Security vs. Nations: a lost battle?

“Know the enemy” is one of the basic recommendations of the ancient Chinese military strategist Sun Tzu (544–496 BC). In the cyber-world, the usual suspects are not only script kiddies, criminals and hacktivists, but also nation states.

 

Companies worldwide have prepared their defences to fight off the first three. Likewise, CERN, despite its wish for academic freedom, is constantly considering how best to prevent successful attacks. But when nation states are the antagonists, defence is impossible (unless you have plenty of money).

Today, the most popular computing services in the western hemisphere are run from the US. We already know that the US and the UK are tapping into Facebook, Google, Yahoo and others (see our Bulletin article on “‘Prison’ or ‘Prism’? Your data in custody”). But what about one level down?

Nowadays, IT hardware (routers, laptops, smartphones, etc.) is built in China. How can we be sure that these hardware devices do not contain chips manipulating the device (spying on activities, stopping functions, destroying data) using an external trigger? Meanwhile, a lot of software is written in India. How can we be sure that this software does not contain bugs inserted during the implementation phase, allowing adversaries to (you guessed it) spy on activities, stop functions and destroy data?

Modern hardware and software are now so complex that uncovering malicious functions is difficult (impossible!) for most organisations. Chips are usually sealed to protect intellectual property (according to chip manufacturers). Software contains millions of lines of code. Even if this code is “open source” it can be cumbersome to sift through. And can you be sure that your compiler doesn’t add functionality? Finally, understanding the resulting “assembly” code is difficult in itself. And even if you discover a vulnerability, it will be labelled a bug - accidentally introduced by careless or untrained computer programmers, and not deliberately inserted by a nation. It is not without reason that many nations have their own “bounty” programmes, paying for newly discovered software bugs and vulnerabilities, and trying (and succeeding!) to break common encryption protocols. Russia is running one of the largest dark markets for vulnerabilities and stolen credentials.

Of course, there are many other nations preparing for our cyber-future. Still, the world is at a new watershed. With the “Internet-of-Things”, a term coined in 1999 by visionary Kevin Ashton, all our devices will be interconnected in the near future. In fact, we already live in symbiosis with the Internet-of-Things. We are sitting like the proverbial frogs in the slowly boiling water, while nations prepare the Internet-of-Things as a new battlefield to be infiltrated, undercut and controlled. The “Great Firewall of China” as well as the US’s “Prism” and the UK’s “Tempora” programmes that spy on innocent citizens are the first cuts to the free Internet. The “Stuxnet” cyber-attack against Iran, generally deemed to be one of the first ever conducted, exploited four unknown (until then) vulnerabilities (“zero-day exploits”) of the Windows XP operating system, presumably as part of the US and Israeli bounty programmes. In the civil war in Syria, the “Syrian Electronic Army” brought down the New York Times homepage and that of “Marines.com” to show off its power. They also threatened to strike back more severely once the US drops bombs on Syria.

Without being paranoid, is the battle already lost? Has the age of the free Internet already passed? Is our privacy gone? How much security are we willing to accept before our world turns into George Orwell’s 1984 or Aldous Huxley’s Brave New World? In the warmth of the upcoming holiday season, maybe this is the right time to reflect and discuss what we can all do to keep the Internet a free and public place, and not a battlefield for paranoid nations.

Enjoy the holiday season and have a Happy New Year 2014!

Take care of yourself, your family and your computers. Remember that, at home as well as at CERN, you are responsible in the first instance for: the computer security of the laptops, smartphones and PCs you use; the accounts and passwords you own; the files and documents you hold; the programs and applications you have installed or, in particular, you have written; and the computer services and systems you manage. At CERN, the Computer Security Team is ready to help you with this responsibility.


For further information, visit the Computer Security website or contact us at Computer.Security@cern.ch.

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.



by Computer Security Team