The privacy and technology world has been left reeling since the first reports came through based on information provided by whistle-blower Edward Snowden. The releases paint a dreary picture of our current dystopian position, with the NSA going to extraordinary lengths to circumvent privacy and freedom on the Internet. From deliberately weakening public encryption standards to vacuuming up call records and metadata, from tapping internet junction points to “partnering” with technology companies to obtain client data, they have been nothing if not thorough.
According to reports, US-based technology companies have been collaborating closely with US intelligence agencies and, thanks to the use of national security letters, are unable to even inform users when their private data is being siphoned off. The sole outlier who stood against this surveillance was secure email provider Lavabit, who opted to shut down rather than sell out their users, but this resolve has been markedly absent elsewhere.
The director of the NSA, along with other US government officials, has made several statements to pacify their constituents by making it clear that they seldom spy on US citizens – unless they really have to. The rest of the world was left to face the harsh reality that our emails, phone calls and data are fair game. Every additional revelation hammered home the facts that foreigners using US-based services are routinely snooped on, and that technology bought from US companies has a chance of containing backdoors.
For a world that has become dependent on software created by the US in general – and Silicon Valley in particular – this is a grim place to be. The US has provided the rest of the world with fantastic technology, but at the cost of our technical independence. Moving away from dependency on US technology companies is far easier said than done. Creating a new Silicon Valley is a tired meme, and the number of stories entitled “Country X plans to build their own X-Silicon-Valley” is matched closely by articles detailing how, despite the best intentions, high-speed internet connections and faux-startup offices, successful duplication has failed.
Hard to replicate?
People have cited multiple reasons for failing to create their own Silicon Valley, from the dearth of venture capital to the lack of appetite for failure. These are well-studied areas which highlight necessary criteria for success, but as they stand they are not sufficient. People who talk about replicating the Valley often gloss over an important but inconvenient truth: that Silicon Valley was brought to life largely to serve as a provider to the US military and was built on the back of defence funding.
In his talk, “The Secret History of Silicon Valley”, serial entrepreneur and academic Steve Blank sketches the early days of the Valley and shows how two individuals, Fred Terman and William Shockley, both military men, laid the roots for what would grow to be the Silicon Valley we know today. In the section titled “Spook Entrepreneurship”, Blank explains how Terman moulded Stanford University to become a “full partner” in the military industrial complex, and how he served as an advisor to almost every major branch of the US military. He encouraged students like Bill Hewlett and David Packard to start companies, and under his leadership Stanford became a centre of excellence for the NSA, CIA, Navy and Air Force. Shockley, the founder of Shockley Semi-Conductor, which spawned Fairchild, Intel and 60 other semi-conductor companies, was a former Department of Defence research director in the Weapons Systems Evaluation Group.
Even casual observers of Silicon Valley history are aware that a host of today’s technological powerhouses cut their teeth on government funding and intelligence work. Oracle was actually named after the CIA project that birthed it and government contracts were the lifeblood of the young Oracle corporation. The importance of these military and intelligence contracts to young startups is oft underestimated; for many, they are the difference between life and death. As Blank says, these contracts “prime the pump” for young technology companies.
This model, which was successful in creating Silicon Valley, still strongly supports it today.
Anyone working in information security will at some point interact with technology from FireEye, Tenable, VeraCode, RedSeal, Palantir or ArcSight. What do all these companies have in common? All are relative frontrunners in their niche areas of cyber security, and each has had considerable investment from a CIA-backed, non-profit venture capital firm called In-Q-Tel. According to its website, In-Q-Tel exists to “identify, adapt and deliver innovative technology solutions to support the missions of the CIA and broader US Intelligence Community”. Just as DARPA invests in leading edge military research, In-Q-Tel looks for unmet needs in the intelligence community, and then encourages those technologies into existence by funding nascent technology companies playing in that area. They supply funding, connections and contracts that serve once more to prime the pump.
This model of funding – indeed this collaboration – has proven to be extremely effective at creating the sorts of products sought by the US military and intelligence communities. Then, like microwaves, computers, duct tape and even the internet, these technologies go on to serve a broader audience. Sometimes these go on to multi-billion dollar valuations. Clearly this is a recipe that should be actively replicated.
Folly of inaction
The reality is that while the US military and intelligence community were creating and supporting companies to build the technology they needed, most other countries – save an enlightened or paranoid few – were content to sit back and make use of the final products those companies generated. Until the recent Snowden events, that is.
The PRISM leaks – and indeed the documents that have surfaced since – show why this reliance on technology created by a foreign government is folly, and irresponsible to boot. Suddenly it is clear that countries do not need their own Silicon Valley for solely economic incentives, they need homegrown technology to have some measure of independence and security. In drafting their national cyber security policy, France demonstrated a clear understanding of this. As a key area of action they state:
“The development of the information society offers companies a worldwide market, currently dominated by actors located outside of Europe. As far as information systems security is concerned, this situation is neither desirable nor tenable.”
Their plan to resolve this is simplified by the strong skills and accessible resources available in the European industrial base.
“This base is made up of a large number of innovative SMEs. However, these companies have not yet reached the required critical size and are not in sufficient demand. Industrial strengthening will be promoted using the various resources of the State, in particular through strategic investment funds.”
Simply put, France plans to adopt a model based on the US strategy of growing local companies through strategic state investments. How do developing nations, or nations without France’s base, achieve the same thing? Is it too late for them to start?
Open source software
The Open Source/Free Software Movement (OSS) launched in 1983 has more than come into its own in the past decade. Today web browsers like Chrome and Firefox – with Open Source roots – dominate over Microsoft’s Internet Explorer. When Apple needed a new operating system, they embraced and extended the popular open source FreeBSD. When Google needed a mobile operating system, they adopted a flavour of Linux. Even the International Space Station today leans heavily on OSS to avoid total dependence on third parties.
The adoption of free software for government use is a no-brainer, and has certainly been discussed before. In 2011 the founder of the free software movement, Richard Stallman, wrote: “The state needs to insist on free software in its own computing for the sake of its computational sovereignty (the state’s control over its own computing). All users deserve control over their computing, but the state has a responsibility to the people to maintain control over the computing it does on their behalf. Most government activities now depend on computing, and its control over those activities depends on its control over that computing. Losing this control in an agency whose mission is critical undermines national security.”
Adopting OSS alternatives to critical software is an interesting potential path to salvation for emerging nations. This is not because such software is inherently more secure than its closed source alternatives, but because it offers interesting possibilities for developing nations to catch up really quickly.
In the wake of the PRISM scandals, a number of countries have expressed a willingness to invest in software they can rely on, but face genuine capacity constraints. Does Brazil expect to build an operating system to rival Windows? The leaks cast a huge shadow on popular VoIP services, but does that mean South Africa should reinvent Skype? Developing nations do not have the infrastructure or oftentimes the human capital to build such ambitious projects from scratch.
The power of OSS means they do not have to.
By adopting a popular Linux platform throughout government, Brazil instantly gains more control of its destiny. Strategic investments of relatively modest sums into important current projects – compared to developing homegrown systems from scratch – would buy goodwill in the community while simultaneously ensuring that those projects remain active. During this period nations build skills and competencies to embrace and extend the platform to their liking. At the very worst, they can hire external developers to do this customisation until they are ready to do it themselves. For marginal sums they could support the likes of Grsecurity and PaX to ensure the continued existence of an open source security project that has been tested by time and consistently led its closed source competitors for years.
For investments that would read like rounding errors on current South African government IT projects, they could become patrons of the Jitsi project, which already supports encrypted voice, video and text chatting across multiple platforms.
In the short term, this becomes a rising tide that lifts all boats. South Africa benefits from Brazil’s contribution to Linux, Brazil benefits from South Africa’s contribution to Jitsi, and both nations plot a way out of the crippling dependence they currently find themselves in.
Carefully aimed investment plans should be used to sponsor contributions, code-audits and assessments of strategically chosen software. The work could be privately forked or fed back to the original projects to contribute to the greater good. Managing this process carefully will also result in the formation of young, homegrown talent that knows how to build robust and useful technology that can be quickly extended to consumers. In terms of building a Silicon Valley, the mountain will come to Mohamed.
Recently the ever-quotable Marcus Ranum posited that the US is treating the Internet and its technology underpinnings as a colony. This should make us “native” technologists (who call the colonies home) quite nervous. The NSA revelations show that employing US-developed technology carries the very real threat of backdoors or intentional weakening by the NSA. More than ever, countries need to take a page out of the US government’s playbook and begin to develop key technologies closer to home; strategic government investments are critical to make this happen. Leveraging open source software means that even though it won’t be easy, it’s easier today than it ever was, and the rewards may just prove to be substantially more.
Haroon Meer is the founder of Thinkst Applied Research.