When it comes to matters of information security, I’m a big fan of what might be called the “anti-exceptionalism” school of information security. That is: I reject the notion that the myriad of problems that we, the IT community, face in regard to security our networks, endpoints and the Internet are exceptional or extraordinary in any way. Rather, I see most security problems related to IT as similar (if not identical) to problems that humans have encountered – and solved - during other periods of rapid social or technologic change. I’ve tried to make that clear in my writing here. For example, back in October I wrote about the similarities New York City’s efforts to snuff out graffiti in the 1970s and 1980s with Google’s efforts to secure online marketplaces like Google Play and the Chrome Store. New York’s MTA beat the graffiti problem by pivoting from a (hopeless) policy of catching and punishing graffiti artists to one of making it harder and less rewarding to tag trains – securing train lots where much of the tagging was done, and taking defaced train cars out of service until they were clean. Writing in February, I made comparisons between our government’s response to critical software holes and its response to critical mechanical problems in aircraft, notably the new Boeing 787 Dreamliner, arguing that software industry (and public officials) could learn something from the culture of safety that characterizes the commercial airline industry. Civil aviation’s “safety culture,” I noted, wasn’t an accident, but the deliberate creation of both the federal government and the (then nascent) airplane industry itself, which was concerned about the bad image it was getting from daredevil barnstorming pilots. That’s why my anti-exceptionalist toes were tickled by a presentation given at this month’s Source Dublin conference by none other than Halvar Flake (a.k.a Thomas Dullien) that made connections with the current plague of nation-backed and “advanced persistent threat” attacks online and the rise of international piracy and privateering in the 16th and 17th century. (You can view the presentation here.) Then, as now, there were tectonic shifts taking place in the global economy. Back then, it was the discovery of The New World containing almost unimaginable wealth in (initially) gold, silver and other raw materials. Today, the Internet and e-commerce are doing for the world economy what the conquest of North and South America did for Europe more than four hundred years ago, Flake argues. Back then, controlling the high seas was the key to building national wealth, as ships were the only means of transporting wealth from the New World to the Old. And then – as now – there was a hegemonic power that was quick to recognize the potential of The New World and to exploit it for monetary gain. In the 16th century, that was Spain, the world’s Superpower. Today – you guessed it – it’s the U.S., which created the Internet and was the first to recognize its potential to transform the way businesses and individuals interact with the world. But then, as now, it was only a matter of time before other nations got hip to the promise of The New World. France, Britain and Holland all sought to establish a beachhead in trade with the New World, even if they couldn’t challenge Spain’s dominance on the high seas. And that’s where things get interesting. Flake makes a really interesting connection between the aspirations of those developing economies and those of countries like China and Russia today, which are looking to accelerate their own economic development and gain more control over our modern equivalent of the high seas: the Internet. Back in the 1500s and 1600s, countries like Britain turned to the advent of Buccaneers, privateers like Francis Drake and pirates (aargh!!). Privateers provided a critical service: waging a kind of asymmetric war against Spain for the benefit of their backers (investors in the UK), while providing the British government with plausible deniability for the attacks and theft. How different is that from the current situation facing the U.S. government and private corporations, which are falling left and right to independent hacking outfits operating within China and with the approval of the Chinese military and government? Dullien, the founder of the security firm Zynamics GmbH, which Google acquired in 2011, sees the various official and semi-official hacking collectives operating out of China as akin to the buccaneers who plied the Spanish Main, looking to make a quick buck, but also to coopt the product of Spanish investment and labor for their benefactors. “Will the architects behind industrial espionage operations be eventually knighted in their respective home countries?” he wonders, citing the example of Britain’s Sir Francis Drake. Like the U.S. today, Spain in the 16th century was reluctant to use privateers to act on its behalf on the open seas. The result was a significant loss of wealth to countries like Britain that had no such compunction. “Is the supposed Chinese economic espionage much different from the policies Britain had toward Spain in the late 1500s?” Dullien asks. The analogy is less important than the lesson to be learned from history. In the 17th century, pirates and privateers became the tail that began to wag the dog- acting unpredictably and without allegiance to any state power. The answer was treaties between trading nations, and the development of large, professional navies that could hunt down pirates and keep trade routes open. It's hard to say how that translates into the context of the Internet, but whatever the answer is, Dullien anticipates it will require a much larger share of the nation’s resources, talent and expertise than is currently being given to protecting private and public resources. The end result may be a “Pax Britannica,” he argues – but “under the aegis of a different superpower – which one?”
Hacking and Piracy. Aaargh!!
Paul Roberts is an experienced technology writer and editor that has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe, Salon.com, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and ITWorld.com. He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.