? Because they keep voting the same corrupt people into
> office. Apparently, as long as things keep getting done, no one seems to
> mind the corruption.

Are you honestly taking the position that murder and human rights violations
are fine as long as enough people in the district of the chairman of the
oversight committee are more interested in some other issues?

The response to "people don't care enough" is not that we should give up and
go home, it's that we need to find a way to make them care.

> As for military response, there are _plenty_ of military operations you can
> launch to deny foreign nations the capability of hacking into a company like
> Sony, just like there are _plenty_ of military operations you can launch to
> prevent foreign aggressors from shooting down US passenger planes, or
> pirating along US coasts, or any of the dozen other preventative military
> operations the US performs every single day.

OK, give an example of one. For example, the US Coast Guard can prevent marine
piracy by pirates in US territorial waters by shooting at them with heavy
weaponry until they go away, are captured, or die.

That's an actual thing that the military can do. What are they going to do
against people sitting behind computers in foreign countries? I'm honestly
asking. It doesn't make any sense to me.

The attackers never leave their home jurisdictions. Are we going to _invade
China_ because they hacked Google?

Let's just put aside the charade and call it what it is. They want permission
to attack foreign infrastructure and use it to spy. That whole thing with the
NSA? They want to do more of that, more aggressively, world-wide.

~~~
diminoten
Corruption is a problem, but it's an inherent part of our system, just like
crime. Pretending like it can be eliminated is a massive time waster.

As for dealing with hackers, they can't really hack things if their systems
are compromised, can they? Ask Iran how their nuclear development is going,
thanks to Stuxnet, for example.

You're just being sensationalist and melodramatic, and you're why places like
HN become echo chambers of stupid and untenable ideas, with your worthless
phrases like "murder and human rights violations", and "find a way to make
them care".

~~~
AnthonyMouse
> Corruption is a problem, but it's an inherent part of our system, just like
> crime. Pretending like it can be eliminated is a massive time waster.

There is no hope of _eliminating_ it, but that's hardly the same thing as
allowing it to proliferate without bound.

> As for dealing with hackers, they can't really hack things if their systems
> are compromised, can they? Ask Iran how their nuclear development is going,
> thanks to Stuxnet, for example.

Stuxnet is by far the outlier. If you compromise their systems they will, at
worst, have to get new ones. The cost difference between a PC and a uranium
enrichment facility is something like five orders of magnitude. Meanwhile
you've likely handed your enemies the 0-day you used to compromise them.

The capability necessary to launch these "attacks" is in the possession of
every sophomore computer science student in the world. No amount of
retaliation can fix that, we have to improve domestic computer security past
the point that that is no longer the case.

And going on the offense is creating a precedent that gives our enemies the
advantage. North Korea doesn't have anything worth compromising. We do. And we
can't credibly object to state-sponsored attacks while engaging in them.

> You're just being sensationalist and melodramatic, and you're why places
> like HN become echo chambers of stupid and untenable ideas, with your
> worthless phrases like "murder and human rights violations", and "find a way
> to make them care".

So to be clear, are you claiming that no killings or human rights violations
have occurred, or that they have but you think that's perfectly acceptable, or
that you just don't care or think that anybody else should?

------
tek-cyb-org
I wouldn't call it Hypocrisy, I would call it bias.

