I’m generally not a “the government is out to get me” kind of guy, and I suspect that in most democracies, government officials actually want to help their country and their citizens. That said, I think many of the decisions governments are making about information security (otherwise known as “cyber”) are making their citizens—and ultimately themselves—much more vulnerable.
It’s clear that “cyber” security has finally hit the global front stage, and has become a top issue for governments around the world. From the Estonian DDoS attacks, to Stuxnet and Regin, and now (allegedly) the Sony Pictures breach, we’ve seen nation states launching offensive network attacks. Governments are investing heavily in “red teams’—groups whose job is to carry out computer and network attacks. Recently, President Obama even declared he wants to ramp up the U.S.’s cyber security arsenal with a budget increase to $14 billion a year.
I’m not naïve. I recognize that in some situations nation-states may need to carry out espionage, or—in the worst case—use force (physical or digital) to protect their countries. However, I also believe that some of the steps governments have taken under the guise of improving their cyber arsenal will do more harm than good in the long run. Frankly, Stuxnet opened Pandora’s box, and in many case the ends don’t justify the means with these network attacks.
[Read the latest news about how a Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet.]
Let me be more specific. Here are three ways our governments are making us less secure:
Government malware accelerates the evolution of criminal malware.
Though some have recently argued that criminal malware is more advanced than some suspect, Stuxnet—a state sponsored threat—was vastly superior than any previously seen malware. Stuxnet leveraged multiple zero days to spread, exploited sophisticated evasion techniques to hide, and even used stolen digital certificates to make the installation process smooth, and interaction free. Once Stuxnet leaked to the security community, researchers decompiled it and shared their results. While such research is necessary for defense, it also tipped off criminals to all Stuxnet’s neat tricks. Criminals are nothing, if not opportunistic. Shortly after Stuxnet got dissected, criminal bot herders started copying its sophisticated techniques and exploits in malware like Zeus.
This has and will continue to happen. If criminals see a neat new trick that makes nation state malware more effective, they will copy it and use it in their private attacks. For instance, I expect more malware to start using tricky staged loading processes to get past host based antivirus (AV), as seen in suspected nation state threats like Regin. In short, when the sophisticated techniques used by nation-state malware go public, it accelerates the evolution in criminal malware, making it more advanced, and harder to defend against for the average target. Private businesses—small and large—are getting hit with much more targeted and advanced attacks then ever before.
Governments have fortified zero day vulnerability black markets.
I personally appreciate vulnerability researchers—especially ones that disclose responsibly (even if they share exploit code). However, I am sickened by the new zero day vulnerability market that has cropped up lately. I don’t mind the organizations that buy zero day exploits, and disclose them to the software vendors to fix. However, there is a more shady market that auctions zero day to the highest bidder, with no plans to disclose the flaws to anyone else. After all, if the buyer wants to weaponize these vulnerabilities, it’s not to their advantage to fix them.
Unfortunately, governments are one of the primary customers supporting these zero day vulnerability markets. This means the flaw, which is typically in commercial software everyone uses, does not get fixed, making us ALL more vulnerable. I don’t understand why governments don’t think that other attackers might not find that same flaw themselves, and use it to. If a government buys zero day and doesn’t disclose it, not only do they make their own citizens less secure, but they are likely also putting their own resources at risk somewhere as well. Rather than hording zero day, shouldn’t governments help fix them?
Governments try to restrict/backdoor/break encryption.
Everyone in a free society has the right to encryption to protect their privacy. Even if you never do anything wrong, you have a right to keep some things secret like your passwords or banking communications. Yet, governments—even so-called democratic and free ones—are trying to limit or weaken encryption. Recently, the director of the FBI has argued that Apple and Google need to leave holes in smartphone encryption for law enforcement. The British Prime Minister wants to decrypt IMs and other Internet communication.
This is ludicrous. I realize that bad guys may also use encryption to communicate, but that doesn’t mean law enforcement should have enough access to blanket surveillance. Furthermore, if you put backdoors or weaknesses in everyone’s encryption, others will find them. It’s only a matter of time. Weakening private encryption in tools everyone uses does more to expose a government’s citizens than it does to help them find criminals.
As much as I don’t like some of the governments’ current “cyber” policies, I don’t think they have nefarious goals in mind, and I think that we can help them fix this problem. So what should you do? Get involved!
If you’re reading this, chances are you’re an information security professional. You’re the expert governments rely on and listen to when considering network and computer security issues. Share your thoughts with your congressperson. Join InfraGuard and have your voice heard. Write about these issues and speak out publicly. Personally, I believe governments should focus much more on defending themselves and their citizens from “cyber” attack than they do on offensive campaigns. If they plug all our holes, they leave nothing for enemies to attack. If you believe the same, let them know.
Finally, my last tip is to up your defenses. Our governments’ current “cyber” policies have put us at risk, and increased the sophistication of today’s attacks. If you haven’t updated your defenses lately, by adopting new solutions such as advanced threat protection, now’s the time to do so. Governments certainly aren’t doing it for you.