Big Brother and the Global Info Wars

Privacy, Cybersecurity, National Security, and the Future of Warfare

Privacy and safety (or at least a sense of safety) are often intertwined. Given that the deadliest predators humans have faced throughout our history have been members of our own species, it just makes sense.

If you’re sitting comfortably in your living room reading a book or watching TV and happen to look up at your front window and see a menacing-looking person standing outside staring at you, you immediately go from feeling safe to feeling unsafe.

Most people don’t have deep, dark online secrets they want to hide from others on the internet; most of us are not pornographers or terrorists or burglars. But even the most innocent, benign person would prefer that strangers aren’t reading their emails or knowing every click or purchase that comes out of their time online.

Governments, though, are another matter. There isn’t a government in the world that doesn’t have secrets that, if revealed, would damage the national security of that country. Be it military, trade, or political, governments routinely conceal information for reasons both bad and good, and competing governments are always trying to find them out.

Spying, in this regard, is as old as humankind.

From Moses’ 12 spies in the Bible to the story of the giant wooden horse that carried warriors into Troy to tales from behind the lines in World War II, we’re all familiar with the damage that can be done to a nation when it’s infiltrated by hostile agents. And this is where our Internet of Things presents a particular vulnerability for the United States.

On the internet, maintaining privacy and security is important for individuals but vital for governments.

Most Americans are familiar with the story of how the United States and Israel apparently collaborated to implant a computer worm known as Stuxnet into the nuclear enrichment systems of Iran in 2010. The worm burrowed into the computerized systems controlling the spinning centrifuges used to purify uranium, causing them to spin so fast or irregularly that they essentially broke into pieces.[i]

Far less well known is the story of how Iran responded.

A paper from the Strategic Studies Institute of the US Army War College titled Iran’s Emergence as a Cyber Power states that prior to then, virtually all of that country’s cyber capability was directed at spying on their own citizens, hoping to stop rebellions before they began. But Stuxnet changed everything.

“Today, Iran as a cyber power is the elephant in the room that everyone is finally beginning to notice,” the report’s authors wrote. “The Iranian government was originally believed to have budgeted approximately $76 million annually to its fledgling cyber force.”

Then came Stuxnet in 2010. As the War College said, “However, in late-2011, Iran invested at least $1 billion dollars in cyber technology, infrastructure, and expertise. In March 2012, the IRGC [Iran Revolutionary Guard Corps] claimed it had recruited around 120,000 personnel over the past 3 years to combat ‘a soft cyber war against Iran.’ In early-2013, an IRGC general publicly claimed Iran had the ‘fourth biggest cyber power among the world’s cyber armies.’”[ii]

On August 15, 2012, they used that power first to disable the world’s wealthiest oil company, Saudi Aramco, irretrievably destroying 30,000 computers, leaving only an image of a burning American flag on every monitor’s screen.

Then they went after a 245-foot-tall, 800-foot-long dam in Oregon, the Arthur R. Bowman Dam, which backs up the Crooked River. Had they opened its floodgates fast enough, it would have wiped out the downriver town of Pineville, killing thousands.

Fortunately for Oregonians, they got the wrong dam; instead of the Oregon dam, they successfully infiltrated and took control of the Bowman Avenue Dam in New York State, which reroutes a relatively small stream. And, to add insult to injury for the Iranians, when they hit that dam (as the CIA was just then discovering), the sluice gates had been separated from the computer system for maintenance.

In an article about the attack, Wall Street Journal reporter Danny Yadron wrote, “America’s power grid, factories, pipelines, bridges and dams—all prime targets for digital armies—are sitting largely unprotected on the Internet.” It was just a fluke that they got the wrong dam and that it was down for repairs.[iii]

The late Las Vegas billionaire Sheldon Adelson, then a close friend of Benjamin Netanyahu and a major donor to both Israeli and GOP causes, was the next victim of Iran after telling an audience at Yeshiva University in New York that the United States should drop an atomic bomb in Iran’s desert, implicitly threatening the capital, Tehran.

“You want to be wiped out? Go ahead and take a tough position,” Adelson said.

Iran’s Supreme Leader Ayatollah Ali Khamenei replied that somebody “should slap these prating people in the mouth.”[iv]

Weeks later, all the computers at the Sands, Adelson’s hotel/casino, died. Totally. Every hard drive wiped, every screen showing a photo of Adelson and Netanyahu with the inscription, “Don’t let your tongue cut your throat”; the computers may as well have been boat anchors. Bricked is the word that hackers use.

Two years earlier, the Obama administration had put forward legislation to require all privately owned “essential infrastructure” in the United States to harden their cyber capabilities. While it passed the House of Representatives, as the New York Times reported, “Senate Republicans . . . argued that the minimum standards were too burdensome for businesses, and by late July had managed to change the legislation to make them optional. In early August, the bill essentially died when it was blocked by a Republican filibuster.”[v]

Failing at getting Congress to force the American companies that controlled our infrastructure to harden their systems, President Obama signed an executive order “that promotes increased information sharing about cyberthreats between the government and private companies that oversee the country’s critical infrastructure” and “put together recommendations that companies should follow to prevent attacks.”[vi]

The order was ignored, and continues to be ignored, by American industry.

Cybersecurity for our privately owned dams, bridges, electrical generating stations, nuclear power plants, gas and oil pipelines, and water and sewage systems is now optional, and few