On Friday, huge chunks of the internet were taken offline in an apparent distributed denial-of-service (DDoS) attack. From what we know so far, thousands of internet-enabled devices ranging from cameras to thermostats were marshalled to attack the servers of Dyn, which provides domain name services (DNS) to connect the addresses of websites to their location on the web. While DNS has been described as an internet phonebook, it’s closer to your phone carrier providing cell service to your phone number, allowing people to call it. This is less like someone ripping up a phonebook than it is them shutting down AT&T by programming your printer to make hundreds of calls per minute.
The immediate reaction has been pessimism about the future of cyber warfare. Already in this presidential campaign, the candidates have expounded on the pitfalls and promise of “cyber,” especially as it pertains to national security. Further, a joint committee of 17 intelligence agencies is insisting that Russia is behind the hacking of emails from the DNC that are currently being released by WikiLeaks. While the prospect that you can get an ageing political functionary to fall for a spear-phishing email scam is nothing new, shutting down the ability for people to access hundreds of websites using their televisions is quite another matter.
In spite of the prospect that our civilization can be thrown into a new dark age if intelligence agencies or hostile non-state actors competitively shut down portions of the internet, I remain optimistic. What this attack highlights for me, above all, is the fundamental contradiction between cyber-security and data-capitalism. These internet-enabled devices – the so-called “internet of things” – are designed with security flaws built in.
In addition to the discrete tasks the user seeks to accomplish without having to go through the trouble of walking to push a button or plug in a cable, these devices also enable manufacturers to access usage data and apply patches and updates remotely. While businesses are interested in providing a product that consumers want to buy and use, they have more recently become interested in capitalizing on their products’ use data. In order to do this, companies making these products have built in the capability for these machines to routinely send data to the manufacturer through the internet without user initiation. That functionality, as we have seen, can be coopted by anyone.
Ultimately, businesses will have to rethink the degree to which they breach their customers’ privacy. A machine that can be used as a drone by a manufacturer is necessarily able to be used as a drone by a nefarious actor. In spite of domestic and international law, the power of individuals on the internet is limited only by what they are able to code. As far as a machine is concerned, an FBI agent has no more authority to use it than a hacker. If tech companies don’t want users to lose control of their devices to malicious coders, they will likely have to give much of the control they currently have back to the consumers using their products.