This week The Economist featured an article about an anti-censorship product called Haystack. The product was supposed to provide anti-censorship technology. The effort was motivated by events related to the Iranian opposition movement in 2009, when activists used mobile versions of Twitter and Facebook to upload videos of police brutality and spread news of demonstrations. The Iranian government cracked down by tracing users, blocking services and closing websites, as well as arresting dissenters.
Haystack entered the picture earlier this year with a highly publicized product designed to provide anti-censorship software to combat the Iranian authorities’ efforts. Unfortunately, they made several fundamental mistakes related to information security. They tried to implement a proprietary encryption scheme (when it is well known that it takes 5 to 10 years to properly vet an encryption scheme, why would anyone ever “roll their own”?) and rushed the product to market without sufficient review and testing. Not only did the encryption mechanism fail, but the software also revealed the identities and locations of its users (mostly Iranian dissidents the government was trying to catch). The U.S. government is also a partner in this mess. Hillary Clinton, U.S. Secretary of State, helped the publicity effort behind the product by endorsing it, and the Treasury, State Department and Commerce Department accelerated the normal process to grant the company a license to export the software to Iran (normally an arduous process for cryptography-related products).
In most cases, when a product or service is poorly implemented, the consequences show up as poor business results. In this case, the consequences for users in Iranian opposition groups include imprisonment and torture at the hands of the Iranian government. Of course, the dissidents had a choice whether to use the product. The U.S. government, however, showed poor judgment in rushing to grant an export license in a technologically sensitive area to fulfill a political agenda.
This small example of the implications of information security in geopolitical conflicts caused me to consider some of the larger discussions regarding cyber war that have been taking place in the media recently. The U.S. military has been gaining much attention over the last several months with respect to this topic, mostly related to its zeal to develop and deploy offensive cyber war “weapons”. It is quite clear to me that a well-organized force with nation-state-class funding and highly skilled attackers can do damage on a scale similar to nuclear weapons. It seems that the armed forces have realized this over the last few years. The Air Force and Navy have been particularly aggressive in building out capability. Unfortunately, so have many other nations, most notably China and Russia. The problem with the offensive mindset that has become popular in the military is that investment in offense sacrifices defensive capability. The U.S. has the biggest exposure and the most to lose in a cyber war, given our dependence on the internet and on technology in general. For that reason alone, we are the ones who need to be investing the most heavily in defensive capability. What we really need most in this whole area is some leadership and a clear policy that can lead to deterrence.