MEP explains the security problem with militarizing the Internet

The Dutch MEP Marietje Schaake has a fantastic, must-read essay on the problem with "cyber-war." She lays out the case for securing the Internet (and the world of people and systems that rely on it) through fixing vulnerabilities and making computers and networks as secure and robust as possible, rather than relying on weaknesses in security as vectors for attacking adversaries.

Mass surveillance, mass censorship, tracking and tracing systems, as well as hacking tools and vulnerabilities can be used to harm people as well as our own security in Europe. Though overregulation of the internet should never be a goal in and of itself, regulation of this dark sector is much needed to align our values and interests in a digital and hyper-connected world. There are many European examples. FinFisher software, made by UK’s Gamma Group was used in Egypt while the EU condemned human rights violations by the Mubarak regime. Its spread to 25 countries is a reminder that proliferation of digital arms is inevitable.

Vupen is perhaps best labelled as an anti-security company in France that sells software vulnerabilities to governments, police forces and others who want to use them to build (malicious) software that allows infiltrating in people’s or government’s computers.

It is unclear which governments are operating on this unregulated market, but it is clear that the risk of creating a Pandora’s box is huge if nothing is done to regulate this trade by adopting reporting obligations. US government has stated that American made, lawful intercept technologies, have come back as a boomerang when they were used against US interests by actors in third countries. Other companies, such as Area Spa from Italy designed a monitoring centre, and had people on the ground in Syria helping the Assad government succeed in anti-democratic or even criminal behaviour by helping the crackdown against peaceful dissidents and demonstrators.

It's just not good policy to make the people who are supposed to be securing our computers dependent on insecurity in computers to achieve that end.

In defense of digital freedom (via Techdirt)

Cybercrime sucks (for criminals)

Bruce Schneier comments on an NYT report on cybercrime that shows that there's just not much money to be had in being a ripoff artist. Dinei Florêncio and Cormac Herley wrote:

A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.

The authors frame cybercrime as a "tragedy of the commons," where the overfishing (overphishing) by crooks has reduced everyone's margins to nothing, making it hard graft indeed. Meanwhile, cybercrime estimates are subject to the same lobbynomics used to calculate losses from music downloading and profits from drug seizures:

Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can't be canceled.

Cybercrime as a Tragedy of the Commons