Big tech firms say they are the only providers of large cybersecurity services – even as their products are compromised. The conflict of interest is huge
Marcus Hutchins, an IT security blogger from Ilfracombe, became an ‘accidental hero’ when he halted the global cyber-attack that hit the NHS. Photograph: Frank Augstein/AP
Saturday 20 May 2017 16.39 EDT
First published on Saturday 20 May 2017 16.32 EDT
To appreciate the perversity of our reliance on US technology giants, you just need to grapple with the fact that one of the likely winners in the global “cyber-outage” – caused by the series of crippling cyber-attacks that hit public and private institutions worldwide a week ago – might be the very company whose software was compromised – Microsoft.
The WannaCry ransomware used in the attack wreaked havoc on organisations including FedEx and Telefónica, as well as the NHS, where operations were cancelled, x-rays, test results and patient records became unavailable and phones did not work. In the end the global spread of the attack was halted by an “accidental hero”, a 22-year-old IT security blogger from Ilfracombe, Devon. Marcus Hutchins found and inadvertently activated a “kill switch” in the malware by registering a specific domain name hidden within the program.
But even before the recent WannaCry ransomware attacks, Microsoft – always seeking to deflate any responsibility for the flaws in its products – had been advocating the establishment of the digital equivalent of Geneva conventions that would protect civilians from cyber-attacks launched by nation states. At the same time, such agreements would allocate responsibility to big tech companies that would help to ensure safety online.
Brad Smith, Microsoft’s president, who has been spearheading the company’s efforts over this, has even compared the tech sector to the Red Cross. “Just as the fourth Geneva convention recognised that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyber-attacks requires the active assistance of technology companies,” he wrote on the company’s blog in February.
In the wake of the WannaCry outage, Microsoft stepped up its rhetoric, with Smith and many others demanding immediate action by governments.
Yet something in this effort seems disingenuous as Microsoft is essentially asking to be given more duties and responsibilities by means of international legislation. And what company would voluntarily desire more such regulations imposed on its global operations?
However, the reasons for such humanitarian enthusiasm – which has become the trademark of the tech industry – are entirely selfish. First, it is an elaborate publicity exercise aimed at presenting cyber-attacks as natural and inevitable, or at least as something that only nation states are responsible for; tech companies, by this logic, are just the victims of sophisticated hacking attacks by the geniuses at intelligence agencies.
This reasoning has little basis in reality: tech giants such as Microsoft enjoy so much market power – not least due to their extensive intellectual property holdings – that they hardly operate in a competitive market environment. This quickly eliminates any incentives to actually make their software as secure as possible, issue regular updates, retire outdated and compromised products early and so on. These firms are fat and lazy, and justify their rentier-like status with highfalutin talk of “disruption” and “innovation”, not to mention that the proprietary nature of their software makes it impossible to examine it for any possible flaws and backdoors.
Second, there is no sign that the US – which has the most sophisticated and extensive government-run hacking apparatus in the world – would sign up to these digital Geneva conventions. This, after all, is the same country that has been refusing to ratify several core protocols of the original Geneva conventions. But even if the Trump administration does miraculously decide to adhere to its digital equivalent – and it would be a miracle because all the evidence suggests Trump hates multilateral treaties – there are few grounds to believe that the National Security Agency or the CIA would not simply ignore them.
Third, you cannot understand Microsoft’s desire for regulation without understanding what exactly it would entail. Essentially, the complexity of modern cyber-attacks has become so enormous that the only actors capable of shielding us from them are the likes of Google, Facebook and Microsoft. Even many seasoned security professionals now concede that for most cyber-attacks we might be safer using commercial services from big tech giants rather than, say, running our own email servers – a lesson learned by Hillary Clinton.
When artificial intelligence and machine learning become key ingredients in determining what is spam or a malicious attack, it is obvious that whoever controls those resources will also be the key service provider. In this field, there is little or no competition to the big US tech firms. A few Chinese companies are trying to catch up, but not very successfully because this battle also involves a global hunt for the talent and data needed to train the machine-learning systems. How did US tech firms develop this superb capability in artificial intelligence? Some of it has to do with the legacy of the cold war and the massive government funding that it spawned. But some of it comes from the particular nature of the business models, which are greatly facilitated by America’s insistence on the liberalisation of the global trade in services and the removal of any barriers to the free flow of data.
These business models are quite brutal in their simplicity: firms such as Google and Facebook use advertising to pay for the provision of relatively trivial services, like search or email, in order then to extract and deploy the user data to develop non-trivial products and services, such as self-driving cars or advanced health analytics capable of diagnosing diseases early on.
In essence, the concentration of the most valuable resource of the new century – artificial intelligence – in Silicon Valley makes US tech firms impossible to disrupt, allowing them to create new opportunities for rent-extraction. In the case of cybersecurity and the “digital Geneva conventions”, Microsoft’s game plan is clear: once nation states formally recognise the company as the digital equivalent of the Red Cross, it should also lead to lucrative private contracts to offer cybersecurity protection – all of that, obviously, at a hefty fee. Thus, in addition to regularly extracting rent from the users of its software, Microsoft can now also extract additional rent from those very users for protecting the very software that they are renting in the first place – no one really buys or owns anything in the digital world, it all belongs to platform operators.
The conflict of interest here would be mind-boggling: the more insecure Microsoft’s software, the greater the demand for its cybersecurity services to protect it. Worse, governments – instead of doing something to curb such conflicts of interest – are only aggravating them. They allow tech companies to use their intelligence services as scapegoats while also creating a secondary market in cyberweapons that can then be used by petty criminals to instil terror and dread in the population. No wonder there are people demanding that some version of the digital Geneva conventions pass: the horrors, imposed by the tag team of government and industry, are just too painful to endure.
Cybersecurity that has been turned into a service is a perfect example of how the surveillance imperatives of modern governments – with the US leading the way – create almost infinite opportunities for monopolistic rent extraction by tech firms. In essence, every time you read that something is offered as a service – as in “cloud as a service” or “mobility as a service” – it is almost always a bland euphemism for legalised rent extraction that has a large tech company as the middle man.
Thanks to digitisation and automation, it is obvious that the future providers of most services are those that happen to own the data – and the advanced artificial intelligence powered by it. They might preach the values of brotherly love, decentralisation and hippiedom but the new giants of Silicon Valley are just the latest generation of rentiers who are far more likely to become a drag on the rest of the economy than to produce the infinite digital abundance that they promise.