When the Pentagon updated its cybersecurity strategy last month, one key aspect that didn't attract much attention was its attack on Internet anonymity.
In fact, the Department of Defense used the updated strategy to rather boldly proclaim that it seeks to “reduce anonymity” because it “enables malicious cyberactivity” by state and nonstate groups.
This isn't the first time Defense officials have spoken out against anonymity, although it may be the boldest and most conspicuous opposition yet to secrecy on the Web. Back in 2009, Robert Lenz, the former chief information officer for the DOD, gave a speech at the Black Hat security conference in which he emphasized the need to “drive anonymity out of the network.” Specifically, Mr. Lenz called this our country’s “most important foundational priority.”
The Pentagon's new strategy identifies several problems with anonymity. First, American efforts to deter cyberintrusions are hindered when the US can't punish intruders because anonymity shields their identities. What's more, anonymity impedes the Pentagon's ability “to conduct response and denial operations against an incoming cyberattack.”
Anonymity is the classic double-edged sword. On one hand, it serves as a cloak for criminals and other adversaries engaged in malicious online activities. On the other, it shields individuals from retaliation for expressing their views.
Specifically, anonymity facilitates the free speech essential to a democracy by protecting individuals who express unpopular views. It also protects dissidents from torture at the hands of oppressive regimes. Think about the bloggers, journalists, and online activists who used Tor anonymity software to protect their identities when engaged in online speech during the Egyptian revolution.
In addition to activists and dissidents, anonymity can shield whistleblowers from official retaliation. And, more generally, it holds out to individuals the promise of a modicum of privacy in an increasingly connected world.
Throughout US history, we have enjoyed what the Supreme Court calls “the honorable tradition” of anonymous speech. The original architecture of the Internet preserved this tradition as it facilitated a significant degree of anonymity. In the early 1990s, on college campuses across the US, students who wished to connect to the Internet could simply plug their computers into any Ethernet jack on campus. (This ability to be anonymous online led to the now-iconic New Yorker cartoon with the caption "on the Internet nobody knows you're a dog.").
But today pressure is building to drive anonymity out of our networks. Some of that pressure comes from businesses seeking a robust identity infrastructure to alleviate fraud and other financial crimes. Indeed, when we bank online, we want our banks to know they are dealing with us and not an imposter. Pressure also comes from our government, as online anonymity poses a challenge from both a law enforcement and a national security perspective. The concern is that online anonymity will create a safe haven from which criminals and terrorists can operate with impunity and thereby thwart law enforcement and national security efforts.
Technology, government, and industry forces are converging toward the creation of an identity layer in the net. Once such a layer is created, there will be increasing pressure on users to provide identification prior to accessing online resources.
While the Pentagon's drive to reduce the anonymity of malicious actors is understandable, we must be careful not to throw the baby out with the bathwater. Anonymity has long been essential to the functioning of our democracy. A failure to change the course we are on could lead to the death of Internet anonymity as we know it – and along with it the freedom of expression and political activity it often guards.