Last week, Kaspersky Lab announced the discovery of Flame, a malicious program with “complexity and functionality…exceed[ing] those of all other cyber menaces known to date.” Once installed on a computer, Flame conducts espionage using a bag of tricks including screen shots, recording of audio conversations, and network traffic monitoring. It is believed by some experts to be the work of a nation state, and has primarily been targeting systems in the Middle East. As a Kaspersky Lab representative explained in a Q&A, there “doesn’t seem to be any visible pattern re the kind of organizations targeted by Flame. Victims range from individuals to certain state-related organizations or educational institutions.”
This has added fuel to the ongoing debate regarding a possible international treaty banning cyberweapons. It’s an important topic that deserves proper consideration. But the publicity around Flame furnishes an opportunity to consider other cybersecurity questions as well. Here, in particular, are five worth asking:
1. What is the true scope of cyberattacks going on today?
It has long been recognized that our systems are vulnerable to compromise. What is more recent and far more sobering is the realization that many of them may already be compromised. Flame has apparently been delivering espionage data to its makers for at least two years and likely longer. Stuxnet, which is reportedly the result of American and Israeli collaboration, was initially launched in June 2009. The full list of cyberattacks going on at this very moment is probably stunning in its length, in the breadth and geographical scope of its targets, and in the diversity and sophistication of the attackers. The resulting implications for foreign policy, intellectual property security and individual privacy are profound.
2. Will infection with some form of malware soon become the rule rather than the exception?
In an age when attacks can be hidden in apparently innocuous websites and documents, this is an important question. Perhaps cybersecurity efforts of the future will no longer be able to aspire to the impossible goal of ensuring perfectly clean systems, but instead will need to engage in a process of triage, focusing on the more serious viruses and giving lower priority to those that are the digital equivalent of the common cold.
Of course, the computer security industry has long prioritized its efforts to focus on the most potent threats. However, the concept that some background level of minor, low-level infection may become the “new normal” is not one that most people are ready to accept. If system complexity continues to increase at present rates—and there’s no indication that it won’t—we may soon have no choice.
3. In the future, will nations outsource domestic espionage?
Unsurprisingly, intelligence services do not always feel compelled to follow the laws of foreign countries in which they operate. In a recent piece in Politico, former CIA Clandestine Service operations officer Henry Crumpton wrote that “I often had to explain [to the FBI] that the CIA did not break U.S. laws—just foreign laws.”
If U.S. intelligence services were to release malware that gathered screen shots and audio recordings from computers in countries such as China or France, they might argue that doing so does not violate any American laws. And, if Chinese or French intelligence services were to deploy similar malware to gather data from computers in the United States, they could argue that no Chinese or French laws were violated.
This creates the very disturbing possibility of the cyber espionage analog to extraordinary rendition. Nations prevented by their own laws from spying on their citizens could, in effect, outsource the job to the intelligence services of other countries. One can imagine all sorts of back-room diplomatic horse-trading involving the collection and use of this information.
4. Is forging digital certificates fair game for nation states?
In the view of Flame’s creators, apparently so—at least if, as is widely believed, it is the product of a nation state. As the Microsoft Security Response Center explained in a June 3 blog post, “some components of the [Flame] malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.” In a related security advisory, Microsoft stated that an “unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.”
Trusted digital certificates are a vital part of online financial transactions, software distribution, and other applications. Fake certificates undermine trust, creating collateral damage and unintended downstream consequences not only for the companies whose certificates are faked, but for all participants in the online ecosystem.
5. Is Flame one more reason to increase cybersecurity spending?
The attention surrounding Flame will no doubt help spur new calls to pass cybersecurity legislation and to increase spending on government and corporate computer security. But simply throwing more money at the problem can be akin to hiring more doctors to treat a population that keeps falling ill from drinking a tainted water supply. The doctors can do plenty of good, but the long-term solution lies in fixing the water supply itself.
The uncomfortable reality is that from the power grid to the financial system to personal computers and smartphones, our systems and devices have been designed with insufficient security protections. Continuing to apply expensive, partially effective band-aids won’t solve the underlying problem. What’s needed is a rethink of how we should be designing and building sophisticated, highly interconnected systems.