WikiLeaks obtained from a third party thousands of stolen computer files containing sensitive government information. Is this a cybercrime or whistle blowing?
It’s clearly a crime in the sense that the alleged third party released classified documents, which for him is a crime. It’s not clear that WikiLeaks has committed a crime in posting it. The U.S. Senate and congressmen, and others, are trying to figure out if they can prosecute under the Espionage Law, and other places, but then you get into the issue about: Is it a crime for the [New York Times], or other news outlets to post it? So, it’s cyber in the sense that it’s all been digitalized and that the ability to spread it and the difficulties in controlling it are all part of the fact that it’s been digitalized.
What does this unfolding saga say about U.S. cybersecurity in the case of the third party?
It doesn’t say a lot, in the sense that when people generally use [the term] cybersecurity they’re talking about the defense of communication and computer-control networks from outside attacks. This is mostly about the control of information and how you prevent it from spreading. The supporters of WikiLeaks--Anonymous and other people--attacked MasterCard, PayPal, and Amazon for taking WikiLeaks down or for limiting the ability to support or donate to WikiLeaks. Those are what we have traditionally thought of as cyberattacks. But the attacks that they’ve done, called DDOS, distributed denial of service attacks, haven’t really caused very much damage or trouble to those companies, and are more kind of disruptions or disturbances. They point to some vulnerabilities: The U.S. government sites have dealt with lots of DDOS attacks. They’re not a major threat.
Some in the Internet governance community point out the need for a form of cyber due process to protect against unilateral actions by companies such as PayPal, which critics say succumbed to government influence. How legitimate are these actions? What does it say about current challenges to Internet governance?
The larger issues, as Rebecca MacKinnon and some others have pointed out, [are] that proponents of free speech are now relying on these commercial providers to provide a public service, to create a public sphere. That is very much an unregulated or under-conceptualized problem: How do you deal with private companies providing for public free speech? There are efforts to try to create norms and rules. The GNI, the Global Network Initiative, is trying to get people to sign on to rules. That is probably the most useful way of going about it.
For the U.S. side, the real issue--especially coming from the State Department and looking at Secretary Clinton’s speech--is there’s been this huge push on Internet freedom and promoting free access of information, and then a lot of the response to WikiLeaks seems to very much run counter to those policies.
We believed that [the Internet] was primarily a commercial space, and we should let commercial actors take the lead and government would basically stay out of the way. WikiLeaks, again, shows that states are very active in this space, and they’re trying to assert their authority, and the commercial providers need some guidance.
Does the Internet have a democracy problem in terms of how it’s governed?
A lot of people have talked about how you create global governance or global norms for the Internet. We’re a long way from that. As the WikiLeaks event has shown, definitions of free speech, of company responsibility, differ by national jurisdictions. It’s very unlikely that we’re going to find enough common ground at the national level to be able to create any type of common, accepted responsibilities. What is does show, though, is even when major players like Amazon don’t go along, WikiLeaks managed to move to other servers and mirror plenty of other sites and get its message [out] without very much disturbance.
The physical structure of the Internet is still so decentralized and resilient that it serves the purposes of free speech and spreading information. But the larger issues are ones that have been present from the beginning. Even though [the Internet is] transnational, companies are located in physical spaces and can be prosecuted by specific national governments. That is going to continue to be the case, and we’re going to see a further balkanization in which governments do what they can in their own space and bump up against what other states are doing in their own space.
Some people say the actions against WikiLeaks will undermine cloud computing, in which people use networking and software services or store private data offsite in places like Amazon, Google, and Yahoo. Do you agree?
First, cloud computing is going to be an attractive target for hackers and activists. It has to be reliable and people have to have some confidence in its resilience. Because when you attack a site like Amazon, you can’t just say, "We’re taking WikiLeaks down." There’s going to be a lot of collateral damage. [The WikiLeaks site also experience denial of service attacks.] There’s already been a lot of talk about: Can you rely on the cloud? That’s just going to increase the discussion about it and probably increase government regulation. The government is probably going to be more involved in deciding on the innovation side.
And then the second point is what we’ve just discussed, which is what role do these private companies play in promoting, protecting, or supporting free speech? The government is going to have less of a role there. It’s going to be very much up to the companies to figure out how they maneuver in that space. They will look to the government for some kind of direction about what they can and cannot protect, and what the responsibilities are.
A2009 Council Special Report on Internet governance focused on what policy actions the United States should take to secure the Internet. Which of the recommendations apply in this case?
The report was very much focused on trying to control an arms race in cyberspace. So a lot of that has to do with what norms we could try to develop with the Russians or Chinese. But there are a couple things you can draw from the report. The first is that the report says that the United States has to get its own house in order before we start telling other countries to change their rules or enforce their rules more effectively. The discussion in the report is mostly about crime, spam, and malware, but clearly with the WikiLeaks, our lecturing other countries about access to information and free flow of information has been severely damaged by our response to the WikiLeaks. That is probably the largest lesson.
The other [thing that applies] is just pointing out that traditionally the United States has approached cyberspace or cyber-diplomacy passively. We believed that [the Internet] was primarily a commercial space and we should let commercial actors take the lead and government would basically stay out of the way. WikiLeaks, again, shows that states are very active in this space, and they’re trying to assert their authority, and the commercial providers need some guidance.
Just as the WikiLeaks event has shown, definitions of free speech, of company responsibility, differ by national jurisdictions. It’s very unlikely that we’re going to find enough common ground at the national level to be able to create any type of common, accepted responsibilities.
WikiLeaks’ founder Julian Assange has uploaded as insurance an encrypted file he’s calling a poison pill, or a nuclear option. He says he’ll release the code if things don’t go his way. Are we seeing an evolution of what can happen in cyberspace?
What’s happened with WikiLeaks is primarily what some have called hacktivism or political hacking, in which the supporters of WikiLeaks attack sites they feel are ideologically or politically opposed to their view of the Internet. This points to some larger trends we’ve already seen: It’s open to everyone [and no longer takes] a lot of technological ability, or software ability, or hacking ability. So, this process of decentralizing power and spreading it to the individual [is something] we’ve seen from the beginning of the Internet age. These kinds of things are going to be a part of any kind of political contest now, [and] anything that goes on now is probably going to have a cyber side to it, some hacking to it.
Information is now uncontrollable. If it’s in electronic form, it’s going to be spread. Once it’s out there, there’s very little that anyone can do about it to get it back. Government and companies and individuals have to figure out what to do about that. How can they live with information that they don’t want to be out there to be fully accessible? That is just the reality. How do you respond? How do you shape a diplomacy and political activism around that fact--which we clearly haven’t done?
Information is now uncontrollable. If it’s in electronic form, it’s going to be spread. Once it’s out there, there’s very little that anyone can do about it to get it back.
A blogger for the Economist argues that we’re going to see a new breed of guerilla transparency movements similar to WikiLeaks. Is this a good thing?
I don’t know. The impact of WikiLeaks is not actually going to be radical transparency. WikiLeaks existed before this current set of leaks, first about the Afghan and Pakistan war and now about the cables. WikiLeaks’ impact so far hasn’t come from just dumping the documents, it’s come from working with the mainstream media. So, the story actually isn’t radical transparency, it’s the two connected--new media and old media working hand-in-hand. Other groups will go out there and try to copy radical transparency, but there’s going to be so much [information] out there. Nobody will know it’ll exist and won’t be able to take advantage of it. You’ll need these intermediaries like professional journalists, or professional activists, or [nongovernmental organizations] that can take that information and convert it into real action. That is probably the more likely trend.