AFP - Getty Images
This undated screen grab taken released by the Kaspersky Lab site shows a program of the computer virus known as Flame.
Has the U.S. government been caught with its virtual hands in the world's cookie jar? And might it lose control of the Internet as a consequence?
If you were among the forces on the planet wanting to wrest control of the Internet from the U.S.-friendly agencies that manage it, that's the story you'd surely want to tell.
But things are rarely what they seem. The barrage of Flame news – including word that Flame and Stuxnet appear to have common authorship -- should not be viewed in a vacuum.
A group of nations led by China, Russia and several Middle Eastern countries would love to see the end of U.S. dominance over the operational control of the Internet, and these nations think they have found their vehicle for accomplishing that: A U.N. body called the International Telecommunications Union.
The organization, which manages international telephony agreements, will meet in Dubai in December and attempt to extend its charter to take operational control of the Internet away from the U.S.-dominated nonprofit International Corporation for Assigned Names and Numbers, or ICANN.
Even as news of Flame first hit, an ITU working group was meeting in Geneva to finalize the agenda for the Dubai meeting. At almost the same time, there was a hearing in an obscure congressional subcommittee where experts rang alarm bells about an ITU coup.
The argument that the U.S. should not be in a position of power as far as overseeing the Internet will be bolstered by a world set aflame by news that the U.S. may have exploited its technological advantage to attack sovereign nations with Flame and Stuxnet.
Some technology experts say the Dubai meeting could very well decide the direction of the world's most valuable resource - information - for the rest of the 21st century: The future of Internet anonymity, free speech and perhaps freedom itself could be at stake.
"I think there is a political story that is being missed here," said Chris Bronk, a former State Department official who worked in that agency’s Office of eDiplomacy and is now a professor at Rice University. "There's much more to this. … Stuxnet was better than bombs in the short run, but this could hurt the U.S. down the road.”
Conspiracy theorists -- including several interviewed for this story who requested that their comments remain off the record -- point out that the world learned about Flame from a Moscow-based antivirus company (Kaspersky Labs), and the ITU chose Flame as the subject of its first-ever international cyber-warning, claiming for the first time an important role in cybersecurity affairs. They see the grand publicity surrounding Flame as little more than a power grab by the ITU in advance of the Dubai meeting, dubbed the World Conference on International Telecommunications (WCIT).
“If you want to be cynical, this is definitely a play by an international group to try to gain control over arguably the world’s most valuable resource,” said Paul Rohmeyer, a Stevens Institute of Technology professor who specializes in cybersecurity and international issues, and one of the few members of the conspiracy camp willing to connect the dots publicly.
But you don't have to draw such a direct connection to see the relationship between Flame and ITU's desire to find and flex new power. Kaspersky Labs, the Russian firm that continues to publish the most informative details about Flame, has a solid reputation in the security research world, and there’s no reason to believe it is acting on behalf of Russian national interests. Still, it's impossible not to view Flame -- and recent revelations about Stuxnet -- without understanding the diplomatic backdrop.
“If I were advising Russia, I would be all over the place waving these stories around,” said Eneken Tikk, formerly the legal and policy advisor for NATOs Cooperative Cyber Defense Centre in Estonia. “It seems like a great opportunity to increase pressure on talks around cyber threats to international peace and security and gather a coalition of potential victims to say, ‘We see the U.S. establishing itself on the Net in offensive way, we need an international umbrella to do something.’”
If the U.S. is guilty of escalating cyberwar by writing computer code that disabled critical Iranian computers, there is no question that forces around the globe will try to exploit the news to their own ends. While most analysts have focused on the potential that Flame invites other countries to counterattack the U.S. with similar cyber-bombs, the real threat might be the rationale it could provide for ending the free-flow of information around the Web.
“It's very concerning from a purely political standpoint. You can see why a group like ITU would be incentivized to release this news,” Rohmeyer said. “I’m guessing that's what they are trying to set up. They are building their case for internationalization. They have everything to gain and the established order, which is U.S.-based, has everything to lose.”
U.S. officials aren't blind to the threat; they've made very public warnings about it. In February, Federal Communications Commission member Robert McDowell wrote an op-ed piece in the Wall Street Journal where he criticized the ITU:
"The most lethal threat to Internet freedom may not come from a full frontal assault, but through insidious and seemingly innocuous expansions of intergovernmental powers," he wrote. "Scores of countries led by China, Russia, Iran, Saudi Arabia, and many others, have pushed for, as then-Russian Prime Minister Vladimir Putin said almost a year ago, 'international control of the Internet' through the ITU."
McDowell also testified before that congressional subcommittee on May 31, and warned that "pro-regulation" forces led by China and Russia are far more organized than U.S. allies.
"While precious time ticks away, the U.S. has not named a leader for the treaty negotiation," he said.
Some in Congress were even more blunt:
“If we're not vigilant, just might break the Internet," said Rep. Greg Walden, R-Ore.
The dire-sounding warnings aren't coming solely from U.S. government officials, either. Even the so-called “father of the Internet,” Vint Cerf, expressed grave concern that day in Congress.
“(The Dubai meeting) holds profound—and I believe potentially hazardous— implications for the future of the Internet and all of its users," he testified. "If all of us do not pay attention to what is going on, users worldwide will be at risk of losing the open and free Internet that has brought so much to so many.”
Nor is the alarm coming just from the U.S. Toomas Hendrik Ilves, president of Estonia, rang alarm bells on Friday during the International Conference on Cyber Conflict in Tallinn.
“The outcome of (the Dubai meeting), and related processes, will help determine the topography of the Web for the next two decades,” he said. “While this conference may fall into the domain of ministries of commerce and communications, make no mistake, there will be major cybersecurity ramifications. More ominously, we will face calls to limit free expression as we know it on the Web today.”
But as Western nations try to draw battle lines, the reality of Flame and Stuxnet muddies the argument considerably. The U.S. risks losing moral high ground through stories about such cyberattacks.
"When we had plausible deniability for Stuxnet, we could make the argument more easily,” Bronk said. “This completely cuts at the knees the Internet freedom agenda. How can the U.S. use clandestine cyberattack to go after a threatening regime, and then push the free agenda? "
As Rohmeyer sees it, the combination of U.S. cyberattacks and the Dubai meeting puts the Internet at “an age-old crossroads.”
What might change mean?
The ITU has its roots in an organization created during the 1860s to standardize cross-border telegraph traffic in Europe. It became a U.N. body after World War II, focused almost entirely on simplifying international telephony. Only recently has it tried to extend its charter to Internet traffic, most notably with the creation of an agency called The International Multilateral Partnership Against Cyber Threats, or IMPACT, based in Kuala Lumpur. Modeled after national computer emergency response teams, IMPACT’s stated mission is to share time-critical computer vulnerability and virus information around the globe. The U.S. has so far refused to join ITU’s IMPACT. Russia, China, Iran and about 140 other nations are members.
IMPACT tried to take the lead in international dissemination of information about Flame, using the virus as cause for its first-ever warning.
How might ITU change the way the Internet works? No one knows, of course, but there are obvious reasons for concern. Chinese officials have repeated stated they want an Internet where users must register by IP address, effectively ending anonymity and, perhaps, Internet-based uprisings.
McDowell warns that Russia, Tajikistan and Uzbekistan asked the U.N. General Assembly to create an “International Code of Conduct for Information Security” to mandate “international norms and rules standardizing the behavior of countries concerning information and cyberspace.” Even ITU’s head of corporate strategy, Alexander Ntoko, raised eyebrows earlier this year in Cancun when he predicted that anonymity online would end.
“Why countries are interested in the ITU varies. … China and Russia, their motivations are not very friendly to human rights or openness,” said Cynthia Wong, a lawyer for Center for Technology and Democracy. “Other places feel like they don't have a voice in the current process. “
One of the main criticisms of the process is a lack of transparency and the limitations on participation of non-governmental groups, according to complaints publicized but the Center for Technology and Democracy and human rights groups. But it’s clear the ITU plans new ways to raise revenue, which might lead to some form of a per-click tax, according to witnesses who testified before Congress at that May 31 hearing. wong also expects the ITU to push for mandatory standards for packet delivery – Net standards have been voluntary so far -- which could be a precursor for giving nations more control over incoming and outgoing Internet traffic at their borders.
One state, one vote
“Part of the problem with ITU process is that it's so opaque, so it is really hard to understand what might be at stake,” Wong said. “But what we do know is Russia and some of the Arab states have put cybersecurity on the table. There are proposals for greater regulation of traffic routing for security purposes. Depending on how such regulations are implemented, it could be used to justify greater intrusions on privacy and fundamentally change how the Internet currently works technically.”
In other words, such proposals would make it easier for nations to control Internet traffic.
Practically speaking, it will be difficult for ITU to grab control over the central tool governing the Web – the domain name system – in Dubai. That system is currently operated by ICANN. But a sizable block of non-U.S. countries agreeing to mandatory routing standards could still wield considerable power. Treaty negotiations are one state, one vote. The U.S. government could make a reservation with something in the treaty, but if ITU standards become mandatory, all Internet users could be impacted. One potential outcome would see a “splitting” of the Internet, where traffic from nations following one standard is denied by a bloc of nations following another.
But Wong’s chief concern currently is that groups like hers aren’t welcome in the proceedings. On May 17, the Center for Democracy and Technology and 20 other non-governmental agencies from around the world sent a letter of protest to Secretary-General Dr. Hamadoun Touré, who is running the meeting, saying “there has been scant participation by civil society” in the run-up to Dubai. But Wong thinks the influential Internet protests around SOPA demonstrate that no government agency will be able to pull a fast one on a recently empowered digital constituency.
“One of the lessons you can pull from SOPA is this: The time when governments can go behind closed doors and make important decisions about how we use the Internet is gone. That’s not acceptable anymore,” she said. “There is a community of users who are paying attention, and are really concerned about the future of the Internet. They are not going to find it acceptable anymore to use these old ways of creating laws. And it behooves governments involved in this to pay attention to that.” To that end, several groups have collaborated to create WCITLeaks.org, to encourage anonymous uploading of conference-related documents.
The experience of SOPA might make the Flame and Stuxnet sagas even more important. Could the potential for Internet users to rise up against U.N. control of the Net be blunted if the alternative seems to be continued control by the U.S., its image damaged by Flame and Stuxnet? Rohmeyer thinks so: Like many technology experts, he’s skeptical of claims that Flame is the most powerful virus ever created. As others have pointed out, Flame is so large that it’s clearly not designed for stealth operation – whoever created it almost begged for it to be found. He thinks a big part of the publicity around Flame is a function of this battle for control of the Net.
“Is the U.S. releasing viruses so powerful that it needs to lose its control of the Internet?” he said. “I don't think by itself the release of Flame rises to threshold. I’m dubious of is effectiveness, and suspicious of those claims.”
There are also open questions about ITU’s ability to take operational control over the Internet and cybersecurity.
'No country is an island on the Internet'
“The ITU has been kind of like one big group hug,” said Rohmeyer. “Do U.N. groups have a track record of success with this kind of operation? The ITU was a standard-setting body for telephony. Once you move out of the connectivity realm into operational controls – wow! That gives them an enormous amount of power. ICANN seems to be functioning. When I woke up this morning, the Internet seemed to be working. I don’t think (ITU) has been in this business before.”
Not everyone in the U.S. is against giving ITU more control over cyberspace. Jody Westby, who launched the Central Intelligence Agency’s famed In-Q-Tel technology investment arm and is now a highly sought-after U.S. cyberexpert, penned a column for Forbes last week strongly endorsing U.S. participation in IMPACT.
“No country is an island on the Internet, and the U.S. cannot expect to be able to adequately respond to cyberattacks or malware infiltrations without the input and involvement of others around the globe,” said Westby, who disclosed that IMPACT was previously a client of her consultancy firm. “The U.S.’s ‘our way or the highway’ attitude in the important area of cybersecurity appears petulant.”
She also said that, absent U.S. participation, other nations will look to Russia and China for leadership.
“The U.S. appears as the shirking nation state quietly standing on the sidelines while being accused of engaging in cyberwarfare tactics,” she said.
But Rohmeyer was was among those who wondered aloud what was in it for the U.S.
“There is no upside for the U.S. (in participation),” he said. “Is the Internet going to be managed better? Will it be more open?”
Many experts think the end result of Dubai will mean the already tense balance between bottom-up governance, where private firms dictate policy through collaboration, and top-down governance, where governments mandate Internet policies, will grow even more stressed. So will the tension between anonymity, free speech and U.S.-friendly control on one side, they say, vs. accountability, control, and Chinese/Russian/Arab interests on the other. McDowell, from the FCC, has repeatedly warned that even a positive outcome for the U.S. in Dubai offers little reason to celebrate.
“Given the high profile, not to mention the dedicated efforts by some countries, I cannot imagine that this matter will disappear,” he testified before Congress. “Similarly, I urge skepticism for the ‘minor tweak’ or ‘light touch.’ As we all know, every regulatory action has consequences.”
Phillip Hallam-Baker, writing in the online magazine CircleID, compared the balancing act to the uneasy management of the Church of the Holy Sepulchre in Jerusalem, where power is shared awkwardly among various Christian groups and squabbles are common.
“Backing ICANN appears to be the only sensible course for the U.S. But the problem with this approach is that the U.S. cannot risk ICANN itself being captured by hostile powers, and that in turn means that the U.S. cannot ever release its de facto control of ICANN,” he wrote. “It is an inherently unstable situation that is only maintained through constant vigilance on all sides. “