US's 'Cyberwar' Strategy: Making The Public Less Secure In The Name Of 'Security'

from the adding-up-wrongs-to-make-a-right dept

Tue, May 14th 2013 8:44am — Tim Cushing

The US government seems to be responding to "cyber Pearl Harbor" by heading out on bombing runs of its own. All the concern for the safety of the American public displayed in Congress during the CISPA push seems to have been nothing more than the empty words we expect from our representatives. Americans and American companies are now being caught in the crossfire -- some of it "friendly."

The US government is waging electronic warfare on a vast scale — so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.

Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to "offensive" cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.

"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."

I'm not sure how increasing user vulnerability helps win a cyberwar, but no doubt any home team casualties will be written off as sacrifices for the greater good. Even more troubling than the government's willingness to sacrifice security for security (??) is the fact that it's unwilling to share this information. What good are those provisions in CISPA and President Obama's recent cybersecurity executive order about the government sharing cybersecurity info with companies, if the government hoards the information for their own hacking purposes? More details from the Reuters report.

Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.

When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.

Is it any surprise the public distrusts the government? It claims to be fighting a cyberwar in order to make us more secure and yet, when it goes on the attack, it values its own secretive efforts over the security of the public.

As the government purchases more of these exploits to help fight its cyberwar, the lines on the battlefield are continuously redrawn and obscured. Buying exploits from independent hackers leaves them free to sell to other high bidding countries when not using the exploits themselves. This arms race also creates a perverse set of incentives. As the demand for new exploits increases, security companies and contractors that used to release information to those affected are now keeping their discoveries to themselves to preserve "market value."

The Reuters report also notes that this new breed of security contractor is offering up, among other things, keys to criminal botnets. Endgame, a heavily funded tech startup with close ties to the intelligence community, is more than willing to hand over control of thousands of zombie computers for the right price.

Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.

The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.

So, we're engaged in a cyberwar that's going to help us by hurting us, is that it? I understand that no one wants to be outgunned when facing the enemy, but what's being detailed here looks like a whole lot of collateral damage in the pursuit of unattainable goals. The same exploits will be used on both sides of the battle, and with end users and the companies they rely on being cut out of the loop, it will be the civilians who fare the poorest. We'll just be asked to pretend the government's saving us from something even worse.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, cyberwar, hacks, security, us government, zero day

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Zakida Paul (profile), 14 May 2013 @ 8:51am

The reality of governing
It doesn't matter if people are actually safer. It is all about creating the illusion of safety.

Getting rid of child porn, the war on terror, the war on piracy, the war on drugs, the war on cyber crime. Nothing that has been done so far has been effective in actually stopping those things but politicians look good because they are seen to be doing something. The majority of the public are too easily manipulated.
[ link to this | view in chronology ]
- John Fenderson (profile), 14 May 2013 @ 9:03am
  
  Re: The reality of governing
  Actually, I think it's about the opposite: making us feel like we're in danger (and only the decreased liberty can save us). The TSA is the best example of this, but I think the psychology goes like this: the more the public sees that they are paying a price to be safe, the greater the underlying sense that if they're being asked to pay a price, there may be an underlying danger that is about equally strong.
  
  A little reverse psychology.
  
  I think this is intentional. Fear is the most dangerous emotion humans have, and amongst its many pernicious effects are two that are particularly useful to would-be tyrants: fear makes people compliant and unthinking.
  [ link to this | view in chronology ]
  - Anonymous Coward, 14 May 2013 @ 9:19am
    
    Re: Re: The reality of governing
    "Frightened of bureaucracy and frightened of the law
    Frightened of the government and who it's working for..."
    
    https://www.youtube.com/watch?v=Tjus8cfLFJw
    [ link to this | view in chronology ]
  - The Libertarian, 14 May 2013 @ 11:21am
    
    Re: The reality of governing
    Isn't bravery and courage more powerful than Fear? A fearful person is more easily controlled than one who has nothing to fear.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 14 May 2013 @ 1:38pm
      
      Re: Re: The reality of governing
      Someone is brave when they can act in the face of fear. It's not really an emotion on its own. Someone who is without fear cannot be brave, by definition.
      [ link to this | view in chronology ]
  - Anonymous Coward, 14 May 2013 @ 11:24am
    
    Re: Re: The reality of governing
    It's about both. The most successful politicians will trump up a "danger" we all need to be afraid of and then offer a solution for it to make us all "safe," despite both being complete BS.
    [ link to this | view in chronology ]
- art guerrilla (profile), 14 May 2013 @ 12:37pm
  
  Re: The reality of governing
  well, i think you know better...
  that *is* the superficial takeaway, but the REAL goal is to use such FUD to generate monies for their cronies, who then give them 'donations' (read: legalized bribes), who then pass laws to benefit their cronies, who then donate more money to the compliant kongresskritters, who pass more laws to benefit their cronies...
  repeat as necessary...
  
  the bullshit concern for the merikan people is mere window dressing, con artist patter to separate us from our money, honey...
  
  kongresskritters are the masters of 3 card monty...
  
  art guerrilla
  aka ann archy
  eof
  [ link to this | view in chronology ]
- Faizan, 15 May 2013 @ 12:28am
  
  Re: The reality of governing
  I agree with what you say, Obama (in order to look good) has made another bill in which the Authorities can Look in to our emails (source: http://goo.gl/K7DKy). Whereas they should be doing about the real issues which you have highlighted instead of harassing the general public!
  [ link to this | view in chronology ]
Anonymous Coward, 14 May 2013 @ 9:11am

what seems to be happening here is exactly what i remember seeing after the worst 'terrorist attack' ever. that terrorists wont have to do anything because the 'defenders against terrorism will do more harm than the terrorists themselves could ever hope to do'. those words seem to have a lot of truth attached to them. what a shame.
[ link to this | view in chronology ]
Kevin L (profile), 14 May 2013 @ 9:12am

Why not follow private sector's lead?
Instead of spending millions on in-house exploit hunting, why not follow Google's lead and offer bounties for discovering exploits which will then be put in a public database? Economically, if the value of the bounty is greater than the value of using or selling the exploit (monetarily or otherwise) then hackers will be happy to collect the bounty. And since multiple hackers can find the same exploit, there will be competition to be the first and/or the lowest bidder.
[ link to this | view in chronology ]
- Josh in CharlotteNC (profile), 14 May 2013 @ 9:19am
  
  Re: Why not follow private sector's lead?
  The government is already following the private sector's lead. Just not the "white hat" side of it. Sure, they're paying bounties for exploits - but they don't end up in public databases, they are not reported to the software company, and are not fixed or patched. This isn't new. Remember the HBGary hack? Similar presentation slides were found boasting of knowledge of exploits that were not public knowledge and able to be used for offensive purposes.
  [ link to this | view in chronology ]
Machin Shin (profile), 14 May 2013 @ 9:16am

"cyber Pearl Harbor" might not be as bad a name for what is coming as people think....

Japan bombed Pearl Harbor as a preemptive strike to try and keep the USA out of WWII. This of course was a gross miscalculation that they later regretted.

We now have the US government looking to make preemptive strikes against the internet as a whole..... Question is, will they realize before it is too late that it is them in the bombers launching the attack?
[ link to this | view in chronology ]
Kevin L (profile), 14 May 2013 @ 9:17am

Also, kudos to whoever at Reuters wrote:
emails published by hackers acting under the banner Anonymous.
That's the first time I've seen anything like an understanding of what "Anonymous" is from major news sources.
[ link to this | view in chronology ]
out_of_the_blue, 14 May 2013 @ 9:42am

IF gov't would save us from Microsoft's exploitable mono-culture,
this'd be automatically nearly wiped out. -- Of course Apple and Google aren't real alternatives. Not only do they provide backdoors for the gov't, but even outside that, just look at how fast Google's latest Precious, Glass, was broken into.

Back in the halcyon 80's, the notion was that computers would run so fast that software could practically be write-once-run-anywhere, so having multiple OSs wouldn't matter. Somehow Microsoft stole that dream, along with nearly all others; now they've delivered a massive OS with built-in spyware, plus DRM (of course that doesn't work, right?), proprietary lock-ins, and a toy UI that no one wants and has to be fixed.
[ link to this | view in chronology ]
- Arthur Treacher, 14 May 2013 @ 10:07am
  
  Re: IF gov't would save us from Microsoft's exploitable mono-culture,
  I call BS. This isn't OOTB1 (legally-trained shill) or OOTB2 (sweat-of-the-brow irrational "intellectual property" owner).
  
  Of course the MSFT mono-culture has something to do with it. Which Federal Judge oversaw the MSFT anti-trust settlement? Collen Kollar-Kotelly. Which start chamber was Judge Kollar-Kotelly part of? That's right, FISA! (http://en.wikipedia.org/wiki/Colleen_Kollar-Kotelly). Internal collusion anyone?
  
  After the Jane Harman scandal (http://www.salon.com/2009/04/20/harman/) we have to assume that at least some members of the US Congress are, um, "in debt" to the US intelligence community. Why not Federal Judges, too? Sure, it's a high-stakes game, but it's one that J. Edgar Hoover perfected a long time ago.
  [ link to this | view in chronology ]
- Anonymous Coward, 14 May 2013 @ 10:24am
  
  Re: IF gov't would save us from Microsoft's exploitable mono-culture,
  Linux is a viable alternative, and you can look at the source code.
  [ link to this | view in chronology ]
Anonymous Coward, 14 May 2013 @ 10:13am

That's the strategy US Govt. has adopted all-along - supporting the bad people (by terming them as good, obviously) to reach their desired (usually nefarious) goals and not leaving any stone unturned to silence those who are vigilant enough to say exactly what they see (that it's not in the best interest of the public).

Infact the govt. is behaving just like a parasite - adapting itself in such a way that the medicines (i.e. people with an ability to think deeply, rather unfortunately at present far outnumbered by those who can't) do not have their desired effects and, in the worst case scenario, these medicines themselves are treated as something unwanted and, ultimately, flushed out of the system (a highly efficient way to survive indeed!).
[ link to this | view in chronology ]
- Suzanne Lainson (profile), 14 May 2013 @ 11:13am
  
  Re:
  That's the strategy US Govt. has adopted all-along - supporting the bad people (by terming them as good, obviously) to reach their desired (usually nefarious) goals and not leaving any stone unturned to silence those who are vigilant enough to say exactly what they see (that it's not in the best interest of the public).
  
  I continue to have problems understanding how "government" is separate from private companies. If you remove government and allow private companies to operate without any constraints, seems like you would get more of the same or worse.
  
  Here's what that article said:
  
  Reuters reviewed a product catalogue from one large contractor, which was made available on condition the vendor not be named. Scores of programs were listed. Among them was a means to turn any iPhone into a room-wide eavesdropping device. Another was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren't connected to anything.
  
  So private contractors finding flaws and developing ways to exploit them would likely continue. They would just find people other than government to sell their info and programs to.
  [ link to this | view in chronology ]
Ninja (profile), 14 May 2013 @ 10:29am

The US has been at war with all sorts of real, semi-real and imaginary enemies since 1700 something. I think we need to give these politicians some GIJoe play kits that include some pseudo cyber attackers so they can spend their time less productively. And by productively I mean screwing up people and being morons.
[ link to this | view in chronology ]
- Anonymous Coward, 14 May 2013 @ 11:45am
  
  Re:
  Mr. President,
  This is a very real threat against our country and freedom as demonstrated by these GIJoes. As you can see a member of the terrorist organization Cobra is slipping by these strategically placed Joes undetected with a AA Battery Bomb.
  Here you can see the effects of the AA Battery Bomb replicated by smashing this Lego city with a hammer. The destruction is incalculable.
  We must act now before it is too late.
  [ link to this | view in chronology ]
Anonymous Coward, 14 May 2013 @ 11:03am

What I don't get is the whole "If we change as a society, if we give up what makes us a free country, the terrorists have won" speech they all gave us. Exactly what hasn't changed for the worse? We have given up so many freedoms in the name of security that I really don't see how the terrorists didn't win. They succeeded in making the whole free world worse, but the free world leaders are to blame, not the terrorists or hackers or whatever the buzzword for "bad guy" is nowadays.
[ link to this | view in chronology ]
Anonymous Coward, 14 May 2013 @ 1:47pm

So who's the threat now?
Well if there isn't a "Cyber-Security" threat out there, then leave it to our government to create one.

What better way to claim that laws and defense are needed than to create the situation so they can point at it...

See those zombie bot nets are DDOS'ing Wall Street and US banks, we NEED more legislation so that we can stop these attacks (that we initiated...)

It's worked well before and it will probably continue to work... To "Steal" from a popular poster company,

Government:
"You think our problems are bad, wait until you see our solutions."
Consulting:
"Even when you are the only solution, there is money to be made in prolonging the problem."

Where's the "Sad but true" button when you need it?
[ link to this | view in chronology ]
toyotabedzrock (profile), 14 May 2013 @ 3:18pm

Freemarket Fail
The cyberware people seem to be forgetting that a bug is not a physical object that can only be sold once.

Further they are offering such high prices they are subsidizing the bug creation for other countries.
[ link to this | view in chronology ]
BentFranklin (profile), 14 May 2013 @ 5:16pm

the Internet is basically US territory. Everything we do, we do on the Internet. I can't think of anything stupider than inviting warfare on one's own territory.
[ link to this | view in chronology ]
That Anonymous Coward (profile), 14 May 2013 @ 5:22pm

We have become the enemy, the enemy is us.

We decry these actions taken by other nations because they are dictators, except we have been shredding our citizens rights so our leaders can behave like those dictators.

So focused on "winning" we ignore that the thing we are protecting has been the first casualty.

More concerned with keeping contractors fat and happy we sacrifice the citizens rights, and those citizens are so brainwashed by soundbites they willingly accept the slide away from freedom.

People willingly accept 'collateral damage' as acceptable to hunt terrorists, ignoring we are killing innocent people to obtain our goals... just like how terrorists operate.

The only difference is we have a flag, and some words on a piece of paper we stopped understanding a long time ago.
[ link to this | view in chronology ]