Hello and happy Thursday!
I know Twitter whistleblower Peiter “Mudge” Zatko testified before the Senate Judiciary Committee on Tuesday; but I’m writing this on Monday because this week is packed. I promise, I’ll review Mudge’s testimony and comment soon if I have anything of value to share.
One of the things keeping (or, should I say, “that kept?”) me busy this week is an event with Australian Sen. James Paterson, shadow minister for cybersecurity (awesome title) and former chair of the Intelligence and Security Committee. Assuming everything goes to plan, you can watch a recording of the event here.
Thanks, and enjoy this selection of tech potpourri!
VPN Providers Are Bounced from India
India’s Computer Emergency Response Team (CERT) will soon require all providers of virtual private networks (VPNs) to collect the names, email addresses, and IP addresses of everyone accessing these services from inside the country. But VPN companies and internet-rights organizations say the new rules are authoritarian and anti-democratic. “[Rules like these are] typically introduced by authoritarian governments in order to gain more control over their citizens,” a spokeswoman for NORD Security (NordVPN) told the Wall Street Journal. “If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech.”
CERT argues this information is necessary to defend the “sovereignty or integrity of India” and will be essential to counter cybercrime and other online harms. Beginning on September 25, the agency will require VPN providers not only to collect this information, but to also hold it for five years and turn it over to the government upon request. But companies aren’t going along.
While Amazon Web services, Google, and Microsoft have not commented on the new rules or their intentions to comply, U.S.-based Private Internet Access and IPVanish, Canada’s TunnelBear, the British Virgin Islands’ ExpressVPN, and Lithuania’s Surfshark have shuttered their servers in India.
Here’s what I’m thinking (HWIT): First, VPNs are critically important. As a quick reminder: VPNs are typically an app on your phone, laptop, or other device that encrypts your data so that others can’t see who you are, where you are, or what you’re doing online. They are a good general security practice and are essential when using public Wi-Fi networks.
Second, while India is the world’s largest democracy, its posture toward speech and internet freedom is decidedly authoritarian. According to the Software Freedom Law Center, the Indian government has shut down the nation’s internet at least 665 times since 2012—more than any other nation during that same period. Jammu and Kashmir alone have had 411 deliberate internet blackouts, with the longest lasting more than 550 days.
Delhi considers these shutdowns to be a legitimate response to everything from regional crime to national political protests. The bans often include 3G and 4G/LTE mobile networks as well as dial-up and wired/wireless broadband internet access, and they are not always announced. While governments from multiple political parties have executed these shutdowns, Prime Minister Narendra Modi has been especially aggressive, ordering 106 shutdowns in 2021 alone. His government, of course, says these actions are necessary to prevent the spread of rumors and misinformation, as well as for preventing the deterioration of law and order.
Finally, you’re going to see more of this—particularly in non-Western and non-democratic countries. We can’t deny that the internet challenges the authority and capacity of governments and so, in a bid to reassert sovereignty and control, governments are seizing and manipulating the underlying infrastructure of the internet itself. While India is less restrictive than authoritarian regimes in China, Russia, Iran, or North Korea, its constitutional provisions for freedom of speech are relatively new and have significant political constraints. These restrictions include any speech or activity the government believes would threaten national security, friendly relations with foreign states, public order, decency and morality, defamation, incitement of offense, and the sovereignty and integrity of the nation itself. While each of these is, in one sense, understandable, they’re also so broad and vague that an oppressive political regime could justify just about any crackdown it wanted to.
To put it plainly: Nations that cannot provide internal security without resorting to authoritarian means, and who do not provide robust political structures for the peaceful airing and resolving of political differences, will increasingly shut off the internet as a way of stifling public awareness and organizing. This only worsens public dissatisfaction and frustration and makes the worst outcomes even more likely. India hasn’t gone fully down this road, but it’s certainly pointed in this direction.
U.S. Sanctions Iran Over Cyberattacks
The U.S. Treasury Department is adding sanctions against Iran’s intelligence ministry and its chief, saying they are responsible for multiple cyber operations targeting the United States and its allies, according to the Wall Street Journal. The new penalties block American individuals and companies from doing business with the Iranian Ministry of Intelligence and Security (MOIS) and its director, Esmail Khatib, and block all property held by them that is under U.S. jurisdiction.
Iran-affiliated groups are suspected in two operations in July that forced Albania to temporarily shut down its Total Information Management System (TIMS)—the network Tirana uses to track everyone entering and exiting the country. Last week’s actions byTreasury fit into a larger U.S. effort to suppress online hackers and to pressure the regime in Tehran.
HWIT: While Iranian hackers are not nearly as sophisticated as those in the United States and China, they are capable and dangerous. Even more, they seem to be growing more aggressive. Albania is a NATO ally of the United States and it’s reasonable to view the July operations as a notable escalation. “This is an aggressive escalatory step that we have to recognize,” John Hultquist, vice president of intelligence at Mandiant Cybersecurity, told Wired. “Iranian espionage happens all the time all over the world. The difference here is this isn’t espionage. These are disruptive attacks, which affect the lives of everyday Albanians who live within the NATO alliance. And it was essentially a coercive attack to force the hand of the government.”
Albania was scheduled to host the World Summit of Free Iran in late July and this was likely the reason it landed on Iran’s target list. The summit, which was postponed, was associated with Iranian opposition leaders in the Mujahideen-e-Khalq (“People’s Mojahedin Organization of Iran”) and it’s not surprising that MOIS hackers wanted to disrupt the meeting. Iran typically focuses its most aggressive cyber operations in the Middle East—especially against Israel—but now that may be changing. Also from Wired:
“We’ve become used to seeing Iran being aggressive in the Middle East where that activity just has never stopped, but outside of the Middle East they’ve been far more restrained,” Hultquist says. “I’m concerned that they may be more willing to leverage their capability outside of the region. And they clearly have no qualms about targeting NATO states, which suggests to me that whatever deterrents we believe exist between us and them may not exist at all.”
I think John raises some good points and, while the sanctions are a good start, it will likely take even more aggressive action from the United States to keep Iranian hackers from deliberately or accidentally instigating troubles that would draw in the world’s most powerful alliances.
Microsoft’s HoloLens Goes to War
The U.S. Army is buying thousands of Microsoft HoloLens battle goggles, to the tune of $22 billion over the next decade, according to interestingengineering.com. Formally called the Integrated Visual Augmentation System (IVAS), the glasses blend holographic, augmented reality, and even night vision technologies to give soldiers a data-saturated understanding of the battlefield that looks a lot like the interfaces and heads-up displays (HUDs) in video games.
For example, units operating with IVASes will seamlessly identify and track good guys, bad guys, aerial and ground support assets, and even their own ammunition—all from a ruggedized, digital display right in front of their eyes. Before deploying, these same headsets will be used to model and study terrain, troop movements, or even for dry runs of an operation using holograms matching the exact specifications of targets.
HWIT: Look, I know these things are not ready for prime time and that there’s all kinds of concerns about power, data latency, and general survivability. But I also think these challenges will be solved and that, ultimately, this tech is going to make American soldiers more capable, more lethal, and straight-up nightmare fuel for our enemies. Even more, Microsoft deserves credit for unapologetically working with the Pentagon.
In 2019, a group of Microsoft employees tweeted a letter protesting the company’s work with the Department of Defense. “We are alarmed that Microsoft is working to provide weapons technology to the U.S. Military, helping one country’s government ‘increase lethality’ using tools we built,” they said. “We did not sign up to develop weapons, and we demand a say in how our work is used.”
But Microsoft President Brad Smith has made his position very clear:
“[We believe in] the strong defense of the United States” and want those “who defend it to have access to the nation’s best technology … At the same time, we [Microsoft employees] appreciate that technology is creating new ethical and policy issues that the country needs to address in a thoughtful and wise manner … But we can’t expect these new developments to be addressed wisely if the people in the tech sector who know the most about technology withdraw from the conversation.”
Right on, Brad. Right on.
That’s it for this edition of The Current. Be sure to comment on this post and to share this newsletter with your family, friends, and followers. You can also follow me on Twitter (@KlonKitchen). Thanks for taking the time and I’ll see you next week!
Please note that we at The Dispatch hold ourselves, our work, and our commenters to a higher standard than other places on the internet. We welcome comments that foster genuine debate or discussion—including comments critical of us or our work—but responses that include ad hominem attacks on fellow Dispatch members or are intended to stoke fear and anger may be moderated.
With your membership, you only have the ability to comment on The Morning Dispatch articles. Consider upgrading to join the conversation everywhere.