Mikko Hypponen has a mea culpa about Flame that is worth reading. The F-Secure chief believes that antivirus companies, including his own, failed to detect Flame and that this failure has broader implications:
The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers, and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.
In short: all of the AV gear in the world is not going to protect you when a well-resourced state intelligence service is trying to execute a zero-day exploit against your systems, just like even the most expensive private security would not save your life if the Navy SEALs came for you like they did for Bin Laden. This is significant, not only for network defense, but also for the way we think about power and security online. Simply put: states are dominant in cyberspace. States are the primary threats precisely because of their greater resources and ability to generate political and military outcomes. State power, is of course, not total in cyberspace, just as there are many offline disruptions of power and sovereignty that still nonetheless leave states as the primary actors within the international system.
Richard Stiennon reinforces this message with his latest Forbes blog on the consequences of Stuxnet. Operation Olympic Games, Stiennon argues, risks creating a tension between the worldwide IT industry, which focuses on providing cyber defenses to all, and the US government, which seeks to develop offensive cyber capabilities for covert action and military operations. Stiennon predicts that the US government, should it desire, may clamp down on AV vendors in order to deprive likely targets of defensive capabilities. Law enforcement and intelligence agencies have demanded backdoors in everything from encryption to social network profiles. Finally, the SOPA/PIPA mess also illustrates the degree to which governments have far-reaching powers to regulate cyberspace. Cyberspace is often analogized to the Wild West, but one forgets that in the real West the US government eventually developed formidable political, military, and law enforcement coercive powers to enforce its writ.
While this might seem like common sense, it runs against one of the Web’s strongest prevailing mythos. In 1996, John Perry Barlow declared that cyberspace itself was independent and could never be tamed by government:
Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather. We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.
Now, some caveats: Barlow did not mean that cyberspace was literally independent. But the basic utopian spirit of his declaration spread throughout the technorati. Glib slogans like “Information wants to be free” and “the Internet routes around censorship” melded with a myth of “Twitter Revolutions” during the 2009 Iranian election crisis and the Arab spring. The idea that there is something sacred in information freedom is the closest thing that can be called a motivating principle for Anonymous. But Barlow’s successors confused an admirable normative idea of how information power should be–the Internet should not be hobbled by government regulation–into an assessment of the actual relationship between state and non-state entities in the information sphere. In other words, Barlow’s declaration of independence of cyberspace is looking more and more like the cyber equivalent of Paris Commune today. Beautiful and admirable, for sure. But also incredibly fragile.
Does this mean that government is in firm control of cyberspace or should exercise complete control? No to both questions. As Tim Stevens observed, cyberspace provides opportunities for infringement of sovereignty every nanosecond. Anonymous’ success at the expense of the feds and the constant foreign criminal and intelligence service intrusion in both government and corporate systems. And the prosperity cyberspace has delivered is imperiled, or at least heavily complicated, by a tight government rein and the second and third-order effects of offensive cyberwarfare efforts. But as a statement of day-to-day truth, Uncle Sam is the “strongest tribe” in the Internet’s Wild West where it counts.