Our societies are digitalising with an increasing pace. Our governments authenticate us, tax us, police us and take care of our health with an arsenal of digital technologies, sourced from different vendors on a globalized marketplace. More often than not, vendor decisions are driven by pure financials and latest technological trends, as opposed to critical background analysis of who is actually controlling and purveying these technologies, and why the price is sometimes just too attractive.
In my country, which has had to twice (or more, depending on how you calculate) fight off an existential threat (war) from the Soviet Union, self-reliance and sustainability during crises have always been prioritized high on the government agenda. We’ve stockpiled grain, fuel oil, spare parts and many other essentials, in addition to supporting enough domestic production to feed the nation and maintain our military forces even when our maritime artery, the Baltic Sea, would happen be too hostile for merchant ships, or when our airspace would be surrounded with hostile forces.
In just about 20 years (which happens to be the age of BaseN), the reliance on foreign networks, technologies and international systems such as the SWIFT banking mechanism, has just skyrocketed in most developed countries. Systems are built on systems, and the emergence of large cloud providers just exacerbates this consolidation of power to fewer and fewer governments who have (sort of) jurisdiction over these players.
Two of the most innocent sounding, but at the same time very dependence-creating and intelligence gathering services are Denial-of-Service (DDoS) attack protection technologies and Content Delivery Networks (CDNs) used by popular and high-bandwidth sites, such as citizen authentication systems, banks, healthcare, national broadcasters and many others.
The simplest way to implement a DDoS protection service is to route all incoming network traffic into the network of the DDoS service provider, which then tunnels the ‘cleaned’ traffic to the original customer site. CDNs in turn are used to distribute the load (eg. video clips or directly streamed TV) across a multitude of servers owned by the CDN company, so that the originator company (e.g. public broadcaster) does not have to maintain large network capacity to send the stream to millions of users. Simple and easy. Almost too good to be true? Yes.
When an unit of government of a country, say, the agency responsible for digitally authenticating people for various government services, outsources the traditional DDoS protection service to a foreign party, perhaps even residing in a different country, what happens on the network level is extremely relevant what comes to data privacy, security and especially situational awareness capabilities of the said foreign party and their respective national intelligence agencies.
Although we have splendid encryption technologies in our web browsers, when one truly hands over an IP network block to a third party e.g. for DDoS protection, this third party can not only heuristically analyze the traffic, but it can also place special decrypt-encrypt mechanisms and decrypt the traffic at will, without the customer ever noticing this. Yes, this requires some level of malfeasance, but doing it is so cheap and easy that as a foreign government, I would most certainly at least maintain the situational awareness which is handed over me on this proverbial digital plate.
To see how some governments both boost their influence on others while systematically protecting their own assets, look no further than our usual superpowers, old or new. A newly emerged DDoS protection service https://ddos-guard.net/ offers very afforfable pricing and seems to be backed with ample investment and infrastructure (it’s based in The Netherlands, but notice the Russian flag). China has its own ChinaCache and other state-linked services, while the US has a plethora of companies whose initial customers were from the federal government. Meanwhile, Russia is training with a sovereign Internet to ensure no public agency or nationally important industry is dependent on foreign, remotely disruptable technology.
In order to maintain national security and sovereignity to make independent decisions in the future, but also very much industrial competitiveness, nation states must take a deep look at new networked technologies and their darker dependencies. One will often pay a slightly higher price, but as the old saying goes, all countries have a military. It’s either your own or someone else’s. The same increasingly applies to sovereign digital platforms.
//Pasi