Show Hide image

Databases of ruin

Ben Wizner, chief legal advisor to Edward Snowden and director of the ACLU’s Speech, Privacy and Technology project, talks to the New Statesman about the new age of mass surveillance.

A Skype call with Edward Snowden’s lawyer is different from other Skype calls. Beneath the introductions and the courtesies sits the question of who else is listening. Among the NSA data released by Snowden in 2013 was a training document which confirmed that “sustained Skype collection began in Feb 2011”. Since that date, the NSA has been able to listen to and record any Skype call. Does Ben Wizner think they’re listening, right now?

“I guess I would say… probably not.” Wizner is not one for dramatic speculation. He first sued his government for torturing its own citizens more than a decade ago; his work is dramatic without embellishment. Wizner joined the ACLU months before 9/11. Ten years later, he became the director of the Speech, Privacy, and Technology Project. In 2013, he became principal legal advisor to the world’s most wanted man. In his defence of Snowden and his work for the ACLU, Wizner works at the point where civil liberties and national security meet. Increasingly, he says, it is hard for the legislation that protects civil liberties to keep up with the methods available to those who would infringe them.

“The fundamental issue,” says Wizner, “is simply that surveillance used to be expensive, and now it's cheap. That's something that we have to confront, centrally, as one of the main challenges of our time. It used to be that our privacy was protected more by cost than by law, but that cost protection is gone. If governments wanted to know where you were, a generation ago, they had to assign a team of agents to track you 24 hours a day. There was no real legal barrier to doing that, but there was a huge resource barrier. There had to be a pretty good reason for it. Now, our technological systems are passively collecting all of this intimate information about all of us. The cost of storing it, forever, has plunged from being very expensive to almost trivially cheap. So we're going to need law and policy in places where we didn't need it before. We're going to need to figure out what role law needs to play in a world where governments have the financial and technological capability to record and store virtually complete records of our lives.”

Many technologists have observed that the advances in computing and communication of the past few decades have allowed us to sleepwalk into an almost perfectly pervasive surveillance state. Wizner advises viewing any argument for extension of these powers with extreme caution. “ I think the way to understand this is that even people who seem willing to exchange personal privacy for a measure of safety wouldn't want video cameras throughout their house, including in their bedrooms, on at all hours of the day. They wouldn't want drones with sophisticated cameras hovering over their homes and communities, 24 hours a day, recording every movement in the streets. But mass metadata surveillance achieves almost the same effect. If the police can know, without any legal restriction, where your phone is at any hour of the day, what other phones are with it at any hour of the day, and they can get months of this information and put it together, they can paint a remarkably intimate picture of your life. Who you're sleeping with, whether you pray, whether you drink, if you've had an abortion. All of this information can be very easily reconstructed from the metadata that we leak on a daily basis, now.”

The argument for further extension of government surveillance almost justifies its means by the threat of terrorism. Wizner calls this a “bait-and-switch” – a ruse, to secure powerful surveillance in the name of preventing extremist attacks, but then to pass these powers on to other authorities. Against terrorists, he point out, “mass surveillance is not terribly effective as a predictive measure. Collecting billions of communications in order to predict extremely rare events is not effective. The system gets overwhelmed with false positives, no matter what measure you’re using. That's why the investigatory groups that were put together following the Snowden revelations uniformly reached the conclusion that collection of the metadata for all US phone calls didn't lead to either the prevention or the discovery of any terrorist attack or activity.”

For domestic law enforcement, however, vast databases of the details of citizens’ lives represents a goldmine. Wizner calls it “a kind of surveillance time machine. They would be able to hit rewind on the database, and to reconstruct all kinds of things that had happened. Because they could be extremely useful for solving crimes, the capabilities will migrate from intelligence into law enforcement. And then, our societies are going to feel very different - when every police officer with a smartphone has access to the kind of information that the NSA and GCHQ collect.”

In the UK, Wizner’s forecast has already precipitated. Under the Investigatory Powers Act, the communications data of any UK citizen is now collected by default and may be provided, without warrant, to any police force. The data is also available, again without a warrant, to most government departments, as well as such well-known anti-terrorist forces as the Food Standards Agency and the Welsh Ambulance Service.

What kind of state does Wizner think this will lead us into? “Here, I like to quote the security technologist Bruce Schneier, who asks "how do you feel when a police car is driving right next to you? Imagine having that feeling all the time." Some people might say, "oh, I just feel safer". But most of us don't just feel safer. We feel nervous, we feel watched, scrutinised. It absolutely would affect our willingness to take risks, to engage in behaviour that's not fully sanctioned - the kinds of things that free societies need to grow and develop.”

Whether the unprecedented mass surveillance now being conducted by the governments of the UK, US and other nations on their own citizens will lead inevitably to totalitarianism is debatable. What is inevitable is that when governments collect data on their citizens, it falls into other hands. In 2015, it was revealed that councils in the UK suffered data breaches at an average of almost four per day, losing the personal data of children on 658 occasions in three years. In 2012, the NHS lost 1.8 million patient records. In 2008, HMRC lost the personal data of 25 million taxpayers. The list of incidents in which the UK government has lost, stolen and carelessly handled databases of its subjects’ data is thousands of items long.

“We've already seen networks of hackers obtain vast amounts of personal information, and convert it into profit,” agrees Wizner. It is absolutely the case that we're going to have to come to see that aggregated data is not just something that has beneficial uses, but something that creates real liabilities for us.”

However, Wizner says we should not compare the data being collected on us by mass surveillance to traditional government records. It is more personal than that. The data breaches that will result will be closer to the 2015 data breach of Ashley Madison, a dating website that enabled people to have extramarital affairs. Publishing of the site’s user database was linked to suicides in two countries. Wizner says he and his colleagues refer to such deeply personal information as "databases of ruin", because “they contain within them the seeds to ruin any of us.”

That a government database could contain the seeds of your ruin – the means to impersonate you, jeapordise your position or make public the evidence of anything you’ve done which you’d rather wasn’t publicly known – is not, says Wizner, a paranoid idea about the future. “That information sits in government databases today. And not just our own government. The Chinese government was able to breach the database the Office of Personnel Management, which does all of the background checks for people who work in sensitive jobs in the United States. Millions of records, of the most sensitive kinds of information, are now available to a foreign government.”

Wizner says last year’s dispute between the FBI and Apple, in which the technology giant refused to crack the security on its iPhone in order to aid the agency’s investigation of the San Bernadino terrorists, is a good example of law enforcement’s failure to recognise that data security can be more important than forensic capability.

“Many former high-level NSA officials actually took Apple's side in that dispute. They argued that it was actually more important for Apple to be able to create government-proof security on a global scale than it was for US law enforcement to be able to break into this one phone. They know that if Apple has to engineer its product to allow the FBI in, then it will also have to allow in the Chinese military, and Russian intelligence.”

So how can civil liberties be protected in this emerging state of cheaply available, barely regulated surveillance? “There are two parallel reform conversations that need to take place. One is about what kind of laws we need to pass, and how our courts can act as a check on government.  The other is on the technology side - how can we build up our defences. The answer to the second [question] is encryption.”

The great benefit of encryption is that “it can assist citizens even in authoritarian states. We could have the best surveillance reform imaginable in the US - we haven't, but we could - and it wouldn't protect anybody in Russia or China. On the other hand, if the technology platforms that we're using make it difficult or impossible for governments to engage in mass surveillance, that's something that could be a benefit everywhere.”

Wizner says it’s crucial that these issues of privacy and security are seen as international, because the means are so easily to sell and transport that one country’s surveillance capabilities soon become another’s. “It would be a mistake if everyone in the world viewed the Snowden revelations as a story about the NSA's activities and capabilities. Snowden likes to say that we have reached the “atomic moment” for computer science. But proliferation is much faster; it doesn't require all of the complexity that nuclear proliferation has required. So now is the time for us to be developing laws about how we're going to deploy those technologies against each other.”

Will Dunn is the New Statesman's Special Projects Editor. 

Show Hide image

Inside the National Cyber Security Centre

The new chief executive of the National Cyber Security Centre, Ciaran Martin, and other senior members of NCSC staff give their take on a more open, more outgoing arm of GCHQ.

The GCHQ base in Cheltenham is a building the size of Wembley stadium, bristling with security cameras, patrolled by armed guards and surrounded by tall fences that are topped with razor wire. The organisation’s new London headquarters, however – the National Cyber Security Centre – occupies two floors of a glass-walled office building in Victoria. It’s a very smart, new office building, but there is a distinct lack of razor wire, and none of the receptionists appear to be carrying automatic weapons.

The NCSC’s open environment is illustrative of its approach, particularly where businesses are concerned. While much of its operational work will remain classified, the NCSC will invite people from the private sector to train within its walls. Following an official opening by the Queen, Philip Hammond delivers a speech in which the digital economy is mentioned before national security, and in more detail.

“The private sector is piling in extensively here today,” agrees Ciaran Martin, the NCSC’s chief executive. “We’re getting 100 private sector people in to work here,” he adds, referring to the Industry 100 initiative, which will “embed” 100 workers from across the private sector in the NCSC to share expertise. “It’s not one of those areas where the private sector is telling the government to back off – they’re asking to work with us, and we’ve got plenty to learn from them.”

The NCSC will also be heavily involved in securing the public sector, too, helping to co-ordinate cyber defences across bodies from the MoD to the smallest local council. “Local government is a major concern for the NCSC,” says Martin, “but let me be nice to local government. They are under significant financial pressure, they’ve got all sorts of obligations, and this can be quite complex stuff. There are 380-odd local authorities in Great Britain. Some of them, like Birmingham, are the size of decent-sized companies, and some of them are very small. If you’re a small local authority, I think that in the past, organisations like mine have been slightly too lecturing towards you about what you’re not doing right, and not sympathetic enough to the fact that if you’re trying run, for example, a small rural local authority, you’ve got lots of citizen data but you’ve got lots of other responsibilities, and it’s quite hard to get the right people and the right tools in place. It’s quite hard to even know where you can look for help.”

Martin aims to change that by introducing simple, effective tools that will help public bodies of all sizes secure themselves. “One of the things that we’re proudest of, which we’ll be rolling out later this year – and which has been exhibited in front of the Queen today – is WebCHeck. What WebCHeck does is, it scans websites for vulnerabilities and it says “here’s where you’re good, here’s where you’re bad, here’s where your certificates are out of date.” It gives you a report that’s automatically generated, and it tells you how to fix it. We’re giving that to local government for free.”

These NCSC-developed tools will also become available to small businesses, too. The centre recently built a tool to eliminate spoof emails that appeared to be from HMRC; “The code that we used to stop HMRC spoofing, we’re making freely available today. That means that if you run a small business with an internet domain address, you can work out who, if anybody, is spoofing you and what you might be able to do to thwart them. We’re trying to do things that make it that little bit simpler for people who may not have the resources and time of a larger government or private sector organisation, just to make it a little bit easier to take sensible, risk-based decisions and make the improvements that will help. Because every little helps, in cyberspace – if you raise the bar a little bit, attackers can go elsewhere.”

The NCSC’s technical director, Dr Ian Levy, says blunt instruments are still too effective in cyberspace. “It’s important to differentiate the sophistication of the attack with the level of the impact. The two are not correlated; you can have a really, really simple attack that causes a lot of national impact. Take TalkTalk as an example – a very, very simple attack had a huge effect across a large number of people. Whether it should have done is another discussion, but it did. It changed the public consciousness; a lot of the very sophisticated attacks don’t have that same sort of impact on a large number of people. Some of them are not about disclosing large amounts of personal data, or stealing, or making money – they’re about traditional statecraft, and that has a much lower impact on your average population. It can have a national security impact, but one of the things we need to change the narrative of is the difference between the sophistication of an attack and the impact of that attack.”

State-level attacks

While much of the NCSC’s work will be in making the UK a “hard target”, as Martin describes it, for cybercriminals of all kinds, the centre remains a part of GCHQ. Its work will also encompass the new possibilities digital technology has opened up for espionage, diplomacy and war. At the centre of one of the exhibits shown to the Queen and other visitors on the opening day is a grey box, about the size of a biscuit tin, a few lights blinking on its front. Easily ignored by the passing dignitaries, this box is of particular significance in security circles. It is a programmable logic controller, or PLC. These controllers are found everywhere moving parts need to be automated and controlled – in factories, power stations, aeroplanes, trains, and automatic doors. In 2010, a mysterious and highly sophisticated piece of malware appeared that targeted one specific model of PLC, in a very specific configuration, and caused it to malfunction, causing serious damage to the equipment it controlled. The equipment it targeted was later identified as the enrichment technology used in the Iranian nuclear programme.

The display also contains a laptop. Tap a button, execute a command through the malware on it, and a light on the PLC changes from green to amber. In December 2015, an unknown hacker tapped just such a button. Moments later, the lights in 230,000 Ukrainian homes went off.

A member of NCSC staff who declined to be named said that his greatest worry with regard to this type of attack was that it could be used on the gas grid. “If the gas network was depressurised,” he told me, “it could take up to a year to get it back.” These are the more worrying scenarios the NCSC must imagine and plan for; a winter without central heating would bring the NHS to its knees, at the very least.

Jacqui Chard, the NCSC’s Deputy Director for Defence and National Security, says that a national security level cyber incident could take many forms. “It’s about the impact across government or across citizens,” she explains, adding that at the most serious level, the NCSC helps to plan against and prevent attacks that would cause “serious damage, loss or disruption of critical services or systems for the nation – which could be critical national infrastructure, the parliamentary system, defence, our finance institutions, or our transport system.”

“From a defence point of view,” Chard says, the most serious type of cyberattack would be one that looks like an enemy preparing the battlefield, that “impacts on the strategic planning for our military forces. Or, if we were subject to attacks on our soil, how we’re going to co-ordinate – so, if communications between government at the highest level were affected. That’s where we’re focusing for the biggest risks for the country at the moment.”

While attacks of this type are fortunately still mostly theoretical, it does look increasingly as if cyberweapons are capable of causing loss of life on a similar scale to the kinds of weapons that are bound by international treaties. Steps in this direction were taken in 2015, when the Chinese government agreed with the US and UK “not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information” (in the words of the China-UK statement). Asked why she thinks this statement did not include a statement on national security, Chard replies that “The business agreements that we’ve made are a matter of national security. They’re for our prosperity as a country, so we absolutely see those as part of that.”

The new diplomacy

With the growing power of cyberattacks to cause devastating consequences across borders comes the thorny issue of determining where an attack has originated, who ordered it, and if a government was involved. It is likely that the difficulty of attribution will have profound effects on diplomacy in the future, and a key role for the NCSC will be to provide evidence of the involvement of other nation states.

Both Ciaran Martin and Michael Fallon have spoken publicly about a “step change” in Russian cyber aggression, but Martin says certainty is still hard to come by. “Attribution can be very difficult, and a lot of the detection work on state attacks is in the classified area of where we work, even though we work a lot in the open. But in general terms, in my three years of looking at these [incidents], sometimes you have direct evidence of named individuals with pictures, and sometimes you have very little clue as to even what country an attack might be coming from.” Furthermore, “attacks could be coming from within a particular country, but that’s not necessarily the same thing as being sponsored by that country, or even tolerated by the government of that country.”

What makes international relations even more complex is that increasingly, and especially with regard to Russia, technology allows other “actors” to expose secrets and disseminate lies at scale. This is particularly effective when it comes to elections. The extent to which Russia may have been able to influence the US presidential election is the subject of furious debate, but the UK’s political system is not immune to intervention either. Last year, GCHQ revealed that it had tracked and thwarted what Martin calls “activity” with regard to Whitehall servers. “There was activity we noticed,” he says, “because we notice activity all the time, that was in and around institutions that may or may not be related to the possibility of an attack on the election.”

Governments and political parties are going to have to recognise the threat this “activity” represents. Martin says no formal requests have been made by specific parties for help, but that he expects these requests to be made.

Ultimately, he advises that to safeguard British politics, “you need to look at the system as a whole, all the way through from government institutions to parliament, to institutions that are influential in political life, like the media, like think tanks – way beyond political parties, even to high-profile individuals whose views are of interest. It’s about the totality of that. So we’ll publish data and recommendations about how to mitigate these sorts of attacks, and we’ll look at the most aggressive actors and try to find out what they’re targeting. That’s probably better than trying to predict the precise route of attack on the British political system.”

Will Dunn is the New Statesman's Special Projects Editor.