It’s great to be on board for the ISA 2017 Annual Convention in Baltimore. I thought I would drop my abstract below for this, where I’m exploring the object as a way to think around malware and its implications for cybersecurity and a malware politics.
As I am going to be busy on fieldwork over the next year, I have decided to limit where I am going to be and focus on doing some ethnographic research. This means I will only be taking on limited activities outside of my core PhD. Thus, I have taken on more requests in the last year to be involved with projects, talks, and debates which will now take a back seat – don’t be offended if I say no! Therefore the only things I will be going to over the next 9-12 months will be:
- YATA Seminar on ‘NATO’s Future Challenges’ (Berlin, Germany – November 2016)
- International Studies Association (ISA) panel on ‘Modular Performances of Security’ with my paper on ‘Malicious Modulation: Collusions of a Laboratory’ (Baltimore, USA – February 2017)
- Association of American Geographers (AAG) with my CfP on ‘Curating (in)security: Unsettling Geographies of Cyberspace’ and possibly presenting on another panel (Boston, USA – April 2017)
All of these pieces will be focusing on the more ‘human’ sides of malware, and how malware interacts with us, particularly in what is typically deemed to be political, to develop a core tenet of my work.
I’m very excited with what looks like a fascinating workshop with a great set of people (I don’t believe the list is finalised yet, so will hold off on that) on living with algorithms. This is being hosted by Royal Holloway, University of London. I’m particularly excited with the short 5 – 10 minute provocations that this call for papers asked for – I’m sure there’ll be some pretty diverse, and contentious, contributions on the day.
Below is my abstract for the workshop:
The kiss of death: an algorithmic curse.
Malicious softwares slither through noise of systems, of cyberspaces, attempting to avoid the signal, to defy their abnormality to their surrounding ecological condition. It’s a parasitical existence, to avoid the kiss of death.
Algorithmic detection: The curse of malwares. The curse of humans?
In similar techniques deployed against humans, the collection of data, its analysis, abnormality breathes from ever-modulating normalised abstractions. Or that is the intention, at least. Modern malware mostly emerges as malicious through the deployment of the detecting algorithm. Circulation and mobility are absolutely necessary for malwares to carry out their deeds of infection, exfiltration and so on. Yet precisely this circulation is its downfall. To be malware, it must move. Yet in moving it changes its ecological condition. Two cultures emerge at the point of software’s algorithmic detection; one becoming-human, one becoming-malware. Indeed, it is tempting to focus on humanly responses, looking at things in relation to ourselves. Yet how does algorithmic detection expose the malicious intentionality of otherwise ‘normal’ software? What human-malware normality is required?
We, malwares and humans, are rightly concerned with algorithmic detection. This is where our cultures converge in a more-than-human political project. We are unlikely to ever sense each other in that way however. Humans and malwares develop everyday practice at certain sites, sometimes technological, other times not. These include anti-virus programs, the secure connection to banking credentials, stealing ‘confidential’ big data, in organisational practice, in the virtue of the software programmer, in the chatter of politicians. When malware is detected, when it becomes known, it is sealed-off, destroyed, deleted. As humans, can similar algorithmic detection mechanisms come from our dividualisation? Can looking to a more-than-human offer potential futures of hope and resistance to the dominance of algorithms? A way for us to slither through our spatial registers?
I will be presenting at the Durham conference on May 4 2016 with the paper:
W32.Stuxnet: An Olympic Games.
Sprinting, jumping, throwing, shooting, running, leaping.
Siemens Programmable Logic Controller (PLC)? Siemens SIMATIC Step 7 Industrial Control Software? Yes… Next Step.
Welcome to the most wonderful of Olympic Games. A brilliant new, sophisticated cyber weapon has been created. A game against Iran, against its nuclear enrichment programme in Natanz. Those who played we can only deduce; the USA and Israel. Stuxnet is the name attributed to this multifaceted, modular, updating malicious software(s?). It slithers, propagating between machines, checking, stealthily, hiding, the joker of the system. What a game, to travel with this more-than-human. Enter this cyberspatial ecology, driven by a tension of potentiality, beyond virtual, the real. Collaborations between malware artists and their offspring, malwares, generate peculiar, novel methods of movement. USB sticks, Siemens PLCs, network shares, command and control servers. It is simultaneously divided and yet constituted, materialised. Its mobility disguised, tricking, mimicking normal flows. Through its movement it becomes known. Static analyses neglect the agential vibrancy this malware exudes; it is through flows it is malicious – to us humans – ultimately it is (simply) software. Experience how Stuxnet interacts with complex geopolitical interactions of Iran and the USA / Israel, confused engineers at their screens, Windows operating systems, zero-day exploits and modular malware engineering. Let’s explore what our expert human friends tell us of malware, the conflicting narratives of their movement, one that disjoints dominant human action from the ecology within which cyber security develops. Join us on a geographical adventure to experience an ever-incomplete picture of our destructive (productive?) compatriot.
For the upcoming talk I am giving at the RGS-IBG in under a week now on ‘The Pacemaker’: this is an exhibit piece available on the Society and Space Open Site.
The link is here.
I do see a worrying trend in Europe for constant fiscal restraint in rather odd timescales; demonstrated in the problematic Greek crisis (where we will find out the referendum result this evening) and UK budgetary austerity. They both have rather arbitrary dates for a supposed conclusion to a fiscal crisis for the former and to ‘balance the books’ for the latter – both are needed. I am not saying anything else but. Countries cannot simply constantly borrow more than their income over the long-term. Some would argue that this somehow puts me in the ‘anti-austerity’ camp. This is the problem. One that I will return to later.
I have recently, post completing a first-draft report on commercialisation of academic cybersecurity research from UK universities to the Department for Business, Innovation and Skills, been attempting to read about something other than the topic for my own sanity. This led me to walking around the wondrous bookshop, Blackwells, in Oxford, where I came across ‘Cyber-Proletariat: Global Labour in the Digital Vortex’ by Nick Dyer-Witheford. I’ve not finished it yet due to having a fairly relaxed holiday period in which to enjoy doing very little (plus doing lots of admin for my College MCR at Oxford). Yet it has provided me with some thoughts on how space and capitalism are transforming our society with reference to technologies – some of this following the cybernetics of the 1950s and 1960s, through to more modern utterances that include Tiqqun. It makes very compelling arguments for the deterioration of working conditions for a variety of individuals who are not part of the ‘top’ (this is not used explicitly in the book, but I think it is a good summary of what he means here).
There may be a section on the welfare state and its ‘austerity’ in there but I have not yet come across it. However I believe there are interesting parallels of how the fiscal situation is being primarily considered as ‘sensible’. The troika of creditors in Greece all demand that it is the ‘only’ way. This vision is being destroyed by Syriza (the governing party in Greece). Though I may not agree with Syriza themselves, I do have to applaud their ability to present another vision, one that is aggressively put-down by the creditors as not being ‘sensible.’ What is sensibility? This is forthcoming with Cameron et al., in the Conservative Party – ‘hard-headed pragmatism’. What does that even mean? Pragmatic to underinvest in capital expenditure? Reductions to tax credits (whether you agree with the policy or not), increases in the threshold in inheritance taxes to £1m? This ‘sensible’ decision is seen as devoid of ideology. Although I have some raucous arguments with my housemate in particular on whether post-politics works in this arena (I normally am more cautious about whether it really exists). There is definitely something that rings true there. There is an implicit acceptance that neoliberal economics and the ever-increasing privatisation of public services (being brought forward by Osborne to bring down the current deficit) – with reductions in support for working families. It cannot be said that if you earn minimum wage in the UK that you can live comfortably, if at all, without the supplementary income through tax credits. No matter how much you cut the threshold the cap for income tax, many of those who will struggle with a cut in credits will already be out of the threshold. Therefore pursuing this policy becomes a cut for the middle classes and the rich.
So, what does this all have to do with the ‘cyber-proletariat’ of Dyer-Witheford? Well, it is showing how there is an increasing polarisation in the work of those at the ‘top’ and those elsewhere. The automation and outsourcing phenomenon has depressed wages and led to ‘flexible’ work. There are fight-backs against this – demonstrated in the legal action in France against Uber (the taxi-hailing app) – but it is becoming increasingly widespread as technologies enable far more accurate supply and demand forecasts where workers are only to be sustained for certain periods and then dumped when they are not needed (think the growth of zero-hours contracts). This is increasingly affecting the bastions of the middle class, where automation and flexible working are eroding the benefits they have had in the post-war period. Hence, it is entirely dispiriting to see the desperation in some parents’ eyes when they were milling around Oxford colleges earlier this week for open days. Not that they shouldn’t be eager for their children to attend an excellent university. It is the fact they are vulnerable. Vulnerable to an uncertain future. Their children’s future could be beset by problems in flexible working and attaining a ‘graduate job’ or through interning unpaid for several months at a time. Increasing house prices, particularly in the south-east add to this. It then makes me consider myself without any possibility of parental backing, what would happen if I was to try and buy property. Probably unlikely.
Anyway, the rhetoric, discourses, ideologies, are all neoliberal. We live in a neoliberal age. Why do we not have a plurality of economic futures? Where has the future gone? If we look at the absolute trouncing of the UK Labour Party in the recent general election; few candidates are opening new futures. Futures win elections. Something that was not offered at the last. There are some; think Islamic State, Russia. None of these are desirable. Yet Syriza is attempting to challenge the neoliberal dogma from within. One that I may not support in its entirety, but one I respect for opening up possibilities of alternate futures. It may not work. Strong winds are blowing against it.
Going back to my original point, about my concern we are cutting too quickly and should support small growth of spending to invest in infrastructure (classic example of how this could be done would be continuing with the electrification of Northern UK routes – one of them directly affecting my dear Sheffield). Yet to even say this means I oppose austerity completely. I advocate a flexible budgetary plan that leads to growth – positive future but one that will balance. I cannot see the problem in this. Yet the winds of neoliberal thought place me in an anti-future. A future of impossibility. A future which would lead us to economic disaster. That’s the true problem. A foreclosure of possibility. We need new futures, and we need them now.
Yesterday I went to a reading group within cyber security, and we talked about an interesting paper that was in Science January this year, called “Unique in the shopping mall: on the reidentifiability of credit card metadata” (paid subscription required). Though we talked about several of the issues with the paper and the reason for its appearance in Science for a start, this got me thinking about the wider concept of the ‘dividual’ that Deleuze details in a short article that was published (see paper here) in the publication October in 1992.
Through a fairly dense, but easy to read paper, Deleuze summarises that we have moved from Foucault’s disciplinary societies to control societies. For those with a background in this, please skip to the next paragraph. So, to potentially give the work of Foucault great injustice in what I am about to say; Foucault identifies a transformation of society in the transition from the medieval to industrial period. These periods are obviously not solely independent and the mechanisms do not always belong to one and can be applied alongside one another. Hence the growth of institutions such as the school, the hospital, the barracks, the prison and so on all were a transition where bodies en masse were controlled and disciplined to work for the powerful.
To speed on from the simple explanation above, Deleuze (and Foucault himself in governmentality and biopolitics) identify a new movement in the development of their thought. This is one where individualism and the body not solely as an empty ‘space’ becomes a ‘place’ where thoughts and movements should be all-flowing and monitored. Modulation is the word Deleuze uses to express this new formation where we do not simply move between institutions as before but are constantly having to learn, self-police, healthcare services in the home and the burgeoning market in healthcare products. This means that the emphasis is on the individual to succeed (with its associated serpent, neoliberal capitalism).
So, why the societies of control or control societies? Unlike in the past where individuals were constructed in order to be disciplined, neoliberalism requires free movement but states (and other stakeholders seeking to control – think corporations, gated communities) still require extensive monitoring to ensure they maintain their power. This monitoring is aided through the use of technologies that track our movements through passes to enter buildings, touchless payment cards and mobile phone signals. Deleuze coins the word ‘dividual’ to capture the data that are produced by in(dividuals) where segments of the data are used to control; such as the ability to access buildings, access to credit according to financial transaction history, et cetera. The concept of the dividual makes more sense if we have discrete datasets. Yet, we live in the world of supposedly ‘big’ data where there is an increasing ability to cross-reference dividualised data to (re)construct an ‘in(dividual)’.
Returning to the paper that constructed my thoughts above, the authors claimed that they could easily reconstruct roughly 90% of unique credit card identifiers through four informational nodes. These could include the location of the shop, time of purchase, approximate cost and distance from next purchase for example. Though there are other issues of privacy and the unicity (the ability to reidentify unique individuals) of data, there is a philosophical question to grapple with that uses both the societies of control and disciplinary societies. I consider the ‘body’ (in its extension to producing non-human datas, movements across space and the like) to be critical to arguing our current epoch is not one of pure dividuals – and displaying the geographies this produces.
I much prefer to use the ‘in(dividual)’ to present the current manifestation of our society. The formation of the internet and ever-increasing sharing of information has enabled disparate information to come together and provide ‘value’ to capitalism. This is epitomised in the valuation of social networks such as Facebook and Twitter, and the giant Google. This value requires these companies to in(dividual)ise. Let me explain what I mean here. So for ‘big’-data analytics to operate effectively it needs to dividualise my body(ie)’s movements through its limited collection points; through my credit card, my phone signal, my Facebook account, the cookies I leave lying around and so on. This enables a population-becoming whereby services can be focused on particular ‘groups’(?) and reflects the growing use of statistics in the development of biopolitics (see Louise Amoore’s article ‘Security and the claim to privacy’ on ‘data derivatives’). Yet there is a requirement for personalised advertising where I must become in(dividual). I must form a group. I am gay. Therefore I get many ‘gay-themed’ adverts across the internet (some to my utter amusement!). This feedback loop, where I am classed as forming an ‘at risk’ group for example, if I was to apply for credit with a ‘poor’ rating, then the in(dividual) would come to play. My in(dividual) body’s movement influences ‘it’, and ‘it’ influences ‘me’.
Therefore how can one work against this? What playful acts can I working as an in(dividual) do? I could spend rather large amounts at different places (although probably not), use different cards, use other people’s cards? Or I could change my Facebook ‘likes’ or make completely false trails everywhere. This is where the power lies. This is where the kink in current society lies. Although I am partially determined by my allocation, what happens if I do not conform to any group – I do not only do it for myself, the data that feeds the group is also skewed. This is true play. To circumvent the rules, to not conform to one identity, but express the multiple identities the body inherently exudes. This in(dividual)ising both can have detrimental effects on how I operate as an in(dividual) as long as I play by the rules. The best play is one which bends them.
Why is the body critical to this? Critically the body is one which has truly emancipatory affect (though we must realise we live in a period where ‘able’ bodies tend to ‘succeed’ in comparison to less-able bodies). There are only a limited amount of collection points (though these are ever-increasing in size with sensors in the Internet of Things (IoT)) that mean that their comprehension of the world is always limited and non-pervasive. Therefore feeding certain nodes bits of information that our bodies produce incorrectly (such as hacking a wearable technology to send ‘healthy’ signals to an insurance company) enable small acts of powerful play that not only distort the in(dividual) but the dividualised groupings. We can use the ingenuity of the body (and here I refuse to use the mind-body dualism – useful to point out here) to claim the in(dividual) for ourselves, in whatever form ourself may take.
Over the past couple of weeks I have been fairly busy completing the end of my taught courses at the Cyber Security CDT and moving onto more substantive research (look for updates here as I post about it!). So a couple of events that have happened…
This was organised by Nesta (an innovation charity) on 14th/15th March. Luckily I received a free guest ticket from Professor Ian Brown – so thanks for that! This was an exceptional event – where I asked a couple of questions on the future of UK party politics – and had a direct chat with Natalie Bennett (Leader of the England & Wales Green Party). I also had some great 3D printed chocolate and some ‘future’ alcohol shots that varied from delicious to repulsive. It was a great day and would encourage anyone to attend a similar thing!
I even got a clip on blockchain referring to Bitcoin (I’m not sure I completely agree with what I said but hey ho)
Andrew Carl Dwyer, PhD cyber security student at Oxford University, on the downside of the blockchain https://t.co/DCsac1m64W
— Cryptocity (@crypto_city) March 15, 2015
There were also loads of other great stuff – including seeing my face on a robot…
So, this was an international competition to generate policy solutions against a cyberattack against a poor state in South-East Asia. It involved 3 U.S. universities (Georgetown, George Washington and Maryland) and 3 European (Oxford (the UK), Leiden Delft (the Netherlands) and Chair Castex (France)). It was organised by CSIS – more information here.
I was a member of the Oxford team that represented between us 6 countries and 4 continents (there were only 8 of us!). It was an absolutely great day that included a fire alarm 5 mins in….
That led to the ‘Zambonian Opportunity’ in the final presentation after a long two days to deliver the product. I was so happy with everyone on the team. An absolutely amazing job! Here’s me via VTC in Washington DC (just).
Anyway that’s been my past couple of weeks – quite a lot of fun!
Luciano Floridi has recently written a short editorial on conditions of ‘uncertainty’ within information theory in Philosophy & Technology (the article is currently available free here), with which I have a problem.
Although I agree with the principles outlined in his piece, I believe there is an assumption explicit within its execution. This is the belief that somehow ‘information’ and its knowledge is able to predict the future. As I mentioned in my previous post, Louise Amoore’s work on probability (and indeed uncertainty) argues that the future is impossible to correctly predict. Thus, information due to its abstracted quality, the impossibility of recording everything and their associated variables ensure that we are always in a ‘block’ or “add some friction to the flow of information”. I am not here to critique the great explanation of uncertainty that Floridi provides, but to make a more nuanced point.
This point refers to the fact that Floridi alludes (whether intentionally or not) to a world where human agency alone provides uncertainty because we cannot somehow ask the right questions and gain their answers. In our world(s) it is not possible to ask all the right questions due to the interplay of the non-human with the human. This ensures that ‘questions’ are out of the bounds of ‘our’ language and we will never be able to generate these questions in their human form. Look to the work of Derrida on the deconstruction of language or différance as examples of how language cannot specify the true meaning of the world. Therefore I believe that information (as an abstracted form of the world which is given intrinsic human value) always provides blockages. Look at the below quote;
“In philosophy, it is time we learn the value of a low and stable degree of uncertainty. It is unhealthy to eradicate it completely, for a small dose of unanswered questions in the social system leads to increased degrees of liberalism, toleration and fairness, as well as more efficient flows of information. It seems that the value of information also lies in what it can teach us about its own equilibria.” (p.3)
This creates an impression that there is an ability to ‘eradicate’ uncertainty and claims we somehow have the power to deny this. Plus, I question what Floridi means by “its own equilibria”. Can information ever have an equilibrium? If information is abstracted then it has human value in its process of becoming known. Hence this statement appears to give a somewhat ‘natural’ quality to information based on older western philosophical norms. There is fundamentally nothing ‘natural’ about information – it is a socially-constructed phenomenon. It is therefore interesting that this term is used. Uncertainty, then, is a condition of human existence – we can never comprehend the world in its entirety – yet Floridi’s call for it to be further recognised can be applauded even if its execution is somewhat questionable.
This weekend I ended up on an impromptu trip to Birmingham and decided to go to see the film Blackhat (Click here to see the official website). Admittedly, it was rather something of an atypical Hollywood blockbuster film – yet it had great insights into the changing perspectives of cybersecurity and its connections to wider security discourses. Most strikingly it had a classic lead in Chris Hemsworth as a convicted hacker who was released to help in a cross-border investigation into a severe hack against a Chinese nuclear power plant and a later one on financial corn exchanges. This pitted cooperation between the US and China on a single hacker – which I thought was a rather bold move. There is a scene in which the FBI discusses the difficult relationship on cybersecurity and the mistrust this exposes, which is returned to at several points during the film. I wish not to spoil the film any further, so I will leave it there so that those of you who may wish to watch it can do so without me ruining it for you.
The film’s understanding of cybersecurity and general security discourses was particularly encouraging to see. There were definite attempts to engage with current perspectives on cybersecurity beyond a purely technical problem to one of tracing fragments of data and political decision-making. I would claim this demarcates a coming-of-age for cybersecurity in film that is welcome. It had clear parallels with the Stuxnet malware that is thought to have targeted Iranian nuclear power plants in order to commit sabotage, which was comprehensively detailed in 2010. Although the execution of the attacks was somewhat unrealistic, I appreciate that creative license is required to entertain, so it was a rather good attempt. The wider questions around attribution were a core theme of the film, in order to find the hacker which included tracing the clues that were left ‘behind’ through not only files, but also money transfers – demonstrating the complex interactions in ‘cyber-crime/terrorism’. This complexity of ‘older’ crimes such as fraud and its combination with cyber attacks demonstrate the physicality of ‘cyber’ and that these crimes may be committed solely through the means of data communications but have material impacts.
The use of 9/11 and wider terrorism discourses in ‘connecting the dots’ which the Department of Justice says was one of the core elements of the US Patriot Act 2001, is of crucial importance to how cybersecurity is conceived in the public imagination. As Louise Amoore from Durham University states in her latest book, there is a crucial imaginary built upon code and how modelling into the future can ‘pre-empt’ events before they take place. Although this work primarily focuses on the movement of bodies and things, one can argue that cybersecurity discourses are far more (dis)connected. By this, I mean there are difficulties in humans perceiving the tangible effects of much action in cyberspace and yet we are constantly told that we are being increasingly interconnected. This binary is contradicted in Blackhat where the lead female US FBI agent as a ‘human’ body of affects and emotions combines her husband’s death in the 9/11 attacks to preventing further attacks by the hacker. The hacks of the exchange, not only purely lead to monetary values being manipulated, but expose the highly-connected nature where variables in one place can change an entire market and the lives that depend on this. The interesting connotation that the connection of dots, or fragments of the hacker (as a dividualised expression of pseudonym), will prevent further attacks is therefore an interesting imaginary that is formed. I believe this grows out of what was dreamt in the Patriot Act and subsequent actions by the US Government to be able to foresee through data the low probability, high risk event. Therefore the (dis)connection of cybersecurity is intermingling with former security discourses, determining that precision calculation can prevent attacks but admitting that there are tangible effects of a hack. Hence a prevention of attacks in ‘cyberspace’ means we are directly affected as Blackhat shows, eroding dualisms of physical/cyber.
This is something new in this film that I have not seen and lets the inherent complexities of cybersecurity emerge; folding cyber, physical spaces, humans, politics, materials, code and so on into it.
So, how does the infusion of security discourse of 9/11 and cybersecurity fit together? Here are three examples:
- First, there is a simple problem of attribution (look to Thomas Rid for some of his work on this at King’s College London). This ‘problem’ correlates concerns of terrorism entering through the US border – with increases in airport security and the use of Passenger Name Records (PNRs) as examples of the increased use of data in order for dots to be connected. Therefore, identifying who, among all the possible options, is suspicious at the ‘border’ compares well here to detecting the malicious hacker.
- Second, the international nature of hacking and their sometimes confused objectives. The Blackhat hacker’s motives are constantly questioned within the film and with the networked nature of movements across state spaces, places it in ‘conventional’ terrorist networks within this post-9/11 imaginary. If we think back to Al-Qaeda and other Islamist extremists, then this confused nature of an unknown assailant is clear.
- Third, the insider. Since the Summer 2005 London bombings, and the recent concern with those returning from Syria who have gone to assist the Islamic State (IS) in Europe, the insider is a dominant schizophrenic problem in security discourses post-9/11. Edward Snowden is the example du jour for cybersecurity – who to trust. Blackhat’s main character is one whose trust is questioned by the FBI and details how there is now greater scrutiny of those ‘within’ security discourses. The distinctions of ‘inside/outside’ for states have now become problematic and now a core theme in broader security discourses.
To end this post – I believe the critical point to take away is the enveloping of cybersecurity into wider security discourses as it enters the popular imagination. Therefore we can no longer see cybersecurity as solely a technical ‘problem’ but one interconnected in wider security discourses and is being used so, such as with the recent Sony hack where its interests became one of US national security. It is about connecting the dots.