The phrase “threat landscape” is a cliche of information security discussions but like many cliches it still means something.
In our case it usefully describes the actual type and level of threats that businesses face on a daily basis. And as we have seen those threats have moved on from malware into something far more sophisticated and wide ranging – malware is still a threat but it is simply a means to an end and its never ending stream has made it virtually impossible to deal with, as discussed in a previous blog and in FireEye’s most recent report on advanced threats.
Much of the threat landscape is made up of criminal hackers doing what they have always done; use malware, rootkits and botnets to steal data for financial gain. These have been the traditional enemy of those working in information security. However recent events suggest that businesses and organisations are facing much more than criminal hackers as they seek to protect data – they now face the might of state-funded cyber espionage. Whatever you think of Edward Snowden, his activities have certainly lifted the lid on what governments across the world are doing to gain competitive advantage (and much more) through covert cyber techniques.
Putting aside what the US government (probably rightly) defines as the treasonable activities of the now on-the-run NSA whistleblower, and the revelations of electronic surveillance of the US population, possibly the most amusing part of this whole episode is the US reaction to the accusation that it has been electronically spying on China – probably for years.
The accusation, based on Snowden’s revelations, is a gift to the Chinese government which has been on the backfoot after years constantly denying using cyber methods to infiltrate US and other Western companies and organisations. The US response to this has been muted and it has not actually denied such activity, instead it is concentrating on trying to extradite Snowden.
Well hoo-hah to all that but the US silence says a lot. There are two points about all this. First, is anyone surprised? Does anyone seriously think that the US is not capable of and willing to spy on its only serious global rival? It has the means and it has the motivation. And whether you believe Snowden’s revelations or like his methods, he has demonstrated to the world the true extent of state sponsored cyber activity that is taking place. We have learnt that the US spies on its friends as well as its enemies and its own citizens. It is the extent of the activity that is shocking rather than the activity itself. Cyber has made it possible to conduct mass surveillance on an unprecedented scale.
And the second point is that there is, anyway, very little morality in cyberspace just as in the real world of geopolitics. In reality, everyone is spying on everyone else. Here in the UK, the giant metallic doughnut that is GCHQ has not only been listening to its own citizens but also those allies visiting the country to attend such events as the G8 Summit.
The outrage expressed by governments that their enemies are using cyber attacks is for public consumption only – behind closed doors they are undoubtedly ramping up their own cyber efforts. And they would be foolish not to. Espionage was not invented in the internet age but cyber methods have made it so much easier to do and much harder to stop. It’s a case of fighting fire with fire.
If Snowden has achieved anything (apart from a rather lengthy stay in transit at Moscow Sheremetyevo Airport) is that he has blown the hypocrisy surrounding cyber espionage wide open.
The other curious nature of the cyber phenomenon is how long it took the US government to get round to accusing the Chinese openly of using such techniques. For many years its economic dependence on China tended to help turn a blind eye to the activities of China (while possibly maintaining its own cyber activities in return). But that has changed in recent years as Obama decided enough was enough and time to speak out. This co-incided with a huge budget increase for America’s cyber defenses – no surprise there.
The same attitude cannot be said of much of America’s business community who remain extremely reluctant to accuse China of anything lest it jeopardize contracts in the Chinese market – which don’t forget will soon be the largest market in the world for virtually everything. Surprisingly, this attitude is especially true of the high-tech sector – the very sector that the US government seeks to protect from Chinese snooping.
The UK, for its part, has a mixed approach. Like the US before it, it has so far refrained from actively naming or accusing China, instead it talks of the need for “international co-operation on cyber security” (usually at international conferences on cyber security) which is short hand for doing nothing.
Chinese telecom giant Huawei has been providing BT with infrastructure equipment for years despite security fears that it gave the Chinese a physical foothold in the country to perform cyber activities.
BT did the deal without telling the UK government and it was made mostly on cost, i.e. the Chinese option was much cheaper. Somewhat belatedly, a U.K. parliamentary committee earlier this month released a report saying Huawei’s strong presence in the country’s telecom sector raises potential national-security issues.
The US has banned Huawei from entering its own telecom equipment market. The UK of course, being a far weaker economy than the US cannot afford to be so bellicose. We need the Chinese more than they need us. Or perhaps we are smarter than we know. Could the chaps in the silver doughnut in Cheltenham be also monitoring what all those bits of Huawei kit, now embedded in BT exchanges up and down the UK, are actually doing? I have no idea but I’d like to think so.
About the Author:
Paul Fisher | @Pfanda | Pfanda.co.uk
Paul Fisher has worked in the technology media and communications business for the last 22 years. In that time he has worked for some of the world’s best technology media companies, including Dennis Publishing, IDG and VNU.
He edited two of the biggest-selling PC magazines during the PC boom of the 1990s; Personal Computer World and PC Advisor. He has also acted as a communications adviser to IBM in Paris and was the Editor-in-chief of DirectGov.co.uk (now Gov.uk) and technology editor at AOL UK.
In 2006 he became the editor of SC Magazine in the UK and successfully repositioned its focus on information security as a business enabler. In June 2012 he founded pfanda as a dedicated marketing agency for the information security industry – with a focus on content creation, customer relationship management and social media.
His heroes include David Ogilvy, Ludwig Mies van der Rohe, Ken Garland, William Bernbach, Andy Warhol, Richard Branson, Charles & Ray Eames, Steve Jobs and Paul Rand. And George Best. He comes from Watford but he thinks he comes from Manchester. If you came from Watford, you would too.
As an impulsive adopter of new technologies and an inability to stick to one ecosystem, he can be spotted around London’s finest WiFi hotspots variously sporting a Chromebook Pixel, an old Blackberry, Nexus 7 and a Nokia 920. He also has a Mac and an Xbox at home.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.