The US government is keeping system security flaws hidden so it can build super viruses based on “zero days”—and in the process, it’s leaving state secrets unthinkably vulnerable and then spending billions trying to protect itself from the very threats it helped to create.
Welcome to the age of cyberwar. For years now, the US government, along with other leading world governments, has been building super viruses based on flaws that were unknown to the software makers. They can infect almost any system and perform such feats as stealthily “jailbreaking” an iPhone and turning it into a spy device. Victims have ranged from Iranian nuclear centers to politicians, journalists and human rights activists.
Aside from the obvious potential for abuse, this has created a massive underground supply and demand chain, where skilled programmers have been incentivized to keep flaws they discover secret and sell them for a hefty sum to private buyers—rather than report them to software firms such as Apple and Microsoft.
The US government itself has become complicit in keeping those flaws, known as “zero day vulnerabilities” or “zero days,” secret, leaving millions of unsuspecting users, including its own employees, vulnerable. According to the latest leaks attributed to Edward Snowden, the US government and the UK government both went as far as to tamper with some of the most popular antivirus companies in the world, whose work impeded their hacking spree. But for the number one economy in the world, which is heavily dependent on digital technology, this is akin to playing with fire in a wooden house.
It is a particularly bad idea if your opponents are better protected from cyber warfare than you are: as opposed to the US practice, key government systems in countries such as Russia and China are completely isolated from the outer internet (“air-gapped”), says Victor Mizin, vice president of the Center for Strategic Assessments in Moscow.
“The problem with the American networks is that they are so open. That’s why many hackers, including Russian ones, try to penetrate them,” said Mizin. And many, as recent headlines attest, succeed.
State Secrets Anyone? Trade Secrets? Blackmail Material? Help Yourself!
Just a week or so ago it turned out that 90 percent of security clearance holders over the past three decades—including CIA and NSA agents—were compromised in a highly embarrassing and harmful hack attributed to the Chinese government.
“They got everyone’s SF-86,” an unnamed Pentagon official complained to the Navy Times.
To put that into plain language: the document in question, Standard Form 86, is an exceptionally intrusive 127-page questionnaire that is part of the background checks required by those seeking a security clearance. Applicants are required to list past mental illness, drug use and extramarital affairs among other damaging information that even their families may not know about.
Originally, the purpose of this document was to prevent foreign spy services from using these liabilities to blackmail federal agents. Now, in the hands of a foreign government, they could enable just that. From spies to security contractors to Department of Defense personnel to White House aides—up to 18 million could have been affected, by current estimates.
“Having access to such information about the people who keep a nation’s secrets is the same as knowing the secrets,” Vesselin Avraamov, an independent analyst based in Bulgaria, told WhoWhatWhy.
Help Yourself to Secret Nuclear Talks
As serious and embarrassing as this incident is, it is only the tip of the iceberg—and it’s not just global rivals who are rushing to take a cyber-swipe at the US. Recently it was also revealed that a sophisticated cyber attack had been used to spy on the P5+1 nuclear talks with Iran, as well as the leading Russian security firm Kaspersky.
The digital fingerprints point to Israel, which has implausibly denied involvement: the virus used, called Duqu 2.0, was an upgrade of an earlier virus attributed to Israel. The motive was there, too—the US and Israel have been having a public disagreement over the Iranian nuclear talks for some years now, and Israel has been accused before of spying on the talks.
Kaspersky stopped short of naming Israel, but claimed that the attack was so complex that only a nation-state could have carried it out.
“This highly sophisticated attack used up to three zero-day exploits, which is very impressive—the costs must have been very high,” said Costin Raiu, Director of Kaspersky Lab’s Global Research & Analysis Team, in a press release.
The big irony? Duqu is also a cousin of Stuxnet, the virus used to attack the Iranian nuclear centrifuges half a decade ago, which was reportedly co-developed by the US and Israel. Now, as the cyber fault lines have shifted, the weapon is coming back to hit one of its makers.
Then again, with the US and Germany still muddling through the controversy of whether or not the NSA tapped German Chancellor Angela Merkel’s phone for 10 years, who could the US complain to?
Rats Under the Table Grab Scraps
Not to mention that less well-funded hackers, such as those belonging to criminal groups, have followed in the footsteps of the government actors, often relying on recently disclosed flaws to which users who have not yet updated their software remain vulnerable. Last year, for example, saw a 113 percent increase in ransomware attacks, which lock users out of their computers and demand payment to unlock them, security firm Symantec reported.
Amid a flurry of attacks compromising the privacy of millions, governments around the world are rushing to build powerful firewalls and even “national” internet spaces that threaten to fragment the internet and stem the free flow of ideas that shaped the early digital experience.
It’s akin to building digital walls around one’s borders—the very borders that the internet was once all about making obsolete. But now monikers such as “The Great Firewall of China” and the “Halal Internet” of Iran have entered common usage, while countries as diverse as Russia, Turkey, and Germany have toyed with different versions of the idea.
The Militarization of the Internet
The US alone has been spending billions trying to protect itself from the very threats it helped create. Next year’s cybersecurity budget is expected to hit $16 billion. And it doesn’t appear to have made any of us any safer. Cyber attacks are likely to increase, a recent Pew Research opinion poll of 1,642 experts indicated, with some 61 percent predicting at least one major cyber attack on a country by 2025.
The definition of a major cyber attack hinges on its consequences: “significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.”
“Unfortunately now I think that all major experts would agree with me that the cyber war is the new dimension of warfare,” says Mizin.