Too often, we talk about cybersecurity as though it were a single good. We treat it, that is to say, like airline security, where our policy objective is zero civilian jetliner or general aviation vulnerabilities. We want no plane crashes, which makes measuring airline security pretty easy. When bad things happen — and, in particular, when people die as a result — we define that as insufficient airline security and safety.
To talk about cybersecurity in this manner, however, is a serious error, because very few people or organizations, in fact, want a perfectly secure Internet, and the United States government certainly isn’t one of the groups that does. It wants to monitor the activities of a whole range of bad guys — including criminals, terrorists, and foreign adversary governments — and a not-small range of not-so-bad-guys too, allied foreign governments for example. The US objective in cyberspace is, one might say, textured. It wants perfect cybersecurity except against its own actions, where it prefers, and often acts to create, sufficient insecurity so as to facilitate its own operations. Many other national governments do the same.
To ask, therefore, about the effects of the Snowden revelations on cybersecurity poses the question at a level of altitude that makes it impossible to answer without first breaking it down. And it assumes that cybersecurity is always a good, and that more of it is therefore always better. So we need to start by refining the question: the effect of the revelations on whose cybersecurity, exactly? And against what sort of attack? And from whom?
If the question is the cybersecurity of individual users, the effects of the Snowden disclosures were certainly positive. At the most basic level, the disclosures told us all that our communications were vulnerable — something we knew, to be sure, but a reality that was not sufficiently close to the fronts of our minds to affect mass behavior. Now, for many people, it’s more of an action item. People have responded to the news of NSA’s programs by tightening their own security hygiene. More importantly, service providers have ramped up encryption at all levels of service. The combination means that data is harder for bad actors to capture and harder to read once it is captured.
This is good news for a lot of individual users fearful of identity theft. But it’s bad news if you’re, say, FBI director Jim Comey, who has actively complained about it and the problems it is causing for law enforcement wielding valid search warrants that now produce junk. Yes, it’s a form of cybersecurity at the corporate and individual levels; it’s a direct result of the Snowden revelations; and it’s creating a more secure online architecture within which all of us — including a lot of really bad people — operate.
For some, the availability of interpretable signal to US law enforcement — not to mention to US intelligence — is a priority of low, or even negative, salience. And for such people, Edward Snowden and Glenn Greenwald certainly among them, these developments therefore present an unalloyed good. The picture is not so black and white, however, for those of us who believe in effective law enforcement and want our policymakers maximally informed of other countries’ intentions and actions and want our operators maximally effective against terrorists. The woeful state of cybersecurity practices both among end users and among many companies badly needed a jolt to wake people up — perhaps many jolts. And the Snowden disclosures offered a jolt and that is nothing to sneeze at.
The trouble is that some of the people best positioned to take advantage of the slew of information Snowden made available are exactly the sort of actors whose empowerment may not serve broader cybersecurity objectives. Is American cybersecurity better off if the People’s Liberation Army and Vladimir Putin know the details of NSA’s programmatic activity? I suspect not. Are companies like Sony less vulnerable if North Korea knows a great deal more about our government’s capabilities and constraints? I doubt it. Are you individually safer online if your and your employer’s cybersecurity practices improve marginally but those of the many criminal gangs after your credit cards and your company’s data improve dramatically? Again, probably not, and those criminal gangs are in fact far better positioned thanks to the Snowden materials to improve their tradecraft than you or your employer are to improve your defenses.
In other words, the answer to the question of the effects of the Snowden revelations on cybersecurity depends a great deal on one’s vision of what cybersecurity really is. If, with the great libertarian security theorist Bruce Schneier, you imagine cybersecurity as an Internet resistant to all attackers — including those we call law enforcement and intelligence agencies operating under the rule of law — the effects of Snowden have certainly been positive. If you believe, with the US government, that not all attacks are created equal policywise — that some are hugely damaging criminal and national security threats while others are policy objectives of the highest order and some actually augment larger cybersecurity objectives by enabling the prevention of the damaging intrusions — the landscape is far more complicated. Snowden has clearly had an impact, but it’s an impact that pushes toward a more Schneierian vision of Internet security. And that’s a vision far friendlier to some US objectives than to others.
My instincts about what real cybersecurity is are closer to the government’s than they are to Schneier’s. I don’t see intrusions by the FBI and the NSA under the rule of law as the moral or legal equivalent of the sorts of behaviors that China and Russia and Iran engage in (I don’t think Schneier does either) and I’m not opposed to building the Internet to facilitate lawful access to signal where society decides that’s appropriate. I don’t have a conceptual problem, in other words, with defining cybersecurity in a more nationalist fashion that doesn’t treat all state access similarly and doesn’t treat all intrusions as attacks to be avoided.
But those of us who take this view of cybersecurity have to be candid that it is a vision laced with all sorts of value judgments — some may say hypocrisies — that people like Snowden may not share. And we should be honest as well that the libertarian ethos has a different vision of cybersecurity, one that is more universalistic, less nationalist, and more compelling to a great many people around the world than the one our government — and people like me — hope to realize.