Later On

A blog written for those whose interests more or less match mine.

Cyberwar on us


Interesting note in this article:

. . . But I think the real lesson of the hack – and of the revelations that followed it – is that the IT security industry, having finally gotten the attention of lawmakers, Pentagon generals and public policy establishment wonks in the Beltway, is now in mortal danger of losing its soul. We’ve convinced the world that the threat is real – omnipresent and omnipotent. But in our desire to combat it, we are becoming indistinguishable from the folks with the black hats.

Of course, none of this is intended to excuse the actions of Anonymous, who HBGary President Penny Leavy, in a conversation with Threatpost, rightly labeled “criminals” rather than politically motivated “hacktivists.” The attack on HBGary was an unsubtle, if effective, act of intimidation designed to send a message to Barr and other would-be cyber sleuths: ‘stay away.’

We can see their actions for what they are, and sympathize deeply with Aaron Barr, Greg Hoglund and his wife (and HBGary President) Penny Leavy for the harm and embarrassment caused by the hackers from Anonymous, who published some 70,000 confidential company e-mails online for the world to see. Those included confidential company information, as well as personal exchanges between HBGary staff that were never intended for a public airing. It’s easy to point the finger and chortle upon reading them, but how many of us (or the Anonymous members, themselves) could stand such scrutiny?

It’s harder to explain away the substance of many other e-mail messages which have emerged in reporting by Ars Technica as well as others. They show company executives like HBGary Federal CEO Aaron Barr mining social networks for data to “scare the s***” out of potential customers, in theory to win their business. While “scare ’em and snare ’em” may be business as usual in the IT security industry, other HBGary Federal skunk works projects clearly crossed a line: a proposal for a major U.S. bank, allegedly Bank of America, to launch offensive cyber attacks on the servers that host the whistleblower site Wikileaks. HBGary was part of a triumvirate of firms that also included Palantir Inc and Berico Technologies, that was working with the law firm of the U.S. Chamber of Commerce to develop plans to target progressive groups, labor unions and other left-leaning nonprofits whom the Chamber opposed with a campaign of false information and entrapment. Other leaked e-mail messages reveal work with General Dynamics and a host of other firms to develop custom, stealth malware and collaborations with other firms selling offensive cyber capabilities including knowledge of previously undiscovered (“zero day”) vulnerabilities.

Look, there’s nothing wrong with private firms helping Uncle Sam to develop cyber offensive capabilities. In an age of sophisticated and wholesale cyber espionage by nation states opposed to the U.S., the U.S. government clearly needs to be able to fight fire with fire. Besides, everybody already knew that Greg Hoglund was writing rootkits for the DoD, so is it right to say we’re “shocked! shocked!” to read his e-mail and find out that what we all suspected was true? I don’t think so.

What’s more disturbing is the way that the folks at HBGary – mostly Aaron Barr, but others as well – came to view the infowar tactics they were pitching to the military and its contractors as applicable in the civilian context, as well. How effortlessly and seamlessly the focus on “advanced persistent threats” shifted from government backed hackers in China and Russia to encompass political foes like ThinkProgress or the columnist Glenn Greenwald. Anonymous may have committed crimes that demand punishment – but it’s up to the FBI to handle that, not “a large U.S. bank” or its attorneys.

The HBGary e-mails, I think, cast the shenanigans on the RSA Expo floor in a new and scarier light. What other companies, facing the kind of short-term financial pressure that Barr and HBGary Federal felt, might also cross the line – donning the gray hat, or the black one? What threat to all of our liberties does that kind of IT security firepower pose when it’s put at the behest of corporations, government agencies, stealth political groups or their operatives? Bruce Schneier – our industry’s Obi-Wan Kenobi – has warned about this very phenomenon: the way the military’s ever expanding notion of “cyber war,” like the Bush era’s “War on Terror,” does little to promote security, but a lot to promote inchoate fear. That inchoate fear then becomes a justification for further infringement on our liberties.

“We reinforce the notion that we’re helpless — what person or organization can defend itself in a war? — and others need to protect us. We invite the military to take over security, and to ignore the limits on power that often get jettisoned during wartime,” Schneier observed. That kind of conflation is clear reading Barr’s e-mails, where the line between sales oriented tactics and offensive actions blurs. The security industry veterans I spoke with at this year’s show were aghast at Barr’s trip far off reservation, but they also expressed a weary recognition that, in the security business, this is where things are headed.

What’s the alternative? Schneier notes that focusing on cyber crime as “crime” rather than “war” tends to avoid the problems with demagoguery. Focus on cyber crime and hacking in the same way as you focus on other types of crimes: as long term problems that must be managed within the “context of normal life,” rather than “wars” that pose an existential threat to those involved and must be won at all costs. The U.S. needs peacetime cyber-security “administered within the myriad structure of public and private security institutions we already have” rather than extra-judicial vigilantism and covert ops of the kind the HBGary e-mails reveal. Here’s hoping HBGary is the wake up call the industry needed to reverse course. . .

Written by LeisureGuy

25 February 2011 at 3:20 pm

Posted in Business, Technology
