US's 'Cyberwar' Strategy: Making The Public Less Secure In The Name Of 'Security'
from the adding-up-wrongs-to-make-a-right dept
The US government seems to be responding to "cyber Pearl Harbor" by heading out on bombing runs of its own. All the concern for the safety of the American public displayed in Congress during the CISPA push seems to have been nothing more than the empty words we expect from our representatives. Americans and American companies are now being caught in the crossfire -- some of it "friendly."The US government is waging electronic warfare on a vast scale — so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.I'm not sure how increasing user vulnerability helps win a cyberwar, but no doubt any home team casualties will be written off as sacrifices for the greater good. Even more troubling than the government's willingness to sacrifice security for security (??) is the fact that it's unwilling to share this information. What good are those provisions in CISPA and President Obama's recent cybersecurity executive order about the government sharing cybersecurity info with companies, if the government hoards the information for their own hacking purposes? More details from the Reuters report.
Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to "offensive" cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.
"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."
Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.Is it any surprise the public distrusts the government? It claims to be fighting a cyberwar in order to make us more secure and yet, when it goes on the attack, it values its own secretive efforts over the security of the public.
When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.
As the government purchases more of these exploits to help fight its cyberwar, the lines on the battlefield are continuously redrawn and obscured. Buying exploits from independent hackers leaves them free to sell to other high bidding countries when not using the exploits themselves. This arms race also creates a perverse set of incentives. As the demand for new exploits increases, security companies and contractors that used to release information to those affected are now keeping their discoveries to themselves to preserve "market value."
The Reuters report also notes that this new breed of security contractor is offering up, among other things, keys to criminal botnets. Endgame, a heavily funded tech startup with close ties to the intelligence community, is more than willing to hand over control of thousands of zombie computers for the right price.
Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.So, we're engaged in a cyberwar that's going to help us by hurting us, is that it? I understand that no one wants to be outgunned when facing the enemy, but what's being detailed here looks like a whole lot of collateral damage in the pursuit of unattainable goals. The same exploits will be used on both sides of the battle, and with end users and the companies they rely on being cut out of the loop, it will be the civilians who fare the poorest. We'll just be asked to pretend the government's saving us from something even worse.
The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, cyberwar, hacks, security, us government, zero day
Reader Comments
Subscribe: RSS
View by: Time | Thread
The reality of governing
Getting rid of child porn, the war on terror, the war on piracy, the war on drugs, the war on cyber crime. Nothing that has been done so far has been effective in actually stopping those things but politicians look good because they are seen to be doing something. The majority of the public are too easily manipulated.
[ link to this | view in chronology ]
Re: The reality of governing
A little reverse psychology.
I think this is intentional. Fear is the most dangerous emotion humans have, and amongst its many pernicious effects are two that are particularly useful to would-be tyrants: fear makes people compliant and unthinking.
[ link to this | view in chronology ]
Re: Re: The reality of governing
Frightened of the government and who it's working for..."
https://www.youtube.com/watch?v=Tjus8cfLFJw
[ link to this | view in chronology ]
Re: The reality of governing
[ link to this | view in chronology ]
Re: Re: The reality of governing
[ link to this | view in chronology ]
Re: Re: The reality of governing
[ link to this | view in chronology ]
Re: The reality of governing
that *is* the superficial takeaway, but the REAL goal is to use such FUD to generate monies for their cronies, who then give them 'donations' (read: legalized bribes), who then pass laws to benefit their cronies, who then donate more money to the compliant kongresskritters, who pass more laws to benefit their cronies...
repeat as necessary...
the bullshit concern for the merikan people is mere window dressing, con artist patter to separate us from our money, honey...
kongresskritters are the masters of 3 card monty...
art guerrilla
aka ann archy
eof
[ link to this | view in chronology ]
Re: The reality of governing
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Why not follow private sector's lead?
[ link to this | view in chronology ]
Re: Why not follow private sector's lead?
[ link to this | view in chronology ]
Japan bombed Pearl Harbor as a preemptive strike to try and keep the USA out of WWII. This of course was a gross miscalculation that they later regretted.
We now have the US government looking to make preemptive strikes against the internet as a whole..... Question is, will they realize before it is too late that it is them in the bombers launching the attack?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
IF gov't would save us from Microsoft's exploitable mono-culture,
Back in the halcyon 80's, the notion was that computers would run so fast that software could practically be write-once-run-anywhere, so having multiple OSs wouldn't matter. Somehow Microsoft stole that dream, along with nearly all others; now they've delivered a massive OS with built-in spyware, plus DRM (of course that doesn't work, right?), proprietary lock-ins, and a toy UI that no one wants and has to be fixed.
[ link to this | view in chronology ]
Re: IF gov't would save us from Microsoft's exploitable mono-culture,
Of course the MSFT mono-culture has something to do with it. Which Federal Judge oversaw the MSFT anti-trust settlement? Collen Kollar-Kotelly. Which start chamber was Judge Kollar-Kotelly part of? That's right, FISA! (http://en.wikipedia.org/wiki/Colleen_Kollar-Kotelly). Internal collusion anyone?
After the Jane Harman scandal (http://www.salon.com/2009/04/20/harman/) we have to assume that at least some members of the US Congress are, um, "in debt" to the US intelligence community. Why not Federal Judges, too? Sure, it's a high-stakes game, but it's one that J. Edgar Hoover perfected a long time ago.
[ link to this | view in chronology ]
Re: IF gov't would save us from Microsoft's exploitable mono-culture,
[ link to this | view in chronology ]
Infact the govt. is behaving just like a parasite - adapting itself in such a way that the medicines (i.e. people with an ability to think deeply, rather unfortunately at present far outnumbered by those who can't) do not have their desired effects and, in the worst case scenario, these medicines themselves are treated as something unwanted and, ultimately, flushed out of the system (a highly efficient way to survive indeed!).
[ link to this | view in chronology ]
Re:
I continue to have problems understanding how "government" is separate from private companies. If you remove government and allow private companies to operate without any constraints, seems like you would get more of the same or worse.
Here's what that article said:
Reuters reviewed a product catalogue from one large contractor, which was made available on condition the vendor not be named. Scores of programs were listed. Among them was a means to turn any iPhone into a room-wide eavesdropping device. Another was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren't connected to anything.
So private contractors finding flaws and developing ways to exploit them would likely continue. They would just find people other than government to sell their info and programs to.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
This is a very real threat against our country and freedom as demonstrated by these GIJoes. As you can see a member of the terrorist organization Cobra is slipping by these strategically placed Joes undetected with a AA Battery Bomb.
Here you can see the effects of the AA Battery Bomb replicated by smashing this Lego city with a hammer. The destruction is incalculable.
We must act now before it is too late.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
So who's the threat now?
What better way to claim that laws and defense are needed than to create the situation so they can point at it...
See those zombie bot nets are DDOS'ing Wall Street and US banks, we NEED more legislation so that we can stop these attacks (that we initiated...)
It's worked well before and it will probably continue to work... To "Steal" from a popular poster company,
Government:
"You think our problems are bad, wait until you see our solutions."
Consulting:
"Even when you are the only solution, there is money to be made in prolonging the problem."
Where's the "Sad but true" button when you need it?
[ link to this | view in chronology ]
Freemarket Fail
Further they are offering such high prices they are subsidizing the bug creation for other countries.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
We decry these actions taken by other nations because they are dictators, except we have been shredding our citizens rights so our leaders can behave like those dictators.
So focused on "winning" we ignore that the thing we are protecting has been the first casualty.
More concerned with keeping contractors fat and happy we sacrifice the citizens rights, and those citizens are so brainwashed by soundbites they willingly accept the slide away from freedom.
People willingly accept 'collateral damage' as acceptable to hunt terrorists, ignoring we are killing innocent people to obtain our goals... just like how terrorists operate.
The only difference is we have a flag, and some words on a piece of paper we stopped understanding a long time ago.
[ link to this | view in chronology ]
The Last Word
“We decry these actions taken by other nations because they are dictators, except we have been shredding our citizens rights so our leaders can behave like those dictators.
So focused on "winning" we ignore that the thing we are protecting has been the first casualty.
More concerned with keeping contractors fat and happy we sacrifice the citizens rights, and those citizens are so brainwashed by soundbites they willingly accept the slide away from freedom.
People willingly accept 'collateral damage' as acceptable to hunt terrorists, ignoring we are killing innocent people to obtain our goals... just like how terrorists operate.
The only difference is we have a flag, and some words on a piece of paper we stopped understanding a long time ago.