from the bombing-for-the-lulz dept
"As President, I will make it clear that the United States will treat cyberattacks just like any other attack. We will be ready with serious political, economic, and military responses," she told the attendees, largely made up of veterans and their supporters. "We are going to invest in protecting our governmental networks and our national infrastructure," she continued. "I want us to lead the world in setting the rules in cyberspace. If America doesn't, others will."There are several things wrong with this narrative. The US government and Western media seem to frequently go out of their way to imply that the United States is an innocent little hacking daisy, nobly defending itself from a wide variety of evil international threats. But as we saw with Stuxnet, the United States is very often the country doing the attacking, often with major negative impact on countries, companies and civilians worldwide. That the US has the moral high ground on cybersecurity is little more than a stale meme, and it needs to be put out of its misery.
And granted, while Clinton was clearly trying to appeal to her veteran audience at the American Legion National Conference (most of whom likely can't tell a terabyte from T-Mobile), America's moral cybersecurity superiority was on proud display all the same:
"We need to respond to evolving threats from states like Russia, China, Iran and North Korea," Clinton said in the speech. "We need a military that is ready and agile so it can meet the full range of threats and operate on short notice across every domain – not just land, sea, air and space but also cyberspace. "You've seen reports. Russia's hacked into a lot of things, China has hacked into a lot of things. Russia even hacked into the Democratic National Committee, maybe even some state election systems. So we have got to step up our game. Make sure we are well defended and able to take the fight to those who go after us."Again, you'll note that the United States is portrayed as an innocent and noble defender of cybersecurity freedom, when it's the one often engaging in frequently-unprovoked attacks the world over. Of course, Clinton and friends are well aware that the vast majority of the time it's impossible to know where an attack came from, and any hacker worth his or her salt simply doesn't leave footprints. That makes a real-world military or economic response to a nebulous, usually-unprovable threat simply idiotic. You'd assume Clinton knows this and was just doing some light pandering to the audience.
But this rhetoric alone is still dangerous in that it opens the door wide to using hacking -- much like communism and Islamic extremism and numerous "isms" before them -- as a nebulous, endlessly mutable justification for a litany of bad US behavior. You could, for example, covertly hack a government, publicize its hacking response to your hack, using the press to help you justify military action. Given the US and global media's historical complicity in helping governments begin wars with jack shit for evidence, it shouldn't be hard to see how hacking is going to be a useful bad policy bogeyman du jour for decades to come.
Despite some repeated, painful lessons on this front stretching back generations, forcing the government to show its math before it resorts to violence is simply not the US media's strong suit. And with hacking and cybersecurity being subjects the press and public are extra-violently ignorant about, we've created the opportunity for some incredible new sleight of hand when it comes to framing and justifying US domestic and international policy. If history is any indication, by next time this year we'll be blaming everything under the sun on Russian hackers because after all, two anonymous senior government officials said so.
Healthy skepticism will be our ally as we stumble down the rabbit hole. While it's no surprise that Russia, like the United States is deeply-involved in nation state hacking, you'll note that actual evidence linking the Putin Administration to the recent rise in US hacking attacks remains fleeting. Most reports simply cite a single anonymous US government source, or security firms with a vested interest in selling services and products. That's not to say Putin and friends aren't busy hacking the US, but whether a country is responding to similar attacks by the United States (pdf) -- or is actually involved at all -- is rather important to transparently document before you begin trotting out awful new policies or worse, real world bombs.