Signals Intelligence isn’t just an intelligence methodology, it’s a great business. SIGINT means huge procurements – servers, administrators, electricity, data-centers, cooling – while HUMINT involves sending a lot of your friends into harm’s way, potentially never to return.
We are indeed in the “golden age of SIGINT”. Despite security services’ claims that terrorists are “going dark” with unbreakable encryption, the spooks have done much to wiretap the whole Internet.
The UK spy agency GCHQ really tipped their hand when they called their flagship surveillance program “Mastering the Internet.” Not “Mastering Cybercrime,” not “Mastering Our Enemies.” Mastering the Internet – the very same Internet that everyone uses, from the UK’s allies in the Five Eyes nations to the UK Parliament to Britons themselves. Similarly, a cursory glance at the logo for the NSA’s Special Source Operations – the fiber-tapping specialists at the NSA – tells the whole story.
If the NSA’s decision to launch SSO had been attended by a nightly news broadcast featuring that logo, it would have been laughed out of the room. The program depended on the NSA telling its story to itself, and not to the rest of us. The dotcom boom would have been a very different affair if the major legislative debate of the day had been over whether to allow the surveillance agencies of Western governments to monitor all the fiber cables, and harvest every click and keystroke they can legally lay claim to, parcel it into arbitrary categories like “metadata” and “content” to decide what to retain indefinitely, and to run unaccountable algorithms on that data to ascribe secret guilt.
As a result, the entire surveillance project has been undertaken in secrecy, within the bubble of people who already think that surveillance is the answer to virtually any question. The surveillance industry is a mushroom, grown in dark places, and it has sent out spores into every corner of the Internet, which have sprouted their own surveillance regimes.
We need cyber defense and we need it badly. But for the security services to shine, they’d have to spend all their time patching up the leaky boat of networked security, while their major project for a decade and more has been to discover weaknesses in the network and its end-points and expand them, adding vulnerabilities that they can weaponize against their adversaries – leaving these vulnerabilities wide open for their adversaries to use in attacking us.
The NSA and GCHQ have weaponized flaws in router operating systems, rather than telling the vendors about these flaws, leaving the world’s electronic infrastructure vulnerable to attack by the NSA and GCHQ’s adversaries. Our spies hack core routers and their adversaries’ infrastructure, but they have made themselves reliant upon the continuing fragility and insecurity of the architectures common to enemy and ally alike, when they could have been making us all more secure by figuring out how to harden them.
The security services are a system with a powerful accelerator and inadequate brakes. They’ve rebranded “terrorism” as an existential risk to civilization (rather than a lurid type of crime). The War on Terror is a lock that opens all doors. As innumerable DEA agents have discovered, the hint that the drug-runner you’re chasing may be funding terror is a talisman that clears away red-tape, checks and balances, and oversight.
The story of terrorism is that it must be stopped at all costs, that there are no limits when it comes to the capture and punishment of terrorists. The story of people under suspicion of terrorism, therefore, is the story of people to whom no mercy is due, and of whom all cunning must be assumed.
Within the security apparatus, identification as a potential terrorist is a life sentence, a “FAIR GAME” sign taped to the back of your shirt, until you successfully negotiate a kafka-esque thicket of secretive procedures and kangaroo courts.
The next document is the “HIMR Data Mining Research Problem Book,” a fascinating scholarly paper on the methods by which the massive data-streams from the deep fiber taps can be parsed out into identifiable, individual parcels, combining data from home computers, phones, and work computers.
It was written by researchers from the Heilbronn Institute for Mathematical Research in Bristol, a ”partnership between the UK Government Communications Headquarters and the University of Bristol.” Staff spend half their time working on public research, the other half is given over to secret projects for the government.
The story the Problem Book tells is of scholars who’ve been tasked with a chewy problem: sieving usable intelligence out of the firehoses that GCHQ has arogated to itself with its fiber optic taps.
Somewhere in that data, they are told, must be signatures that uniquely identify terrorists. It’s a Big Data problem, and the Problem Book, dating to 2010, is very much a creature of the first rush of Big Data hype.
The problem with this is that once you accept this framing, and note the happy coincidence that your paymasters just happen to have found a way to spy on everyone, the conclusion is obvious: just mine all of the data, from everyone to everyone, and use an algorithm to figure out who’s guilty.
The bad guys have a Modus Operandi, as anyone who’s watched a cop show knows. Find the MO, turn it into a data fingerprint, and you can just sort the firehose’s output into ”terrorist-ish” and ”unterrorist-ish.”
Once you accept this premise, then it’s equally obvious that the whole methodology has to be kept from scrutiny. If you’re depending on three ”tells” as indicators of terrorist planning, the terrorists will figure out how to plan their attacks without doing those three things.
This even has a name: Goodhart’s law.
Much of the paper deals with supervised machine learning, a significant area of research and dispute today. Machine learning is used in “predictive policing” systems to send cops to neighborhoods where crime is predicted to be ripening, allegedly without bias. In reality, of course, the training data for these systems comes from the human-directed activity of the police before the system was set up. If the police stop-and-frisk all the brown people they find in poor neighborhoods, then that’s where they’ll find most of the crime. Feed those arrest records to a supervised machine algorithm and ask it where the crime will be and it will send your officers back to the places where they’re already focusing their efforts: in other words, “predictive policing” is great at predicting what the police will do, but has dubious utility in predicting crime itself.
Most people – including most people like these kids – are not terrorists. You can tell, because we’re not all dead. An indiscriminate surveillance dragnet will harvest far more big talkers than bad guys. Mass surveillance is a recipe for creating an endless stream of Arars, and each Arar serves as inspiration for more junior jihadis.
I worry about “cybersecurity,” I really do. I know that kids can do crazy things. But in the absence of accountability and independent scrutiny, the security services have turned cyberspace into a battleground where they lob weapons at one another over our heads, and we don’t get a say in the matter. Long after this round of the war on terror is behind us, we’ll still be contending with increasingly small computers woven into our lives in increasingly intimate, life-or-death ways. The parochial needs of spies and the corporations that supply them mustn’t trump the need for a resilient electronic nervous system for the twenty first century.