GUEST BLOG / By Justin Sherman, Cybersecurity Policy Fellow,
NewAmerica.org
PillartoPost.org
Note: New America is an independent think tank in Washington, DC,
dedicated to renewing America by continuing the quest to realize our
nation’s higher ideals, honestly confronting the challenges caused by rapid
technological and social change, and seizing the opportunities those changes
create. New America kindly shares its New America Weekly blog content with
responsible media.
WHEN COUNTRIES PULL THE PLUG
On the first day of the new year, the Democratic Republic of Congo cut internet connections and SMS
services nationwide—for the second day in a row. The reason? To avoid the
“chaos” that might result from its presidential election results. Not even a
week later, on January 7, Gabon’s government did the same after an attempted
coup. While this may sound jaw-droppingly unique, it’s unlikely that these will
be the last “internet blackouts” we hear about over the coming months. (Both of
these incidents, ironically, took place after I outlined this piece.)

In fact, we’ll likely see a rise in internet blackouts in 2019, for two reasons:
countries deliberately “turning off” the internet within their borders, and
hackers disrupting segments of the internet with distributed denial-of-service
(DDoS) attacks. Above all, both will force policymakers everywhere to reckon
with the fact that the internet itself is increasingly becoming centralized—and
therefore increasingly vulnerable to manipulation, making everyone less safe.

The first method—states deliberately severing internet connections within their
country—has an important history. In 2004, the Maldivian government caused an
internet blackout when citizens protested the president; Nepal similarly caused
a blackout shortly thereafter. In 2007, the Burmese government apparently
damaged an underwater internet cable in order to “staunch the flow of pictures
and messages from protesters reaching the outside world.” In 2011, Egypt cut
most internet and cell services within its borders as the government attempted
to quell protests against then-President Hosni Mubarak; Libya then did the same
after its own unrest. In 2014, Syria had a major internet outage amid its civil
war. In 2018, Mauritania was taken entirely offline for two days when undersea
submarine internet cables were cut, around the same time as the Sierra Leone
government may have imposed an internet blackout in the same region.

When we think about terms like “cyberspace” and “internet,” it can be tempting to
associate them with vague notions of a digital world we can’t touch. And while
this is perhaps useful in some contexts, this line of thinking forgets the very
real wires, servers, and other hardware that form the architecture of the
internet. If these physical elements cease to function, from a cut wire to a
storm-damaged server farm, the internet, too, is affected. More than that, if a
single entity controls—or can at least access—that hardware for a region or
even an entire country, government-caused internet blackouts are a tempting
method of censorship and social control.

Which is to say: As countries around the world tighten control of the internet within
their borders, we can expect to see some governments with relatively
centralized internets—particularly authoritarians or those with authoritarian
leanings—literally disconnect their domestic internet networks from the rest of
the globe during domestic unrest or other incidents.

As for the second method, we can expect a rise in DDoS attacks against internet infrastructure
as millions of wildly insecure Internet of Things (IoT) devices—from smart
thermostats to water-pressure sensors—are linked online. As many studies have
documented, IoT devices typically have terrible security features, such as
basic passwords and minimal encryption. Put another way, they’re not hard to
hack. So, by compromising these devices en masse and turning them into a
“botnet” army, hackers can completely overwhelm segments of the internet,
channeling traffic to a single service until it’s overwhelmed and can no longer
function.

If that sounds far-fetched, recall what happened in 2016, when the so-called Mirai
botnet took over hundreds of thousands of IoT devices, spread across multiple
continents, and used them to flood traffic to the servers of the American
internet company Dyn. At the time, it was the largest known DDoS attack on
Earth; Twitter, Spotify, SoundCloud, Reddit, and a number of other sites were
temporarily unavailable as a result. In other words, Mirai effectively took down
part of the American internet.

Democratic governments in the United States, Europe, and elsewhere typically don’t exert
control over major internet gateways or internet servers; it’d therefore be
quite unlikely for them to cause a partial internet blackout themselves. Add to
this the fact that the internet in the United States isn’t as centralized as it
is in other countries, and it becomes clear why it’s harder to control all its
major gateways to the global network at once, like Egypt did in 2011.

But even if a government can’t easily disconnect its whole country from the
worldwide internet, Mirai demonstrated just how effectively third-party
malicious actors can take down segments of a country’s internet.

In principle, policymakers have long argued that neither of the aforementioned
scenarios was possible due largely to the internet’s decentralization. More and
more, though, the internet has become centralized in countries where the
government has controlled the buildout of infrastructure and where there’s
little market competition for internet services; and even in countries with
better market competition for internet services, and with less government
control of infrastructure, there are still pockets that remain centralized and
vulnerable—as demonstrated by the Mirai botnet attack against American internet
company Dyn.

All this matters for a few reasons. For one, democratic policymakers, in
particular, will have to think more about cyber norms in the context of
internet manipulation (i.e., disconnecting your country from the global
network), not just offensive cyber operations (i.e., hacking into another
nation’s computer systems). Several events in 2018 already made this fact
clear, like when American internet traffic was once again routed through China
and Russia and underscored the vulnerability of core internet functions to
manipulation. A sovereign and controlled model of the internet is spreading,
and democracies must effectively fight it through, among other things, norms on
and around the internet.

Two, the rising threat of botnets will create more pressure within the United States
to generate technical standards for IoT devices. Currently, there exist
virtually no consensus rules for “minimum security” on these devices, which
means that many industry organizations and government agencies are using IoT
systems that have terrible security; this not only poses vulnerability to
connected infrastructure systems and opens wearable-wearing government
personnel to real-time GPS tracking, but it also means that the IoT market is
flooded with devices that can be easily hijacked in service of DDoS attacks.
Building these standards will give companies and government agencies guidance
in building and acquiring IoT devices, which in turn will bolster their security.

Finally, countries will have to take greater international action against botnets as a
cybersecurity threat. As Jason Healey and Robert Knake wrote in a recent
Council on Foreign Relations report, DDoS attacks via scores of hijacked IoT
devices can “cause serious harm by allowing foreign governments to stifle free
speech abroad and enabling them to shut down countries’ domestic networks or
even the internet globally.” Further, explains a report from the Council to
Secure the Digital Economy, these incidents undermine “fundamental confidence
and trust in the digital economy” that depends on reliable availability and
performance of internet services.

So, whether national or regional, caused by governments or hackers, internet
blackouts are likely going to increase in frequency over the coming months—and
their harms will take many forms. But recent IoT hacks, a history of internet
disconnections around the world, and an even longer history of DDoS attacks,
collectively, give us a sign of what’s to come. Policymakers would be wise to
pay attention.
ABOUT THE AUTHOR
Justin Sherman is a fellow in New America's Cybersecurity Initiative. He is a junior
at Duke University double-majoring in computer science and political science,
where he is the Co-Founder and President of Duke’s Cyber Club and Cyber Team
and is co-teaching Duke’s “Cyber and Global Security” seminar. Sherman is also
the Co-Founder and Vice President of Ethical Tech, which works to empower ALL
people to have a voice in technology innovation, consumption, and regulation.
His research has spanned everything from critical infrastructure security and
mobile privacy to machine learning bias and the ethics of international tech
transfers, and he has written extensively on cyber policy and technology
ethics, including for Journal of Cyber Policy, Defense One, The Strategy
Bridge, Technology for Global Security, and the Council on Foreign Relations.
He is a Fellow at Interact and the youngest Fellow in the history of the Duke
Center on Law and Technology.