US's 'Cyberwar' Strategy: Making The Public Less Secure In The Name Of 'Security'

from the adding-up-wrongs-to-make-a-right dept

The US government seems to be responding to "cyber Pearl Harbor" by heading out on bombing runs of its own. All the concern for the safety of the American public displayed in Congress during the CISPA push seems to have been nothing more than the empty words we expect from our representatives. Americans and American companies are now being caught in the crossfire -- some of it "friendly."
The US government is waging electronic warfare on a vast scale — so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.

Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to "offensive" cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.

"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."
I'm not sure how increasing user vulnerability helps win a cyberwar, but no doubt any home team casualties will be written off as sacrifices for the greater good. Even more troubling than the government's willingness to sacrifice security for security (??) is the fact that it's unwilling to share this information. What good are those provisions in CISPA and President Obama's recent cybersecurity executive order about the government sharing cybersecurity info with companies, if the government hoards the information for their own hacking purposes? More details from the Reuters report.
Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.

When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.
Is it any surprise the public distrusts the government? It claims to be fighting a cyberwar in order to make us more secure and yet, when it goes on the attack, it values its own secretive efforts over the security of the public.

As the government purchases more of these exploits to help fight its cyberwar, the lines on the battlefield are continuously redrawn and obscured. Buying exploits from independent hackers leaves them free to sell to other high bidding countries when not using the exploits themselves. This arms race also creates a perverse set of incentives. As the demand for new exploits increases, security companies and contractors that used to release information to those affected are now keeping their discoveries to themselves to preserve "market value."

The Reuters report also notes that this new breed of security contractor is offering up, among other things, keys to criminal botnets. Endgame, a heavily funded tech startup with close ties to the intelligence community, is more than willing to hand over control of thousands of zombie computers for the right price.
Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.

The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.
So, we're engaged in a cyberwar that's going to help us by hurting us, is that it? I understand that no one wants to be outgunned when facing the enemy, but what's being detailed here looks like a whole lot of collateral damage in the pursuit of unattainable goals. The same exploits will be used on both sides of the battle, and with end users and the companies they rely on being cut out of the loop, it will be the civilians who fare the poorest. We'll just be asked to pretend the government's saving us from something even worse.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    Zakida Paul (profile), May 14th, 2013 @ 8:51am

    The reality of governing

    It doesn't matter if people are actually safer. It is all about creating the illusion of safety.

    Getting rid of child porn, the war on terror, the war on piracy, the war on drugs, the war on cyber crime. Nothing that has been done so far has been effective in actually stopping those things but politicians look good because they are seen to be doing something. The majority of the public are too easily manipulated.

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    John Fenderson (profile), May 14th, 2013 @ 9:03am

    Re: The reality of governing

    Actually, I think it's about the opposite: making us feel like we're in danger (and only the decreased liberty can save us). The TSA is the best example of this, but I think the psychology goes like this: the more the public sees that they are paying a price to be safe, the greater the underlying sense that if they're being asked to pay a price, there may be an underlying danger that is about equally strong.

    A little reverse psychology.

    I think this is intentional. Fear is the most dangerous emotion humans have, and amongst its many pernicious effects are two that are particularly useful to would-be tyrants: fear makes people compliant and unthinking.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, May 14th, 2013 @ 9:11am

    what seems to be happening here is exactly what i remember seeing after the worst 'terrorist attack' ever. that terrorists wont have to do anything because the 'defenders against terrorism will do more harm than the terrorists themselves could ever hope to do'. those words seem to have a lot of truth attached to them. what a shame.

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    Kevin L (profile), May 14th, 2013 @ 9:12am

    Why not follow private sector's lead?

    Instead of spending millions on in-house exploit hunting, why not follow Google's lead and offer bounties for discovering exploits which will then be put in a public database? Economically, if the value of the bounty is greater than the value of using or selling the exploit (monetarily or otherwise) then hackers will be happy to collect the bounty. And since multiple hackers can find the same exploit, there will be competition to be the first and/or the lowest bidder.

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    Machin Shin (profile), May 14th, 2013 @ 9:16am

    "cyber Pearl Harbor" might not be as bad a name for what is coming as people think....

    Japan bombed Pearl Harbor as a preemptive strike to try and keep the USA out of WWII. This of course was a gross miscalculation that they later regretted.

    We now have the US government looking to make preemptive strikes against the internet as a whole..... Question is, will they realize before it is too late that it is them in the bombers launching the attack?

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    Kevin L (profile), May 14th, 2013 @ 9:17am

    Also, kudos to whoever at Reuters wrote:
    emails published by hackers acting under the banner Anonymous.
    That's the first time I've seen anything like an understanding of what "Anonymous" is from major news sources.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, May 14th, 2013 @ 9:19am

    Re: Re: The reality of governing

    "Frightened of bureaucracy and frightened of the law
    Frightened of the government and who it's working for..."

    https://www.youtube.com/watch?v=Tjus8cfLFJw

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    Josh in CharlotteNC (profile), May 14th, 2013 @ 9:19am

    Re: Why not follow private sector's lead?

    The government is already following the private sector's lead. Just not the "white hat" side of it. Sure, they're paying bounties for exploits - but they don't end up in public databases, they are not reported to the software company, and are not fixed or patched. This isn't new. Remember the HBGary hack? Similar presentation slides were found boasting of knowledge of exploits that were not public knowledge and able to be used for offensive purposes.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    out_of_the_blue, May 14th, 2013 @ 9:42am

    IF gov't would save us from Microsoft's exploitable mono-culture,

    this'd be automatically nearly wiped out. -- Of course Apple and Google aren't real alternatives. Not only do they provide backdoors for the gov't, but even outside that, just look at how fast Google's latest Precious, Glass, was broken into.

    Back in the halcyon 80's, the notion was that computers would run so fast that software could practically be write-once-run-anywhere, so having multiple OSs wouldn't matter. Somehow Microsoft stole that dream, along with nearly all others; now they've delivered a massive OS with built-in spyware, plus DRM (of course that doesn't work, right?), proprietary lock-ins, and a toy UI that no one wants and has to be fixed.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Arthur Treacher, May 14th, 2013 @ 10:07am

    Re: IF gov't would save us from Microsoft's exploitable mono-culture,

    I call BS. This isn't OOTB1 (legally-trained shill) or OOTB2 (sweat-of-the-brow irrational "intellectual property" owner).

    Of course the MSFT mono-culture has something to do with it. Which Federal Judge oversaw the MSFT anti-trust settlement? Collen Kollar-Kotelly. Which start chamber was Judge Kollar-Kotelly part of? That's right, FISA! (http://en.wikipedia.org/wiki/Colleen_Kollar-Kotelly). Internal collusion anyone?

    After the Jane Harman scandal (http://www.salon.com/2009/04/20/harman/) we have to assume that at least some members of the US Congress are, um, "in debt" to the US intelligence community. Why not Federal Judges, too? Sure, it's a high-stakes game, but it's one that J. Edgar Hoover perfected a long time ago.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, May 14th, 2013 @ 10:13am

    That's the strategy US Govt. has adopted all-along - supporting the bad people (by terming them as good, obviously) to reach their desired (usually nefarious) goals and not leaving any stone unturned to silence those who are vigilant enough to say exactly what they see (that it's not in the best interest of the public).

    Infact the govt. is behaving just like a parasite - adapting itself in such a way that the medicines (i.e. people with an ability to think deeply, rather unfortunately at present far outnumbered by those who can't) do not have their desired effects and, in the worst case scenario, these medicines themselves are treated as something unwanted and, ultimately, flushed out of the system (a highly efficient way to survive indeed!).

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, May 14th, 2013 @ 10:24am

    Re: IF gov't would save us from Microsoft's exploitable mono-culture,

    Linux is a viable alternative, and you can look at the source code.

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    Ninja (profile), May 14th, 2013 @ 10:29am

    The US has been at war with all sorts of real, semi-real and imaginary enemies since 1700 something. I think we need to give these politicians some GIJoe play kits that include some pseudo cyber attackers so they can spend their time less productively. And by productively I mean screwing up people and being morons.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, May 14th, 2013 @ 11:03am

    What I don't get is the whole "If we change as a society, if we give up what makes us a free country, the terrorists have won" speech they all gave us. Exactly what hasn't changed for the worse? We have given up so many freedoms in the name of security that I really don't see how the terrorists didn't win. They succeeded in making the whole free world worse, but the free world leaders are to blame, not the terrorists or hackers or whatever the buzzword for "bad guy" is nowadays.

     

    reply to this | link to this | view in thread ]

  15.  
    icon
    Suzanne Lainson (profile), May 14th, 2013 @ 11:13am

    Re:

    That's the strategy US Govt. has adopted all-along - supporting the bad people (by terming them as good, obviously) to reach their desired (usually nefarious) goals and not leaving any stone unturned to silence those who are vigilant enough to say exactly what they see (that it's not in the best interest of the public).

    I continue to have problems understanding how "government" is separate from private companies. If you remove government and allow private companies to operate without any constraints, seems like you would get more of the same or worse.

    Here's what that article said:

    Reuters reviewed a product catalogue from one large contractor, which was made available on condition the vendor not be named. Scores of programs were listed. Among them was a means to turn any iPhone into a room-wide eavesdropping device. Another was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren't connected to anything.

    So private contractors finding flaws and developing ways to exploit them would likely continue. They would just find people other than government to sell their info and programs to.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    The Libertarian, May 14th, 2013 @ 11:21am

    Re: The reality of governing

    Isn't bravery and courage more powerful than Fear? A fearful person is more easily controlled than one who has nothing to fear.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, May 14th, 2013 @ 11:24am

    Re: Re: The reality of governing

    It's about both. The most successful politicians will trump up a "danger" we all need to be afraid of and then offer a solution for it to make us all "safe," despite both being complete BS.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, May 14th, 2013 @ 11:45am

    Re:

    Mr. President,
    This is a very real threat against our country and freedom as demonstrated by these GIJoes. As you can see a member of the terrorist organization Cobra is slipping by these strategically placed Joes undetected with a AA Battery Bomb.
    Here you can see the effects of the AA Battery Bomb replicated by smashing this Lego city with a hammer. The destruction is incalculable.
    We must act now before it is too late.

     

    reply to this | link to this | view in thread ]

  19.  
    icon
    art guerrilla (profile), May 14th, 2013 @ 12:37pm

    Re: The reality of governing

    well, i think you know better...
    that *is* the superficial takeaway, but the REAL goal is to use such FUD to generate monies for their cronies, who then give them 'donations' (read: legalized bribes), who then pass laws to benefit their cronies, who then donate more money to the compliant kongresskritters, who pass more laws to benefit their cronies...
    repeat as necessary...

    the bullshit concern for the merikan people is mere window dressing, con artist patter to separate us from our money, honey...

    kongresskritters are the masters of 3 card monty...

    art guerrilla
    aka ann archy
    eof

     

    reply to this | link to this | view in thread ]

  20.  
    icon
    John Fenderson (profile), May 14th, 2013 @ 1:38pm

    Re: Re: The reality of governing

    Someone is brave when they can act in the face of fear. It's not really an emotion on its own. Someone who is without fear cannot be brave, by definition.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Coward, May 14th, 2013 @ 1:47pm

    So who's the threat now?

    Well if there isn't a "Cyber-Security" threat out there, then leave it to our government to create one.

    What better way to claim that laws and defense are needed than to create the situation so they can point at it...

    See those zombie bot nets are DDOS'ing Wall Street and US banks, we NEED more legislation so that we can stop these attacks (that we initiated...)

    It's worked well before and it will probably continue to work... To "Steal" from a popular poster company,

    Government:
    "You think our problems are bad, wait until you see our solutions."
    Consulting:
    "Even when you are the only solution, there is money to be made in prolonging the problem."

    Where's the "Sad but true" button when you need it?

     

    reply to this | link to this | view in thread ]

  22.  
    icon
    toyotabedzrock (profile), May 14th, 2013 @ 3:18pm

    Freemarket Fail

    The cyberware people seem to be forgetting that a bug is not a physical object that can only be sold once.

    Further they are offering such high prices they are subsidizing the bug creation for other countries.

     

    reply to this | link to this | view in thread ]

  23.  
    icon
    BentFranklin (profile), May 14th, 2013 @ 5:16pm

    the Internet is basically US territory. Everything we do, we do on the Internet. I can't think of anything stupider than inviting warfare on one's own territory.

     

    reply to this | link to this | view in thread ]

  24.  
    icon
    That Anonymous Coward (profile), May 14th, 2013 @ 5:22pm

    We have become the enemy, the enemy is us.

    We decry these actions taken by other nations because they are dictators, except we have been shredding our citizens rights so our leaders can behave like those dictators.

    So focused on "winning" we ignore that the thing we are protecting has been the first casualty.

    More concerned with keeping contractors fat and happy we sacrifice the citizens rights, and those citizens are so brainwashed by soundbites they willingly accept the slide away from freedom.

    People willingly accept 'collateral damage' as acceptable to hunt terrorists, ignoring we are killing innocent people to obtain our goals... just like how terrorists operate.

    The only difference is we have a flag, and some words on a piece of paper we stopped understanding a long time ago.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Faizan, May 15th, 2013 @ 12:28am

    Re: The reality of governing

    I agree with what you say, Obama (in order to look good) has made another bill in which the Authorities can Look in to our emails (source: http://goo.gl/K7DKy). Whereas they should be doing about the real issues which you have highlighted instead of harassing the general public!

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This