On Thursday, Amnesty International released a new tool called Detekt to tell if there's government spyware on your computer. It's basically an anti-virus scan, but the bugs it's looking for are really nasty. They're advanced bugs, designed to hijack your accounts and eavesdrop on your Skype calls, typically used by countries like Bahrain, Egypt, and Vietnam to crack down on people they don't like.
If you found spyware on your computer tomorrow, the NSA would not help you
It's unlikely that anyone reading this has been targeted by one of these bugs, but it's worth thinking about what would happen if you were. The US government is spending tens of billions of dollars a year to defend the nation from digital attacks, so you might imagine that it would come to your rescue, in the same way it would if a squad of North Korean commandos tried to abduct you from your home. But cyberspace works by different rules. There’s no border to defend, no idea of national sovereignty. To the network, the Egyptian secret police don’t look that different from run-of-the-mill Russian scammers.
So if you found spyware on your computer tomorrow, the NSA would not help you. Maybe you could reach someone at the FBI who cared, but I wouldn't bet on it. US Cyber Command is designed to defend military and government infrastructure. When James Clapper talks about defending the nation from cyberattack, these are the people he means. Everyone else is on their own. When the New York Times was attacked by state-sponsored Chinese hackers in 2013, it was a private firm called Mandiant that dug them out, not law enforcement. As governments build more and more sophisticated defenses, they also turn more and more towards relatively defenseless civilian targets. The result is governments on both sides hacking civilians, and no one bothering to play defense.
What's the arms race good for if it can't protect people?
In fact, most of the cyberdefense money is actively making things worse. The techniques behind these weapons were all actively developed by organizations like the NSA before trickling out to more oppressive regimes. The same agencies are lobbying against encryption that might protect your conversations from being stolen, and planting backdoors in the algorithms you might use to encrypt your files. They're buying up software vulnerabilities and keeping them secret, leaving the door open for anyone who discovers them in the future.
I don't expect anyone reading this will find anything on their computer — just like I don't expect to be abducted by North Korean commandos. But laying it out, I find myself getting angry. If cyber-defense isn't about defending you, then what's it about? Why are we developing and deploying these weapons if we can't defend against them? What's the arms race good for if it can't protect people? But these are weapons, and weapons are their own reason.
This logic is why groups like Amnesty don't like the term "cyberwar." War makes it sound like two sides, America vs. China, each playing offense and defense together. But the reality is all offense, all collateral damage. We're building better and better weapons, protecting the most powerful parts of society from attack, then leaving everyone else to fend for themselves. It isn't America vs. China, and it isn't cops vs. robbers. It's boots vs. faces.
I'm with the faces.