In flooding the internet with malware, and by increasing wariness of data sharing, the NSA\u2019s actions have had a negative impact on the fight against cybercrime.<\/i><\/p>\n
Thousands of the world\u2019s security professionals, mostly of them middle-aged white males, gathered in San Francisco last week for the annual RSA Conference.<\/p>\n
Traditionally, it\u2019s the time of year vendors hawk their gear in halls containing a perturbing whiff of ammonia, research announcements provide relief from the festival of commerce, and government mandarins hobnob with corporate types – all with the implied intent to work together to protect people\u2019s data.<\/p>\n
Yet 2014\u2019s event was always going to be a bit different. RSA, the security company hosting the event, had to defend itself against criticism over an alleged $10m deal with the National Security Agency (NSA) to include flawed encryption in its products.<\/p>\n
The company\u2019s chief, Art Coviello, outright denied any wrongdoing, saying RSA was only following advice given by the US government\u2019s National Institute of Standards and Technology (NIST).<\/p>\n
RSA\u2019s excuses have convinced some onlookers, others remain sceptical. But the organisation that took far more flak this week was the NSA itself, which had its own booth on the trade floor, albeit a considerably plainer one than the surrounding neon-clad stalls of commercial firms.<\/p>\n
There was one criticism, amid the understandable ire around the damage done to global privacy, which stood out: that the NSA\u2019s mass spying had perversely made life easier for digital criminals.<\/p>\n
Data sharing in danger<\/b><\/p>\n
Cross-border data-sharing mechanisms – a critical part in both online and non-internet crime investigations – have come under threat since the Edward Snowden leaks. Even though information-sharing deals covering banking and airline passenger data just about survived calls to suspend them, the Snowden files have caused problems for collaboration between public and private bodies.<\/p>\n
The heightened tensions lie not between law enforcement agencies, but between police and other organisations that potentially hold valuable information for investigations. \u201cThe impact is more [with] third parties giving more consideration to sharing their data with agencies or other departments,\u201d said Charlie McMurdie, formerly the head of the defunct Metropolitan Police Central e-Crime Unit and now senior crime adviser at PricewaterhouseCoopers.<\/p>\n
\u201cThis can have a negative impact on law enforcement ability to respond to or progress investigations, but on the positive side [this] has also made third parties think more about where their data exists, security and sharing protocols, which isn\u2019t a bad thing.\u201d<\/p>\n
A recent European Commission report on trust between the US and the EU following the leaks last year said: \u201cInformation sharing is \u2026 an essential component of EU-US security cooperation, critically important to the common goal of preventing and combating serious crime and terrorism. However, recent revelations about US intelligence collection programmes have negatively affected the trust on which this cooperation is based. In particular, it has affected trust in the way personal data is processed.\u201d<\/p>\n
Discussions are ongoing about an umbrella agreement covering law enforcement data sharing, with much talk of the need to ensure safeguards are in place, with \u201cstrict conditions\u201d.<\/p>\n
The US government has already seen the impact. In response to a Guardian question on the effect of Snowden\u2019s revelations on data sharing, Phyllis Schneck, the chief cybersecurity official at the US Department of Homeland Security, said the government body\u2019s partners were \u201cfeeling it\u201d.<\/p>\n
She said the data sharing environment had to be improved if the nation was to protect against people who wanted \u201cto change and hurt our way of life\u201d. \u201cIt\u2019s so important to be able to combine what we know\u2026 We all have to make sure we get this right and we will, with full privacy and full civil rights,\u201d Schneck said during a panel at the conference.<\/p>\n
Steven Chabinsky, former deputy assistant director for the FBI\u2019s Cyber Division and now general counsel for offensive security firm Crowdstrike, said the information sharing problems that had emerged \u201chave to be resolved\u201d.<\/p>\n
Criminals learning from NSA<\/b><\/p>\n
Intelligence agency hacking techniques will also be adopted by criminals, according to security luminaries speaking with The Guardian. This has been seen in other nations in recent history.<\/p>\n
\u201cThe spear-phishing tricks we saw the Chinese secret police using against the Dalai Lama in 2008 were being used by Russian crooks to steal money from US companies by 2010. We predicted as much in \u2026 2009,\u201d said Ross Anderson, professor of security engineering at the University of Cambridge. \u201cA lot more people have become aware of what can be done.\u201d<\/p>\n
Cryptography expert and author Bruce Schneier said some of the techniques the NSA used to hack routers are starting to be seen in criminal cases, amongst other attack types. Indeed, from compromises of much used but vulnerable mobile applications, to spying on people through their web cams, dark web dealers were already using the same methods as the NSA. \u201cToday\u2019s secret NSA programs are tomorrow\u2019s PHD theses and the next day\u2019s hacker tools,\u201d he added.<\/p>\n
\u201cThe US has done an enormous amount of damage here. There is a basic level of trust that has been lost\u2026 There is a lot of international mistrust right now because the US was supposed to be a trusted keeper of everything, but it turned out they were subverting it with every chance they got. And the NSA keeps saying it\u2019s not as bad as you think, but who the hell believes that?\u201d<\/p>\n
The zero-day race<\/b><\/p>\n
Purposeful backdoors in security products – another revelation from leaked security agency documents – benefit all hackers. If firms have allowed for weaknesses in their product sets, they don\u2019t just open up holes for agents to exploit, but criminals too. Organised crime groups are pumping money into hunting for such vulnerabilities, placing the everyday user at ever greater risk.<\/p>\n
Those crooks and the NSA are racing to uncover and use zero-day flaws – previously-unknown, unpatched weaknesses in software and hardware. After governments buy, discover or use these vulnerabilities, they often filter down into the wider criminal community, says Jason Steer, director of technology strategy at FireEye.<\/p>\n
\u201cWe know that governments purchase undisclosed zero-day vulnerabilities, and the providers of such zero-days such as Vupen openly acknowledge that government are big buyers of their research in text on their website,\u201d Steer said. \u201cAll exploits have an inevitable lifecycle – from highly targeted usage to APT [advanced persistent threat] usage, then to broader cyber criminals and finally hacktivists.<\/p>\n
\u201cOnce an exploit is used in the wild, its effectiveness will drop as researchers in both the blackhat and whitehat communities discover it and learn about it. Once its effectiveness is weakened, any zero-day is picked up by the broader attacker community as this gives them an opportunity to monetise their window for a time, until the targeted software or hardware fixes the vulnerability – it\u2019s quite simply a race.\u201d<\/p>\n
Government malware = criminal malware<\/b>\u2028<\/b><\/b><\/p>\n
But the NSA isn\u2019t the only official body that is spurring on digital crime, whether willingly or unwittingly. In using offensive digital tools against one another, governments have brought about a degradation of co-operation on dealing with cybercrime, according to RSA chief Art Coviello.<\/p>\n
\u201cThe only ones deriving advantage from governments trying to gain advantage over one another on the internet are the criminals. Our lack of immediate, consistent and sustained cooperation, globally, gives them the equivalent of safe havens,\u201d Coviello said during his keynote.<\/p>\n
And the introduction of government-owned malware on global networks only gives criminals yet more tools to play with. \u201cThe genie is out the bottle on the use of cyber weaponry and unlike nuclear weapons, cyber weapons are easily propagated and can be turned on the developer,\u201d Coviello added.<\/p>\n
Anderson has concerns around organised criminals taking advantage. \u201cIf governments keep on giving millions of people access to this stuff, it\u2019s only a matter of time before serious organised crime gets in there.\u201d<\/p>\n
It\u2019s long been believed governments across the world are paying cyber criminals to help them attack foreign entities too. While this has never been detailed, Coviello and numerous others in the security industry have claimed knowledge of it happening.<\/p>\n
This has all combined to create a chaotic, dangerous environment, where attack numbers continue to rise and aggressive, sophisticated techniques have been given a sense of legitimacy, whether the targets are governmental data or individuals\u2019 money.<\/p>\n
\u201cParaphrasing a famous quote, those who seek military advantage riding the back of the tiger will end up inside,\u201d Coviello said during his keynote. Many are now calling for the NSA and other government bodies contributing to the rise in digital crime to get off that tiger.<\/p>\n