Social Cyber (In)Security, A Federal Policy

ūüá®ūüáĪ¬†Leer en espa√Īol

Hackers are evolving their capabilities. Intelligence agents are evolving their skills. Both have merged to become the new weapon of war. A weapon that is not perceived, but is affecting us. A weapon under the protection of the government, but without real control.

When I started being a user of computers and technology systems, I was quite interested in the underworld of the faceless people who were able to take advantage of the doors that all technology leaves open.

I remember several computer magazines that delivered utility-loaded cd-roms and, not infrequently, these applications would be hacking tools and¬†backdoors, which are programs that are installed on other computers to give unauthorized access to visitors, or to exploit vulnerabilities in Operating Systems like Windows or applications like Mosaic or Netscape (raise the hand those who¬†were “Netscapers” until Internet Explorer engulfed¬†it). Anyone with a little curiosity could become one of these anonymous “exploiters.”

The collective name of these types of exploiters is “hacker,” however this name covers a large number of different¬†marginal¬†technological activities, whether they’re¬†ethical, with some ethic, plainly unethical, or in those grey zones so hard to define.

Thanks to news in¬†last years, hackers activities and the security needed in response has gained enough awareness and media coverage, almost always with a negative connotation for the link to “felony” that comes in the stories.

We all know the importance of having an antivirus, for example. There is no serious company that does not have a security strategy, at least at a basic level, and the importance of having strong passwords has been revealed over and over in news with worldwide resonance, as with the Sony hacking in 2014 or the breaches in Yahoo between 2015 and 2016 (some even without needing to get the actual passwords), among so many other big companies that have suffered the cunning of anonymous anti-heroes.

When it comes to attacks on companies, it is easy to see the damage, from loss of credibility and trust in customers to information leakage and asset theft. But what is the harm to individuals and independent users when these attacks occur? The answer lies in an issue related to security, information management.

Big-Data

The Hunt For Information

The target of many attacks points to data, at all levels. Strategic information of companies or customers and users databases. For what? Probably for money, by selling or getting benefits derived from extortion, privileged knowledge of certain conditions or the possibility of accessing a jackpot, that leads to financial instruments or assets.

So, what is this information of everyday people¬†and what makes it so interesting and valuable? Well, a long time ago,¬†back in the ’60s, American Airlines started to use the data of their customers behavior to set the price for their tickets. This allowed them to maximize earnings with only marginal additional costs and initiated an era where information is¬†key to drive a successful business. From Data Warehouse to Business Intelligence to Big Data, the sophistication of techniques to handle ever more complex and larger bases has had a great impact on the marketing in every industry.¬†Even the political system.

According to sources, one of the key factors playing in the 2016 US Presidential Election was the use of Big Data in the Trump campaign. A company called Cambridge Analytica had¬†collected data from Facebook “likes” of 30 million people and categorized¬†the users and their interactions as per the OCEAN personality model¬†to know what different groups are “liking” and to predict what these groups “will like”. Trump used this information to carefully pick his audience, his topics, and his moments during the campaign. Remember those tweets we thought were¬†barbarian? They all might just be part of the plan. And it worked.

So the data that companies, governments, and politicians need from us is, well, everything they can get. The more info they collect, the more accurate their analysis and the more buyers will be. Who cares what your routine route from your work to home is, right? Maybe advertisers willing to know their audience, politicians willing to know their campaign efficacy, retailer willing to know potential customers for a new point of sale.

And that’s just the commercial use of the data. What happens when¬†unscrupulous hackers obtain this information?

ashley-madison.jpg
Millions of records from users who demanded discretion from Ashley Madison website were made public by hacktivists who considered the service “immoral.”

The Lost Of Information

When online dating company Ashley Madison, whose motto used to be “life is short, have an affair,” suffered a security incident and lost millions of accounts and data from its users, the root cause¬†was a breach in systems of¬†the company exploited as part of “hacktivism,” a kind of virtual protest usually against governmental and corporate targets, but it was the users who had to pay for¬†the consequences, not only because of¬†the attackers who stole the information, but because of¬†anyone who could have accessed it (it was left in public repositories) in order to extort people for whom they got an address, a phone number and a secret.¬†Of course, practically nobody took legal actions to avoid further exposition¬†as a user of the service.

Another example of a breach in¬†a service that should have been discreet happened with the¬†hacking against the Australian Red Cross in October 2016. More than half a million donors saw their data exposed, including their confidential statements about¬†“risky sexual behavior.”

Not only services where discretion should be obvious are affected in this way. One particularly serious example was the security breach recognized by the VTech technology toys manufacturer in 2015, where millions of records were exposed, specially¬†information of minors, including¬†their names, address, family, school¬†and financial data of the¬†children’s parents.

If we already deemed information as a transcendental element in cybersecurity, this kind of exposure of sensitive data leads to a related issue, but a world in itself: privacy.

We all have a right to privacy and we should exercise it as much as we can. However, the people does not receive education on this matter, mainly because it is not a right considered essential by the governments.

An example in US happened in April 2017, when Trump administration signed a repeal on privacy rules that would prevent Internet Service Providers to sell browsing history and metadata of their customers.

People could prefer services that encrypt communications, use VPN to hide their online movements, keep up-to-date antivirus and anti-malware bases, change passwords frequently, avoid entering sensitive data in online forms, specially on public networks, never upload pictures of their home with GPS enabled, never share info of children and a long et cetera.

But at the end, every day we are consciously willing to deliver personal data to large companies in exchange for “free” services. An Internet clich√© says that “if you do not pay for what you receive, you are the product”, but in reality the product is the data, both to individualize¬†consumers and to analyze behavior and trends¬†that are later used by the advertising machinery. Among others.

To some extent we endorse this transaction, but from another point of view we do not know exactly what we are giving away or the relevance of its content. Nor do we know to whom this information actually goes to¬†or could go to.¬†We know of one destination, the companies themselves that collect and share their databases for commercial purposes. And we know a second one by now, the “intruders” who can obtain that information for different purposes as mentioned. But there is a third destination worth discussing. One that happens to be the¬†least feared, but it is certainly the most powerful.

criticalInf.jpg
Critical Infrastructures are the focus of great spending for protection from city disruption attacks.

The Best Defense Is Attack

It is undeniable that technologies, and especially the Internet, represent an extension of public spaces, universities, companies, hospitals and our own homes. Therefore, if we protect, for example, our homes with locks, we should also think about protecting the technological extension of those homes. Our email, our bank accounts, our family privacy.

At the government level, the most important protection demand is that associated with so-called critical infrastructures, those facilities that allow a country to operate and not lose productivity, security or provisions. Hospitals are critical infrastructure because they are essential to ensure sanitary conditions. So are utilities like water and electricity. The energy ‚Äďin the form of fuel extraction, refining and distribution‚Äď is also. Telecommunications and the Internet itself have been declared critical infrastructure by various countries and states.

With all the importance of these areas, it is mandatory that governments have as a priority the defense of these facilities which includes their technological extensions of which they are all highly dependent. That is why budgets in cybersecurity have been multiplying year by year, especially in developed countries.

The problem occurs when governments¬†think that defense is not enough and, therefore, the strategy of cybersecurity is complemented with two types of offensive, a passive one ‚Äďthat is to gather intelligence on potential attacks and potential enemies‚Ästand the¬†active one, which is based on infiltrating and eventually exploiting vulnerabilities in potentially dangerous systems. There is a widely studied example of this offensive¬†in 2010, when the US intelligence apparatus helped the Israeli Intelligence Unit 8200 to implant the Stuxnet worm (a kind of computer virus) at Iran’s nuclear facilities, managing to delay Tehran’s plans of nuclear power for several years.

In recent months, the world has witnessed a number of events that have been attributed, with or without evidence, to state hackers. An example of an¬†allegation lacking evidence is the stealing¬†of thousands of emails from the US Democratic National Committee and the account of Hillary Clinton’s campaign chairman¬†in 2015-2016, John Podesta, both attributed to Russian hackers sponsored by the Kremlin government.

Russia, along with China, Israel and the US, are the most active nations sponsoring hackers. A recent example with plenty of evidence is pointing to the US intelligence agencies themselves, the CIA and the NSA.

Edward Snowden worked for both institutions and ended up deserting the NSA ranks in 2013, denouncing the agency’s large-scale espionage program where all Americans could be subject to wiretapping and gathering of communication data without the need for court orders or open investigations.

During 2017, WikiLeaks has been publishing documents under the title Vault 7 that show that the CIA has a department dedicated to creating malicious programs to intervene operating systems, smartphones, routers, including televisions and specific applications such as antivirus. Symantec, a computer security giant, recognized, among the Vault 7 documents, techniques and programs that coincide with a group classified as malicious that they codenamed “Longhorn” and to which they attribute responsibility in attacks against “40 objectives in 16 different countries.”

1984
A scene from 1984, the movie based on the work of George Orwell, where privacy was nowhere to be found and the government controlled every move. A prophecy fulfilled, some may say.

He Who Owes Nothing, Fears Nothing?

Or Why You Should Care About Privacy

Again we ask the question: To what extent do these government practices affect specific individuals?

The answer is the same, the diminution of the right to privacy, but this time based on sociopolitical interests.

Many people argue that “he who owes¬†nothing fears nothing,” saying¬†that there is no problem with others accessing our data if we have no crime to conceal nor a “stained” past or present. But this way of thinking is wrong because our privacy exists to protect us and not to hide anything. When we lose this protection, we are exposed in at least four¬†ways:

The first is interpretation, which is the meaning intended by the owner of the private data. Those who access our data can judge it as good or bad according to their own view, which may be different from that of the owner. For example, knowing that someone was involved in an abortion can be viewed as a crime by a person identified with pro-life movements or with compassion for someone who has gone through the same.

The second is contextualization, referring to properly understanding the private scenarios and symbols that are handled in the intimacy of family, friendship, work and other relationships.¬†The lack of context leads to incomplete depictions of reality.¬†For example: if an email is intercepted in response to a text message and this email is titled “Overthrowing the Government,” followed by a step-by-step action that would serve that purpose, it is easy to set up an accusatory conspiracy case. But what is missing? The text message that originated everything and may have said “I need to write a report, can you help me with a fictional political scenario?”

The third is containment, which means we know where our private data is and who access it in any given moment.¬†¬†Consider for a second¬†that we trust our government with the civil registry (vital records). Does that mean we trust in every member of the government, currently and futurely? Edward Snowden himself acknowledged he used¬†NSA bases to “check” on his¬†girlfriend, because he could. Barack Obama’s National Security Advisor, Susan Rice, used classified information (from “incidental” surveillance) to delegitimize current President Trump when he was on campaign.

The fourth¬†is transitivity, which is¬†to deem¬†privacy as an inalienable right to secure all other freedoms that any healthy democracy must guarantee. Perhaps this is best explained in¬†a phrase by Edward Snowden, who stated¬†that “saying that I do not care about the right to privacy because I have nothing to hide is like saying that I do not care about freedom of speech¬†because I have nothing to say”.

state-sponsored-hackers-suspected-targeting-kazakh-lawyers-dissidents-cyberattacks.jpg

Watching Those Who Watch

State-sponsored hackers, whether in Russia, China, Israel or the US, expose the privacy of their own citizens in all four areas when engaging in offensive cyber security activities. In addition, there are other harmful effects of these questionable activities. Julian Assange, editor of WikiLeaks, has reported that the CIA not only created an arsenal of cyber attack tools, but when they lost control of it, they did not inform vendors about vulnerabilities in different technology systems, exposing millions of users.

Recently, the hacking group The Shadow Brokers made it clear that the NSA incurred the same foul and have exposed dozens of millions of Microsoft Windows users. Microsoft stated that nobody had alerted them about the exploits, except reporters when they were made public. But a month before public release of the exploits, Microsoft had already issued a security patch, coincidentally for most of these exploits.

Independent publishers are leading the defense, but the Intelligence Community in US is retaliating. In April 2017, Mike Pompeo, CIA Director, accused WikiLeaks of being a hostile Intelligence Service and said Julian Assange “has no First¬†Amendment Right.”

According to reports by former NSA deputy director Rick Ledgett, 90% of US cybersecurity spending Is assigned to the offensive, only 10% is defensive. This is the best example of the new kind of wars that are upon us.

But the warning is summarized by WikiLeaks in this way:

Cyber ‘weapons’ are not possible to keep under effective control.

While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber ‘weapons’, once developed, are very hard to retain.

Cyber ‘weapons’ are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost.

Securing such ‘weapons’ is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces…

That is why now the greatest threat, for states and individuals, is not the computer viruses that have been appearing since the 70s, nor the trojans or backdoors that proliferated with the growth of the Internet, not even the hacktivism that has been promoted by Anonymous, in the current century. The most dangerous hacker has at his command an overflowing and growing budget, unfathomable technical and processing capabilities and wears a credential that shelters him in the secretive protection of an intelligence agency.