Posts Tagged ‘NSA’

Cyberattacks and espionage – Risks and Prevention

It’s not quite as cool as Bond in his Tom Ford suit leaning on his wonderful Aston Martin while he plots his next move to unseat some despot. All the same, Germany’s recent apparent spate of typewriter purchases points to a renewed sense of fear of being overheard and compromised in an era of digitally pervasive content, vulnerable networks and indelible conversations. Spying and intelligence concerns coalesced with subject matter we’ve previously written about – including online privacy, governance, security and the internet of things – in a special report in last week’s The Economist, which produced eight articles on the subject of security in a digital landscape. Some highlights:

  • Cybercrime is costly. The Centre for Strategic and International Studies estimates the annual global cost of digital crime and intellectual-property theft at $445 billion – a sum “roughly equivalent to the GDP of a smallish rich European country such as Austria”.
  • Focus on prevention rather than reaction. As with many things, the best way to make sure cyberattacks aren’t too damaging to your business is to make sure they never happen in the first place. It’s more difficult (and costly) with digital security because the process can easily feel like a Sisyphean struggle; businesses invest in new technology only to see it circumvented by more hacking, perhaps exposing a different loophole or vulnerability. But an iterative approach is better than leaving the door open and spending more money after the fact.
  • Honesty is the best policy. After being hacked, a company can find it hard to admit it. This is understandable. Not only is it somewhat embarrassing, since it admits to customers and shareholders that the company is vulnerable, but it also suggests that their data is not safe with said company; perhaps they should shop elsewhere. However, transparency in such a situation is paramount if others are to learn how to combat such attacks. One suggestion is that the US government “create a cyber-equivalent of the National Transportation Safety Board, which investigates serious accidents and shares information about them”.
  • Who to complain to? The perpetrators of cybercrimes are no longer limited to the teenaged hackers of yesteryear. Though ideological groups like Anonymous serve as a disruptive influence, often the biggest problems are caused by the governments charged with protecting things like individual privacy, security and freedom of speech. From the US to China, authorities “do not hesitate to use the web for their own purposes, be it by exploiting vulnerabilities in software or launching cyber-weapons such as Stuxnet, without worrying too much about the collateral damage done to companies and individuals”.
  • External trends point to a worsening of the problem. The Internet of Things as a trend will have billions of devices connected to each other via the Internet over the next few years. With one of the fundamental ideas being that the user isn’t really aware of the connection, the likelihood of spotting a hacked device becomes all the smaller. This isn’t a huge problem in cases like a connected fridge receiving spam email, but it becomes more of a problem when hackers can gain remote control of your car. One of the barriers to improved security for everyday devices is that the margins are razor-thin, as are the chips connected to the devices, in order to keep the product small. Add any security software or hardware and the cost and size of the product increase.

Zeitgeist believe the risk to IoT devices will be one of the key areas on which businesses and regulators will need to focus their efforts in the future. Because it is still a relatively fledgling sector, the issue is not being discussed yet in many places. Deloitte, in association with the Wall Street Journal, recently reported on the nature of cyberrisks and how companies can help mitigate them. Well worth a read.

“Lots and lots of files” – Privacy, data and a new currency

December 28, 2013

One of the seminal television shows of the 1990s, The X-Files played on myths, legends and government paranoia to worldwide critical and popular acclaim. One of the key episodes of the series found the lead characters, FBI agents Mulder and Scully, happening upon an abandoned mining facility. Contained inside were row upon row of filing cabinets. Inside, thousands of names spilled forth. The sheer number of file drawers is a visual feast for the viewer. But there is more; one of the agents’ names is in those files. Personal data on her (in the form of a tissue sample) has been taken without consent. Down the rabbit hole we go…

We have always operated under the assumption that governments must surveil in order to protect their citizens. The difference today, as Edward Snowden has so plainly shown, is firstly that you are the one being watched, and secondly that the sheer extent of the surveillance and the pervasive nature of its collection is staggering. The pervasiveness of all this is a key point. Not much in the way of policy has really changed in the past fifty years; it’s just that spying on swathes of the world’s population has become ever easier and cheaper. Back in 2006, the UK’s Information Commissioner’s Office warned that the country was moving “towards pervasive surveillance”. Such a prophecy seems to have turned into reality. It creates an uncomfortable feeling that those in charge do not have our best interests at heart, or at least that the ends do not justify the means.

Some of the finest publications in the world have been struggling to make sense of what all this means; Zeitgeist is using this post to highlight some of those key thoughts and issues covered. Back in September, The New York Times reported, paradoxically,

“Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and ‘leverage sensitive, cooperative relationships with specific industry partners’ to insert vulnerabilities into Internet security products.”

Zeitgeist remembers dining alone in New York in September poring over the news. The NSA tried to ask for permission to legally insert a ‘backdoor’ into all digital encryption, but were denied. So they went ahead and did it anyway. They influenced government policy that led to fundamental weaknesses in encryption software. Last week, a federal judge considered the constitutionality of the US’s surveillance programmes. He called the technology used by the NSA “almost Orwellian” and ordered it to stop collecting the telephone records of two plaintiffs. It is one of several cases currently underway.

Click to see The New Yorker’s infographic on what personal data is made available to social networks and their advertisers

Of course, such spying would not have been possible without the consent – tacit or otherwise – of companies in the private sector. There is clamor in the US, UK, Brazil and other countries for more restrictive regulation that makes it harder to collect consumer data. Such policy could make data analysis and collection onerous and might have a significant impact on those businesses that make a living out of using such data. As The Economist puts it,

“Should all this make it harder and costlier for companies to gather information, that would hurt the likes of Facebook and Google, which depend on knowing enough about their customers to ping them with ads that match their tastes.”

The New Yorker recently featured a fascinating article complete with unnerving infographic (excerpted image above) showing just how much information we display on our various social networks is then shared with the platform and its advertisers. This month, a new film, Her, arrives in cinemas, from the director of Being John Malkovich. The heroine is a disembodied voice – acted by Scarlett Johansson – who serves as operating system. The line between her servitude and rapid consumption of all her user’s data quickly becomes blurred. As the reviewer Anthony Lane puts it, also for The New Yorker,

“Who would have guessed, after a year of headlines about the N.S.A. and about the porousness of life online, that our worries on that score—not so much the political unease as a basic ontological fear that our inmost self is possibly up for grabs—would be best enshrined in a weird little [film]?”

Unsurprisingly, the results of a recent YouGov poll in the UK showed consumers were now far less willing to part with their own data. Almost half would be less willing to share their personal data with companies in the next five years. A mere 2% said they would be more willing to do so. Part of the problem lies in a lack of transparency: who is using my data, which piece of information exactly, and how does it benefit them? More importantly, what am I getting in return for surrendering my data? Steve Wilkinson of Ernst & Young offered little in the way of cheering news, “Many customers have recognised that businesses are using their personal information to help increase revenues, and are starting to withdraw access to their private data… In spite of this, there is a reluctance to adopt incentives that encourage consumers to part with personal data”.

Writing in the FT yesterday, Evgeny Morozov penned an excellent article claiming the media was spending far too much time on the intricacies of government involvement rather than how the whole cocktail mixes together. The overreach, according to the author, is being treated as an aberration that will disappear in the face of tighter controls and the harsh light of day. It should instead, Morozov argues, be treated as part of a worrying trend in which “personal information – rather than money – becomes the chief way in which we pay for services – and soon, perhaps, everyday objects”. The article continues,

“Now that every piece of data, no matter how trivial, is also an asset in disguise, they just need to find the right buyer. Or the buyer might find them, offering to create a convenient service paid for by their data – which seems to be Google’s model with Gmail, its email service… [W]e might be living through a transformation in how capitalism works, with personal data emerging as an alternative payment regime. The benefits to consumers are already obvious; the potential costs to citizens are not. As markets in personal information proliferate, so do the externalities – with democracy the main victim. This ongoing transition from money to data is unlikely to weaken the clout of the NSA; on the contrary, it might create more and stronger intermediaries that can indulge its data obsession.”

Morozov also questions the meaning behind such data, as Zeitgeist has done in a previous article. Such information risks becoming seen as an objective answer without providing a solution or insight.

“Should we not be more critical of the rationale, advanced by the NSA and other agencies, that they need this data to engage in pre-emptive problem-solving? We should not allow the falling costs of pre-emption to crowd out more systemic attempts to pinpoint the origins of the problems that we are trying to solve. Just because US intelligence agencies hope to one day rank all Yemeni kids based on their propensity to blow up aircraft does not obviate the need to address the sources of their discontent – one of which might be the excessive use of drones to target their fathers. Unfortunately, these issues are not on today’s agenda, in part because many of us have bought into the simplistic narrative – convenient to both Washington and Silicon Valley – that we just need more laws, more tools, more transparency.”

Touching on similar points and themes, the most enjoyable recent article on the subject was written by famed author Margaret Atwood for The New York Times earlier this month. It had recently emerged that intelligence agencies had been using MMO games like World of Warcraft in an attempt to discover terrorists and other less enjoyable parts of the internet. Atwood had predicted just such a thing in her books, written some twelve years ago. Atwood struggles to make sense of her thoughts coming to life, wondering whether to treat it as comedy or tragedy. She elaborates, crystallising all our fears about the empty truth behind data,

“I hope for the comedy… I suspect the horror. Possibly in the future you’ll no longer be permitted to be who you think you are, or even who you’re pretending to be: You will be who they say you are, based on your data-mined, snooped-upon online presence. You’ll be stuck with that definition of yourself. You won’t be able to take off the mask.”

Such disconcerting thoughts on having your own personality dictated to you might once have been the stuff of science-fiction, apt for an episode of The X-Files. Besides adages of truth being stranger than fiction, the clarion call of these publications appears to be that people should be sitting up and taking notice of what has been going on over the last ten years with extensive policy / data / consumerism creep. It is not just the NSA, but the way society intertwines information for monetisation that must be scrutinised if we are to avoid having to worry about trivial things like playing videogames in peace.

Before and after Prism – On liberty in a digital age

First aired on PBS in 1985, filmmaker Ken Burns’ documentary on the Statue of Liberty was on Zeitgeist’s TiVo watch list this weekend. It’s really quite staggering to note how issues being discussed then are even more relevant three decades on.

It goes back to an article we wrote recently on the US government’s more legitimate efforts to collect data. These myriad agencies are working so fast to see whether it’s possible to collect this or that piece of data on someone, they are not stopping to think whether they should, and what the long-term implications are. By long-term, we mean what such a “Faustian bargain” means for the civil rights of citizens – particularly of course in relation to the right to privacy – and what such machinations do to the long-term standing of the country as a whole – particularly from the outside looking in.

How certain is our moral footing on criticising Chinese cyber-attacks when we are hacking ourselves?

“Spying in a democracy depends for its legitimacy on informed consent, not blind trust”, wrote The Economist in this week’s lead article. Not so anymore, seemingly. The recent revelations that the NSA have been collecting masses of data from Facebook, Twitter, Google et al., with little thought for due process and with a focus on communications outside the US, and that at least one telco, Verizon, was ordered to provide significant amounts of user data to the government, are disconcerting to say the least. Zeitgeist wrote a letter, recently published in the Financial Times, before this story broke, that attempted to convey that the true worry for those opposed to such overreach is the high possibility of neglect or abuse, rather than intentional Machiavellian manipulation. Government ineptitude is more likely, and far more dangerous. Clarity and transparency are the enemies of such ineptitude.

As former New York governor Mario Cuomo admits in the clip at the beginning of this post, it can be very tempting to squash a little liberty here and there in return for added security. The situation, which arises at a time when the US is supposed to be taking China to task over its own extensive cyber-espionage (see above graphic), and in which we are, as one CNBC commentator described recently, “hacking ourselves”, must give us pause, and begs us to re-examine what our notions of liberty are in an age of digital disruption.