In 2006, a stream of embarrassing information, in the form of copies of original documents from primary sources, began to be published on the Internet. Much of the material was classified and some of it was graded ‘secret’ or ‘top secret.’ It related to such matters as expenditure in Afghanistan, corruption in Kenya and the war in Iraq. In April 2010, the website that had published these documents, wikileaks.org, uploaded footage shot from a United States AH-64 Apache helicopter. It appeared to show the crew killing innocent civilians in Baghdad. Their callous remarks, as they carried out their merciless operation, were recorded on an accompanying audio track.
The resulting shock, which was felt around the world, was as nothing, however, compared with the sheer panic that greeted the publication by Wikileaks in November 2010 of a vast cache of US State Department cables. These had been redacted before publication but they nonetheless caused a combination of outrage and terror in diplomatic circles that was unrivalled by any similar event since Lenin and Trotsky published Russia’s secret diplomatic correspondence with the Allies in 1917.
One might have thought that it would have been difficult to cap the effect of ‘Wikileaks.’ Yet, in May 2013, a series of detailed exposes, which were the result of information provided by Edward Snowden, a former employee of United States intelligence agencies, including the CIA and the NSA, were published in newspapers and magazines in the United States, Great Britain and Germany. They revealed the existence of massive internet surveillance programmes, including PRISM, XKeyscore and Tempora, which had involved a concerted and successful attempt to crack Internet encryption codes, allowing American, British and other intelligence agencies access to almost all communication on the Internet. One British programme was named ‘Mastering the Internet’ and its purpose was to ensure that data was gathered, in order to allow unparalleled access to every form of electronic communication.
In Europe, America and across the world, there was widespread revulsion at the revelation that intelligence agencies had established, apparently without any political approval, oversight or control, a system for routinely gathering and storing the private communications of hundreds of millions of people.
In tandem with this series of devastating revelations, there have been other events, which have provided further evidence of the extraordinary shift in ‘information power’ that has been taking place during the past two decades. In the Arab World, revolutions and uprisings have been both spurred and coordinated by the widespread availability and use of information technology. In parts of Europe and America too, security forces have begun to realise the immense challenge that personal communication systems, often with sophisticated encryption, can present to their attempts to maintain public order in controversial situations.
These events, and the situation in which we now find ourselves, must make us wonder not merely whether there can ever be “glad, confident morning again” but, indeed, whether anything can ever be the same now. Three questions in particular seem most pertinent, although there are many others that arise from them, some of which I will deal with later.
The first question is whether anything can still be kept secret; the second is whether, ultimately, “security” can still be imposed, and the third is whether, if the answer to either or both of the first two is “no” or even just “maybe”, what can be done about it?
There are two aspects to the damage to our confidence in secrecy that Wikileaks and Snowden represent. The first is to the idea that governments, organisations or companies can any longer expect to keep anything secret for very long. The second is whether we can ever have confidence in online secrecy and privacy if governments themselves are involved in such a concerted attempt to break the Internet’s encryption systems. These issues are both pregnant with a plethora of potential ramifications.
Both Wikileaks and Snowden represented such colossal transfers of sensitive, and often supposedly secret, information into the public domain that we must ask whether this isn’t just the tip of the iceberg. Isn’t there inevitably going to be a continuing weakness in the ability of technology to protect information, particularly if it has been gathered without the knowledge or endorsement of the populations on whose behalf surveillance and intelligence-gathering has supposedly been undertaken?
I am not an expert on the technological methods and systems that are available to intelligence agencies, governments and corporations to store large amounts of data. It is clear, however, that they are very far from watertight and, indeed, whilst there may be an improvement in the short term in information security capabilities, which will enhance data protection, ultimately, there will remain a significant, perhaps insurmountable, problem.
The intelligence and security communities in all countries are unable to keep up with the pace of change. This is most clearly demonstrated in the field of recruitment. Despite the immense budgets available to them, the agencies are increasingly unable to rely on recruiting and training the staff they need to deal with cyber-related threats themselves; for some time now, they have been actively involved in recruiting former hackers. They even attend such events as ‘Black Hat’ and sponsor “ethical hacking” challenges, in order to find suitable candidates for recruitment.
This is, no doubt, sensible or, at the very least, inevitable, given the obvious budgetary and organisational constraints. However, it does not suggest that the agencies are able to rely on an impregnable system, which will keep them immune from “the human factor” and the recurrence of another Edward Snowden or Chelsea Manning.
The technology too, I suspect, is vulnerable. At every stage of the development of the Web, hacking has comfortably kept pace with the creation of new systems of security. What is perhaps more worrying, however, is what governments themselves have done to undermine secrecy and the security of the Web.
Sir Tim Berners-Lee, the creator of the Internet, famously said that his creation was “for everyone.” And, across the world, it has almost already become something upon which everyone is more or less dependent. It has taken such a central place in the lives of so many billions of people that it might almost be said to have assumed the importance in the modern world of something as fundamental as energy. Certainly, no modern economy could now afford to be without it.
Yet the attempts of those Governments which have sought to “master the internet” and to harvest its secrets for themselves have been dangerously counter-productive. “Governments have elevated the fight against organized hacking and militarized cyber-attacks to the rank of a top national security concern,” says Sir Tim Berners-Lee. “At the same time, they have aided cyber-criminals by weakening encryption.”
Their actions, however, have also had a wider and much more chilling effect on people’s trust in the secrecy and privacy of the web. As Sir Tim says: “The chilling effect is where the teenager does not click on the button and ends up being misinformed. Or when somebody does not want to admit they are depressed and commits suicide because they are worried they were being watched when they clicked on a site. The chilling effect is when people know something is wrong but don’t report it because they fear it will damage their career or put them in jail.”
A possible consequence of this may well be the creation of so-called “walled gardens,” where individual countries or regions try to put themselves beyond the reach of other countries’ surveillance systems. This is something that would destroy the fundamental basis of the Internet and undermine much of its benefit.
What then is to be done?
The first thing, clearly, is to recognise, at the highest international levels, the absolutely fundamental importance of the Internet to modern life and to modern economies. Education, finance, health, travel, development, recreation and almost every aspect of modern life is now inextricably bound up with the Internet. To cause its unravelling would create an unparalleled economic and social catastrophe.
It is surely time for its importance to be properly recognised at an international level and to give it the status of an asset protected by international law. We need an international system of protection to underpin the Internet, providing appropriate safeguards and sanctions, so that confidence is restored and the Web can continue to expand for the benefit of all humanity.
In the meantime, however, governments and corporations might be well advised to assume that we have arrived at the end of secrecy or, at least, that secrecy is not a ‘given.’ The reason they should make this assumption is the same reason that underlines the modern security equation in an age of widely available information technology: both secrecy and security are impossible to maintain without consent.
Such an assumption has many potentially significant consequences, the most fundamental of which perhaps relate to education and training. Governments, corporations, institutions and organisations need now to assume that they exist in an environment of inevitable transparency. They know “even as they are known.” Formerly, as it were, we saw them “through a glass darkly but now face to face.”
This must inevitably mean a huge change in operating standards and procedures. Civil servants, officials and employees will have to understand, and be trained to work in, conditions of much greater transparency. Governments and companies will have to cope with greater public scrutiny and interaction, where their standards and performance are monitored by citizens and consumers who hold increasing power.
This will not be a bad thing for either governments or corporations and it may even help them to realise that a proper, verifiable international agreement about the status of the Internet, and the right to privacy of users of it, is a cause well worth championing and one which most of their citizens will rightly expect them to support.
Dr Harold Elletson is the Chairman of The New Security Foundation. This is article is an edited version of a presentation given at the ‘Security and Defence Learning’ session during Online Educa Berlin in December 2013.