Life used to be much simpler: War was between nations, the military had much more powerful weapons than the general population and when someone attacked us, we knew who it was. But when it comes to technology, those long-held notions start to fray at the edges.
A new book called “The Future of Violence” takes a look at the state of governance, warfare and privacy in the age of cyber-threats and how totally unprepared we are in facing our new challenges. The book is the labor of legal powerhouse Gabriella Blum from Harvard Law School and the Brookings Institute’s Benjamin Wittes, who is also the editor of the security blog Lawfare.
“Today, each person needs to fear an exponentially higher number of people and entities than only a decade ago,” Mr. Wittes and Ms. Blum write in the book. “The threads to your personal security now include not merely governments and corporations but also other individuals around the world: stalkers, identity thieves, scammers, spammers, frauds, competitors and rivals[…] You can be attacked from anywhere—and by nearly anyone.”
The book isn’t meant to be totally accessible: it’s a well-researched, academic exploration, rather than a Malcolm Gladwell-style round-up of buzzwords and glib observations—you might want to brush up on your Hobbes and Locke before you dive in. It also isn’t, as Mr. Wittes puts it, a laundry list of policy prescriptions like the Brookings Institute is wont to publish. Instead, it’s a tectonic-level exploration of the political theory and philosophy for legislating our new age of privacy, security and warfare.
We spoke to Mr. Wittes about his new book, cyber-threats, North Korea, Fifty Shades of Grey and the end of the world:
You argue that the responsibility of defending us in some cases has moved slowly from the state to private corporations or individuals. Does that make us inherently less secure?
Let me give you a kind of dramatic example of this that involves me personally: About a year ago Lawfare was the subject of a serious DDoS attack. I couldn’t personally repel the attacks and neither could the hosting company. Under normal circumstances, if somebody is attacking you, you go to the police or the FBI. But in terms of cybersecurity, the attack was beneath the notice of law enforcement. So we hired a bodyguard—we hired a private corporation.
So we’ve had a migration of security responsibilities towards private actors. Does it make you more secure because you have many more options for your security goods? Or does it make you less secure because there is no single actor responsible for protecting you? That’s unclear.et
It’s not just being more secure or more vulnerable. It’s both at the same time.
If you store all of your stuff in Dropbox, you are really secure for certain purposes, right? House fires will not destroy your data, your hard drive crash will not destroy your data. But Dropbox has had some security problems over the years.
As in: we’re becoming more secure from environment threats—accidents, happenstance, etc.—but less secure when it comes to targeted threats.
Exactly right. If you have distributed powers of defense, but also distributed powers of offense, you’re in a situation where you are much more secure on average, but if somebody really wanted to get you, they can do really bad things.
So you’re simultaneously more and less secure, depending on who you are and who your enemies are.
Speaking of enemies, we also have new kinds of enemies. You say in the book that the distinction between war and non-war is becoming less clear, but also we have nation states attacking and being attacked by corporations and individuals.
The problem is under-theorized. Right? When you read Hobbes and Locke, and then you look at Sony and North Korea, there’s no passage you can point to in those enlightenment theorists who imagined the modern state that defines our vocabulary. There’s no passage of Faber that you can point to that you can say, “Aha! That describes the relationship between North Korea and Sony.”
But wasn’t the struggle between Sony and North Korea the perfect opportunity to address that question? To make a distinction between a traditional, U.N. definition of an “act of war” per se, and set a new precedent?
There isn’t going to be one Big Bang-type revelation. These are the tectonic plates, occasionally causing tremors. These movements are deep underground. And it will take many iterations of events and responses for us to develop a way of thinking and talking about it that comports with the reality then the way we have.
The classical understanding is that you have a relationship with your government, and government has a relationship with some other government, but that there’s no relationship for example, between the French people and the Israeli state.
But now there is, Europeans as it turned out don’t like being spied on by NSA, and they seem to think there is some principle in which our government owes them something. And we seem to think that our government gets to tell Saudi nationals who they are allowed to give money to and who they are not. That is a very hard statement to reconcile with classical political theory.
In the book, you work on dismantling the notion that privacy and security are diametrically opposed. But it’s such a common narrative in all technology, not just in terms of government. We hear all of the time that privacy is what we have to give up in order to use services like Facebook and Google for “free.”
I have a paper coming out soon about the privacy benefits of privacy-eroding technologies. Let me just give you an example: Amazon Kindle is like, the most invasive technology. Amazon not only knows what you bought, but it knows what you’ve read, and it knows what pages you’ve read. But the Kindle version of Fifty Shades of Grey will out-sell the print copies—it has the highest rating purchase of kindle versus in hardback of any book ever.
Because you don’t want people to see you reading porn in public.
Right, it turns out that people don’t actually give a shit about the first part, what they really give a shit about is when they’re on the subway. People don’t think the remote corporation is judging them for reading page 679 of Fifty Shades over and over and over again. They care what the person next to them sees.
The privacy that people really care about, and the privacy activists that people care about may not actually be the same privacy.
So beyond theory, how do we create legislation that sensibly protects us?
First, we have to take the problem seriously. The second thing is that when we’re attempting to legislate an incredibly complex ecosystem: We can do things that make us believe we’re more secure that leave us, in fact, less secure, or that we think will make us freer and leave us less free. Finally, we have to understand that the capacity for overreaction and paralysis is significant. There’s a tendency to look for things to blame—a lot of them seem to involve Muslims, and I’m really not in to that.
Here’s the metaphor you want to keep in mind: seven billion people walking around with nuclear weapons in their pocket. How do you govern a world in which everyone has an app on their phone to destroy the world? We have to stay engaged with the right problems and not going off on distracting tangents that are more about disliking disfavored minorities.
You end with some pretty dour imagery—a toothless leviathan, a scene from Annie Hall about the end of the world. You don’t seem very optimistic.
Personally my uncertainty ranges from these very legitimate questions, to genuinely entertaining the possibility that the continued existence of the species is subject. It partly depends on what kind of mood I’m in on any particular day.
