The CIA: Stop Digital Proliferation! Destroy your computer now

A new essay in Harvard National Security Journal by Dr. Dan Geer, the Chief Information Security Officer of the CIA's venture firm In-Q-Tel, reveals how militarizing the internet puts the brakes on business opportunities or innovations that might come from the internet. Any change makes things less “secure,” you see? Geer argues that

“…the recent decision of the Internet Corporation for Assigned Names and Numbers (ICANN) to wildly proliferate the number of top-level domains and the character sets in which domains can be enumerated is the single most criminogenic act ever taken in or around the digital world.”

That’s quite a claim. The argument seems to be that allowing the supply of names or addresses in a network to expand so that it meets growing demand is “criminogenic,” meaning that it actually generates crime. This isn’t the kind of generativity Dr. Zittrain mentioned, is it? (Or is it?) It follows that the more information technology gets into the hands of the people, the worse the world becomes.

Here at IGP we are kind of hoping that Dr. Geer has not noticed the wild proliferation of email addresses in the past five years. We think their growth rate exceeded that of the proposed increase in the number of new gTLDs by several orders of magnitude. We are afraid that if he does notice such growth, In-Q-Tel will push for shutting down email servers, or forcing Google to charge monthly fees for Gmail. We also hope he hasn’t yet noticed the relentless proliferation in the number of iPads, personal computers and mobile smartphones. We really would like to hang on to those things, if Dr. Geer doesn’t mind. And please, please, please don’t tell him about the IPv6 address space.

One has to assume Geer is insinuating a link between new gTLDs and malware like the Conficker botnet. The coders who wrought Conficker leveraged the DNS to provide the botnet's command and control mechanism and infect computers worldwide. Participants in the Conficker Working Group sought to mitigate Conficker's spread by working with ICANN and ccTLD operators worldwide to preemptively register tens of thousands of domains, thereby cutting off the ability of compromised computers to get instruction updates. But those massive numbers of registrations were at the second level, not the top level. It is doubtful that adding new TLDs (or eliminating old ones) would have had any effect on Conficker. The number of TLDs is irrelevant to the exploit. In fact, Conficker did just fine in the current environment of 250 TLDs.

Conficker has not gone away, but its threat was mitigated by the very companies and governance institutions that would bear the costs if Conficker were ever successfully used for destructive purposes. The incentives appear to be aligned well.

When most of us look out over the world and see telephones, computers, routers and switches connecting more people we feel that the world is becoming a safer, better place. Dr. Geer sees only weapons proliferation: every new LAN is a missile aimed at us by hostile states; every new smartphone is a bullet pointed in our direction.

Geer is one of those who believe that network security experts are at a “permanent, structural disadvantage compared to the attackers.” He is convinced that other countries are aiming to deal us a crippling attack via cyberspace, and he thinks he knows their plans:

“State-level opponents primary targets are essential industries, the secondary are the counterparties to those primary targets, and the tertiary are sites that can be prepped for future attacks. It would be wise to structure our defenses accordingly.”

So Geer proposes a far-ranging militarization of the Internet economy: “This leads directly to whether government’s cooperation with the private sector should not focus on the Defense Industrial Base and if the Defense Industrial Base should be expanded to include cybersecurity firms and technology within its remit.”

Thus, Geer conflates network security with national security; he erroneously focuses his attention on artificially bounded territories and their military units rather than on the security problems of networks and the operational systems and people they connect. He seems unconcerned about economic growth, or willing to sacrifice it to pursue his inner, inter-state demons.

2 comments

  1. Anonymous

    The single most criminogenic act is property development. Anyone who builds new homes is responsible for the increase in burglaries. I bet Geer lives in a home, so he is directly funding criminogenic acts.