US's 'Cyberwar' Strategy: Making The Public Less Secure In The Name Of 'Security'

from the adding-up-wrongs-to-make-a-right dept

The US government seems to be responding to “cyber Pearl Harbor” by heading out on bombing runs of its own. All the concern for the safety of the American public displayed in Congress during the CISPA push seems to have been nothing more than the empty words we expect from our representatives. Americans and American companies are now being caught in the crossfire — some of it “friendly.”

The US government is waging electronic warfare on a vast scale — so large that it’s causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.

Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to “offensive” cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.

“If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users,” Clarke told Reuters. “There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn’t.”

I’m not sure how increasing user vulnerability helps win a cyberwar, but no doubt any home team casualties will be written off as sacrifices for the greater good. Even more troubling than the government’s willingness to sacrifice security for security (??) is the fact that it’s unwilling to share this information. What good are those provisions in CISPA and President Obama’s recent cybersecurity executive order about the government sharing cybersecurity info with companies, if the government hoards the information for its own hacking purposes? More details from the Reuters report:

Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way – sweeping cybersecurity legislation being weighed by Congress and President Barack Obama’s February executive order on the subject – asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.

When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.

Is it any surprise the public distrusts the government? It claims to be fighting a cyberwar in order to make us more secure and yet, when it goes on the attack, it values its own secretive efforts over the security of the public.

As the government purchases more of these exploits to help fight its cyberwar, the lines on the battlefield are continuously redrawn and obscured. Buying exploits from independent hackers leaves them free to sell to other high-bidding countries when not using the exploits themselves. This arms race also creates a perverse set of incentives. As the demand for new exploits increases, security companies and contractors that used to release information to those affected are now keeping their discoveries to themselves to preserve “market value.”

The Reuters report also notes that this new breed of security contractor is offering up, among other things, keys to criminal botnets. Endgame, a heavily funded tech startup with close ties to the intelligence community, is more than willing to hand over control of thousands of zombie computers for the right price.

Some of Endgame’s activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal “botnets” – networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.

The point was not to disinfect the botnet’s computers or warn the owners. Instead, Endgame’s customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.

So, we’re engaged in a cyberwar that’s going to help us by hurting us, is that it? I understand that no one wants to be outgunned when facing the enemy, but what’s being detailed here looks like a whole lot of collateral damage in the pursuit of unattainable goals. The same exploits will be used on both sides of the battle, and with end users and the companies they rely on being cut out of the loop, it will be the civilians who fare the poorest. We’ll just be asked to pretend the government’s saving us from something even worse.


Comments on “US's 'Cyberwar' Strategy: Making The Public Less Secure In The Name Of 'Security'”

Zakida Paul (profile) says:

The reality of governing

It doesn’t matter if people are actually safer. It is all about creating the illusion of safety.

Getting rid of child porn, the war on terror, the war on piracy, the war on drugs, the war on cyber crime. Nothing that has been done so far has been effective in actually stopping those things but politicians look good because they are seen to be doing something. The majority of the public are too easily manipulated.

John Fenderson (profile) says:

Re: The reality of governing

Actually, I think it’s about the opposite: making us feel like we’re in danger (and only the decreased liberty can save us). The TSA is the best example of this, but I think the psychology goes like this: the more the public sees that they are paying a price to be safe, the greater the underlying sense that if they’re being asked to pay a price, there may be an underlying danger that is about equally strong.

A little reverse psychology.

I think this is intentional. Fear is the most dangerous emotion humans have, and amongst its many pernicious effects are two that are particularly useful to would-be tyrants: fear makes people compliant and unthinking.

art guerrilla (profile) says:

Re: The reality of governing

well, i think you know better…
that is the superficial takeaway, but the REAL goal is to use such FUD to generate monies for their cronies, who then give them ‘donations’ (read: legalized bribes), who then pass laws to benefit their cronies, who then donate more money to the compliant kongresskritters, who pass more laws to benefit their cronies…
repeat as necessary…

the bullshit concern for the merikan people is mere window dressing, con artist patter to separate us from our money, honey…

kongresskritters are the masters of 3 card monty…

art guerrilla
aka ann archy

Anonymous Coward says:

what seems to be happening here is exactly what i remember seeing after the worst ‘terrorist attack’ ever. that terrorists won’t have to do anything because the ‘defenders against terrorism will do more harm than the terrorists themselves could ever hope to do’. those words seem to have a lot of truth attached to them. what a shame.

Kevin L (profile) says:

Why not follow private sector's lead?

Instead of spending millions on in-house exploit hunting, why not follow Google’s lead and offer bounties for discovering exploits which will then be put in a public database? Economically, if the value of the bounty is greater than the value of using or selling the exploit (monetarily or otherwise) then hackers will be happy to collect the bounty. And since multiple hackers can find the same exploit, there will be competition to be the first and/or the lowest bidder.

Josh in CharlotteNC (profile) says:

Re: Why not follow private sector's lead?

The government is already following the private sector’s lead. Just not the “white hat” side of it. Sure, they’re paying bounties for exploits – but they don’t end up in public databases, they are not reported to the software company, and are not fixed or patched. This isn’t new. Remember the HBGary hack? Similar presentation slides were found boasting of knowledge of exploits that were not public knowledge and able to be used for offensive purposes.

Machin Shin (profile) says:

“cyber Pearl Harbor” might not be as bad a name for what is coming as people think….

Japan bombed Pearl Harbor as a preemptive strike to try and keep the USA out of WWII. This of course was a gross miscalculation that they later regretted.

We now have the US government looking to make preemptive strikes against the internet as a whole….. Question is, will they realize before it is too late that it is them in the bombers launching the attack?

out_of_the_blue says:

IF gov't would save us from Microsoft's exploitable mono-culture,

this’d be automatically nearly wiped out. — Of course Apple and Google aren’t real alternatives. Not only do they provide backdoors for the gov’t, but even outside that, just look at how fast Google’s latest Precious, Glass, was broken into.

Back in the halcyon 80’s, the notion was that computers would run so fast that software could practically be write-once-run-anywhere, so having multiple OSs wouldn’t matter. Somehow Microsoft stole that dream, along with nearly all others; now they’ve delivered a massive OS with built-in spyware, plus DRM (of course that doesn’t work, right?), proprietary lock-ins, and a toy UI that no one wants and has to be fixed.

Arthur Treacher says:

Re: IF gov't would save us from Microsoft's exploitable mono-culture,

I call BS. This isn’t OOTB1 (legally-trained shill) or OOTB2 (sweat-of-the-brow irrational “intellectual property” owner).

Of course the MSFT mono-culture has something to do with it. Which Federal Judge oversaw the MSFT anti-trust settlement? Colleen Kollar-Kotelly. Which star chamber was Judge Kollar-Kotelly part of? That’s right, FISA! Internal collusion anyone?

After the Jane Harman scandal we have to assume that at least some members of the US Congress are, um, “in debt” to the US intelligence community. Why not Federal Judges, too? Sure, it’s a high-stakes game, but it’s one that J. Edgar Hoover perfected a long time ago.

Anonymous Coward says:

That’s the strategy US Govt. has adopted all-along – supporting the bad people (by terming them as good, obviously) to reach their desired (usually nefarious) goals and not leaving any stone unturned to silence those who are vigilant enough to say exactly what they see (that it’s not in the best interest of the public).

In fact the govt. is behaving just like a parasite – adapting itself in such a way that the medicines (i.e. people with an ability to think deeply, rather unfortunately at present far outnumbered by those who can’t) do not have their desired effects and, in the worst case scenario, these medicines themselves are treated as something unwanted and, ultimately, flushed out of the system (a highly efficient way to survive indeed!).

Suzanne Lainson (profile) says:

Re: Re:

That’s the strategy US Govt. has adopted all-along – supporting the bad people (by terming them as good, obviously) to reach their desired (usually nefarious) goals and not leaving any stone unturned to silence those who are vigilant enough to say exactly what they see (that it’s not in the best interest of the public).

I continue to have problems understanding how “government” is separate from private companies. If you remove government and allow private companies to operate without any constraints, seems like you would get more of the same or worse.

Here’s what that article said:

Reuters reviewed a product catalogue from one large contractor, which was made available on condition the vendor not be named. Scores of programs were listed. Among them was a means to turn any iPhone into a room-wide eavesdropping device. Another was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren’t connected to anything.

So private contractors finding flaws and developing ways to exploit them would likely continue. They would just find people other than government to sell their info and programs to.

Anonymous Coward says:

Re: Re:

Mr. President,
This is a very real threat against our country and freedom as demonstrated by these GIJoes. As you can see a member of the terrorist organization Cobra is slipping by these strategically placed Joes undetected with an AA Battery Bomb.
Here you can see the effects of the AA Battery Bomb replicated by smashing this Lego city with a hammer. The destruction is incalculable.
We must act now before it is too late.

Anonymous Coward says:

What I don’t get is the whole “If we change as a society, if we give up what makes us a free country, the terrorists have won” speech they all gave us. Exactly what hasn’t changed for the worse? We have given up so many freedoms in the name of security that I really don’t see how the terrorists didn’t win. They succeeded in making the whole free world worse, but the free world leaders are to blame, not the terrorists or hackers or whatever the buzzword for “bad guy” is nowadays.

Anonymous Coward says:

So who's the threat now?

Well if there isn’t a “Cyber-Security” threat out there, then leave it to our government to create one.

What better way to claim that laws and defense are needed than to create the situation so they can point at it…

See those zombie bot nets are DDOS’ing Wall Street and US banks, we NEED more legislation so that we can stop these attacks (that we initiated…)

It’s worked well before and it will probably continue to work… To “Steal” from a popular poster company,

“You think our problems are bad, wait until you see our solutions.”
“Even when you are the only solution, there is money to be made in prolonging the problem.”

Where’s the “Sad but true” button when you need it?

That Anonymous Coward (profile) says:

We have become the enemy, the enemy is us.

We decry these actions taken by other nations because they are dictators, except we have been shredding our citizens’ rights so our leaders can behave like those dictators.

So focused on “winning” we ignore that the thing we are protecting has been the first casualty.

More concerned with keeping contractors fat and happy we sacrifice the citizens’ rights, and those citizens are so brainwashed by soundbites they willingly accept the slide away from freedom.

People willingly accept ‘collateral damage’ as acceptable to hunt terrorists, ignoring we are killing innocent people to obtain our goals… just like how terrorists operate.

The only difference is we have a flag, and some words on a piece of paper we stopped understanding a long time ago.
