Juniper Networks recently hit the news — yet again. Allegedly, the US-based communications equipment giant willfully installed an National Security Agency (NSA) backdoor into its products in 2015, thereby allowing the agency to access the networks of the company's customers. The plot thickened when foreign adversaries found the backdoor and abused it to their advantage. Newly surfaced information identifies this foreign actor as a Chinese-sponsored hacking group. Thus, a stunt that was supposed to serve the interests of US national security turned into a double-edged sword.
Obviously, this is not the first time we've learned about tech companies being recruited by the NSA — or other three-lettered agencies — to participate in national security efforts and thus allow for spying. Nonetheless, not all companies play "cybergames" the same way. Unfortunately, quite often, some participants are not even aware of the fact that they play a role in these cybergames. To simplify things, I think that most companies can be classified into the following categories:
Companies That Actively Assist the Government: Some Paid, Some Voluntarily
Thanks to the leaked Snowden documents, we have learned that RSA — a well-known and respected encryption technology development company — was paid millions of dollars by the NSA when it agreed to intentionally introduce a flaw into its cryptography system, allowing the NSA to crack their encryption.
Another well-documented example includes the collaboration between the NSA and AT&T. AT&T helped the NSA wiretap its networks and provided the agency with access to billions of emails as they traversed domestic communication infrastructure.
Recently we learned that Facebook disrupted a campaign of Iranian hackers by disabling their fake profile accounts. It turned out that the hackers — sponsored by the Iranian government — created fake profiles on the social network to lure western defense contractors to infected websites.
As a sidenote, it seems Facebook tends to pull the trigger of closing accounts not only on Iranian hackers but also on employees of corporations that challenge its cyber sovereignty. After Facebook discovered that the NSO group — a major player in the cyber-spying market — exploited a vulnerability in WhatsApp, in a somewhat retaliatory action Facebook deleted NSO's employees' accounts, which were reinstated after legal intervention.
Companies Reluctant to Participate in Cybergames
Microsoft is probably the poster child for denying to assist the government in cyberwar efforts. From fighting court battles, to signing petitions against aiding the government in cybergames, it was one of the pioneers to move this needle away from government's cyber needs. In fact, being reluctant to assist the government's cyber efforts is not new and can be viewed as a modern reincarnation of the "crypto wars."
Companies That Engage in "Cyber Laissez-Faire"
Although not all companies are happy to help the government, US-based corporations are compelled to do so by law (there are similar duties in other jurisdictions), including to turn over information about intelligence targets. The leaked PRISM documents tell us that companies like Apple, Yahoo, and others participate in such programs.
A prominent example in this category is of magic lantern – a key-logging malware that was delivered to victims via email attachments. When Bob Sullivan broke the story that this malware is developed and used by the FBI, the maker of McAfee antivirus products announces that they will refrain from detecting the malware, thereby non-interfering with FBI’s cyber operations.
Companies That Interfere With Cybersecurity Operations
A peculiar incident occurred recently where Google shut down a government cybersecurity operation. Google says its security teams noticed an active exploitation of several zero-day vulnerabilities by a Western state actor. Instead of turning a blind eye, Google decided to mitigate the attack and make this information public.
Google's incident is far from being a precedent of a private company thwarting government cyber operations. The most famous example of this is arguably from 2010 — when Symantec published a comprehensive report on the novel "Stuxnet" virus, thus giving the Iranians reason to suspect malfunctions in their centrifuges may be linked to the malware, thereby sabotaging an alleged US-Israeli cyber campaign.
Companies That Unknowingly Participate in Cybergames
Perhaps the largest group of cybergame players includes companies unaware that they're playing a role in a global cybergame. Some of them are hacked, merely to get access to their clients, as with SolarWinds and ASUS. The products of others — like Cisco and Crypto AG — are implanted with malicious hardware modules, during manufacturing or in transit to the customers. In most cases, those companies are a part of a supply chain of the victim and represent the easiest way in.
As we see, the cyber-spying field is quite vivid and has participants from across government and the industry. These strategies, tactics, and capabilities are not a monopoly of the US and its allies anymore but are becoming a global commodity. Nevertheless, those same agencies that invented this game are blaming other governments for playing the same hand, as we saw in the case of China and Huawei, or Russia and Kaspersky. Perhaps this blame game is yet another indication that the cybergame is getting out of control.