Tamsin Shaw
The Darkening Web: The War for Cyberspace by Alexander Klimburg
The Darkening Web:
The War for Cyberspace by Alexander Klimburg. Penguin, 420 pp., $30.00
The big Silicon Valley technology companies have long been viewed by much of the American public as astonishingly successful capitalist enterprises operated by maverick geniuses. The largest among them—Microsoft, Apple, Facebook, Amazon, and Google (the so-called Big Five)—were founded by youthful and charismatic male visionaries with signature casual wardrobes: the open-necked blue shirt, the black polo-neck, the marled gray T-shirt and hoodie. These founders have won immense public trust in their emergent technologies, from home computing to social media to the new frontier, artificial intelligence. Their companies have seemed to grow organically within the flourishing ecology of the open Internet.
Within the US government, the same Silicon Valley companies have been considered an essential national security asset. Government investment and policy over the last few decades have reflected an unequivocal confidence in them. In return, they have at times cooperated with intelligence agencies and the military. During these years there has been a constant, quiet hum of public debate about the need to maintain a balance between security and privacy in this alliance, but even after the Snowden leaks it didn’t become a great commotion.
The Big Five have at their disposal immense troves of personal data on their users, the most sophisticated tools of persuasion humans have ever devised, and few mechanisms for establishing the credibility of the information they distribute. The domestic use of their resources for political influence has received much attention from journalists but raised few concerns among policymakers and campaign officials. Both the Republicans and the Democrats have, in the last few election cycles, employed increasingly intricate data analytics to target voters.
Private organizations, too, have exploited these online resources to influence campaigns: the Koch brothers’ data firm, i360, whose funding rivals that of both parties, has spent years developing detailed portraits of 250 million Americans and refining its capacities for influence operations through “message testing” to determine what kinds of advertisements will have traction with a given audience. It employs “mobile ID matching,” which can link users to all of their devices— unlike cookies, which are restricted to one device—and it has conducted extensive demographic research over social media. Google’s DoubleClick and Facebook are listed as i360’s featured partners for digital marketing. The firm aims to have developed a comprehensive strategy for influencing voters by the time of the 2018 elections.
Only in recent months, with the news of the Russian hacks and trolls, have Americans begun to wonder whether the platforms they previously assumed to have facilitated free inquiry and communication are being used to manipulate them. The fact that Google, Facebook, and Twitter were successfully hijacked by Russian trolls and bots (fake accounts disguised as genuine users) to distribute disinformation intended to affect the US presidential election has finally raised questions in the public mind about whether these companies might compromise national security.
Cyberwarfare can be waged in many different ways. There are DDoS (distributed denial of service) attacks, by which a system is flooded with superfluous traffic to disrupt its intended function. The largest DDoS attack to date was the work of the Mirai botnet (a botnet is created by hacking a system of interconnected devices so they can be controlled by a third party), which in October 2016 attacked a company called Dyn that manages a significant part of the Internet’s infrastructure. It temporarily brought down much of the Internet in the US. There are also hacks designed to steal and leak sensitive materials, such as the Sony hack attributed to North Korea or the hacking of the DNC’s e-mail servers during the 2016 election. And there are attacks that damage essential devices linked to the Internet, including computing systems for transportation, telecommunications, and power plants. This type of attack is increasingly being viewed as a grave threat to a country’s infrastructure.
The military once used the term “information warfare” to refer to any cyberattack or military operation that targeted a country’s information or telecommunications systems. But the phrase has come to have a more specific meaning: the exploitation of information technology for the purposes of propaganda, disinformation, and psychological operations. The US is just now beginning to confront its vulnerability to this potentially devastating kind of cyberattack.
This is the subject of Alexander Klimburg’s prescient and important book, The Darkening Web: The War for Cyberspace, written largely before the revelation of Russian interference in the 2016 election. With its unparalleled reach and targeting, Klimburg argues, the Internet has exacerbated the risks of information warfare. Algorithms employed by a few large companies determine the results of our web searches, the posts and news stories that are featured in our social media feeds, and the advertisements to which we are exposed with a frequency greater than in any previous form of media. When disinformation or misleading information is fed into this machinery, it may have vast intended and unintended effects.
Facebook estimated that 11.4 million Americans saw advertisements that had been bought by Russians in an attempt to sway the 2016 election in favor of Donald Trump. Google found similar ads on its own platforms, including YouTube and Gmail. A further 126 million people, Facebook disclosed, were exposed to free posts by Russia-backed Facebook groups. Approximately 1.4 million Twitter users received notifications that they might have been exposed to Russian propaganda. But this probably understates the reach of the propaganda spread on its platform. Just one of the flagged Russian accounts, using the name @Jenn_Abrams (a supposed American girl), was quoted in almost every mainstream news outlet. All these developments—along with the continued rapid dissemination of false news stories online after the 2016 election, reports by Gallup that many Americans no longer trust the mainstream news media, and a president who regularly Tweets unfounded allegations of “fake news”— have vindicated Klimburg’s fears.* Klimburg argues that liberal democracies, whose citizens must have faith in their governments and in one
*See Art Swift, “Americans’ Trust in Mass Media Sinks to New Low,” Gallup News, September 14, 2016. another, are particularly vulnerable to damage by information warfare of this kind. And the United States, he observes, is currently working with an extremely shallow reservoir of faith. He cites Gallup polls conducted prior to the election of Donald Trump in which 36 percent of respondents said they had confidence in the office of the presidency and only 6 percent in Congress. We have no reason to believe that these numbers have subsequently increased. The civic trust that shores up America’s republican political institutions is fragile.
Klimburg gives a fascinating diagnosis of how this situation has been inflamed. He describes a growing tension in the US over the last twenty years, coming to a head under Obama, between the perception of the Internet and its reality. The Silicon Valley corporations have attained their global reach and public trust by promoting the Internet as a medium for the free exchange of information and ideas, independent of any single state’s authority. Since almost all trade in and out of the US now relies on the information transfers that these Silicon Valley companies facilitate, this perception of independence is economically essential. The country’s largest trading relationship, with the European Union, is governed by the Privacy Shield agreement, which assures EU companies that data transfers will be secured against interference and surveillance.
In Obama’s International Strategy for Cyberspace, released on May 16, 2011, he described the Internet as a democratic, self-organizing community, where “the norms of responsible, just and peaceful conduct among states and people have begun to take hold.” When Edward Snowden’s revelations about NSA surveillance and the collection of metadata threatened to compromise this agreement, Obama issued Presidential Policy Directive 28, which set out principles for “signals intelligence activities” compatible with a “commitment to an open, interoperable, and secure global Internet.” Martin Libicki, a researcher at the RAND corporation, the global policy think tank, has had an important part in restraining offensive initiatives at the Department of Defense. His aim is to restrict America’s capabilities to what is required for defense against cyberattacks. Klimburg himself adheres closely to Libicki’s general view, expressed in several RAND reports, that the US needs to maintain a perception of itself as one of the “free Internet advocates”—in contrast to “cyber-sovereignty adherents” such as Russia and China, which aim above all to control cyberspace and its influence over their citizens.
But Klimburg’s book warns us that the facts too frequently contradict this view. In his account, America’s military and intelligence agencies have always considered cyberspace a site of potential conflict and sought global dominance over it. Throughout the 1990s, the US military had intensive discussions about the various ways in
which these new technologies might be applied to traditional forms of warfare. They were particularly concerned with psychological warfare, which might be used, for example, to weaken an enemy army’s resolve to fight or to bring down national leaders by eroding their popular support.
Only a year before the release of Obama’s International Strategy for Cyberspace, Russia’s Kaspersky Lab had discovered the Stuxnet virus, a malicious worm originally built as a cyberweapon by the US and Israel. It was intended to disrupt Iran’s nuclear program (by infecting the control systems used to operate its centrifuges, causing them to malfunction and explode), but subsequently spread across the globe. This attack, along with Obama’s establishment of US Cyber Command alongside the National Security Agency in 2009, signaled to other states that the US intended to use the Internet for offensive purposes.
What concerns Klimburg most, though, is the extent to which US government agencies are prepared and willing to mislead the American people about its own cyber initiatives. Such disinformation creates exactly the kind of confusion that liberal states vulnerable to psychological and information warfare urgently need to avoid. This sort of deceit is now a crucial aspect of US policy and defense strategy. Klimburg suggests, for example, that the details about America’s extraordinary intelligence-gathering programs, which Bob Woodward disclosed in his book Obama’s Wars (2010), had been deliberately leaked to him as a warning to adversaries—an attempt on the government’s part to impress the extent of US cyber power upon the rest of the world.
At the same time, other government agencies have sought to maintain a view, both domestically and internationally, of the Internet as a domain of cooperation, not conflict. The language employed in official cyber strategy documents, Klimburg tells us, is deliberately obfuscatory. The 2015 Defense Department statement of its cyber-strategy used terminology such as “Offensive Cyber Effects Operations” but gave no indication of what that term included or excluded. Fred Kaplan, in his book Dark Territory: The Secret History of Cyber War (2016), has also claimed that even in the early days of cyber-operations at the NSA, under Michael Hayden’s command, the already tenuous distinction between defensive and offensive operations was deliberately elided.
Klimburg suggests that a healthy democracy needs much greater transparency about its cyber-policy. The government could provide its citizens with clear, unambiguous principles concerning the collection of signals intelligence, the development of offensive and defensive cyber-capabilities, their relation to traditional military strategy, and the evolving relationship between the intelligence community and the military. The American public might come to have more trust in the government, for example, if it only used psychological cyber-operations to win over “hearts and minds” in military zones— such as the locally informed and culturally specific influence campaigns used as counterinsurgency measures in Afghanistan—rather than manipulating popular beliefs more broadly and in less controlled ways. Klimburg is not greatly concerned by the burgeoning power of the private corporations, like those in Silicon Valley, that run the online platforms on which the government’s influence operations take place. In his view they are independent and have purely commercial interests. But if we want to understand the growing imbalance of power in online persuasion, we might ask more questions than he does about the carefully guarded lack of transparency with which the titanic Silicon Valley companies operate. The interests that now guide what technologies they produce are not entirely commercial ones. The national security community has exploited the private sector to help develop America’s immense cybercapabilities. In doing so it has placed an extraordinary array of potential cyberweapons in the hands of unaccountable private companies.
The Internet, as is well known, owes its origins to DARPA (the Defense Advanced Research Projects Agency), the agency responsible for establishing and cultivating new military technologies. According to the “free Internet” narrative encouraged by Obama, Silicon Valley, and the Defense Department, the Internet technologies we use, from software to social media platforms, are controlled by the private sector. However, when DARPA boasts online about the technologies whose research and development it has sponsored, it lists, along with the Internet, the graphical user interfaces that allow us to interact with our devices, artificial intelligence and speech recognition technologies, and high-performance polymers for advanced liquid crystal display technology. These technologies encompass every aspect of the smartphone. Our online lives wouldn’t be possible without the commercialization of military innovations.
DARPA offers early funding, often to academics and researchers rather than private corporations, to develop new technologies for national security purposes, but the economic relationship between Silicon Valley and the national security community extends much further than that. One aspect of that relationship is detailed in Linda Weiss’s America Inc.?: Innovation and Enterprise in the National Security State (2014). Weiss describes the development in Silicon Valley of a hybrid public/private economy in which the government assists in the creation of new technologies it needs for national security operations by investing in companies that can also commercialize these technologies.
Government agencies have mitigated risk and even helped to create markets for companies whose products, while ostensibly strictly civilian and commercial, satisfy their own needs. The driverless car industry will incorporate, test, and improve technologies devised for missile guidance systems and unmanned drones. Facial recognition software developed by intelligence agencies and the military for surveillance and identity verification (in drone strikes, for example) is now assuming a friendly guise on our iPhones and being tested by millions of users. The government has used various mechanisms to fund these projects. The Small Business Innovation Research program (SBIR), Weiss tells us, “has emerged as the largest source of seed and early-stage funding for high-technology firms in the United States,” investing, at the time of writing, $2.5 billion annually. This investment—the national security agencies supply 97 percent of funding for the SBIR program—not only serves as a form of government “certification” for private venture capitalists, it also provides an incentive for invention, since SBIR asks for no equity in return for its investment.
Silicon Valley has also been profoundly shaped by venture capital funds created by government agencies. The CIA, Defense Department, Army, Navy, National Geospatial-Intelligence Agency (NGIA), NASA, and Homeland Security Department all have venture capital at their disposal to invest in private companies. Weiss quotes a Defense Department report to Congress in 2002 explaining the aim of its initiatives:
The ultimate goal is to achieve technically superior, affordable Defense Systems technology while ensuring that technology developed for national security purposes is integrated into the private sector to enhance the national technology and industrial base.
The direction of technological development in the commercial sector, in other words, is influenced by the agenda of government agencies in ways largely unknown to the public.
It’s not difficult to trace, for example, the profound influence of In-Q-Tel, the CIA’s wildly successful venture capital fund, which has sometimes been the sole investor in start-ups but now often invests in partnerships with the Big Five. In-Q-Tel was the initial sole investor in Palantir Technologies, Peter Thiel’s software company specializing in big data analysis. A branch of the company called Palantir Gotham, which specializes in analysis for counterterrorism purposes, has won important national security contracts with the DHS, FBI, NSA, CDC, the Marine Corps, the Air Force, and Special Operations command, among other agencies.
But In-Q-Tel’s achievements are also familiar to us in more mundane forms: Google Earth originated in an In-QTel sponsored company called Keyhole Inc., a 3-D mapping startup also partially owned by the NGIA. The cloud technology on which we all increasingly rely is being developed by companies like Frame, which is jointly funded by In-Q-Tel, Microsoft, and Bain Capital Ventures. Soon we will be able to use our computers to interact with 3-D holographic images, thanks to another In-Q-Tel–sponsored company, Infinite Z. Another of their companies, Aquifi, is producing scanners that can create a color 3-D model of any scanned object.
Since many of the startups in which government agencies invest end up being absorbed by the Big Five, these companies all now have close relationships with the defense and intelligence agencies and advise them on technological innovation. Eric Schmidt, the former executive chairman of Alphabet, Inc., chairs the Pentagon’s Defense Innovation Board (Jeff Bezos formerly served on it too), which in a January 2018 report recommended encouraging tech entrepreneurship within the military. The goal would be to create “incubators” like those used in the business and tech worlds that would help develop startups targeted to new defense needs, such as big data analysis. The US government has supported the monopolies of the Big Five companies partly for the sake of the “soft power” they can generate globally. Libicki, in a 2007 RAND publication, Conquest in Cyberspace: National Security and Information Warfare, suggested that the government could achieve “friendly conquest” of other countries by making them depend on US technologies. The “bigger and richer the system, the greater the draw,” he tells us. Huge global corpo-
rations (his primary example is Microsoft), whose technologies are deeply linked with the domestic technologies of other nation-states, give America greater soft power across the globe.
It is clearly time to ask whether this hybrid Silicon Valley economy has been a good national security investment. Weiss points out that after the government funds research, it gives away the patents to private companies for their own enrichment. We can find on the websites of organizations like In-Q-Tel and DIUx the kinds of contracts they offer. The licenses that they acquire are generally nonexclusive. The technologies that power America’s national security innovations can be sold to anyone, anywhere. The profits go to companies that may or may not be concerned about the national interest; Intel recently alerted the Chinese government to a vulnerability in their chips, one that could be exploited for national security purposes, before alerting the American government. Mariana Mazzucato, in The Entrepreneurial State (2013), examined the case of Apple, which has the lowest research-and-development spending of the Big Five. The company has succeeded commercially by integrating technologies funded by the military and by intelligence agencies (such as touch screens and facial recognition) into stylish and appealing commercial products. The government has shouldered nearly all the risk involved in these products, while Apple has reaped the rewards. In other words, taxpayer’s money has helped enrich companies like Apple, and as we now know from the recently released Paradise Papers (documents concerning offshore tax havens leaked from a Bermudan law firm), the companies have not responded with a corresponding willingness to increase the government’s tax revenues. Apple managed to keep a great deal of its $128 billion in profits free from taxation by using Irish subsidiaries and only pledged to repatriate its sheltered funds once the Trump administration dramatically slashed the corporate tax rate.
Silicon Valley companies do not simply have vast amounts of money, though; they also own vast amounts of data. To be sure, much older corporations like Bank of America and Unilever, which have been gathering our data for decades, own much more (approximately 80 percent, compared to Silicon Valley’s 20 percent, according to a recent study by IBM and Oxford Economics) but the Big Five, Uber, and others have extremely sophisticated data analytics, and their platforms are designed for the efficient exploitation of their data for advertising and influence.
This is where Klimburg’s concerns about the development of offensive cyber-powers by the military and intelligence agencies intersect most worryingly with the problem of privatizing our cyber-assets. The US has, since the start of the war on terror, increasingly outsourced intelligence and military operations to private companies, particularly those engaged in data analytics and targeting. Government agencies have offered lucrative contracts to older companies such as Booz Allen Hamilton and Boeing AnalytX, as well as to new players, such as Palantir, SCL group, and SCL’s now infamous partner, Cambridge Analytica, whose roles in the Leave EU campaign in Britain and in Trump’s presidential campaign have both drawn legal scrutiny. In doing so the government has encouraged these companies to develop the most sophisticated methods for influencing the public. These kinds of military-grade information operations may then be applied to their client base. Government partnerships with such companies make the data owned by the Big Five exploitable in ways that many of us are only just beginning to understand. But these immense powers may also be freely employed for ends that threaten national security. The way in which the Koch brothers have already exploited their resources to promote skepticism about climate change should serve as a warning.
The problem is compounded by the exceptional form of corporate governance that the Big Five have been allowed to maintain. Even though Facebook and Google are publicly traded companies, their founders, Mark Zuckerberg of Facebook and Larry Page and Sergey Brin of Google, have a more than 50 percent vote on their respective boards—that is, effectively total control.
In Klimburg’s view, the national security community has irresponsibly overdeveloped its offensive powers in cyberspace. As far as its pursuit of dominance in military and intelligence capacities goes, this may be true. But by giving Silicon Valley irresistible commercial incentives to develop military technologies, the government has, at the same time, surrendered unparalleled power to private corporations. Extensive control of information has been handed over to unaccountable global corporations that don’t profit from the truth. It’s currently laughably easy, as Vladimir Putin has brazenly shown us, to spread foreign propaganda through the platforms they operate. But even if they can develop mechanisms to prevent the spread of foreign propaganda, we will still be heavily reliant on the goodwill of a handful of billionaires. They are, and will continue to be, responsible for maintaining the public’s confidence in information, preserving forms of credibility that are necessary for the health and success of our liberal democratic institutions.
Zuckerberg, in a well-known incident he now surely regrets, was asked in the early days of Facebook why people would hand over their personal information to him. He responded, “They trust me—dumb fucks.” We’re finally starting to appreciate the depth of the insult to us all. Now we need to figure out how to keep the corporations we have supported with our taxes, data, and undivided attention from treating us like dumb fucks in the future.