The Obama administration has admitted, painfully, that the recent hack of government agencies’ personnel files may have put at least 21.5 million government background checks – including those seeking top security clearance – in the hands of Chinese hackers. It’s as if our efforts to make ourselves safe by investigating people and storing that data have become our greatest vulnerability.
Maybe the Internet and security simply don’t mix?
Americans are right to respond to every computer problem with the New York Stock Exchange, United Airlines or The Wall Street Journal, as happened on the same day earlier this week, with dread. Any one of these incidents, we fear, could be the other shoe dropping on our nation’s computer insecurity, crippling blows to our networking infrastructure.
But each new tremor before the seemingly inevitable “big one” is also an opportunity to reconsider our relationship to data, to secrecy and to the Internet itself.
This latest cyberattack, which investigators think originated in China – right on the heels of an attack on the Internal Revenue Service, which the agency believes originated in Russia – can easily be misinterpreted as a call to tighten up security of the Internet, spy on users even more closely and further compromise the openness of the world’s communication infrastructure.
But we must not let our inability to tighten security on the Net lead us into increasingly paranoid surveillance of our citizens and restrictions on the freedoms of Internet users. No, instead of compromising the Internet and its users to secure sensitive data better – essentially conceding that the Internet is another high-stakes battlefield – we should get sensitive data off the people’s network.
First, it’s important to appreciate the gravity of the most recent breach. Sure, it’s inconvenient for all these workers to have their Social Security numbers and other important records released, but it’s not like the enemy has our nuclear launch codes. But with their hands on private personnel data – particularly that of officials and operatives with the highest levels of security clearance – they have unpredictable leverage in any number of situations.
Imagine how well pilots perform when they find out their family’s bank account at home has been frozen. Or consider how effectively operatives can perform in the field when their counterparts have access to their medical or psychological histories. How well can an ambassador function when the foreign government he’s attempting to strong arm can blackmail him over things he’s confessed to his supervisors but not his wife?
Or what about simply freezing 21 million Americans’ bank accounts or changing their credit scores? With 21 million files, it’s not too hard to grind the American economy to a halt, even temporarily.
Data breaches aren’t pretty, and the things smart hackers and governments can do with even peripheral files dwarf any of the cable TV drama scenarios I’m imagining here. But they are to be expected because they are an inevitable outcome of using an open network to convey information we mean to keep closed.
The Internet was not designed for this. The network was built on the presumption of trust. (Don’t overestimate the Defense Department’s role in building the thing. The computer scientists the Defense Department funded had a bigger idea than facilitating Pentagon communications.)
The Net was meant for researchers to share information with trusted peers on other nodes of the network. All the machines talk to one another as intimately as two nerve endings in your brain. They ping each other back and forth, all the time. Even “I’m closed to you” is a response from a server that is, at the very least, listening for the right request.
This is part of the reason why the Internet was originally closed to businesses, banks and others who had agendas other than the free expression and sharing of information. The universities and organizations running the Net understood that the moment people wanted to accomplish something other than learning online, the openness and effectiveness of the system would be compromised. Users had to sign an agreement promising not to conduct business online to get an account.
Once business, and eventually credit and banking, were allowed online, networking became a whole lot more serious. Now a password meant more than accessing someone’s stored computer game files or research papers; it was connected to something real: money. And once government started using these very same networks for sensitive data, well, from then on the clock was ticking. We’ve gotten the alarm.
The Internet may look big, but it is a fragile little network. It can hardly handle the stress of streaming video without compromising its legacy of neutrality, much less the secrets of the U.S. government without sacrificing its true mission of connecting the people of the world in open interaction.
The government, along with business, banking and everything else that depends on security, should simply get off the Internet and build another one. They can’t say they haven’t been warned.