Chertoff sees ‘Internet of threats’ (Q&A)
Envision a secure Internet, where privacy and free expression are the norm. Now think of another Internet, whose blighted landscape is defined by insecurity and state surveillance.
The Internet has reached a proverbial crossroads, according to a report prepared by 29 Internet policy makers and influencers under the auspices of the London-based Chatham House and the Centre for International Governance Innovation.
Sounding a clarion alarm for the future of the Internet, the report, two years in the making, lays out three possibilities: In the worst-case scenario, cybercriminals and government regulation force many people and organizations offline, causing a dangerous and broken cyberspace. The second is one of stunted growth, with uneven and unequal gains. The third is a healthy Internet marked by broad and unprecedented progress.
Michael Chertoff, secretary of the U.S. Department of Homeland Security from 2005 to 2009, under Presidents George W. Bush and Barack Obama, co-chaired the commission behind the report.
Cybercriminals and authoritarian rulers eager to suppress dissenting voices threaten Internet progress, Chertoff told me this week. Here is an edited transcript of our conversation.
Q: Your report describes three visions for the Internet’s future. Which do you think is most likely to win out?
It’s likely going to be somewhere between the most optimistic scenario, which is a flourishing Internet, and a scenario where the Internet’s benefits are unevenly distributed. The real question is how much of the world will move to the more optimal outcome and how much of the world will get left behind.
The report talks about the possibility of winding up with an “Internet of threats,” without secure and resilient systems. Can we avoid that fate?
I’m certainly not 100 percent confident that we can. I can easily imagine a point at which people no longer trust the ability to transact over the Internet. To be honest, I am very careful about which transactions I do over the Internet.
Part of what we need to do is raise people’s awareness and consciousness about the choices they make for their security. There are so many different kinds of threats and solutions that it’s easy for enterprises or individuals to get overwhelmed. If we are smart about it, and have good cooperation between the private and public sectors, we may not eliminate these problems, but we will reduce them to a level where it doesn’t fundamentally erode trust in the Internet.
When it comes to law enforcement and intelligence agencies intercepting Internet communications, where do you think governments ought to draw the lines?
The fundamental rule remains the same as it was prior to the Internet: If you are going to invade an area that we generally, as a matter of social expectation, view as private, you have to get lawful authority. Generally, at least in Western countries, that involves some degree of judicial oversight.
That clearly extends to the Internet. Privacy protections may actually become harder, but I think the balance has to tip in favor of stronger security for the public at large, even if it makes it more difficult for law enforcement.
Where should the federal government have taken different action to shape Internet privacy policy?
Encryption might have been discussed sooner, and perhaps we should have looked at whether privacy rules ought to be modified to cover the sheer volume of generated data. The technology really outpaced the legal structures.
There was a bit of a lag in really understanding how profoundly technology would upend our ideas about what’s public and private. But on balance, I think that we are much better off with a largely unregulated Internet, as opposed to having the government from the very beginning trying to regulate it very heavily. So serendipitously, we wound up taking a better course.
Is the war for Internet freedom of expression close to being a lost cause?
I don’t think it’s a lost cause, but it is an ongoing struggle. You can never declare victory and say, “OK, the Internet and freedom of expression have won.” You have to recognize that there are fundamentally different concepts of what freedom of expression should include.
There are countries where, when you ask what they mean by Internet security, they say it’s security against content that they find distasteful or that undermines the authority of the state or defames their leaders. This is a fundamental fault line between societies, and it remains an ongoing point of tension between countries that take a broad view of freedom of expression and those that take a more narrow view.
The world has so far avoided the spectacle of a full-blown cyberwar. Do you expect to see one erupt in the next decade?
I am unfortunately of the view that we will see cyberconflict that results not just in nuisance and irritation like a DDoS attack, but is actually destructive and has an impact on infrastructure. There has been some discussion among nation-states with the most cybercapabilities whether there should be things that are off-limits in cyberwarfare in the same way that there are things that are off-limits with physical warfare.
We don’t have time to waste in getting some of those agreements. It’s an urgent task for international discussion.