Crypto-geographies and the Internet of Things

Secret codes have long fascinated people. According to Secret History, a new history of cryptology by Craig Bauer, who was Scholar-In-Residence at the NSA Center for Cryptologic History in 2011-12, cryptography predates the Greeks. Many of these ciphers were relatively simple by today’s standards, involving either transposition or substitution (respectively systems where the letters are moved but not replaced, and where the letters are replaced, eg., A is replaced by Z, etc).

The now fairly well-known Enigma machine, deciphered by British scientists at Bletchley Park (and the subject of many books and a couple of movies) is pictured above. This was a German system of ciphering, used by the German Nazi regime during WWII. Less well-known (but undeservedly so) are the decryptions by the NSA and its predecessor group (The US Army Signals Intelligence Service located at Arlington Hall, a former girl’s school in Virginia) of the so-called Venona traffic. Venona refers to the project to decrypt Soviet diplomatic communications with its agents in the USA and elsewhere. These encrypted messages often referred to codenames of American spies working for the Soviets during the war. With the help of investigations by the FBI the US government was able to identify many of these people, based on the partial decryptions. According to the NSA and most (but not all) historians, these included Julius and Ethel Rosenberg, Klaus Fuchs, and several serving OSS personnel.

The Soviets were tipped off to the fact that the US was decrypting their messages (probably by Kim Philby, the British spy who was posted to the US for a time), and stopped using their one-time encryption pads. Nevertheless the project to decrypt the messages continued until the early 1980s, eventually yielding about 2,900 partially decrypted messages. They remained a closely guarded secret long after their operational worth had dwindled, and it was only with the publication in 1987 of Spycatcher, by Peter Wright, a former British intelligence officer, that the project was referred to by its codename in public. (Publication of Spycatcher was embargoed by Margaret Thatcher’s government in the UK, but Wright succeeded in publishing it in Australia anyway.)

Some terms: “Cryptography” is the science (and art) of creating ciphers. “Cryptanalysis” is the effort of deciphering them without the key. “Cryptology” is both of these, to include the assessment of the security of a cipher, comparing ciphers and so on. The words are Greek from kryptos (κρυπτός) meaning hidden, secret.

Is there such a thing as cryptologic geographies? If not, could there be, and of what would it consist? In other words, are there (non-trivial) geographies of encryption? Here are some ideas.

One of my earliest ideas of this was a geography of https, the secure version of web-browsing (now coming into vogue but still greatly variable). The New York Times recently laid down a challenge to make https default by the end of 2015 if other media companies would do the same. This is non-trivial, because if encrypted messages are more secure than non-encrypted ones, then the latter will reveal weaknesses in the internet. These weaknesses could be exploited. Second, if you are sending emails and other communications over the internet in non-encrypted form, then this is easier for governments to intercept and monitor.

And this is not just to do with messages you write, but also other parts of the personal datastream. For example, your location. What if you could record, but encrypt your geolocation to take advantage of services offered by apps (eg Google Maps) in such a way that they could not be intercepted, decrypted and exploited by third parties (including the government)? Would this mean that the web and internet would “go dark” as officials warn? And would criminals and terrorists be afforded protection in those dark spaces? That was certainly the message of the Attorney General and the FBI Director a few days ago in response to plans by Apple and Google to implement better encryption. AG Holder:

said quick access to phone data can help law enforcement officers find and protect victims, such as those targeted by kidnappers and sexual predators.

Justice Department officials said Holder is merely asking for cooperation from the companies at this time.

And how universal would this advantage to users, potential criminals and law enforcement be? And would those places where one of these had an advantage necessarily overlap with the others? That is, what would be the differential access to encryption from place to place or group to group–a digital divide of encryption?

Is there a political economy of encryption? Who are the companies and individuals working on encryption in the commercial sector? To what extent is there movement between the private and public sectors of both cryptology expertise and personnel? Further, to what extent is there better crypotography in the government and intelligence community than there is in the commercial sector? What are the implications of allowing backdoors to encryption algorithms that can “only” be broken by the government but not by third parties? (I’m thinking here of the well-known proposal in the 1990s for the “Clipper Chip” which allowed just such a backdoor for the NSA but was met with such opposition that it was not implemented.) Is such a backdoor safe from third party hacking, and if so, for how long? (And what is an acceptable definition of “safe” here?). A geographical analysis of these questions would imply some access to where and who has installed the systems in question, which might be provided by basic research efforts such as those carried out at the Oxford Internet Institute by Mark Graham and his colleagues.

Do other computer systems have vulnerabilities? That is, ones without designed-in backdoors? If so, where are they? When it comes to exploits and vulnerabilities, what are the implications of announcing them vs. hoarding them (eg, so-called zero-day exploits)? Is there differential access to knowledge about exploits and vulnerabilities? Where? Again, who makes money off this? What is the crypto- value-chain?

Speaking of hacking; there are a huge array of secret attempts (and thus crypto- if not cryptologic) to break into, disrupt, or exploit systems (and an equally expansive range of countermeasures). The Department of Defense has estimated there may be up to 10 million hacking attacks per day. Most of these are probably automated scans, according to Adam Segal, a cybersecurity expert at the Council on Foreign Relations.

What systems are vulnerable to these exploits, and what exploits are being carried out? Here we could examine mundane events such as DDOS, where antagonists attempt to bring down a web server to deny its proper function, to more exotic events such as the US/Israeli Stuxnet virus meant to disrupt Iranian nuclear programs (but which had effects well beyond Iran once the virus was in the wild). (For more on this virus/worm, see the Stuxnet Dossier [pdf] compiled by Symantec.)

We often hear in the news that certain countries (Russia, China) are more responsible for intrusions and exploits than others, but I’m not aware of any detailed work on this sort of cryptogeography. The recent JP Morgan vulnerability affected more than 83 million US households (who? why?), according to the NYT, and actually included another 9 banks not previously reported. The NYT also said the attack was carried out by hackers having “at least loose connections with officials of the Russian government.” But that is a very imprecise and sketchy account. Just recently, a new poll showed bipartisan low levels of confidence among Americans in the “government’s ability to protect their personal safety and economic security.” Here government is arguably failing at its job of providing security. Ferguson and domestic homicides were mentioned specifically in the AP story. Do people feel threatened by the JP Morgan hacks, the Target and other breaches?

There is surely a whole economy of knock-on effects that result from this; so again, we can speculate about a political economy of crytogeographies.

What would a better map of hacking attempts look like? Security companies and telcos track these data, as for example in this map created by Norse which describes itself as “a global leader in live attack intelligence.” Who is this company? How do they earn their money? More importantly, what is the nature of this market sector more generally?

mass-attack-norse-map-100315099-orig
(Click for live version.)

The above map however is to a large extent a misrepresentation because it only shows attacks on their honeypots, not the entirety of the internet, or even the entirety of a particular region or network.

A similar visualization, again covering the globe by country, is offered by Kaspersky Labs.

ScreenClip1
(Click for live version)

These are not per se all that analytically valuable, although they are visually striking (if somewhat derivative).

What do these attacks do, and to whom do they do it? It would be interesting to do a geopolitical analysis of the Stuxnet worm here, which has received a fair amount of coverage. Stuxnet would make an interesting case study, although it remains to be seen how representative it is (being created by state actors against the nuclear capabilities of another state). As stated above, most attacks are undirected and opportunistic. A Congressional Research Services (CRS) Report on Stuxnet examined the national security implications of the attack, and of course there is a long history of the study of cyberattacks and cyberwarfare going back several decades. But I’m not aware that geographers have contributed to this literature in a geopolitical sense.

For some, these concerns are especially paramount in the context of smart cities, big data and automated (“smart”) controls–including the so-called smart grid and the Internet of Things (IoT). Take utilities and smart meters for instance. There are minimally two concerns–that hackers could access smart controls and take command of critical infrastructure, and second, that data held in smart meters may be legally accessible under surveillance laws by the government. Another CRS report in 2012 warned that current legislation “would appear to permit law enforcement to access smart meter data for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA)”. Although we hear a lot about surveillance of phone and internet communications, there is as yet much less on surveillance of other big data sources. Luckily I have a paper coming out on that topic but needless to say much more needs to be done.

Cryptologic geographies would appear to be a fertile field for investigation. Broadly conceived to include geopolitical implications, big data, regulation and policy, governance, security, the Internet of Things, cybergeographies, and justice, there is a need for intervention here to both clarify our understanding, and intervene in policy and political debate. Certainly other scholars are already doing so (eg., Internet Governance Project paper on whether cyberwarfare is a new Cold War, pdf).

The mass of connected computer systems and devices known as the Internet of Things will surely only intensify issues of security, encryption and governance. The crypto-geographies of these are highly important to sort through. This post is an attempt to highlight what issues are at stake and to provide some initial ideas.

2 responses to “Crypto-geographies and the Internet of Things

  1. Pingback: Bruce Schneier on iPhone cryptography | Open Geography

  2. Pingback: Cyberwarfare and Encryption | Open Geography

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s