GUEST BLOG / By Justin Sherman, Cybersecurity Policy Fellow, NewAmerica.org
PillartoPost.org note: New America is a Washington DC, independent think tank dedicated to renewing America by continuing the quest to realize our nation’s higher ideals, honestly confronting the challenges caused by rapid technological and social change, and seizing the opportunities those changes create. New America kindly shares its New America Weekly blog content with responsible media.
WHEN COUNTRIES PULL THE PLUG
On the first day of the new year, the Democratic Republic of Congo cut internet connections and SMS services nationwide—for the second day in a row. The reason? To avoid the “chaos” that might result from its presidential election results. Not even a week later, on January 7, Gabon’s government did the same after an attempted coup. While this may sound jaw-droppingly unique, it’s unlikely that these will be the last “internet blackouts” we hear about over the coming months. (Both of these incidents, ironically, took place after I outlined this piece.)
In fact, we’ll likely see a rise in internet blackouts in 2019, for two reasons: countries deliberately “turning off” the internet within their borders, and hackers disrupting segments of the internet with distributed denial-of-service (DDoS) attacks. Above all, both will force policymakers everywhere to reckon with the fact that the internet itself is increasingly becoming centralized—and therefore increasingly vulnerable to manipulation, making everyone less safe.
The first method—states deliberately severing internet connections within their country—has an important history. In 2004, the Maldivian government caused an internet blackout when citizens protested the president; Nepal similarly caused a blackout shortly thereafter. In 2007, the Burmese government apparently damaged an underwater internet cable in order to “staunch the flow of pictures and messages from protesters reaching the outside world.” In 2011, Egypt cut most internet and cell services within its borders as the government attempted to quell protests against then-President Hosni Mubarak; Libya then did the same after its own unrest. In 2014, Syria had a major internet outage amid its civil war. In 2018, Mauritania was taken entirely offline for two days when undersea internet cables were cut, around the same time as the Sierra Leone government may have imposed an internet blackout in the same region.
When we think about terms like “cyberspace” and “internet,” it can be tempting to associate them with vague notions of a digital world we can’t touch. And while this is perhaps useful in some contexts, this line of thinking forgets the very real wires, servers, and other hardware that form the architecture of the internet. If these physical elements cease to function, from a cut wire to a storm-damaged server farm, the internet, too, is affected. More than that, if a single entity controls—or can at least access—that hardware for a region or even an entire country, government-caused internet blackouts are a tempting method of censorship and social control.
Which is to say: As countries around the world tighten control of the internet within their borders, we can expect to see some governments with relatively centralized internets—particularly authoritarians or those with authoritarian leanings—literally disconnect their domestic internet networks from the rest of the globe during domestic unrest or other incidents.
As for the second method, we can expect a rise in DDoS attacks against internet infrastructure as millions of wildly insecure Internet of Things (IoT) devices—from smart thermostats to water-pressure sensors—are linked online. As many studies have documented, IoT devices typically have terrible security features, such as basic passwords and minimal encryption. Put another way, they’re not hard to hack. So, by compromising these devices en masse and turning them into a “botnet” army, hackers can completely overwhelm segments of the internet, channeling traffic to a single service until it can no longer function.
If that sounds far-fetched, recall what happened in 2016, when the so-called Mirai botnet took over hundreds of thousands of IoT devices, spread across multiple continents, and used them to flood traffic to the servers of the American internet company Dyn. At the time, it was the largest known DDoS attack on Earth; Twitter, Spotify, SoundCloud, Reddit, and a number of other sites were temporarily unavailable as a result. In other words, Mirai effectively took down part of the American internet.
Democratic governments in the United States, Europe, and elsewhere typically don’t exert control over major internet gateways or internet servers; it’d therefore be quite unlikely for them to cause a partial internet blackout themselves. Add to this the fact that the internet in the United States isn’t as centralized as it is in other countries, and it becomes clear why it’s harder to control all its major gateways to the global network at once, like Egypt did in 2011.
But even if a government can’t easily disconnect its whole country from the worldwide internet, Mirai demonstrated just how effectively third-party malicious actors can take down segments of a country’s internet.
In principle, policymakers have long argued that neither of the aforementioned scenarios was possible due largely to the internet’s decentralization. More and more, though, the internet has become centralized in countries where the government has controlled the buildout of infrastructure and where there’s little market competition for internet services; and even in countries with better market competition for internet services, and with less government control of infrastructure, there are still pockets that remain centralized and vulnerable—as demonstrated by the Mirai botnet attack against American internet company Dyn.
All this matters for a few reasons. For one, democratic policymakers, in particular, will have to think more about cyber norms in the context of internet manipulation (i.e., disconnecting your country from the global network), not just offensive cyber operations (i.e., hacking into another nation’s computer systems). Several events in 2018 already made this fact clear, like when American internet traffic was once again routed through China and Russia and underscored the vulnerability of core internet functions to manipulation. A sovereign and controlled model of the internet is spreading, and democracies must effectively fight it through, among other things, norms on and around the internet.
Two, the rising threat of botnets will create more pressure within the United States to generate technical standards for IoT devices. Currently, there exist virtually no consensus rules for “minimum security” on these devices, which means that many industry organizations and government agencies are using IoT systems that have terrible security; this not only leaves connected infrastructure systems vulnerable and exposes government personnel who wear connected devices to real-time GPS tracking, but it also means that the IoT market is flooded with devices that can be easily hijacked in service of DDoS attacks. Building these standards will give companies and government agencies guidance in building and acquiring IoT devices, which in turn will bolster their security.
Finally, countries will have to take greater international action against botnets as a cybersecurity threat. As Jason Healey and Robert Knake wrote in a recent Council on Foreign Relations report, DDoS attacks via scores of hijacked IoT devices can “cause serious harm by allowing foreign governments to stifle free speech abroad and enabling them to shut down countries’ domestic networks or even the internet globally.” Further, explains a report from the Council to Secure the Digital Economy, these incidents undermine “fundamental confidence and trust in the digital economy” that depends on reliable availability and performance of internet services.
So, whether national or regional, caused by governments or hackers, internet blackouts are likely going to increase in frequency over the coming months—and their harms will take many forms. But recent IoT hacks, a history of internet disconnections around the world, and an even longer history of DDoS attacks, collectively, give us a sign of what’s to come. Policymakers would be wise to pay attention.
ABOUT THE AUTHOR
Justin Sherman is a fellow in New America's Cybersecurity Initiative. He is a junior at Duke University double-majoring in computer science and political science, where he is the Co-Founder and President of Duke’s Cyber Club and Cyber Team and is co-teaching Duke’s “Cyber and Global Security” seminar. Sherman is also the Co-Founder and Vice President of Ethical Tech, which works to empower ALL people to have a voice in technology innovation, consumption, and regulation.
His research has spanned everything from critical infrastructure security and mobile privacy to machine learning bias and the ethics of international tech transfers, and he has written extensively on cyber policy and technology ethics, including for Journal of Cyber Policy, Defense One, The Strategy Bridge, Technology for Global Security, and the Council on Foreign Relations. He is a Fellow at Interact and the youngest Fellow in the history of the Duke Center on Law and Technology.