Flawed cyber security: Just how ‘we’ like it

After a cyber-surveillance leak or cyber hack, breakdowns on how such an intrusion has taken place alongside an assessment of potential future issues on cyber security dominate discussion. Although this is a noble and imperative thing to do, the blunt reality is that the ability to infiltrate, intercept and exfiltrate information is at the heart of a global multibillion pound industry.

This is not a reference to a ‘black market’. High tech hacking tools and surveillance equipment that can intercept and penetrate devices are for sale from ‘reputable’ and ‘legal’ conglomerates without universal unequivocal regulation. Why so? Put simply, flawed systems enable great cyber powers to engage in cyber espionage from a safe distance, reaping more information than a human spook. As a result, private vendors are not only willing to flood the world with cyber surveillance weapons to great powers, but to less powerful ‘rogue’ states led by authoritarian regimes. During Bashar Assad’s bloody crackdown on peaceful protests, Italian firm Area SpA willingly equipped “President Bashar al-Assad’s regime with the power to intercept, scan and catalogue virtually every e-mail that flows through the country”. Furthermore, Area SpA enabled the regime to “follow targets on flat-screen workstations that display communications and Web use in near-real time alongside graphics that map citizens’ networks of electronic contacts.”

In other words, there is a deeply rooted culture of cyber intrusion that is demanded and lusted for, irrespective of whether it be for the purpose of exfiltrating information for the state, a private company, or a teenage thrill.

However, it is important to note that there are elite cryptographers from across the world who convene to discuss encryption standards. Reuters reported that “an international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards”.

Suspicion of the U.S. at the International Organization of Standards “stem largely from internal NSA documents disclosed by Snowden that showed the agency had previously plotted to manipulate standards and promote technology it could penetrate”. However, we are yet to see, a conclusive deal in which the U.S. and its Five Eyes cyber surveillance partners (U.K. Canada, Australia and New Zealand) agree to cease trying to evade encryption of foreign nations in order to engage in cyber espionage. It is important to remember in this regard that the FBI’s fear of “going dark”, particularly in the San Bernardino iPhone case, led the Bureau to pay “1.3 million” to hack into the phone of the terrorist that apple was unable (refused) to unlock.  The FBI’s perception of “going dark” refers to two issues,

 “real-time court-ordered interception of what we call “data in motion,” such as phone calls, e-mail, and live chat sessions. The second challenge concerns court-ordered access to data stored on our devices, such as e-mail, text messages, photos, and videos—or what we call “data at rest.” And both real-time communication and stored data are increasingly encrypted…We may not have the capability to quickly switch lawful surveillance between devices, methods, and networks. The bad guys know this; they’re taking advantage of it every day.

To emphasize the concern that there is a culture and a demand for relatively porous security (ironically in the name of security), the FBI went on to state that “if the challenges of real-time interception threaten to leave us in the dark, encryption threatens to lead all of us to a very dark place”. The intellectual and technical expertise of the world’s most sophisticated intelligence services in conjunction with vast cyber security vendors are doing their utmost to undermine the work of Kaspersky and various other companies that are trying to increase security and encryption. In reality, both taps need to be turned off if this issue is to subside. Conversely, a situation arises where one’s weakness in cybersecurity becomes another’s strength.

If the history of international cooperation teaches us anything, it is that unity on national security is seldom forthcoming. Different states have national security issues that are sensitive and the huge possibilities for advancing national interests at the expense of an ‘enemy’ are so profound that they hinder any progress. For the U.S. the ability to have back doors may be of top priority given its global ‘war on terror’ which requires electronic surveillance to track people abroad. Russia and China however fear that advanced US cybersecurity capabilities will be directed at them.

Needless to say, the desired international standard on cyber security that would actually reduce cybersecurity concerns, will not be achieved until the culture and insatiable desire to keep electronic devices and forms of communication weak is reversed. Genuine agreements on cyber espionage and surveillance must be negotiated. But as the battle between unipolar bipolar and multipolar worlds are continuously shifting, such agreements do not seem to be conducive in meeting the demands an increasingly competitive global order.