Friday, November 8, 2013

A different kind of Bitcoin war

Two days ago, Business Insider's Joe Weisenthal published an article in which he argued that Bitcoin is actually a bubble that will eventually burst. See that article here. Salient points:

  • Yes, a Bitcoin is now gaining value rapidly (the last report as of this writing is that it's now worth over $300). Folks as respected as the Washington Post's Timothy Lee are now asking whether Bitcoin critics who called it a bubble need to admit that they were wrong.
  • Weisenthal's insistence: This doesn't matter in the long run. "Bitcoin is not the currency of the future. It has no intrinsic value."
  • Unlike the dollar, "If people lose faith in it, it's over. Bitcoin is fiat currency in the most literal sense of the word." And worse: It's a "speculative vehicle."

The response from the Internet? Scorn. Weisenthal has written another piece demonstrating some of the most amusing reactions to his original article:


Whoa, chill pill, buddy.


OK, so this one is actually pretty funny and inspired.

It's never a good sign when advocates of a person or thing start investing their self-esteem into it, which means that they become hostile whenever somebody questions it. When something attracts those types of people, it says a lot about the thing itself: It means that the thing isn't just a person or a product, it's a way of life.


Tuesday, November 5, 2013

It's official: The administration is considering splitting up the NSA and CyberCom

At this point, I've already devoted two entries to the question of whether the NSA and Cyber Command should be split up once Gen. Keith Alexander retires next year (see my posts here and here). Now, however, it looks as though the debate is heating up on the Hill:

"No formal decision has been made yet, but the Pentagon has already drawn up a list of possible civilian candidates for the next NSA director, the former official told The Hill. A separate military officer would head up Cyber Command, a team of military hackers that trains for offensive cyberattacks and protects U.S. computer systems.

The administration might also decide to have two military officers lead the two agencies. 

The fact that the administration is considering whether to split the commands isn’t a direct response to the revelations about the NSA’s surveillance operations, but it does reflect growing concern over the power of the NSA director and a shortage of oversight of the position."

I'm pretty skeptical about the last part: As I argued in my last post, it is preferable to allow Cyber Com to flourish without being tainted by the same controversy that surrounds the NSA and Gen. Alexander himself. But, one cannot expect the administration to admit that they share this perspective. And anyway, keeping Cyber Com free of controversy isn't the best (let alone the sole) argument for separating it from the NSA: I think Jason Healey has the right perspective:

"[Cyberspace] is too important to grant one person have a near-monopoly on threat intelligence while simultaneously conducting active espionage, directing military force, and advising on policy...Yes, General Alexander is a cyber expert and an intelligence hero whose work has saved hundreds of American lives. But this does not make him irreplaceable. The U.S. military has had generals in charge of combined offensive and defensive joint cyber commands since 1998; fifteen years should be enough time to develop a sufficient bench."

All things considered, there are still some larger issues at stake here, and the biggest is whether cyberspace is truly a military domain at all. Making it a separate combat command means that we are acknowledging that cyberspace is already a domain of warfare, and there are plenty of people prepared to argue against that assumption. Indeed, cyber espionage and IP theft are arguably the most exigent concern for policymakers right now, and those are not military concerns.

Sunday, November 3, 2013

Questioning the "big scary number" approach to Somali piracy

After all the cyber talk that permeates this blog, it's time for me to turn my attention to something else. Arbitrarily, I choose...Somali piracy.

Actually, not so arbitrarily: The World Bank and the United Nations Office on Drugs and Crime have just put out a brand-new and eye-opening report on the financial costs of Somali piracy to the world economy. Much like recent reports on the cost of Intellectual Property theft in cyberspace, this report provides policymakers with some enormous dollar values to quote in Congressional/Parliamentary testimony: According to UN data, pirates operating off the coast of Somalia and the Horn of Africa received $400 million USD in ransom payments between 2005 and 2012, and the total costs of piracy to the global economy (in terms of trade costs and countermeasure spending) so far have reached $18 billion USD. Those are the kinds of "big scary numbers" that are meant to spur action, and naturally imply that anything and everything we're doing to stem the "piracy tide" right now is inadequate. In other words, garden-variety alarmism.

This fellow here earned $10 million USD by capturing this beached ship, armed only with his trusty (and rusty) AK. Oh, and tourism on this beach decreased 60% by the following month.

The problem with studies like this - and numbers like the ones quoted above - is that one must always have a good idea of how the costs were calculated, and be ready to ask hard questions about where those numbers really originated. Whenever someone attempts to put a solid dollar value on the economic costs of some type of transnational criminal activity that's blowing up news headlines and Twitter feeds, it's not uncommon to find that there's a serious attribution problem going around. For instance, the Obama administration has been fond of claiming that cyber-crime costs the global economy $1 trillion USD, with intellectual property theft taking $250 billion USD out of the U.S. economy. As it turns out, those numbers came from misinterpreting a 2009 McAfee report whose authors have denied that they ever intended to make such an unsubstantiated claim. (And now an obscure cybersecurity consulting firm, which I discussed in another post, is playing the "big scary number" game in a desperate publicity stunt by claiming that cyber theft costs us $5 trillion per year.)

Then there are the methodology issues. Ostensibly, this is where my previously used cyber espionage cost analogy falls apart: It is, after all, much easier to count ships hijacked by pirates and tally up the cost of each ransom paid, whereas the costs of cyber IP theft are far, far more difficult to quantify for a whole litany of complicated reasons. But actually, calculating economic costs of piracy poses its own challenges: Witness, for example, last year's report by Oceans Beyond Piracy, which has been harshly rebuked by analysts at SomaliaReport. As SomaliaReport points out, OBP already revised their scary number for the costs of Somali piracy twice: First they estimated the cost at $7 to $12 billion USD, and then revised that figure down to $6.6-$6.9 billion. And this was deduced by lumping together government costs for security (a bill footed by taxpayers), elective insurance costs (passed on to consumers), and opportunity costs (i.e. declining tourism in neighboring countries like Kenya). SomaliaReport points out that this approach has serious flaws:

  • The counter-piracy industry, which includes the hiring of private security contractors and installation of safety counter-measures on ships, is now an industry that brings in $52 million per month. Talk about economic stimulus; that's money going into local economies that OBP is ignoring!
  • OBP's estimates of the insurance costs are just that...woefully inaccurate estimates, which is a huge problem given that insurance brokers do not tend to give out this kind of information.
  • The tourism costs claim is just flat-out wrong; SomaliaReport points out that in the case of Kenya, which was OBP's most specific example, tourism increased by 32% in 2011 alone.
  • There's also a lack of contextualization in OBP's report: They ignore, for example, the fact that $10-$15 billion was stolen from U.S. ports in 2003 alone, and 10,000 shipping containers get lost at sea every year due to stormy weather - losses that far outstrip Somali piracy.

"Captain, we've got a huge problem!" "You mean the fact that we're listing to starboard and about to dump $20 million worth of cargo in the drink?" "No, sir, worse than that: there's a Somali pirate ship approaching from port!"

Given the controversy surrounding the Oceans Beyond Piracy report, I am inclined to approach this new study by the World Bank and UN with an equally skeptical eye, especially when I see their big scary numbers. Reading the methodology section of the report makes me suspicious about their findings because, as they admit, data is scarce, and their sources don't appear credible: Among others, they interviewed (1.) former Somali pirates, (2.) local law enforcement and military, (3.) piracy victims, (4.) local officials, and (5.) local banks. These are not sources I would expect to be either reliable or honest. They also use event data on piracy that also comes from the UNODC Counter-Piracy Programme, but I wouldn't trust them, either; they have motive to exaggerate the problem, given that the program reportedly has a budget of only $55 million.

Better analysts than myself will have to consider the new report on its merits, but as a rule, I think it's time that we admitted that big scary number studies of complex security issues are, by their nature, untrustworthy. Alas, we live in a policy-making world where sources are often not vetted for credibility, so I am expecting to hear some Senator or high-ranking military officer mention the $18 billion number in a future Congressional testimony within the next couple months. If I ever have a career as a management consultant or think tank analyst who puts out studies for government and public consumption, one of the cardinal rules of my work will be: "Thou shalt not make any preposterous claims backed by dubious big scary statistics."

Another thought for today...

I'm rarely inspired to "pursue greatness" (or whatever) by the self-help/inspirational articles I see circulated by people on my LinkedIn network, but there are occasionally diamonds in the rough. In today's feed, "Why Being a Perfectionist Can Harm Your Productivity" was one of those few articles that spoke to me. The title says it all: Perfectionism becomes a disorder when it becomes an impediment to completing a task. In my case, I have found that perfectionism often gives me a natural anxiety about even getting started. It's the reason that my professional journal contains countless ideas for paper topics that I have yet to pursue, and why I have often been unable to finish any project that doesn't have a deadline attached (i.e. papers for classes). I cannot count the number of times that I've done an examination of scholarship on a given topic in foreign policy, and I find myself obsessing over whether I am including enough (or all) of the most important preceding journal articles on the subject, lest I come across as ignorant of the debate. The single scariest thought to me in writing a paper is that I might not sound like an expert on something because I haven't read everything ever written about it, and I am not sure why I feel this way.

So, in my own (endless) pursuit of perfection, I suppose that I would do well to mull over this quote from David Burns quoted at the end of the aforementioned piece:

"There are two doors to enlightenment. One is marked, 'Perfection' and the other is marked, 'Average.' The ‘Perfection’ door is ornate, fancy, and seductive… So you try to go through the 'Perfection' door and always discover a brick wall on the other side… On the other side of the 'Average' door, in contrast, there’s a magic garden. But it may have never occurred to you to open the door to take a look."

And because I haven't quoted Shakespeare in a while...

"All lovers swear more performance than they are able, and yet reserve an ability that they never perform; vowing more than the perfection of ten, and discharging less than the tenth part of one."

Consider this blog my attempt at making peace with my inability to be perfect: It's better for me to be writing something rather than absolutely nothing.

Letting slip the dogs of cyber-war?

Once again, I have missed out on cyber-related news that is of interest and possible importance: Mojtaba Ahmadi, the commander of the Cyber War Headquarters, was found shot dead outside of Tehran on October 3. Revolutionary Guard Corps investigators are warning regime supporters and hacktivists not to jump to conclusions about who was responsible, and the Israelis themselves (the inevitable target of ire) are also denying involvement. It's not exactly impossible to believe that such killings are below the Israelis, given Mossad's alleged involvement in the deaths and kidnappings of Iranian nuclear scientists. But as former Shin Bet intelligence chief Yaakov Peri has pointed out, these kinds of killings are also common in Iran due to internal disputes amongst rival politicians and military commanders.

This news has me reflecting upon two different speaking engagements that I attended this year:


  • Earlier this year, the release of the Tallinn Manual on International Law Applicable to Cyber War made major waves when some journalists and scholars pointed out that the manual justified the killing of hackers in wartime. However, when I was at Georgetown's International Engagement in Cyberspace conference back in April, Professor Wolff Heintschel von Heinegg, one of the Tallinn Manual's authors (see an after-action report on that discussion here) pointed out that they did not seek to legitimize killing hackers under just any state of conflict. Rather, the Tallinn Manual requires evidence that the hacker participated in an attack causing death and destruction on a massive scale - as per Article 51 of the UN Charter. Whatever one thinks about Iran's cyber forces, there isn't any evidence yet that Ahmadi is a legitimate target under the criteria laid out by the Tallinn Manual for kinetic action.
  • That being said, there is sentiment on K Street right now that Iran is not a "rational actor" in cyberspace. In July, I attended an Atlantic Council panel discussion on the threat that Iran poses in cyberspace. While I was there, I listened to folks such as the Council's Jason Healey and Crowdstrike's Dimitri Alperovitch make the argument that while the Iranians currently have low capability in cyberspace compared to the U.S. (though Alperovitch disputed the claim that they are merely a "third tier" cyber-power), they have high intent to cause major damage and (it was implied) death through catastrophic cyber attacks. And like Israel's PM Benjamin Netanyahu, none of the folks at this event seemed terribly optimistic that the election of Hassan Rouhani as the new Iranian President would significantly de-escalate tensions in cyberspace (Barbara Slavin said that the group's attitude was "cautious optimism" at best). And if one looks to the Pentagon, DoD's sentiments are pretty clear and have been expressed in the least subtle terms possible.

Long story short: There is definitely a lot of sentiment in DC right now that Iran is one of the most threatening actors in cyberspace that we face, but if Ahmadi's death really were one of the shots fired in the cyberwar, it would be a pretty scary precedent to set. That's why I am skeptical that he really was killed by Mossad - unless the U.S. and Israeli intelligence found evidence that Ahmadi had intent and capability to do something so horrible and drastic that they were able to make some sort of convoluted legal justification for killing him.