Don’t rely on governments to solve your security problems

Far from solving all your problems, if you rely on government to solve your cyber-security problems, I think you’re more likely to end up with restricted access to the Internet and someone other than hackers evaluating your communications. And I mean this is a possibility not only from your own national government but due to future international “cooperation” among governments.

Here are five reasons why you have to build your own cyber-protection capabilities rather than relying on governments to solve any of your security (and cyber-attack) problems for you. And you have to be vigilant and aware of what’s going on that might put governments even more in control of your online communications, reducing the options you have available to communicate privately with others as well as to defend yourself.

1. Government behavior recently shows that ultimately they (all?) want online communications to be available for them to read, even if they’re encrypted. The excuse is that terrorists and traitors use encrypted channels and therefore all communications must be readable by the authorities. Thus countries are fighting to secure warrantless wiretapping[1. Here’s what the EFF says on warrantless wiretapping – this is a great jumping off point for info], and to get hold of encryption keys (RIM/Blackberry[2. This has been going on for a couple of years with RIM/Blackberry, here Bruce Schneier tells us what the issue was as early as 2008.], Google[3. Read article about Google’s response in Economic Times (India) 16 December, 2010], etc.) so they can read Internet traffic.
2. Some governments (certainly the US that we know of) are already copying your communications into their data storage for later correlation and reference [4. Download the EFF release on AT&T diverting fiberoptic traffic in San Francisco to the NSA.]. ISPs and telcos have gigabit taps in place at interconnect facilities that give government agencies unfettered access to the entire information flow. I know from secondhand reports that this happens in other countries—you can google-around for more leads on that.
3. Governments are now saying (the UN particularly is floating this idea) they want to create international agreements so governments can work together to help make the Internet a safer place. This is a bad, bad, bad idea[5. Here’s what Vint Cerf and others said, according to the Huffington Post.] because repressive governments would rather you not have the ability to blog freely, and if this turns into an international agreement, everyone will be reduced to the lowest-common denominator.
4. They’re talking about kill switches[6. See my article In case of emergency, shut eyes and stagger in the dark.]  that would shut down critical portions of net communications in the event of a government-declared emergency. And many governments already selectively kill some types of communication, walling off YouTube, or Google search, online news like the New York Times, or other services  when they cover something the nation’s governors do not like.
5. If they don’t like something you say, then governments, or patriotic individuals, or attackers-for-hire will shut you down with denial of service attacks. So really you have to have your own plan in place and be ready to execute it. Your plan might just be to shut down, but at least you should be thinking about it in advance. And I’m telling you that governments are not going to be able to step in and protect you from that—it requires action at the level of your hosting facility.

My bottom line is that you yourself have to take care of your security to the degree you can.

First, (#1 above) you need to encrypt your communications with your business partners and friends. There are lots of ways you can do this and all of them require some amount of work, and that small amount of work has always been a barrier. You gotta get over that barrier and do it!

Second (#2) if your communications are encrypted and are copied for later analysis, someone who wants to snoop on you probably won’t like it, but you still are safer because it may take a considerable time to break that encryption. And although 99.9% of what you say won’t be of interest anyway, unless you’re plotting some evil deed, it’s possible for people to misinterpret what you’re saying and go after you. And on top of that, some of your personal conversations might just be embarrassing.

On #3, it’s just a really bad idea for governments to make policy about what can be carried on the Internet because the repressive governments will speak loudest, and any uniform international rules that would be formed would aim to protect the interests of the most repressive governments, not the rights of individuals. They’ll make it illegal to “advocate overthrow of the government” or “to offend national social norms” and since these differ so radically from one place to another, we will all be bound by rules that severely restrict our ability to speak openly about practically anything.

On #4, cutting access to the Internet in the event of a government-declared emergency immediately impedes the ability of civil society and NGOs to work across borders to stop any hostilities that might arise. It would plunge the net into darkness, where none of us could function. We see evidence of this in the ways China’s Golden Shield (the Chinese firewall) is used to suppress any mention of topics the government does not wish to see discussed. There is no broad freedom of speech in countries that do this kind of filtering and blocking, and if this were institutionalized worldwide so that we could not offend the Chinese government (they say offend the Chinese people, but we know it’s the government objecting, not the people—Chinese citizens are certainly as able as humans anywhere to accept diversity of opinions). Forming regulations that would apply worldwide would severely restrict freedom of speech in the most “free” countries in order to reduce it to the level acceptable to all repressive states.

And finally, #5 denial-of-service attacks are becoming the norm when someone doesn’t like what you’re saying. These are the “private” equivalent of setting up a firewall to stop your opinion from entering a country (like China) by shutting down your “printing press” as it were.

Why the parrot photo? Well, I’ve long had a policy of “if you can’t say something new and unique, don’t say anything at all” so I have not, so far,   parroted any comments on Wikileaks or Julian Assange, though there are many hints about the future of free speech, journalism, and government involvement in all of this, in what you can read almost anywhere online!