
Can We Fight Government-Sponsored Malware?

Organized cyber-crime can come up with some pretty nasty attacks, but nation-states can pour vastly more resources into developing cyber-weapons. Is there any defense against government-sponsored malware?

By Neil J. Rubenking
August 7, 2014

Security guru Mikko Hypponen pulled out of the RSA Conference earlier this year to protest the fact that a flaw in the RSA encryption algorithm let the NSA break into encrypted files. Either they did it deliberately, or it was an accident. Evil, or inept? It's bad either way. At the Black Hat 2014 conference in Las Vegas, Hypponen expanded on what we can expect when governments get into the malware-writing business.

Hypponen led with a small history lesson. "It's a common misconception," he said, "that if a company is hacked badly enough, they'll go bankrupt. But it's not so. Most large organizations recover quickly. Think of the Sony PSN breach." He went on to point out one notable exception. In 2011, Dutch firm DigiNotar got breached by an outside attacker that used the company's certificate generation system to generate fake certificates for Google, Mozilla, Microsoft, Twitter, and more.

"This attack was used by the Iranian government to monitor and find dissidents in their own country," said Hypponen. "An attack like this is doable if you control the whole network of your country. DigiNotar didn't fold because they were hacked; they folded because they didn't tell anyone. When it came out, they lost trust, and as a certificate vendor trust is what they were selling."

A Recent Change
"Think about the security industry's enemies for the last 20 years," said Hypponen. "It was just kids, hobbyists launching attacks because they could. Then 15 years ago, professional criminal gangs got into the business. Government malware activity has only been with us a bit over ten years."


"Not long ago, the idea that democratic western governments would be actively involved in this would have sounded ridiculous," continued Hypponen. "The idea of a democratic western government backdooring systems to spy on another democratic government? But that is where we are."

Hypponen compared the current buildup of government-sponsored malware creation to the old nuclear arms race. He pointed out that there's no question of attribution when one country drops a nuke on another. The power of nuclear weapons is in deterrence, not in actual use. Cyber "arms" are completely different.

Your Government May Infect You
Hypponen laid out five purposes a government might consider for malware creation: law enforcement, espionage (in other countries), surveillance (of their own citizens), sabotage, and actual warfare. "My own country, Finland, made it legal this January for the police to infect you with malware if you're suspected of a serious crime," noted Hypponen. "If tools like this are being used, we have to have a discussion. What crime is bad enough? I'd like to see statistics: last year we infected so many citizens, this many were guilty, this many weren't." He went on to suggest that if law enforcement infects you and you're innocent, they should own up. "I'd like them to say they're sorry," he added. "That would be fair."

The full presentation went into great detail about a number of specific government-sponsored malware attacks. You can read it here. Hypponen closed with a sobering point. According to the Geneva convention, the definition of a legitimate military target includes "those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage." "That's us," said Hypponen. "In war, antivirus companies are a legitimate target."
