26 July 2016

Cyberwar, the IT Professional, and Battles between Nations

On the securitymetrics list, Joel Rosenblatt recently posted a link to an article by David Gerwitz  and asked "Do you, as IT professionals, have to get involved in the battles between nations?"

It is a good question, but the article he cites confuses cyberwar and cybercrime. After all, not all cyber attacks are cyberwar, if you understand war of any kind to require the use of force, political objectives, and, arguably, nation states.

Given that understanding of war, the metrics that the article cites are misleading. Most data breaches are made for economic gain, not political advantage. Therefore, the numbers cited about the cost of breaches, the growth of incidents, and so forth, miss their mark. So do the numbers on the growth of the amount spent on defense, given the apolitical nature of the attacks and the attackers they are defending themselves against.

I would make the further point that we have yet to see true cyberwar. Attacks in Estonia, Georgia, Ukraine, and elsewhere have been examples of how cyber attacks can affect political conflict. But were they truly cyberwar? Nobody died. No long-lasting damage was done. Did these cyber attacks, in the end, successfully advance any political goal?  Arguably, no.

That said, the article asks a larger question that does need an answer. To paraphrase it: What responsibility must private enterprise take in defense against attacks in cyberwar? In addressing this list, Rosenblatt placed this question at the personal level when he asked "Do you, as IT professionals, have to get involved in the battles between nations?"

It is unlikely that anyone would argue that private enterprise bears no responsibility. The question can then become more precise: How much responsibility should lie on private hands and how much should be assumed by the government? This has been debated publicly, at length, for years. The White House has issued Executive Orders to address the issue, and Congress has passed some legislation and debated much more. Nonetheless, it not yet been answered.

Part of the reason why the question remains open is that we don't have a clear idea what cyberwar is. What do we need to prepare for? More Sony attacks? Massive DDOS attacks like in Estonia? Attacks on industry like the assault on power stations in Ukraine? Or something else?

The truth is that we need to prepare for the last, for something not yet seen in its entirety. Or perhaps not at all. Herzi Halevi, the Chief of Israeli Intelligence, recently pointed out that the power of air warfare did not become evident until World War II, about 40 years after the airplane was invented. With that in mind, it is early days in the development of cyberwar.

Drawing on the analogy with air power, we can expect cyberwar to be of two kinds. 'Tactical' cyberwar will directly affect the battlefield. The growing importance of digital communication makes the importance of this aspect of cyberwar clear. 'Strategic' cyberwar is analogous to the use of Liberators and Lancasters to bomb German industrial plants, railroad yards, dams, and oil fields.

The former is clearly the province of government. The latter is where the private sector comes in. A difference between cyberwar and air war is that private enterprises can do much to protect their assets against cyber attacks, but little to protect them against air attacks. Indeed, when it comes to cyber attacks, the essential work is out of the hands of government, though it can provide money and information.

That is particularly true in the United States, where private enterprise does not trust government and has little inclination to work with it. There is less distrust elsewhere, so government can do more. The Israeli government, for example, is establishing a national CERT that will provide cybersecurity services to private industry. With the American public and private sectors at loggerheads, nothing like that can be done here and be effective.

And, as it stands now, the money and information that government might provide won't be available. Congress almost certainly won't provide funds for defenses that private industry is not certain it needs. Despite much effort and almost endless discussion, information has been exchanged grudgingly at best.

What does this mean? The United States is likely to remain unprepared for attacks made in strategic cyberwar, barring some horrendous wake-up call.

So, following on Rosenblatt's question, what is an IT professional to do for cyberwar?  Keeping in mind that not all cyber attacks are cyberwar and that many of the tactics, techniques, and procedures of cyber attacks used by nation states and private criminals are similar, I would tell the professional: Keep on working to strengthen the defenses you are responsible for. That may seem a small task to those who don't have to do it, but it is essential. Those who make policy, in industry and government, should do much more.

07 February 2016

Putin’s Russia and Political War

Has Russia changed? Does it have a new strategy for dealing with those who oppose it?
Some think so. After a British court found cause to believe that Putin was complicit in the death of Alexander Litvinenko and after attacks on power plants in Ukraine, attributed by many to Russia, it has been argued that Russia has adopted a new strategy, a new tradecraft.  In particular, the claim has been made that Moscow has replaced murder with hacking.
The truth is that Moscow uses a multitude of means to deal with opposition in the world beyond Russia’s borders.  It always has. It is doing nothing new.  It follows a strategy that was adopted by Lenin.
Political war: More than hacking, less than combat
Lenin and his successors in the Soviet Union used all means available to influence a world they saw as irretrievably hostile. Putin’s Russia does much the same. Because of geography and the relative weakness of Russia’s military or simply out of prudence, the use of Russia’s military has been out of the question in most of the world. Like Lenin and Stalin before him, therefore, Putin has come to rely on political war, that is, on “the use of political means to compel an opponent to do one’s will.”
This is not the same as hybrid war, the term used to describe Russia’s actions in Ukraine. Hybrid war still relies on military force and political war has a different aim. In Ukraine—and in Syria, for that matter—occupying territory matters, which makes military action necessary. In political war, the goal is simply to weaken the political will of opponents, to “chip away at public confidence.”
The Soviet Union used a variety of political means—both overt and covert— to extend its influence into the West and elsewhere. Many of these means have been updated and are used by the Kremlin today. Instead of Radio Moscow, look at RT and similar   Instead of support given to Communist Parties in the West, look at the support given to right-wing parties.
Information technology has increased the potential of political war in the 21st Century. The cyber realm promises to extend the reach of political war far beyond. Russia has been taking full advantage of it.
As they have shown, social media can be a potent tool of the political warrior. It is ubiquitous, accessible through any smartphone or computer, available at any time of day or night, and increasingly important in the lives of many in the developed world.
It is also less attributable than older media. Whereas radio in particular was clearly identified with its owners and the country from which it broadcast, social media are often ostensibly state-neutral. We knew who Tokyo Rose, Radio Moscow, the BBC, and Radio Free Europe represented; we don't know that about most of those who post on Facebook, Twitter, or LinkedIn. They can come from anywhere; they can be anybody.
Then there is hacking, or cyber war, if you will. It is often hard to attribute the source of cyber-attacks to their source, particularly if that source is a nation-state determined that its efforts remain hidden. Indeed, attacks often go unnoticed for years even as they quietly achieve their goals.
They can be launched to serve a multitude of purposes. Some can deny access to services available online, as in Estonia in 2007. Others can be another form of espionage, as with the attacks on OPM databases in 2014-2015. Still others can wreak physical destruction. Stuxnet showed that potential. More recently, just last year, the BlackEnergy toolkit was used to attack power plants in Ukraine. It appears to have been used for a variety of political purposes since at least 2014.
Of course not all of these attacks were made by Russia, and Russia is far from the only country able to wage cyber war. But it is widely recognized that Russia is one of the best at it. It is an important element in the Russian approach to political war, as an article by two Russian military officers published in Voennaya Mysl in 2013 shows. They describe a continuum of operations through all phases of ‘new-generation war.’ Cyber-attacks have a prominent role throughout, from spreading propaganda to the final, military phase.
What is to be done?
The West has always had difficulty dealing with political war. The credulousness of William Duranty, who won a Pulitzer Prize for reporting that the Great Famine in Ukraine did not occur and Joseph Davies, the ambassador to Moscow who believed that the people Stalin put on stage in the show trials were guilty, are but two examples. There are myriad others that can be gathered from across the Western world.
As Mark Galeotti argues, we are no better prepared today as Putin and his government use the methods of 21st Century political war to combat the many hostile elements they find in outside world. We need to recognize the efforts that they are making and the means they have available. Sometimes they will succeed.
Should Russian political war be cause for alarm? Arguably not, especially in regard to the United States. After all, it is not new. We survived the Soviet version of political war; the Russian threatens us less, despite the evident effectiveness of Russian cyber arms over the last decade and the growing efforts to gain influence through the new and old media.  Moreover, political war is not war war. And while Russia is certainly not a friend—the hostility of Putin to the West can be almost palpable—it is not an out and out enemy. For most of its history, the Soviet Union was.
Countries where democratic institutions are weaker are a different matter. Ukraine is one example, but Bulgaria is another. A response to Russian efforts to wage political war is needed, but it should be measured.
We would do well to nurture that antidote by strengthening private and public programs that foster open media, good government, and cyber defense. An increase in covert programs such as those George Kennan sought in 1948 will not survive when they come to light once again, as they did before and will again. The creation of a bureaucracy devoted to political war, as Max Boot advocates, is overkill.
Our response to this long-standing Russian reliance on political war needs to take into account the strengths that our open society can bring to a political struggle. The weaknesses have been often noted, but truth is a powerful antidote to propaganda.

Reading Packets is Like Chess, Except When It’s Like Poker

In chess, everything is laid out in front of you. Nothing is hidden. The outcome depends solely on your skill. No cards are hidden. You can’t be dealt a bad hand. No dice can give you snake eyes or boxcars.
When looking at network traffic, packets give you a chess player's view. It is all there in front of you, whether you are troubleshooting problems or looking for what the bad guy did.  That doesn’t make it easy, of course. Your skill and knowledge determine how much you can do, especially against a stronger opponent.
Of course, encrypted traffic is different. Then it becomes more like poker. Much of what you would like to know is hidden.  As the game goes on, you can get clues about what is hidden, but you cannot know for certain what is there.
To be more precise, looking at encrypted traffic is more like playing stud poker than draw. In the latter, all cards are hidden. In stud, some are dealt face up, so you always know something about the hands on the other side. Network packets always show their headers. 
These are the cards you can see. Pulled together into session data, they give you a solid basis for analyzing what is going on. 
This makes reading packets an important skill for network administration and an essential skill for network defense.
[Here comes the commercial part.]
For that reason, my favorite security course is SANS Security 503. It also happens to be one of the best courses SANS has put together. That is why I am teaching it in the SANS Mentor format this spring. The course will meet in Rockville, MD, each Wednesday beginning April 13.
In addition to reading packets you will learn about intrusion detection using Snort and Bro. As you might expect from a SANS course, there will be plenty of hands-on work, so you will come out knowing that you can actually do it.
If you are in the DC area, I hope you’ll sign up.

01 November 2015

The Value of Dialogue Between Adversaries

It has been like meeting old friends. In recent weeks, I have looked anew at the Dartmouth Conference, a series of meetings that began at the height of the Cold War as an effort to get Soviets and Americans to talk to each other.  Dartmouth was the subject of my book, but it has been more than a decade since I last considered it in any depth.
The Dartmouth Conference is the longest continuous bilateral dialogue between Americans and Russians. Norman Cousins started it in 1960. He was the renowned editor of the Saturday Review. He was an anti-nuclear activist and believer in world government, a man the powerful wanted to speak to, including Eisenhower, Kennedy, and Khrushchev. Cousins believed that the United States and the Soviet Union had a common interest in not blowing each other up. He also believed that dialogue outside official channels could help prevent that holocaust.
How could it do that?  A naïf would argue that through dialogue we can dissolve differences. That is almost never the case. It was certainly not the case during the Soviet era when Soviet participants in Dartmouth like Georgi Arbatov and Yevgeniy Primakov, who became Russia’s prime minister, made their differences with American policy clearly known. The ability of Soviet participants to deviate far from official pronouncements was limited in any case.
What dialogue can do is to clarify the differences between the two sides. It can show what perceptions, experiences, and reasoning lead two sides to oppose each other on a particular issue. Or in general. It can also reveal what interests they share. During the Cold War, the two superpowers wanted to avoid nuclear war and nuclear proliferation at the same time that they were nearly coming to blows over Berlin and Cuba and fighting proxy wars in Africa and Afghanistan. The dialogues at Dartmouth did not paper over the differences—would one expect participants like Zbigniew Brzezinski to soft pedal what they saw as Soviet malfeasance?
But the participants at Dartmouth have also sought areas of common interest. And found them. In time, they came to propose ways to strengthen those common interests. Primakov “noted that we achieved considerable progress in designing measures to normalize the situation in the Middle East.” Policy makers don't always pay attention, as Primakov also noted. But they do sometimes and that can be important. In 1984, Secretary of State George Schultz used information gained from Dartmouth about Soviet attitudes to further an improvement in U.S.-Soviet relations from the cold freeze of the early Reagan years.
Dialogues like Dartmouth that involve people trusted by both sides and are sustained over time can also provide a ready-made back-channel for policy makers to use to send messages or, as Primakov put it, “to ‘test the water’ regarding ideas put forward by their governments.” Alexander Haig, Reagan’s first Secretary of State, was not the only one to do this with Dartmouth.
I’m pleased to be able to say that Dartmouth continues to meet and make recommendations that could help American policy as it deals with conflict across the globe. For example, the 19th Conference, held in March this year, recommended that Russia and the United States “create a contact group to work on common approaches to such issues as controlling the flow of fighters [to Islamic State], financing and possibly sharing ideas on the sensitive issue of Turkey’s role in this conflict.” Who knows what influence that might have had on the mess we find ourselves in now in Syria.
Dialogues like Dartmouth are especially important at a time when regional expertise is devalued in academia and government and language skills are diminishing across the board in the United States. The chances that we might be trapped in the bubble of our own assumptions are increasing. History is rife with errors made by those who could not escape that bubble.
I spent much of an earlier part of my career, before I became involved in cybersecurity, cyberwar, and the like, looking at Dartmouth. For several years, I’m proud to say, I worked with Hal Saunders, a former Assistant Secretary of State and co-chair, with Primakov for a time, of the Dartmouth Regional Conflicts Task Force. I am a realist by nature and a pessimist about international relations, yet through that experience, I learned that if there is dialogue, there is hope that the worst can be avoided. The 20th session of the Dartmouth Conference just ended. Long may it continue.

05 April 2015

Will More Cyber Offense Deter Cyber Attacks?

Admiral Mike Rogers, the head of CyberCommand, told the Senate Armed Services Committee recently that we need to “think about how can we increase our capacity on the offensive side.” He was responding to Senator McCain and other members of the committee who were pushing for CyberCommand to put a greater emphasis than it has on offensive measures. Their reason for that emphasis? To deter attacks like those we have seen in the headlines, especially the attack on Sony.

That is the wrong message, given at the wrong time for the wrong reason.

There is no doubt that the United States needs a strong capability to launch cyber-attacks. They may, indeed, help deter some attacks by some adversaries. But other reasons are more essential to national security.

First, the cyber domain is an increasingly important part of the modern battlefield, much as air power became increasingly important in war during the first half of the last century. The military cannot ignore it, particularly as militaries other than our own are becoming both more capable and more reliant on this new technology. Our military must be prepared to take the cyber battle to the enemy, to project power through the cyber domain.

Second, cyber-attacks give policymakers an alternative means for pursuing policy objectives short of war. Economic sanctions are one set of several sets of tools that can be used to promote the ends that policymakers seek. Stuxnet showed how valuable an offensive cyber tool could be in this context. The Israelis were pushing for an attack on Iranian nuclear facilities; Stuxnet provided an option that could—and did—slow the Iranian push toward a nuclear capability.

But how useful will offensive cyber weapons be for deterrence? Keep in mind that deterrence is all about perception. It is not enough to have a capability and to say that you will use it. Your opponent must believe that you will retaliate if the opponent attacks and that you will cause that opponent harm that exceeds the probable gains from the original attack.

This puts several conditions on the use of cyber means used for deterrence. First, the attribution problem has to go away. Not only must we know who attacks us, our would-be attacker must know that we will know, despite efforts made to hide the source of the attack.

Second, would-be attackers must know the threshold beyond which they cannot go. Will we respond if embarrassing corporate emails are made public? If state secrets are stolen? If a million social security numbers are taken? If essential files are destroyed? If industrial control systems malfunction? If the power grid goes down? The threshold lies somewhere on a line drawn through that list, but where? The line has to be precise and clear to the opponent.

Third, a would-be attacker must know that the threat of our retaliation is credible. The opponent must know that action threatened will hurt and that there can be no effective defense against it. Such a threat is easy for a nuclear power to make. A nuclear blast does hurts and, as yet, there is no assurance that the delivery of nuclear weapons can be stopped.

It is different in the cyber world. Can a retaliatory attack on targets purely in the cyber domain cause enough damage to make an opponent think twice about attacking? Perhaps, but I suspect not. Attacks on cyber targets that affect the physical world are more likely to, if their success can be guaranteed. But a would-be attacker must believe that such an attack will happen and that it cannot be stopped. 

There is, of course, no reason to limit retaliation to the cyber domain. But such asymmetric responses get away from the committee’s call for a greater emphasis on offensive cyber weapons. They warrant consideration precisely because of the limitations of cyber attack. (McCain did not simply call for a greater emphasis on offense. He called for a strategy for deterring cyber attacks. )

Another problem with making a threat credible is that cyber threats against a determined defender are transitory. An attack that succeeds today will be defended tomorrow. Stuxnet relied on five zero-day attacks. They have been patched, though one was fully patched only recently. And we cannot assume that the Iranians are as vulnerable to attacks launched through USB devices and contractor’s laptops as they were in 2010. After all, the Defense Department was also the victim of an attack by USB in 2008. Measures have been taken and the department’s vulnerability has been reduced. It is true that the attacker has the upper hand in today’s environment.

It is also a truism that a determined attacker can succeed. But will a would-be attacker be convinced that offensive cyber attacks by the United States that can cause significant harm are unstoppable? There is good reason to think not, despite the skills of the personnel in CyberCommand.

In addition, a response to a cyber attack using offensive means has to take escalation into account. In the nuclear world, deterrence was more like playing poker: once you got to the threat of a nuclear exchange, the chips were in; the cards were on the table. The power of the weapons, the damage they could do, put stark, horrifying limits on how the game could play out. In the cyber world, deterrence is more like chess: you have to plan to meet your opponent's next move. And the options the opponent has are manifold. This is especially so as the United States, more dependent on information technology than most other countries, with an immense cyber sector, offers a multitude of targets, many, perhaps most, of which are poorly defended. Can we be ‘escalation dominant’ in the cyber realm? That seems unlikely, even if our offensive cyber capability becomes more robust.

To conclude, then, when policymakers consider how to allocate the resources we are prepared to give to cyber operations, it seems wiser to continue to focus on defense than to seek to strengthen deterrence using offensive cyber means. A strategy of deterrence for cyber attacks, as McCain called for, is needed, but it can and should draw on means outside the cyber domain. The recent executive order that ordered sanctions against those responsible for cyber attacks can be one element of such a strategy.

What is needed more strongly than even the strong defense that CyberCommand may be able to provide for DoD is a comprehensive approach to defense in both the public and private sectors. Such an approach should strive to get past the distrust between (and within) the two sectors that has been especially strong since the Snowden revelations. It must include the exchange of the information available about the threats both sectors face, as so many are discussing now. It must also seek to set and maintain stronger standards for cyber defenses in ways that are both effective and flexible.

That is a tall order, but it is certainly not impossible to achieve. It gives us is a more certain path to reducing the plague of attacks that both private companies and government agencies have suffered recently than trying to use cyber attacks to deter our opponents.

22 February 2015

Attributing Nation-State Cyberattacks: How Do You Know Who Decided and Why?

In January 2011, Secretary of Defense Robert Gates told reporters that he doubted that the Chinese could make a fighter that was truly stealthy. Shortly thereafter, while Gates was in China,scheduled to meet with the Chinese leader, Hu Jintao, the Chinese military tested their new stealth fighter1Instead, Gates decided to ask Hu Jintao why the test had been made. According to David Sanger:

Hu's  face turned quizzical when Gates mentioned the test.

"Hu turned to the guy next to him and asked if he knew what I was talking about," Gates said. "That guy shook his head no and moved down the line." The pattern continued until they hit the first officer in uniform. He knew all about it. The test, it was reported, had been rescheduled from an earlier date because of a minor equipment malfunction.2 

Curious, Sanger later asked Gates whether Hu actually knew. The secretary replied with a diplomatic 'yes,' but may have had doubts. Still curious, Sanger asked a diplomat and one of Gates' aides why the Chinese made the test. He got two answers. The diplomat said that it was to send a message to the United States and to Gates. Gates' man said it was to send a message--'screw you,' he said--to Hu, who had told the military to patch up their relationship with the Pentagon.

Was the military really acting on its own, contrary to direction from the senior leadership? The truth is, we can guess, but we don't know.

When cyberattacks are attributed to nation-states, as in Estonia in 2007, Georgia in 2008, or with Stuxnet, the assumption is often made that the attack has been approved by the senior leadership. The state is seen as a unitary actor, with all actions coordinated among all the players.

Clearly that is a simplification of what actually happens, but it is true enough, often enough, that this simple assumption is a useful one to make. But the incident Sanger cites tells us that it is not always so, and that it behooves those who make policy in one country to understand how policy is made in the states they blame.

This is often something that policymakers know little about. It is not always easy to understand how decisions are made even in a raucous democracy like the United States or the UK, where the press has access to most of the players and the players want their part known. Sanger's revelations about Olympic Games are a case in point.3 . In authoritarian societies like China and Russia it becomes much more difficult. In an isolated society like North Korea, it is close to impossible.

What this means for the attribution of cyberattacks is that forensics may give us the technical knowledge to attribute an attack to a nation-state. We may know enough about how that state operates in the cyber domain to pin the attack on it.4 But the question of motivation can become more complex than the reality of decision-making can allow. That simple assumption that decisionmakers act as one may woefully distort our understanding of how the decision to attack was made. Which leaves us not knowing with certainty who is responsible and why.

In most circumstances, this particular problem with attribution will be of little consequence. Most cyberattacks are not made by states, after all. Moreover, few attacks by nation states require an immediate, direct, and public reaction. Most, in fact, are merely digital espionage and not clear acts of war.

The reality of how decisions are made is, then, one more variable that needs to be added to the equation used to determine the attribution of a cyberattack to a nation-state.


1 David E. Sanger, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power (New York: Crown Publishers, 2012), pp. 370-372.
2 Sanger, Confront and Conceal, p. 371.>
3 Sanger, Confront and Conceal, Chapter 8.
4 Thomas Rid & Ben Buchanan "Attributing Cyber Attacks," Journal of Strategic Studies, retrieved on 06 January 2015 from http://dx.doi.org/10.1080/01402390.2014.977382 provide an exceedingly useful framework for examining attribution.

26 January 2015

A Moment in Time: Russia, Ukraine, and a Road That Might be Taken

Since the Soviet Union collapsed, Ukraine has had two chances to find a road to find a road to freedom, stability, and prosperity. It failed after it became independent in 1991; it failed again after the Orange Revolution in 2004, a decade ago. It desperately needs to succeed this time, despite losing the Crimea and large chunks of the east.

There are new faces in the government that give grounds for hope, as a recent article in the New York Times pointed out. Yet the odds remain steep. Through most of the former Soviet Union, old habits die hard. More often than not, corruption rules. The social underpinnings required by democracy are weak. In Ukraine, desperation has led to the strengthening of reactionary forces.

But desperation may yet produce a new outcome. There are forces at play that are not new. They existed before 2004. They surprised me when I saw them first hand in 1989. Until recently, I had forgotten about that time, when the Soviet Union was opening up after 70 years of Communist dictatorship.

The spring of 1989 was the heyday of the Gorbachev era, a time of Perestroika, of restructuring. In March of that year, for the first time since 1917, the Soviet Union held elections that were open, contested. They produced the Congress of People's Deputies, a new legislative body.

I came to the country for a conference two months later, a member of a delegation from the Forum for U.S.-Soviet Dialogue, an organization dedicated to the proposition that dialogue between the two superpowers had value. The American delegation included scholars and students, executives, journalists, military officers, and even a jazz singer. The Soviet delegation was of similar status, but less varied. Two members came from a institute attached to the International Department of the Communist Party that had entertained no Western visitors until we entered its gates in Moscow.

Two incidents on that trip showed me that Ukrainians and Russians were eager to have a government more effective and more democratic than the authoritarian Soviet government they had known.

The conference itself took place on a hydrofoil that skimmed the Dnepr River from Kyiv to the Black Sea and Odessa. It was a floating testament to dialogue and optimism, cordial and serious, despite wide differences in outlook between the two sides.

The first incident took place when we stopped in Zaporozhye, a city in the center of Ukraine, only 120 miles from Donetsk. Our delegation was greeted warmly and divided into two groups to be addressed by local officials.

Those of us who were there to discuss political, legal, or cultural issues, were led to an auditorium. Filled with more than a hundred local citizens.

What happened then left me astonished. Several senior party officials spoke to us about the state of affairs in Zaporozhe and the country at large. They were laughed at. Not by us, but by the locals. The officials were not used to this and did not expect it. A lawyer from Moscow--a member of the Soviet delegation to our conference--asked a question about irregularities in the election that had just taken place. The official responded by complimenting him on his Russian. Clearly, he believed that no Russian would ask such a question.

The laughter showed that the audience was not prepared to accept falsehood and pablum. By their reactions, the officials showed that they were not prepared to be taken to task. This in a country that had sent people to die in the Gulag for less only a generation before and still found dissent difficult to deal with, as the next two years would show.

After we left the hydrofoil in Odessa, at the base of the Potemkin steps, we flew to the Crimea, where the second incident took place. During our stay in Yalta, the Congress of People's Deputies held its first session. it was extraordinary, and televised in the lobby of our hotel. A crowd that included some of our delegates and a number of hotel workers stood around watching it.

I remember one maid in particular. She was blond and dressed in her hotel uniform. Her eyes were focused intently on the screen.

The session at the Congress had been going on for some time. It had reached the point of electing a president. Everyone knew it would be Gorbachev, General Secretary of the Communist Party. But we watched as Alexander Obolensky, an unknown delegate from Leningrad--and not a member of the party, complained about the privileges that senior officials enjoyed. He then nominated himself for president, wanting to set a precedent of competition for office.

When he finished, the maid--like others around us--said quietly: 'Molodets!' 'Good lad!' 'Well done!'

 The odds against democracy are steep in both countries--more in Russia than Ukraine, where the unsettled state of things may make change possible. But when we read about the efforts to make Ukraine democratic; when we hear of the strong support that Putin gets for Slavophilic, Russo-centric aggrandizement, we should keep that 'Molodets!' in mind. There is more going on in both countries than we know. The road not yet taken remains open.

22 November 2010

A Framework for Analyzing the Issues Raised by the Tea Party

I wrote this last month for myself--to get my thoughts organized. It is long for a blog post, but here it is.

The Tea Party movement has been characterized as many things, by its friends as well as its enemies. At its heart, though, is anger over the growth of government's role in American life. Tea Partiers see symptoms of this in the expansion of the laws and regulations that they must follow and in the increase in the amount of taxes that they must pay.

This anger is not always expressed temperately. It runs too high. Nor are those in the Tea Party movement or aligned with it always consistent. The movement is too diffuse. Consequently, other issues get attached to the Tea Party name, at least by those outside the movement. Some, of these issues, like race and immigration, and some of the language used elicit knee-jerk hostility from those on the other side.

But the Tea Party movement's basic issue―the role of government―is one that should be debated by the American polity. A consensus is needed―a new one―that we as Americans can live with. In truth, this issue is not a new one. It is perennial. It has also been central to American history from the time the Pilgrims first stepped on Plymouth Rock. To that end, let me suggest a framework that we can use to address this.

This framework outlined here will be abstract, the language, dispassionate. It is not meant to address the specific issues the Tea Party movement raises. It will not be useful if you want to simply dismiss the Tea Party movement as crazies or as mere proxies for the right-wing rich. You shouldn't. They aren't. The issues they raise affect us all; the Tea Party movement's point of view deserves to be taken seriously. We need to address the issues and engage the people. Beneath the rhetoric, beyond the hysteria, there may be common ground.

What Is Government?

Government is an elephant, one might say. Certainly the Tea Party movement sees it as clumsy and gargantuan. The movement and its allies view it as too big and too clumsy for the country's good. But it is also an elephant in the sense of the Chinese story of the blind wise men, each of whom touch a part of it and conclude that the whole is like that part―the trunk, a tusk, the tail, the back. Of course, the elephant is all these things.

And so we see the government as bureaucracy, as laws and regulations, as the expression of the people's will, and dozens of other things besides. Many of these definitions can, indeed, included in any complete definition of what government is. Let me step back and offer another way of looking at government.

A good place to begin is with the sociologist Weber. Government, he said, has a bureaucracy and a legal order. It alone has the legitimate right to use force. Government also claims binding authority over everyone within a particular geographic area. That is, if you live in California, the state government claims authority over you; if you live in the United States, the Federal government does.

All four characteristics are important. Possession of the right to use force is essential. It backs up the last characteristic. That characteristic, the claim to binding authority, is the essential difference between the private and public in this context. You must do what the government says, whether or not you agree. No other part of society (aside from parents) makes that claim without implicitly calling on government's authority. They make rules; only the government makes law.

What Should Society Care About?

Each of us makes hundreds of decisions each day. Many we leave to habit, such as which side of the bed we climb out of in the morning. Many we leave to others―family, friends, neighbors associates, organizations that touch our lives, the government. Those others, broadly speaking, are society. There are simply some matters in life that we need help wit, this raises two questions:
  • What should society leave to us as individuals?
  • What should society take to itself to manage?
These are the broadest of questions. After all, society is everyone else and society has an interest in most of what we do. Even a decision not to brush your teeth may offend friends and family, that is, a small portion of society. But the truth is that while people might complain about such a decision,, society leaves most of what we do to us. We are free to make fools of ourselves. And we are free to do so in numerous ways.

How Can Society Manage What It Cares About?

But how does society 'manage' things? That is, 'society' may want people to make certain choices, certain decisions. It may want people to behave in certain ways. If so, how does it make that happen?

In the most general sense, society rewards what it wants and punishes what it does not. But who (or what) is it? can be divided into four parts, when looked at from wherever we stand. Three of these are: those around us, organizations we belong to, and―drum roll, please―government. Each of these three parts of society has different ways of deciding what it cares about and how it can reward or punish you.

Government, of course, has laws, passed by legislators. These are executed by other parts of government, including bureaucrats. Regulation is one of their tools. Enforcers―police, the armed forces, the tax man―punish unwanted behavior. After all, they, collectively, have the legitimate right to use force. Rewards are issued by bureaucrats, that same tax man, and others.

The organizations we belong to often manage just a small set of the things we do. But not always. We might, for example, join a church and follow its precepts in all aspects of our life. No matter: how much we give up to any private organization is a matter of choice. The organization will determine the rewards and punishments it can mete out. You can accept those rewards or punishments or leave the organization. It doesn't have the authority―the right―to make you stay.

Those around us―family, friends, neighbors, associates, strangers we encounter--operate much as organizations to, but much less formally. What they care about is often set by custom or tradition, both of which can change greatly over time. Rewards and punishments include smiles, hugs, and kind words; scowls, slaps, and insults. You can accept these, too, or leave.

I said that there are four parts of society, but I've named only three. The fourth is more amorphous. In fact, it encompasses all of the above. This is all of us as separate, independent individuals. You might call it 'the mass of us.' This mass can be sliced or diced in different ways, according to the context. This is the part of society that defines us as voters, consumers or producers, workers or managers, buyers or sellers.

How does this part of society decide what it cares about? How does it reward or punish? Everything this part of society does is the agglomeration of decisions by individuals. Those decisions affect and are affected by the group of people around us and the organizations we have joined. They are also affected by what government does. Indeed, much of what government does is designed to affect us en masse. Because we live in a democracy, this agglomeration of decisions also affects government, though which of the slices and dices affect it can be a matter of contention. Many who support the Tea Party see government dominated by an elite they find alien; many who oppose it see it dominated by 'special interests' alien to them.

What Does Society Care About?

In 1919, society decided that it cared whether people drank. It passed Prohibition. In 1934 it decided otherwise and repealed it. Society no longer cared. At least it did not care enough to do anything about it. Of course, it was a little more complicated than that. Parts of American society have always cared. Those around Carrie Nation cared deeply about the consumption of alcohol before 1919. So did brewers and vintners. Those who lived in dry counties after Prohibition was repealed still cared about the consumption of alcohol. So do brewers and vintners.

When measured by the laws enacted, the concerns that society has decided cannot be left to the individual have shown a more or less steady increase since sometime in the 19th century. In particular, as any Tea Party support can show, there can be little doubt that the concerns taken up by the Federal Government have increased. That trend, in fact, can be traced as far back as the Civil War. The expansion of the Federal government since FDR became president has been well documented.

But the concerns of society have shrunk in some cases as well. Prohibition is one example. Blue laws that forbid activity on Sunday are another. Not long ago, one could not shop on a Sunday in many cities and states. In the last thirty years or so, that has changed. Now, for many, Sunday is now a shopping day like any other. Society, as a whole, no longer cares whether you limit your activities on the Christian Sabbath.

Banking regulation is another example. The Glass-Steagal Act was passed during the Depression to limit the speculative activities of banks. Government acted to allay society's concern that the banks were playing too freely with their depositor's money. By 1999, that concern had passed. The act was effectively repealed in 1999 when the Gramm-Leach-Bliley Act was passed by a Republican congress and signed by a Democratic president. The recent financial crisis has revived that concern and led, once again, to another act of Congress.

These examples are designed to show simply that what our society, cares about, how much it cares about it, and which part of society care about it changes constantly. Much of what the Tea Party gets angry about has to with these changes. They see government, especially the Federal government, expanding the number of its concerns and taking up action on those concerns, taking over responsibilities that had been left to other parts of society. There is truth to that perception. Whether government should have done that is a matter for argument.

The actions of the Obama administration have been an extension of that trend. They have, therefore, been the particular focus of those, in the Tea Party and outside it, who see government action as harmful to the society within which we all live. The Health Care Bill, with its requirement that people buy insurance; the takeover of GM and Chrysler; the interventions in the financial industry are all extensions of the powers of the Federal government that the Tea Party movement questions.


Can Government Do Anything Good?

Even if could all agree on what the society should be concerned with, the question of which parts of society should act on those concerns would still arise. The Tea Party movement asserts that action on most concerns should be left to the private sector. So does most of the Republican Party. They will often argue that the free market can best determine how to manage society's concerns. They will usually put this argument in terms of efficacy. That is, if you want it done right, let the private sector do it, because the government can't do it effectively, cheaply, and for the benefit of all.

Both the Tea Party movement and the Republican Party argue, with some justification, that Democrats tend to fall back on government, the Federal Government in particular, as the best means for managing society's concerns. Democrats might argue that government action can be cost-effective and that the private sector can't be counted on to act for the benefit of all.

At bottom, the arguments of the two sides rest on opposing principles. One is the principle of the invisible hand:

  • If everyone acts to further their own interests, the common good is served.
This principle has been around at least since Adam Smith published The Wealth of Nations in 1776. It is the cornerstone of economic theory of all schools, whether Friedmanite or Keynesian. And it is central to the thinking of the Tea Party movement.

The opposite principle is both older and newer than the invisible hand:

  • If everyone acts to further their own interests, the common good is injured.
Hobbes argued this principle at length in the 17th Century. He said that if everyone acted without constraint, in their own interests, society would find that everyone would be at war―literally--with everyone else. That made big government―the Leviathan--necessary.

A milder version, more relevant to the issues addressed here, dates from 1968, when Garrett Hardin discussed the tragedy of the commons. One of the examples he uses is the national parks. Many are beautiful, but if visited by everyone with no limits, much of that beauty would be lost. Some higher authority--government, perhaps--is needed to maintain a beauty that most of us would want to see maintained.

Each of these principles is valid in part. Neither is completely valid. Either or both can be pertinent when figuring out how to address any of society's concerns. Whether private action benefits or harms the common good in fact depends on a number of things. Among these are the virtues and flaws of the part of society called upon to address the concern at issue. It also depends on which values society values most in that particular case.

In Principle: Let the Private Sector Do It
The principle of the invisible hand is at the heart of the free market system. Without it, that system could not work. With it, an economy can produce things efficiently, so that it can produce the best goods at the least price. The prosperity of this country is built on that principle, as Tea Party supporters will affirm.

Efficiency is what the private economy excels at. In this, government cannot be its equal. After all, agencies live, not by the bottom line, but by the next appropriations bill. The private sector of the economy must profit to survive: firms that have no profits, die. This is something else the Tea Party movement knows well. Indeed, a number of conservatives, not just Tea Party supporters, dedicated to private enterprise, believe that a proper reaction to many of the economic problems of the last few years was simply to let firms die. Even goliaths like General Motors and Citibank.

Another economist, Joseph Schumpeter, called such deaths creative destruction. A firm like Polaroid can die, but its place will be taken by new ones that will take us into this future. This, too, is something the private sector does well and the public sector poorly. It is essential if economic progress is to be made. But government has no effective, consistent means for choosing which firms should stay in business and which should not. The market―free enterprise―does. That means is the bottom line―profit and loss, revealing the beneficent side of the invisible hand.

The principle of the invisible hand assumes some things about the market. One essential assumption is that the market is competitive. An associated assumption is that there are no secrets about demand, supply, or price. This means that no firm can manipulate prices or supplies unfairly, to the detriment of other firms in its market or consumers (that part of “the mass of us”). Each firm can eke out the profits it requires to the benefit of all. Under these conditions, the Gekko Corollary to the principle of the invisible hand becomes effective: Greed is good.

In contrast, a monopoly guides itself. It needs no invisible hand. If profits fall, it can raise prices. Consumers have no option if they want or need that good or service. A monopoly can act as it will, with little regard to efficiency or to the concerns of society, unless those around all of us act together (an effort difficult to achieve, as numerous attempted boycotts have shown), or government acts. And, of course, a monopoly, too big to fail, at least in its own eyes, can wield influence on those, in government and out, who might try to constrain it.

A spectrum of competition lies between a completely competitive market and a monopoly lies. The closer to monopoly a market gets, the less the principle of the invisible hand applies. It becomes more likely that we will see the tragedy of the commons. So, during the financial crisis the people of Goldman Sachs, Citibank, Lehman Brothers, and the rest of the oligopoly that led the financial world, acted in accordance with the principle of the invisible hand. They may well have cited the Gekko Corollary. And the country―the world―faced disaster.

To sum up, the private sector of the economy can do some things extremely well. And there are things that government dies much less well, and often poorly. But the private sector sometimes needs help.

In Principle: Only Government Can Do It
There are things that government can do that the private sector cannot. After all, only the government has binding authority and the force available to make it stick. So where the principle of the invisible does not work, government can act. For example, it can do so with monopolies, as it does with power companies. It acted when bank's activities in the 1930s. In general, it can do so where the principle behind the tragedy of the commons is at work on a concern that society has expressed. And, in truth, no other part of society can.

That might sound simple. You know it's not. So does the Tea Party movement. Democrats and those further left on the political spectrum will complain about the influence of business―monopolists and lesser folk―and special interests of various kinds. Let's be fair. Republicans and and Tea Party supporters all make similar complaints about special interests. They find, as many of their political opponents do, that government's actions do not reflect the concerns of those around us, of the organizations that we have joined, or of our slices and dices of the mass of us. It leads to this question:

  • How can you trust a government controlled by those who don't share your interests?
This is a basic question behind much of the anger of the Tea Party movement. The government is not theirs, they feel. It has been taken over by those with different backgrounds, different values, different concerns. It is easy for those opposed to the Tea Party movement to dismiss this sentiment as a simplistic rejection of those who are different. But this sentiment is shared by many who reject what the Tea Party stands for. They don't feel the same anger, they don't complain about the same influences on government, but the sense that the government is beholden to someone else is widespread.

Indeed, this lack of trust in government has been growing for decades. A study of public attitudes in 1991―under a Republican president―showed that the public had many of the same complaints that the Tea Party movement and many of the rest of us are making today. The more things change....

If government does not concern itself with what we care about, if the people in charge of it do not share our values, if, indeed, they further their own interests to the detriment of the public good, what are we to do when the principle of the invisible hand does not apply?

There are two choices. We can rely on those around us and the organizations we have joined. For concerns that affect just a few people, that can suffice. Some argue that in the past we, as a people, felt more connected with each other than we do now. So we were both willing and able to do more for our fellow citizens ourselves, without relying on the authority of government. If that were true, let us try to make it so again. But, even if that were true, the change involved, change in culture, in our traditions and values, cannot come quickly and is not certain.

The other choice is to change our government and how we interact with it. That is no easy task either. But it is what the Tea Party movement is trying to do. There are important differences between the Tea Party movement and its opponents on issues. Differences in how the movement and its opponents view the world may also be important. But there may more room for common ground than many recognize.