There’s never a shortage of headlines in the world of cybersecurity and recent weeks have been no exception. I’m referring to the landmark privacy case between the FBI and Apple and the Berlin debut of the documentary “Zero Days,” which delves into the 2010 Stuxnet worm. The two events have brought the encryption vs. government oversight debate into the public arena in a very real way.
At first glance, these are two separate issues. One is allowing the government to get into a device of a suspected terrorist. In the other case, we’re talking about government-backed cyber-warfare. However, I believe the parallels are clear, and in my opinion, both cases have simple resolutions: If governments really want to keep their citizens safe, they need to focus more on defense than offense.
Offensive cybersecurity tactics offer short-term benefits but have long-term consequences. A government focused on offense is motivated to hide vulnerabilities for later exploitation. This puts every citizen at risk, as bad actors will surely find these holes too.
Governments too focused on offense are also motivated to weaken security for their own purposes. To use the Apple case as an example, the FBI wants to remove security features designed to keep criminals out of consumer devices for the sake of learning more about one dead terrorist. Unfortunately, purposely weakening defense in this way could expose new risks, which no one can guarantee won’t fall into the wrong hands. This also applies to governments hoping to maintain some “master key” for public encryption solutions.
Not having seen the “Zero Days” documentary yet (it releases in the US in May), I can’t yet comment on its accuracy or content. That said, I’m not surprised to hear that governments—including our own—are planning, or have already carried out offensive cyber campaigns.
If you’ve followed information security for the past five or so years, you've seen plenty of evidence of governments creating “red teams” trained to launch computer and network attacks. You’ve seen the details about Operation Olympic Games, experts have analyzed Stuxnet, you’ve followed the Snowden leaks, you’ve seen government cyber budgets expand, and most recently, you’ve probably heard Ukraine accuse another country of attacking its critical infrastructure. With all of this evidence, it should not come as a surprise that governments are considering cyber attacks. However, it should concern you greatly.
These types of “cyber” attacks—ones that target critical infrastructure and pose physical, real-world ramifications—are not only possible but increasingly probable. Stuxnet proved that. Furthermore, I believe digital attacks can result in real human death. Many of our most critical systems rely heavily on computers and cyber networks, which don’t always have the protection they should. Alex Gibney’s Stuxnet documentary will reportedly suggest that the US government planned to launch a digital attack on the Fordo nuclear facility in Iran. While such a plan might seem like science fiction to some, and would certainly pose difficulties (the facility has more defenses than most), the past has proven that motivated, persistent attackers with money can often breach the strongest defenses.
Are the governments considering launching such attacks really prepared to defend themselves from these same attacks? The short answer is no. Even the former director of the CIA and NSA says that we’re not prepared. In fact, with calls to create “backdoors” and encryption master keys, they’re actively tearing down our defenses, thus making everyone’s problem worse.
Government, heal thyself
Countless government breaches, like the ones affecting the State Department, White House email, and the OPM, have proven that attackers can infiltrate government networks and hijack the accounts of key government employees, showing that government defenses are less than perfect. Shouldn’t they be spending more time building their own defenses rather than knocking their citizens’ defenses down?
When governments make commercial software and public networks part of their “cyber battleground,” they expose private citizens and organizations to the “war.” Unfortunately, I expect future “state-sponsored” attacks will include private targets, like we saw with Sony Pictures in 2014. With governments weakening the security of consumer products, how will their citizens survive such attacks?
The very act of promoting a red team, responsible for carrying out cyber attacks, is at odds with the motivation of building a defense team. By definition, a red team is motivated to find ways to defeat defenses and, more importantly, to stockpile and hide those attack techniques so that it can continue to use them. How do you fix a problem you don’t know about, when it’s in the red team’s best interest to keep that problem hidden?
If a government red team finds a new zero-day flaw in commercial software, will it share the flaw with the world so we can fix it and all be safe, or will it hold onto the flaw for its next attack campaign, leaving the potential for other bad actors to find and exploit it as well? Do governments realize that leaving their citizens exposed to such flaws will likely affect their own country as well? I would like to think the answer is yes, but hearing of authorities around the world exploiting blackhat hacking techniques to catch criminals makes me think otherwise.
Yes, I agree that it’s great that we caught a nasty criminal, but do you realize the public safety you might be sacrificing so the police can hang on to their favorite 0day?
In my opinion, the ends don’t always justify the means. If the means include citizens of a free democracy sacrificing privacy, freedom, and security all for the sake of some vague idea of safety that governments can never really deliver on, I say to heck with those means.
Rather, if governments are really serious about our digital security, they need to get serious about information security. They should spend their time making the security features of Apple, and of all other public and private vendors, stronger; they should create unbreakable encryption that protects all citizens’ communications; and they should find and plug every zero-day vulnerability they can, so no terrorist or nation state can leverage it to gain asymmetric power over others.
As I believe Gibney’s documentary will illustrate (and I argued a year ago), Stuxnet opened the Pandora’s box of the cyber arms race. If we want to close that box, we should focus less on the arms and more on building better armor.