Surveilled #80: the invisible arms race in our digital realm
Hi, Frederik here with *gasp* a new issue of Surveilled. The last one was eons ago, and I’m very grateful that you remained subscribed all this time. If this reminds you that you meant to unsubscribe but you haven’t gotten round to it yet, you can unsubscribe in one click, no hard feelings. I don’t think this is the start of a new, regular schedule, but I do intend for the next issue to come around sooner. Do drop me a line with any questions or comments just by replying to this message, I always enjoy hearing from you. And as always, thanks for reading!
Book review: This Is How They Tell Me the World Ends, by Nicole Perlroth
The rise to prominence of technology in our society and hacking have gone hand-in-hand from the start. Spotting a vulnerability in a system and then exploiting it to do something you’re not supposed to, like making free phone calls or downloading the personal information of all US government employees, is a source of pride for many an engineer. In the early days of computing and tech, pride was often the only motivation. With time, the hacker community started making a distinction between “white hats”, who published the vulnerabilities they found, enabling the tech companies to fix them, and “black hats”, who instead used them for nefarious purposes. White hats were offering their services to tech companies for payment, but this remained mostly a cottage industry for a long time. Meanwhile, national intelligence agencies and militaries had little interest in breaking into commercial software, and focused what electronic warfare abilities they had on their enemies’ systems.
All this started to change in the mid-2000s, when we started turning to the digital realm almost exclusively for our communications, financial transactions, and most everything else. Huge amounts of our most sensitive data were now stored on the systems of commercial companies, who in turn were focused on getting their products out as quickly and cheaply as possible. They were less focused on protecting their users’ data, witness the many data leaks that started occurring with increasing frequency since then.
Nation-states, for their part, quickly understood there was a massive trove of intelligence there for the taking, and grabbing it became one of their paramount objectives. Further, they realised that with computer systems more and more embedded in manufacturing processes or infrastructure like the power grid, methods for breaking into them—“zero-days” in the lingo—were turning into critical weapons of virtual war. Every nation-state therefore scrambled to develop its offensive abilities: accumulate an arsenal of zero-days to attack and commandeer not only an enemy’s computer systems, but also those of commercial companies, even if they were from the same or friendly nations.
Around the same time, commercial brokers for zero-days started to emerge. They paid large sums to hackers who would sell them vulnerabilities in widely used software, such as Microsoft’s web server or Oracle databases. On the buy side, nation-states quickly became their best customers, locked as they were in a virtual arms race with each other. Countries such as the US, Russia, China and India, but also the UAE, Saudi Arabia, Malaysia and Singapore started paying huge sums for zero-days, to supplement those that they developed in-house. Obviously, for some of these countries, there were suspicions that they’d target not just foreign threats, but also their own citizens. But such potential ethical concerns didn’t matter much to most brokers, who happily did business with everyone.
Before long, we started catching glimpses of these new weapons in action. 2009 saw arguably the first act of war in cyberspace. A nuclear enrichment facility in Iran was disabled by a US-developed computer worm called Stuxnet, which relied on a string of zero-day exploits to take over the computers controlling the enrichment process. Russia’s conflicts with Ukraine and Georgia were also punctuated by cyberattacks, with Russia at one point taking down Ukraine’s power grid for many hours. And China became notorious for breaking into all the systems it could, public or private, to gather as much intelligence and especially intellectual property as possible. This is not even to mention the pandemic of ransomware attacks in recent years, usually carried out by hacker groups with the tacit support of their governments. By now, announcements from one company or another that they’ve been attacked and their user data compromised are so frequent that we’ve become used to them.
This is essentially the story told in much more vivid and colourful detail in Nicole Perlroth’s book, which was named FT Business Book of the Year 2021. The story of the brokers and their clients is fascinating in itself, and by stringing together events that live disparately in our memory, the full magnitude of the danger we face is revealed. Even with the seemingly ever more frequent stories about data breaches and compromised systems, our intent to digitise continues unabated, and the market for zero-days keeps growing. At this stage, a cyberattack, intentional or accidental, could easily lead to a significant loss of life. So the question becomes, how can we defend against this? Unfortunately, the book has not much to offer here.
Most nation-states do not only have an offensive “cyberweapons” programme, but also defensive programmes, to protect their public and private infrastructure and intellectual property. However, far more funds tend to be dedicated to offense than defense, more than double in the case of the US’ NSA. Moreover, because of their pursuit of offensive zero-days, the interest of nation-states often conflicts with that of the tech companies wishing to secure their products. For it to have value, a zero-day needs to be secret, otherwise it can be fixed and thus become useless. And with the vast sums of money in play, the hackers who discover the zero-days have more incentive to keep them secret and sell them to brokers instead of highlighting them to the tech companies. Since the late 2000s, the tech sector has been trying to compete with the brokers by setting up bounty programmes that pay out significant sums for vulnerabilities, but this is arguably not enough to keep pace.
The book also mentions “Heartbleed”, a serious vulnerability in OpenSSL that was discovered in 2019. OpenSSL is the tool that encrypts data between your web browser and a web server, and this flaw allowed anyone to break the encryption and thus listen in. OpenSSL is used by millions of websites, and, like most of the internet’s infrastructure, it is open source, meaning that it is maintained by volunteers, in this case a single person. Perlroth points to this as a major weakness, probably with justification. Clearly I don’t think the open source model itself is at issue. Indeed, most of the high profile attacks over the past years were against “closed source” products, not least Windows, very much made by a for-profit company. But private companies relying on these open source products should probably contribute more, either with money or with their developers’ time.
Still, in the end the issue is that security vulnerabilities are a fact of life for complicated, open systems. The US Department of Defense already understood this in the 1960s: it mentioned in a report that “contemporary technology cannot provide a secure system in an open environment.” Even sixty years later, that statement still holds true. Defending against cyberattacks then primarily becomes a matter of good security hygiene: strong and unique passwords, patching systems as soon as updates become available, “air gapping” (disconnecting from the internet) critical systems, etc. The book mentions the example of Japan, which adopted a masterplan highlighting such best practice in 2005. By now, Japanese devices and networks are better protected than those of other countries with similar GDP. Even then, we know this will not be enough against a determined and resourceful nation-state attacker. So perhaps the answer lies in international conventions regulating zero-days’ use, like conventional and nuclear weapons, however unsatisfying and insufficient that may seem. Whatever the response will be, the book makes crystal clear that it is way past time for the international community to wake up to the dangers in our digital realm.