A Modern Moral Dilemma – Government Cyber Friend or Foe?

Posted on February 21, 2015


Biological warfare has been outlawed by international convention for many years now. More than 100 nations signed the 1972 Biological Weapons Convention treaty and declared germ weaponry “repugnant to the conscience of mankind.”

When one door closes another opens, and we are now confronted with a similar dilemma in the handling of Cyber attacks. Overdramatic? Read on …

With current trends and attitudes at Government level to Cyber warfare, the cavalier attitude of nation state funded actors who are deploying the equivalent of Digital ordnance against foreign powers raises worrying legal and ethical questions. These are questions that we can only start to get answers to through a similar Convention or Treaty engagement process, one that may help to bring this nefarious practice out into the open and into public debate. It will not stop it, but it will shine some much needed light and awareness onto what increasingly puts more than our privacy at risk and drives to the heart of our liberty.

Any other traditional form of unprovoked, destructive offensive engagement against a foreign power, with a real risk to life, would be classed as an ‘Act of War’. Yet this is happening under our very noses, and is dizzily accepted by aggressors and defenders alike!

State actors are deploying high-grade Cyber ‘weapons’ against each other, reaching into others’ sovereign territory and destroying property in a way that has led to loss of life. This is before the huge and real risk that comes from the potential for unintended consequences when deploying a new class of weapon. After all, even the malware has software bugs in it, which means there are going to be unknown consequences of some order!

These Cyber weapons are not fiction but very much fact:

  • Duqu – A reconnaissance tool researchers say was used to copy blueprints of Iran’s nuclear program.
  • Stuxnet – A worm used to damage Iranian uranium enrichment installations. Created, it is understood, by a joint US/Israel cyber task force as an alternative to strategic air strikes by Israel on Iran.
  • Flame – A Virus designed to steal information from computers across the Middle East.
  • Gauss – A Trojan based on the Flame platform, its main purpose being to target banking information from Lebanese banks as well as Citibank and PayPal.
  • Regin – Targeting the manipulation and surveillance of mobile networks in the Middle East.

These reflect a dramatic escalation in the technical dexterity and capability of the more traditional profile of malware. When initially detected, these malware packages marked themselves out as having nation state pedigree, due to the level of investment and complexity that had to go into creating such complex and advanced packages. They are altogether more complex and professional in nature than anything ever seen from the hacker, hacktivist or criminal communities. Documents later leaked by Snowden confirmed that the US and Israel were behind those listed above, amongst others.

Having been identified and reverse engineered, these software ‘weapons’ provide a blueprint for copycat threats to be produced by criminals and hackers at a fraction of the original investment.

A dark side to Cyber warfare is the real fact that when you launch malware you do so with the inevitable eventual outcome that it will be discovered and reverse engineered. This discovery and reverse engineering is the equivalent of deploying conventional weapons and sending the blueprints to the enemy. Like a boomerang, it will come back at you, so be damned sure you are not similarly exposed. This presents a dilemma with Cyber weapons: the very software security holes a weapon leverages are the same weaknesses in one’s own back yard.

Cyber warfare could be said to be the modern equivalent of building a virtual Maginot Line.

Strike 1 – Nation State actors are inadvertently accelerating the advancement of cyber threats against us all, even with their excuse that these are highly targeted Digital Weapons. The guns are, in virtual terms, being left lying in plain view for anyone to pick up and turn on their own target of choice. The code of these Cyber Warheads speaks for itself, leaving traces and pointers back to the perpetrators such as:

Since 2001, the Equation group has been busy infecting thousands, or perhaps even tens of thousands, of victims throughout the world. They are also thought to be responsible for a much more pernicious and pervasive attack profile and payload, known as ‘Implants’ (advanced Trojan class). The activities of the Equation group go back as far as 2001, and something even earlier, with traces in 1996, reaching deep into the cutting edge of technology compromise.

For example, the mysterious and powerful module attributed to the Equation group, known only by a cryptic name, “nls_933w.dll”, allows them to reprogram the hard drive firmware of over a dozen different hard drive brands from Seagate, Western Digital, Toshiba, Maxtor and IBM. This is an astonishing technical accomplishment and is testament to the group’s abilities, and to the risks if you are an individual or enterprise targeted. This level of attack is simply impossible to identify without access to specialist forensic equipment and experience, and impossible to clean: a hammer (or drill) and a little elbow grease to destroy the Hard Drive is the only guaranteed protection. Little consolation … you will not know that the next hard drive you buy is not already compromised. Rewind and repeat ….

This is your government spending your tax dollars to weaken your own technology! Someone should be sacked if not put on trial for this.

That is the tip of the iceberg. In 2011 according to some of the documents leaked by the whistleblower Snowden, the US Government executed 231 offensive Cyber operations against foreign countries, of which 75% targeted Iran, Russia, China and North Korea.

The size of the US investment in cyber warfare is evident in their 2013 budget of $652 million, spent by the NSA, CIA and other clandestine US military operations teams on planting covert digital bugs in more than 90,000 computers, routers, firewalls and other embedded devices around the world. Whilst some of this is executed remotely using known system security weaknesses (Zero Day Exploits), many of the most valuable compromises use ‘Interdiction’.

Interdiction is a process whereby the CIA or FBI intercept legitimate deliveries of hardware in transit to customers and retrofit compromised components or firmware, so that the receiving customer is none the wiser and the state actors have a ready-made back door into that corporate network. This grade of compromise tends to be persistent and is not lost when systems are upgraded or reconfigured. These ‘implants’ can then be turned on or off remotely to undertake Computer Network Exploitation (CNE) at will.

Strike 2 – Implants are often hardwired into expensive corporate, industrial or national infrastructure environments. It is not beyond the bounds of past experience that such backdoors into systems get discovered by hackers, in so doing providing hackers with free access to any such compromised system or network. This is a phenomenally arrogant and high-risk strategy that hands out the wherewithal that leaves US infrastructure open to the same attacks.

It does not end there. More from the Snowden dossiers reveals that in 2013 the US National Security Agency (NSA) budgeted over $20 million to covertly purchase, acquire and stockpile software vulnerabilities like old wartime munitions, bought from the ‘Zero Day Grey Market’ populated by traditional arms suppliers now extending their repertoire into cyber espionage.

Strike 3 – Government is fostering the persistence of unpublished (Zero Day) security vulnerabilities in consumer, commercial and industrial software systems and hardware. Zero Day Vulnerabilities or Exploits are the holy grail of the Cyber battlefield and can be exploited for nefarious or destructive ends.

In October 2012, as a Top Secret Presidential Directive leaked by Snowden confirms, President Obama instructed that a list be drawn up of potential foreign targets offering, quoting: “unique and unconventional opportunities to advance US national objectives around the world”.

So instead of the more conventional, and one would argue responsible, practice of researchers and security professionals notifying vendors of security weaknesses in their systems so they can be fixed, Governments are pursuing a practice of preserving any exploits they find. They are building up veritable warehouses of thousands, yes 1,000s, of Zero Day exploits that cover everything from domestic software used by consumers through to Industrial Control Systems (ICSs) that operate anything from your Smart TV, through railway infrastructure, right the way up to nuclear installations.

You can bet that if a US Cyber team can find a Zero Day exploit then a Russian team can too. So all that is happening is that Governments are persisting weaknesses at our expense first, and ultimately theirs.

The debate rumbles on as to the legitimacy of these actions. Bizarrely, very little issue seems to be made of the fact that there has been limited public debate on the safety and use of these immature weapons and the wanton violation of third parties’ sovereign Cyber Space. The long-term consequences of this new form of attack remain largely unknown. What is clear, though, is that the use of Cyber Weapons has now been given the green light; the US, in their role as global policeman, cannot put that genie back in the bottle or criticize other nations for doing what they have led the way in.

Strike 4 – Governments are acting like ‘God’, deciding when and who will be hit or who will be protected. This is morally repugnant, as they leave us all exposed to compromise in our digital lives while they persist the pervasive nature of these security weaknesses, not just in our consumer systems but in the very infrastructure that runs our lives, that we travel on and rely on.

By now you should be getting the hint. Is it not bad enough that we are open to 24x7x365 attack from the hackers and the criminal fraternity? Yet this attack community is fuelled by our own tax Dollars through the cavalier attitude of our governments, who are indirectly providing the training and raw material that escalate the threats.

The very fact that these covert government departments perform ‘Equities Tests’ to determine whether an exploit should be communicated to a vendor and fixed, or retained surreptitiously for their own manipulation or abuse, does not make it any easier to accept. The ‘Equities Test’, more recently highlighted in the Hollywood blockbuster Alan Turing biopic ‘The Imitation Game’, illustrates the moral and legal challenges faced. The decision to use the broken code judiciously, so as not to tip the Germans off that their code machine had been compromised, meant sacrificing innocent lives. In the film this was vividly illustrated when the government decided to allow the Germans to sink a boat full of servicemen rather than risk tipping the Germans off that the code had been cracked.

Strike 5 – As if this was not enough, the most repugnant act is that the US, in its headlong rush into aggression, has abused the very trust system the Internet is based on. In order to get their malicious code deployed, the US manipulated root Certificate servers, stealing certificates so that they could sign their Cyber Weapons with legitimate third party certificates. This is the equivalent of the Internet’s digital passport system that distinguishes good software from suspect or downright malicious software. I guess they feel they can do it with National Passports or ID cards when they want, so why not the Internet’s equivalent? Well, for a start, the Internet is not owned by any one nation!

A very real modern moral dilemma: should we not expect, at the very least, our Governments to act in our nation’s interests and remedy digital security threats rather than stockpiling them?