Was this the big one?
Will the breach of at least 4 million government personnel files across all federal government agencies, including the private data of those applying for top-security clearance, be the one that brings everything down? Or is it merely another tremor before the big quake we’ve all been expecting but are in too much denial to prepare for?
In either case, it’s an opportunity to reconsider our relationship to data, to secrecy, and to the Internet itself. This latest cyberattack, which investigators think originated in China –right on the heels of a attack on the IRS, which the agency believes originated in Russia — can easily be misinterpreted as a call to tighten up security of the Internet, spy on users even more closely, and further compromise the openness of the world’s communication infrastructure.
No, instead of changing the Internet to better secure sensitive data, we should get sensitive data off the people’s network.
First, it’s important not to underestimate the gravity of the most recent breach. Government officials will surely brush off the damage as minor. Sure, it’s inconvenient for all these workers to have their Social Security numbers and other important records released, but it’s not like the enemy has our nuclear launch codes. But with their hands on private personnel data — particularly that of officials and operatives with the highest levels of security clearance — they have unpredictable leverage in any number of situations.
Imagine how well pilots perform when they find out their family’s bank account at home has been frozen. Or consider how effectively an operative can perform in the field when her counterparts have access to her medical or psychological histories. How well can an ambassador function when the foreign government he’s attempting to strong arm can blackmail him over things he’s confessed to his supervisors but not his wife?
No, data breaches aren’t pretty, and the things smart hackers and governments can do with even peripheral files dwarf any of the cable-TV drama scenarios I’m imagining here. But they are to be expected because they are an inevitable outcome of using an open network to convey information we mean to keep closed.
The Internet was not designed for this. The network was built on the presumption of trust. (Don’t overestimate the Defense Department’s role in building the thing. The computer scientists the DoD funded had a bigger idea than facilitating Pentagon communications.)
The net was meant for researchers to share information with trusted peers on other nodes of the network. All the machines talk to one another as intimately as two nerve endings in your brain. They ping each other back and forth, all the time. Even “I’m closed to you” is a response from a server that is, at the very least, listening for the right request.
This is part of the reason why the Internet was originally closed to businesses, banks, and others who had agendas other than the free expression and sharing of information. The universities and organizations running the net understood that the moment people wanted to accomplish something other than learning online, the openness and effectiveness of the system would be compromised. Users had to sign an agreement promising not to conduct business online in order to get an account.
Once business, and eventually credit and banking were allowed online, networking became a whole lot more serious. Now a password meant more than accessing someone’s stored computer game files or research papers; it was connected to something real: money. And once government started using these very same networks for sensitive data, well, from then on the clock was ticking. This week, we got the alarm.
The Internet may look big, but it is a fragile little network. It can hardly handle the stress of streaming video without compromising its legacy of neutrality, much less the secrets of the U.S. government without sacrificing its true mission of connecting the people of world in open interaction.
The government, along with business, banking, and everything else that depends on security should simply get off the Internet and build another one. After this week, they can’t say they haven’t been warned.