Thursday, February 26, 2015
Wednesday, February 25, 2015
This is the fifth Decade Forecast published by Stratfor. Every five years since 1996 (1996, 2000, 2005, 2010 and now, 2015) Stratfor has produced a rolling forecast. Overall, we are proud of our efforts. We predicted the inability of Europe to survive economic crises, China's decline and the course of the U.S.-jihadist war. We also made some errors. We did not anticipate 9/11, and more important, we did not anticipate the scope of the American response. But in 2005 we did forecast the difficulty the United States would face and the need for the United States to withdraw from its military engagements in the Islamic world. We predicted China's weakness too early, but we saw that weakness when others were seeing the emergence of an economy larger than that of the United States. Above all, we have consistently forecast the enduring power of the United States. This is not a forecast rooted in patriotism or jingoism. It derives from our model that continues to view the United States as the pre-eminent power.
We do not forecast everything. We focus on the major trends and tendencies in the world. Thus, we see below some predictions from our 2010 Decade Forecast:
We see the U.S.-jihadist war subsiding. This does not mean that Islamist militancy will be eliminated. Attempts at attacks will continue, and some will succeed. However, the two major wars in the region will have dramatically subsided if not concluded by 2020. We also see the Iranian situation having been brought under control. Whether this will be by military action and isolation of Iran or by a political arrangement with the current or a successor regime is unclear but irrelevant to the broader geopolitical issue. Iran will be contained, as it simply does not have the underlying power to be a major player in the region beyond its immediate horizons.
The diversity of systems and demographics that is Europe will put the European Union's institutions under severe strain. We suspect the institutions will survive. We doubt that they will work very effectively. The main political tendency will be away from multinational solutions to a greater nationalism driven by divergent and diverging economic, social and cultural forces. The elites that have crafted the European Union will find themselves under increasing pressure from the broader population. The tension between economic interests and cultural stability will define Europe. Consequently, inter-European relations will be increasingly unpredictable and unstable.
Russia will spend the 2010s seeking to secure itself before the demographic decline really hits. It will do this by trying to move from raw commodity exports to process commodity exports, moving up the value chain to fortify its economy while its demographics still allow it. Russia will also seek to reintegrate the former Soviet republics into some coherent entity in order to delay its demographic problems, expand its market and above all reabsorb some territorial buffers. Russia sees itself as under the gun, and therefore is in a hurry. This will cause it to appear more aggressive and dangerous than it is in the long run. However, in the 2010s, Russia's actions will cause substantial anxiety in its neighbors, both in terms of national security and its rapidly shifting economic policies.
The states most concerned — and affected — will be the former satellite states of Central Europe. Russia's primary concern remains the North European Plain, the traditional invasion route into Russia. This focus will magnify as Europe becomes more unpredictable politically. Russian pressure on Central Europe will not be overwhelming military pressure, but Central European psyches are finely tuned to threats. We believe this constant and growing pressure will stimulate Central European economic, social and military development.
China's economy, like the economies of Japan and other East Asian states before it, will reduce its rate of growth dramatically in order to calibrate growth with the rate of return on capital and to bring its financial system into balance. To do this, it will have to deal with the resulting social and political tensions.
From the American point of view, the 2010s will continue the long-term increase in economic and military power that began more than a century ago. The United States remains the overwhelming — but not omnipotent — military power in the world, and produces 25 percent of the world's wealth each year.
The Decade Ahead
The world has been restructuring itself since 2008, when Russia invaded Georgia and the subprime financial crisis struck. Three patterns have emerged. First, the European Union entered a crisis it could not solve and which has increased in intensity. We predict that the European Union will never return to its previous unity, and if it survives it will operate in a more limited and fragmented way in the next decade. We do not expect the free trade zone to continue to operate without increasing protectionism. We expect Germany to suffer severe economic reversals in the next decade and Poland to increase its regional power as a result.
The current confrontation with Russia over Ukraine will remain a centerpiece of the international system over the next few years, but we do not think the Russian Federation can exist in its current form for the entire decade. Its overwhelming dependence on energy exports and the unreliability of expectations on pricing make it impossible for Moscow to sustain its institutional relations across the wide swathe of the Russian federation. We expect Moscow's authority to weaken substantially, leading to the formal and informal fragmentation of Russia. The security of Russia's nuclear arsenal will become a prime concern as this process accelerates later in the decade.
We have entered a period in which the decline of the nation-states created by Europe in North Africa and the Middle East is accelerating. Power is no longer held by the state in many countries, having devolved to armed factions that can neither defeat others nor be defeated. This has initiated a period of intense internal fighting. The United States is prepared to mitigate the situation with air power and limited forces on the ground but will not be able or willing to impose a settlement. Turkey, whose southern border is made vulnerable by this fighting, will be slowly drawn into the fighting. By the end of this decade, Turkey will emerge as the major regional power, and Turkish-Iranian competition will increase as a result.
China has completed its cycle as a high-growth, low-wage country and has entered a new phase that is the new normal. This phase includes much slower growth and an increasingly powerful dictatorship to contain the divergent forces created by slow growth. China will continue to be a major economic force but will not be the dynamic engine of global growth it once was. That role will be taken by a new group of highly dispersed countries we call the Post-China 16, which includes much of Southeast Asia, East Africa and parts of Latin America. China will not be an aggressive military force either. Japan remains the most likely contender for the dominant position in East Asia, both because of its geography and its needs as a massive importer.
The United States will continue to be the major economic, political and military power in the world but will be less engaged than in the past. Its low rate of exports, its increasing energy self-reliance and its experiences over the last decade will cause it to be increasingly cautious about economic and military involvement in the world. It has learned what happens to heavy exporters when customers cannot or will not buy their products. It has learned the limits of power in trying to pacify hostile countries. It has learned that North America is an arena in which it can prosper with selective engagements elsewhere. It will face major strategic threats with proportional power, but it will not serve the role of first responder as it has in recent years.
It will be a disorderly world, with a changing of the guard in many regions. The one constant will be the continued and maturing power of the United States — a power that will be much less visible and that will be utilized far less in the next decade.
The European Union will be unable to solve its fundamental problem, which is not the eurozone, but the free trade zone. Germany is the center of gravity of the European Union; it exports more than 50 percent of its GDP, and half of that goes to other EU countries. Germany has created a productive capability that vastly outstrips its ability to consume, even if the domestic economy were stimulated. It depends on these exports to maintain economic growth, full employment and social stability. The European Union's structures — including the pricing of the euro and many European regulations — are designed to facilitate this export dependency.
This has already fragmented Europe into at least two parts. Mediterranean Europe and countries such as Germany and Austria have completely different behavioral patterns and needs. No single policy can suit all of Europe. This has been the core problem from the beginning, but it has now reached an extreme point. What benefits one part of Europe harms another.
Nationalism has already risen significantly. Compounding this is the Ukrainian crisis and Eastern European countries' focus on the perceived threat from Russia. Eastern Europe's concern about Russia creates yet another Europe — four, total, if we separate the United Kingdom and Scandinavia from the rest of Europe. Considered with the rise of Euroskeptic parties on the right and left, the growing delegitimation of mainstream parties and the surging popularity of separatist parties within European countries, the fragmentation and nationalism that we forecast in 2005, and before, is clearly evident.
These trends will continue. The European Union might survive in some sense, but European economic, political and military relations will be governed primarily by bilateral or limited multilateral relationships that will be small in scope and not binding. Some states might maintain a residual membership in a highly modified European Union, but this will not define Europe.
What will define Europe in the next decade is the re-emergence of the nation-state as the primary political vehicle of the continent. Indeed the number of nation-states will likely increase as various movements favoring secession, or the dissolution of states into constituent parts, increase their power. This will be particularly noticeable during the next few years, as economic and political pressures intensify amid Europe's crisis.
Germany has emerged from this mass of nation-states as the most economically and politically influential. Yet Germany is also extremely vulnerable. It is the world's fourth-largest economic power, but it has achieved that status by depending on exports. Export powers have a built-in vulnerability: They depend on their customers' desire and ability to buy their products. In other words, Germany's economy is hostage to the economic well-being and competitive environment in which it operates.
There are multiple forces working against Germany in this regard. First, Europe's increasing nationalism will lead to protectionist capital and labor markets. Weaker countries are likely to adopt various sorts of capital controls, while stronger countries will limit the movement of foreigners — including the citizens of other EU countries — across their borders. We forecast that existing protectionist policies inside the European Union, particularly on agriculture, will be supplemented in coming years by trade barriers created by the weaker Southern European economies that need to rebuild their economic base after the current depression. On a global basis, we can expect European exports to face increased competition and highly variable demand in the uncertain environment. Therefore, our forecast is that Germany will begin an extended economic decline that will lead to a domestic social and political crisis and that will reduce Germany's influence in Europe during the next 10 years.
At the center of economic growth and increasing political influence will be Poland. Poland has maintained one of the most impressive growth profiles outside of Germany and Austria. In addition, though its population is likely to contract, the contraction will most probably be far less than in other European countries. As Germany undergoes wrenching shifts in economy and population, Poland will diversify its own trade relationships to emerge as the dominant power on the strategic Northern European Plain. Moreover, we expect Poland to be the leader of an anti-Russia coalition that would, significantly, include Romania during the first half of this decade. In the second half of the decade, this alliance will play a major role in reshaping the Russian borderlands and retrieving lost territories through informal and formal means. Eventually as Moscow weakens, this alliance will become the dominant influence not only in Belarus and Ukraine, but also farther east. This will further enhance Poland's and its allies' economic and political position.
Poland will benefit from having a strategic partnership with the United States. Whenever a leading global power enters into a relationship with a strategic partner, it is in the global power's interest to make the partner as economically vigorous as possible, both to stabilize its society and to make it capable of building a military force. Poland will be in that position with the United States, as will Romania. Washington has made its interest in the region obvious.
It is unlikely that the Russian Federation will survive in its current form. Russia's failure to transform its energy revenue into a self-sustaining economy makes it vulnerable to price fluctuations. It has no defense against these market forces. Given the organization of the federation, with revenue flowing to Moscow before being distributed directly or via regional governments, the flow of resources will also vary dramatically. This will lead to a repeat of the Soviet Union's experience in the 1980s and Russia's in the 1990s, in which Moscow's ability to support the national infrastructure declined. In this case, it will cause regions to fend for themselves by forming informal and formal autonomous entities. The economic ties binding the Russian periphery to Moscow will fray.
Historically, the Russians solved such problems via the secret police — the KGB and its successor, the Federal Security Services. But just as in the 1980s, the secret police will not be able to contain the centrifugal forces pulling regions away from Moscow this decade. In this case, the FSB's power is weakened by its leadership's involvement in the national economy. As the economy falters, so does the FSB's strength. Without the FSB inspiring genuine terror, the fragmentation of the Russian Federation will not be preventable.
To Russia's west, Poland, Hungary and Romania will seek to recover regions lost to the Russians at various points. They will work to bring Belarus and Ukraine into this fold. In the south, the Russians' ability to continue controlling the North Caucasus will evaporate, and Central Asia will destabilize. In the northwest, the Karelian region will seek to rejoin Finland. In the Far East, the Maritime regions more closely linked to China, Japan and the United States than to Moscow will move independently. Other areas outside of Moscow will not necessarily seek autonomy but will have it thrust upon them. This is the point: There will not be an uprising against Moscow, but Moscow's withering ability to support and control the Russian Federation will leave a vacuum. What will exist in this vacuum will be the individual fragments of the Russian Federation.
This will create the greatest crisis of the next decade. Russia is the site of a massive nuclear strike force distributed throughout the hinterlands. The decline of Moscow's power will open the question of who controls those missiles and how their non-use can be guaranteed. This will be a major test for the United States. Washington is the only power able to address the issue, but it will not be able to seize control of the vast numbers of sites militarily and guarantee that no missile is fired in the process. The United States will either have to invent a military solution that is difficult to conceive of now, accept the threat of rogue launches, or try to create a stable and economically viable government in the regions involved to neutralize the missiles over time. It is difficult to imagine how this problem will play out. However, given our forecast on the fragmentation of Russia, it follows that this issue will have to be addressed, likely in the next decade.
The issue in the first half of the decade will be how far the alliance stretching between the Baltic and Black seas will extend. Logically, it should reach Azerbaijan and the Caspian Sea. Whether or not it does depends on what we have forecast for the Middle East and Turkey.
The Middle East and North Africa
The Middle East — particularly the area between the Levant and Iran, along with North Africa — is experiencing national breakdowns. By this we mean that the nation-states established by European powers in the 19th and 20th centuries are collapsing into their constituent factions defined by kinship, religion or shifting economic interests. In countries like Libya, Syria and Iraq, we have seen the devolution of the nation-state into factions that war on each other and that cross the increasingly obsolete borders of countries.
This process follows the model of Lebanon in the 1970s and 1980s, when the central government ceased to function and power devolved to warring factions. The key factions could not defeat the others, nor could they themselves be defeated. They were manipulated and supported from the outside, as well as self-supporting. The struggle among these factions erupted into a civil war — one that has quieted but not ended. As power vacuums persist throughout the region, jihadist groups will find space to operate but will be contained in the end by their internal divisions.
This situation cannot be suppressed by outside forces. The amount of force required and the length of deployment would outstrip the capacity of the United States, even if dramatically expanded. Given the situation in other parts of the world, particularly in Russia, the United States can no longer focus exclusively on this region.
At the same time, this evolution, particularly in the Arab states south of Turkey, represents a threat to regional stability. The United States will act to mitigate the threat of particular factions, which will change over time, through the use of limited force. But the United States will not deploy multi-divisional forces to the region. At this point, most countries in the area still expect the United States to act as the decisive force even though they witnessed the United States fail in this role in the past decade. Nevertheless, expectations shift more slowly than reality.
As the reality sinks in, it will emerge that, because of its geographical location, only one country has an overriding interest in stabilizing Syria and Iraq, is able to act broadly — again because of its geographical location — and has the means to at least achieve limited success in the region. That country is Turkey. At this point, Turkey is surrounded by conflicts in the Arab world, in the Caucasus and in the Black Sea basin. But Turkey has avoided taking risks so far.
Turkey will continue to need American involvement for political and military reasons. The United States will oblige, but there will be a price: participation in the containment of Russia. The United States does not expect Turkey to assume a war-fighting role and does not intend one for itself. It does, however, want a degree of cooperation in managing the Black Sea. Turkey will not be ready for a completely independent policy in the Middle East and will pay the price for a U.S. relationship. That price will open the path to extending the containment line to Georgia and Azerbaijan.
We expect the instability in the Arab world to continue through the decade. We also expect Turkey to be drawn in to the south, inasmuch as its fears of fighting so close to its border — and the political outcomes of that fighting — will compel it to get involved. It will intervene as little as possible and as slowly as possible, but it will intervene, and its intervention will eventually increase in size and breadth. Whatever its reluctance, Turkey cannot withstand years of chaos across its border, and there will be no other country to carry the burden. Iran is not in a position geographically or militarily to perform this function, nor is Saudi Arabia. Turkey is likely to try to build shifting coalitions ultimately reaching into North Africa to stabilize the situation. Turkish-Iranian competition will grow with time, but Turkey will keep its options open to work with both Iran and Saudi Arabia as needed. Whatever the dynamic, Turkey will be at the center of it.
This will not be the only region drawing Turkey's attention. As Russia weakens, European influence will begin inching eastward into areas where Turkey has historical interests, such as the northern shore of the Black Sea. We can foresee Turkey projecting its power northward certainly commercially and politically but also potentially in some measured military way. Moreover, as the European Union fragments and individual economies weaken or some nations become oriented toward the East, Turkey will increase its presence in the Balkans as the only remaining power able to do so.
Before this can happen, Turkey must find a domestic political balance. It is both a secular and Muslim country. The current government has attempted to bridge the gap, but in many ways it has tilted away from the secularists, of whom there are many. A new government will certainly emerge over the coming years. This is a permanent fault line in contemporary Turkey. Like many countries, its power will expand in the midst of political uncertainty. Alongside this internal political conflict, the military, intelligence and diplomatic service will need to evolve in size and function during the coming decade. That said, we expect to see an acceleration of Turkey's emergence as a major regional power in the next 10 years.
China has ceased to be a high-growth, low-wage economy. As China's economy slows, the process of creating and organizing an economic infrastructure to employ low-wage workers will be incremental. What can be done quickly in a port city takes much longer in the interior. Therefore, China has normalized its economy, as Japan did before it, and as Taiwan and South Korea did in 1997. All massive expansions climax, and the operations of the economies shift.
The problem for China in the next decade are the political and social consequences of that shift. The coastal region has been built on high growth rates and close ties with European and American consumers. As these decline, political and social challenges emerge. At the same time, the expectation that the interior — beyond parts of the more urbanized Yangtze River delta — will grow as rapidly as the coast is being dashed. The problem for the next decade will be containing these difficulties.
Beijing's growing dictatorial tendencies and an anti-corruption campaign, which is actually Beijing's assertion of its power over all of China, provide an outline of what China would like to see in the next decade. China is following a hybrid path that will centralize political and economic powers, assert Party primacy over the military, and consolidate previously fragmented industries like coal and steel amid the gradual and tepid implementation of market-oriented reforms in state-owned enterprises and in the banking sector. It is highly likely that a dictatorial state coupled with more modest economic expectations will result. However, there is a less likely but still conceivable outcome in which political interests along the coast rebel against Beijing's policy of transferring wealth to the interior to contain political unrest. This is not an unknown pattern in China, and, though we do not see this as the most likely course, it should be kept in mind. Our forecast is the imposition of a communist dictatorship, a high degree of economic and political centralization and increased nationalism.
China cannot easily turn nationalism into active aggression. China's geography makes such actions on land difficult, if not impossible. The only exception might be an attempt to take control of Russia's maritime interests if we are correct and Russia fragments. Here, Japan likely would challenge China. China is building a large number of ships but has little experience in naval warfare and lacks the experienced fleet commanders needed to challenge more experienced navies, including the United States'.
Japan has the resources to build a significantly larger navy and a more substantial naval tradition. In addition, Japan is heavily dependent on imports of raw materials from Southeast Asia and the Persian Gulf. Right now it depends on the United States to guarantee access. But given that we are forecasting more cautious U.S. involvement in foreign ventures and that the United States is not dependent on imports, the reliability of the United States is in question. Therefore, the Japanese will increase their naval power in the coming years.
Fighting over the minor islands producing low-cost and unprofitable energy will not be the primary issue in the region. Rather, an old three-player game will emerge. Russia, the declining power, will increasingly lose the ability to protect its maritime interests. The Chinese and the Japanese will both be interested in acquiring these and in preventing each other from having them. We forecast this as the central, unsettled issue in the region as Russia declines and Sino-Japanese competition increases.
Post-China Manufacturing Hubs
International capitalism requires a low-wage, high-growth region for high rewards on risk capital. In the 1880s it was the United States, for example. China was the most recent region, replacing Japan. No one country can replace China, but we have noted 16 countries with a total population of about 1.15 billion people where entry-level manufacturing has gone after leaving China.
To identify these countries, we looked at three industries. The first was garment manufacturing, particularly low-end and of garment parts like coat linings. Second was the manufacturing of footwear. Third, we looked at cell phone assembly. These industries require low capital investment, and manufacturers move their facilities around rapidly to take advantage of low wages. Industries of this sort, such as inexpensive toys in Japan, served as a foundation for manufacturing sectors to evolve into broader low-wage products in high demand. The workforce, frequently women at first, expanded dramatically as new low-wage industries moved in. The wages were low on a global scale but very attractive on the local scale.
Like China during its takeoff in the late 1970s, these countries tend to be politically unstable, with uncertain rule of law, poor infrastructure and all of the risks advanced industrial business try to avoid. But companies from other countries excel in these environments and have built business models around this.
The map of these countries shows that they are concentrated in the Indian Ocean Basin. Another way to look at it is that these are the less developed countries (or regions) in Asia, East Africa and Latin America. Our forecast is that in this next decade, many of these countries — and perhaps some not identified — will collectively take on the role that China had in the 1980s. This would mean that by the end of the decade, they would be entering an intensifying period of growth in a much wider array of products. Mexico, whose economy exhibits potential in both low-end manufacturing and higher-end industry in a cost-competitive environment, stands to benefit substantially from its northern neighbor's investment and healthy level of consumption.
The United States
The United States continues to make up more than 22 percent of the world's economy. It continues to dominate the world's oceans and has the only significant intercontinental military force. Since 1880, it has been on an uninterrupted expansion of economy and power. Even the Great Depression, in retrospect, is a minor blip. This expansion of power is at the center of the international system, and our forecast is that it will continue unabated.
The greatest advantage the United States has is its insularity. It exports only 9 percent of its GDP, and about 40 percent of that goes to Canada and Mexico. Only about 5 percent of its GDP is exposed to the vagaries of global consumption. Thus, as the uncertainties of Europe, Russia and China mount, even if the United States lost half of its exports — an extraordinary amount — it would not be an unmanageable problem.
The United States is also insulated from import constraints. Unlike in 1973, when the Arab oil embargo massively disrupted the American economy, the United States has emerged as a significant energy producer. Although it must import some minerals from outside NAFTA, and it prefers to import some industrial products, it can readily manage without these. This is particularly true as industrial production is increasing in the United States and in Mexico in response to the increasing costs in China and elsewhere.
The Americans also have benefited from global crises. The United States is a haven for global capital, and as capital flight has taken hold of China, Europe and Russia, that money has flowed into the United States, reducing interest rates and buoying equity markets. Therefore, though there is exposure to the banking crisis in Europe, it is nowhere near as substantial as it might have been a decade ago, and capital inflows counterbalance that exposure. As for the perennial fear that China will withdraw their money from American markets, that will happen slowly anyway as China's growth slows and internal investment increases. But a sudden withdrawal is impossible. There is nowhere else to invest money. Certainly the next decade will see fluctuations in American economic growth and markets, but the United Stares remains the stable heart of the international system.
At the same time, the Americans have become less dependent on that system and have encountered many difficulties in managing — and particularly, in pacifying — that system. The United States will become more selective in assuming responsibilities politically in the next decade, and even more selective in military interventions.
For a century, the United States has been concerned about the emergence of a hegemon in Europe, and in particular of either an accommodation between Germany and Russia or a conquest of one by the other. That combination, more than any other, might be able to muster a force — between German capital and technology and Russian resources and manpower — capable of threatening American interests. Therefore, in World War I, World War II and the Cold War, the United States was instrumental in preventing this from occurring.
In the world wars, the United States came in late, and though it absorbed fewer casualties than other countries, it nevertheless suffered more than was comfortable for it. In the Cold War, the United States intervened early and, at least in Europe, had no casualties. Based on this, the United States has a core policy imperative that is almost automatic: When a potential European hegemon arises, the United States will act early, as in the Cold War, in building alliances and deploying sufficient force in primarily defensive positions.
This is happening now against Russia. Though we forecast the decline of Russia, Russia poses danger in the short term, particularly with its back against the wall economically. Moreover, whatever we forecast, the United States cannot be certain that Russia will decline and indeed, if it launches a successful expansionary policy (politically, economically or militarily), it may not decline. Therefore, the United States will take measures according to its imperative. It will try to build an alliance system outside of NATO, from the Baltics to Bulgaria, encompassing as many nations as possible. It will try to involve Turkey in the alliance and have it reach to Azerbaijan. It will deploy forces, proportional to the threat, in those countries.
This will be the primary focus in the early part of the decade. In the second part, Washington will focus on trying to assure that Russia's decline does not result in nuclear disaster. The United States will not become involved in trying to solve Europe's problems, it will not have a war with China, and its involvement in the Middle East will be minimal. It will conduct global counterterrorism operations but will do so with the full knowledge that those operations will be only partially effective at best.
The Americans will have an emerging problem. The United States has 50-year cycles that end with significant economic or social problems. One cycle began in 1932 with the election of Franklin Roosevelt and ended with the presidency of Jimmy Carter. It began with a need to rebuild demand for products from idle factories and ended in vast overconsumption, underinvestment and with double-digit inflation and unemployment. Ronald Reagan's presidency laid the groundwork for restructuring American industry through a change in the tax code and by shifting the focus from the urban industrial worker to the suburban professional and entrepreneur.
We are now about 15 years from the end of this cycle, and the next crisis will make itself felt in the second half of the next decade. It is already visible. It is the crisis of the middle class. The problem is not inequality; the problem is the ability of the middle class to live a middle class life. Currently, the median household income in the United States is about $50,000. Depending on the state you live in, this is actually about $40,000. That allows the literal middle to buy a modest home and live frugally outside major metropolitan areas. For the lower middle class, the 25th percentile, this is almost impossible.
There are two causes. One is the rise of the single-parent household. Having two households is twice as expensive. The other problem is that the same incentives that led to the badly needed re-engineering of the American corporation and vastly improved productivity also limited job security and income for the middle class. This is not a political crisis yet. It will become one toward the end of the next decade, but it will not be addressed until the elections of 2028 and 2032. It is a normal, cyclical crisis, but painful nonetheless.
There is no decade without pain, and even in the most perfect of times, there is suffering. The crises that we expect in the next decade are far from the worst seen in the past century, and they are no worse than those we will see in the next. There is always the expectation that what we know now as reality will define the future. There is also the belief that our pain now is the most extraordinary anguish that has ever been. This is simply narcissism. What we have now will always change — usually sooner than we believe possible. The pains we are having now are merely the normal pains of being human. This is not a comfort, but a reality, and it is in this context that this decade forecast should be read.
Posted by CAMACOL at 7:31 AM
Tuesday, February 24, 2015
Friday, February 20, 2015
Inserting a certificate at the factory undermines VPN, database, and software update connections. All to put ads on secure shopping websites.
Lenovo confirmed it had been installing Superfish adware on some of its laptops, and that it inserted a Superfish public key into the Windows Certificate Store as part of this installation. This means affected users cannot trust their computer when it says "this connection is secure." It also undermines trust in every other kind of secure communication the laptop might try to make: database connections, VPN connections, software updates, you name it.
It is nominally authorised by one of the numerous terms and conditions that a user "accepts" when they first use their laptop. In Lenovo's blog post on how to remove Superfish, the company claims that it has only been installing it on consumer notebooks between October 2014 and December 2014; however, users have been complaining about it for far longer. The company states it stopped preloading the software in January 2015.
Root cause of mistrust
First reported by Chris Palmer from the Google Chrome security team, Superfish installs a certificate in the Windows Certificate Store. Certificates are how the web browser knows a fake Bank of America website from the genuine one. With Superfish's Visual Discovery enabled, a banking customer going tohttps://www.bankofamerica.com/ will have its secure connection silently decrypted by Superfish (running on their own laptop, not somewhere else), inspected for suitability of advertisements, and then a new encrypted connection will be made from the Superfish process to the real Bank of America. Presumably the web page for Bank of America has advertisements inserted or somehow overlaid into the HTML by Superfish.
If you trust Superfish, you trust everyone
By trying to insert advertisements into web pages, they undermine every secure connection the Windows computer might make. All software that tries to make secure connections -- way beyond web browsers -- use the certificate store to verify the authenticity of certificates.
Cisco VPN clients use the Windows Certificate Store to verify that they're talking to the right end point. Database consoles like Toad or SQL Developer will use Windows to verify that they are connected securely to the database server. Programs like TweetDeck will use the Windows Certificate Store to check the identity of Twitter before connecting.
Of public and private keys
The public key is suspected to be the same on all laptops; this means that one private key can sign things that all affected laptops will accept as genuine. The private key was also shipped on laptops and has been extracted. Now that the private key is known, anyone can issue certificates for websites or VPN concentrators and sign them. Users of Lenovo laptops who trust the Superfish key will accept those certificates as genuine.
The password for the private key was komodia, which is the Greek word for comedy. And indeed, this vulnerability has made secure web browsing into a farce.
It's only a matter of time
Here is just one example of what is possible. An employee from ExampleCo sits down in a coffee shop, airport, hotel, or similar public place and joins the free Wi-Fi. Being the good corporate citizen, the first thing he does is connect to his company's VPN. This will prevent anyone from sniffing or performing a man-in-the-middle attack on any of his network communications. Unfortunately, a bad guy is on the same network, or maybe the bad guy set up a malicious "free Wi-Fi" hotspot that the victim joined. The bad guy redirects the victim to a fake VPN concentrator. Normally, this fake VPN concentrator would present a bogus certificate claiming to be the ExampleCo VPN. The user would get a warning dialog and (in our fantasy world) would do the right thing instead of just clicking OK.
In this case, the bad guy has issued a certificate for his VPN system that is signed by the Superfish certificate. And our ExampleCo employee who is using an affected Lenovo laptop sees no warning at all. The employee might use two-factor authentication, but at this point the malicious VPN can perform a man-in-the-middle attack and watch all that VPN traffic decrypted. Since it is decrypted from the attacker's point of view, he can even perform more man-in-the-middle attacks, like DNS spoofing. There are some VPN techniques that will protect users even in this situation (such as client-side certificates). But there are lots and lots of VPNs out there where this attack would work just fine.
With this Superfish certificate trusted, all bets are off. Lenovo laptops that have it preinstalled cannot distinguish friend from foe. It's only a matter of time before fake websites, VPN concentrators, and software update sites start popping up with certificates issued by the Superfish certificate. They can even issue Extended Validation certificates for extra trust.
Check whether you're vulnerable
If you want to know whether or not you are vulnerable, use Internet Explorer on your Lenovo laptop to visithttps://www.canibesuperphished.com/. If you see a warning, you are not vulnerable. If you see a web page, you are vulnerable.
Removing the software
While it is true that Lenovo's instructions for removal will remove the ad software, the company fails to point out how insecure the user remains. They explicitly acknowledge "Registry entry and root certificate will remain as well." (emphasis is Lenovo's). Lenovo does not provide instructions that make the laptop trustworthy again. Until that Superfish certificate is removed from the PC, the user cannot trust any TLS connection -- website, software update, or otherwise.
To remove the certificate from Windows, use Certificate Manager. The steps are:
- Run "certmgr.msc" to launch the Certificate Manager.
- Open the Trusted Root Certification Authorities.
- Look in the list of certificates.
- If there are any certificates labeled Superfish, Inc. delete them.
The moral of the story
This is not the first time adware has been installed surreptitiously on laptops -- 12 years ago Gator did the same thing. These ham-fisted attempts to insert advertisements undermine users' trust in manufacturers, software developers, and the security claims of well-intentioned websites and services. It's shocking that enough people understood cryptography well enough to implement this as a service, yet no one who understood it was able to get Lenovo and Superfish to understand what a catastrophically bad idea it was.
PKI is fundamentally broken, but it's all we have. Undermining the entire root of trust in our PKI is never the right answer.
Posted by CAMACOL at 6:54 AM
Thursday, February 19, 2015
Summary: Windows 8 was filled with bold ideas, designed to move Windows forward in one giant leap. Three years later, as Windows 10 nears its release date, many of those innovative ideas are gone. Here's a look at what's been tossed away, and why.
The Start screen
If Windows 8 haters had a single feature that they pinned to targets on the firing range, this is it.
The Start screen was the full-screen, brightly colored replacement for the familiar Start button and Start menu. Although it was possible tocustomize it to be more palatable to desktop diehards, it was much easier to just buy a Start menu replacement.
Windows 8.1 brought the Start button back as a way to reach the Start screen. But in Windows 10, the Start screen is officially gone, replaced by a Start menu that can be expanded to full screen in Tablet mode.
The new Start menu is scheduled for a lot of further development before Windows 10 ships. But even in its current state it's hard to look at this design evolution as anything more than a full-scale retreat from the original Windows 8 vision.
The Charms menu
Along with the Start screen, the Charms menu qualifies as a signature feature of Windows 8. When Windows 8 debuted, way back in 2011, this was the first feature to be shown off.
In its explanations of the Windows 8 design, Microsoft explained the scientific rationale behind the Charms menu in excruciating detail. But in practice, it was unloved and difficult to master.
There is literally no trace of the Charms menu in Windows 10. Instead, swiping from the right reveals the new Action Center, packed with notifications and small task-specific buttons at the bottom of the pane.
It's unlikely to be missed.
When Windows 8 shipped, the desktop had a taskbar, but the left side was curiously empty. Where was the Start button? Ah, just move the mouse pointer to the lower left corner and leave it there for a second and something that looked vaguely like a Start button would appear.
The other three corners offered similar behaviors when users learned to point to them. Unfortunately, those corner actions sometimes triggered when they weren't expected, driving Windows 8 users quietly mad.
Windows 8.1 offered more control over corners (as shown here). In Windows 10, the corners are no longer active parts of the user interface.
Windows 8 debuted Internet Explorer 10, which included two personalities that shared a single rendering engine.
The Metro-style browser, shown here, used the full screen and supported only one add-in: Adobe's Flash Player, which was built in.
The desktop version of Internet Explorer looked like its predecessors, with the ability to use plugins and run in a window.
If you ever had to explain to a Windows 8 user why sometimes they saw one browser and other times another, you understand what a usability nightmare it is.
Windows 10 is going to introduce a brand new browser, code-named Spartan. We've seen only hints of it so far, but if it doesn't exhibit the schizophrenia of Internet Explorer, we'll take it.
The People hub
The People hub was part of the unified Windows 8 communication suite that also included Mail and Calendar capabilities.
Its vision was truly grand. When you connected accounts to Windows 8, you could see everything related to a person in a single master view rolling email, tweets, Facebook posts, Skype messages, and more into one page.
That vision has been scaled back dramatically for Windows 10, with a new Mail and Calendar app coming that looks frankly much better than its predecessor. Will there be a People app?
Windows Media Center
Technically, I suppose Media Center doesn't even belong on this list. It was a signature feature of the Windows "premium" editions for consumers, but development ended in 2009, when Windows 7 was released to manufacturing.
To placate the vocal Media Center enthusiast community, Microsoft released the Windows 8 Media Center Pack, an extra-cost add-on for Windows 8 Pro. But in the blog post announcing the availability of this add-on, Microsoft pointedly declared that Media Center was not part of "the future of entertainment in Windows."
Microsoft hasn't made any announcement about Media Center in Windows 10, but I'll be shocked if it's available. I expect I'll be writing my Media Center obituary in a few months.
Out of respect for your eyes, I chose this screenshot of Windows RT instead of the scary dancing schoolgirls in that "What were they thinking/smoking?" TV ad.
As a brand, Windows RT will not survive into the Windows 10 era. And some commentators seem downright gleeful about the prospect of shoveling dirt onto its grave.
Ironically, though, the concept of Windows RT is alive and well in Windows 10, which will be sold on ARM-based phones and small tablets that will run Windows universal apps but won't have a Windows desktop.
Full-screen Metro apps
At one time, Microsoft proudly referred to its Windows 8 interface design using the "Metro" brand. And then, for reasons that have never been officially explained, that brand name went down the memory hole.
And in the post-Windows 8 era, the Metro name wasn't the only piece of the original design to be changed.
In Windows 8, Metro apps ran full screen or snapped to one edge. In Windows 10, modern apps (the new name) can run in their own windows, on the desktop, alongside desktop apps.
In Windows 8, Metro apps had menus along the top and bottom that were completely hidden by default. In Windows 10, modern apps havehamburger menus.
If you use Windows with a keyboard and mouse, these changes are no doubt for the better. But they're a far, far cry from the original Metro vision.
From SkyDrive to OneDrive
If you followed the development of Microsoft's consumer cloud storage service, let me give you the name of my chiropractor, because you probably have whiplash.
In Windows 8, it was called SkyDrive. Then Microsoft lost a trademark battle and had to rename it OneDrive.
Windows 8.1 rolled out a killer new feature called "smart files," which was announced with great fanfare. Thanks to these clever placeholders, you could browse your entire cloud storage in File Explorer even if it wasn't synced locally.
In Windows 10, that feature has been yanked out, to the great consternation of beta testers. A replacement sync engine is coming, but its details are still fuzzy.
The road map for the new OneDrive sync client is a year long. That's plenty of time for even more wrenching changes.
Most of the functions available from the now-defunct Charms menu have moved to other places. But one signature feature, the Share charm, has been mostly lost in the shuffle in the first wave of Windows 10 previews.
The idea behind the Share charm is admirable: if you see something in one app, you can send it to another app, with the Share charm handling the handoff.
Send a link to Twitter. Send a paragraph of text to an email message. Share some photos to Facebook. And developers don't have to do anything special to enable this universal sharing.
The Share functionality is still available in Windows 10 apps, but you have to dig for it. In the new Photos app, there's a Share icon at the top of the App window. In other apps, you have to open the hamburger menu to find this option.
Share contracts will live on in Windows 10, but who knows what form they'll take?
Posted by CAMACOL at 7:46 AM