Eric De Grasse
Chief Technology Officer
The Project Counsel Group
31 July (New York, New York) – I am at the U.S. Department of Homeland Security’s “National Cybersecurity Summit” in New York. They assembled an all-star government cast. An ineffective cast, perhaps, but I attend these things simply to meet and hear from high-level CxOs from the financial services, energy, information technology, and telecom sectors.
From the government:
- U.S. Vice President Mike Pence
- Secretary of Homeland Security Kirstjen M. Nielsen
- Secretary of Energy Rick Perry
- Federal Bureau of Investigation Director Christopher Wray
- Commander, U.S. Cyber Command and Director, National Security Agency General Paul M. Nakasone
The goal of the summit is to bring together government and private sector officials to lay out a vision for a collective defense model to protect the U.S. critical infrastructure. There are panels, keynote addresses, and breakout sessions.
Lots to cover but let’s limit this post to three key areas:
Federal officials are doubling down on sounding alarms about the risks of supply-chain security threats – attacks where hackers sabotage software or hardware before it’s sent to the customer – with warnings to businesses up against the theft of intellectual property, federal contractors up against espionage and telecoms who will soon face large-scale buildout of 5G networks.
Why it matters: It’s difficult to extract supply-chain-vulnerable products from the market. Many devices and networks include components from a variety of companies from all over the world, providing ample opportunity for bad actors to interfere. Banning certain products can combat such threats, but can also cause friction: Just look at the recent call to remove ZTE and Huawei products from the telecom networks.
Driving the news: Last week, the Office of the Director of National Intelligence issued a report Thursday that supply chain attacks used for economic espionage were on the rise. On Friday, the Department of Defense told reporters that it was compiling a list of software manufacturers with Chinese and Russian ties it thinks military branches and contractors should avoid.
- This comes on the heels of scandals at ZTE, Huawei and Kaspersky, where the government alleges foreign-made products were used to spy on domestic agencies and companies.
Why now: The United States is about to go through a massive infrastructure expansion project as mobile carriers and equipment firms roll out 5G technology. Meanwhile, rural communities are still building their first broadband networks.
- The U.S. has instructed telecom companies not to use products from the Chinese firms Huawei and ZTE — both of whom are suspected of sabotaging their own products to enable Beijing’s spying efforts.
- But telecom execs say that for smaller communities, low-cost Chinese equipment is the only economically viable way to expand infrastructure. Chinese equipment is not just cheaper, it’s also often the only one-stop shopping solution for telecommunications hardware and tend to offer affordable financing packages.
The government could dig its way out of the hole, but likely won’t. Jim Lewis, currently of the CSIS think tank and formerly a Department of Commerce official specializing in high tech issues involving China, estimates that the government could even the playing field and solve the telecom supply chain problem for a little over a billion dollars.
- That would involve funding rural providers purchasing less vulnerable equipment and issuing grants to ZTE and Huawei competitors for research, helping them compete with China’s massive state research budget.
- But, said Lewis, Congress loathes spending money, even when it is the only solution.
Messages sent on the instant messenger app Telegram were routed through Iran yesterday due to a glitch in a fundamental internet routing system many suspect was orchestrated by Tehran.
What happened: The glitch used the Border Gateway Protocol to reroute messages through Iranian servers.
Here’s how BGP works and why it’s vulnerable. The internet isn’t a single network. It’s actually a network of networks connected through the largely unsecure BGP. In the same way you can’t always get a direct flight between two airports, you can’t always get from one network directly to another network. BGP lets the networks coordinate how many hops away one network is from another.
Due to accidents or hijacking, sometimes networks claim to be closer to popular servers than they actually are, re-routing all the traffic through their own systems.
Activists in Iran note that a protest set for today was being planned on Telegram, raising fears that the hijacking was intentional.
The problem is that BGP “hijacks” happen all the time, where an intermediary illegitimately takes over groups of IP addresses so data originally destined for one place can be forcefully sent to another. In fact the U.S. intelligence services do it all the time. It was actually a discussion point during the Privacy Shield negotiations two years ago.
Once a valid BGP hijack occurs, the hijacker can perform man-in-the-middle attacks, eavesdropping, etc. And organizations whose traffic is hijacked currently have no effective technical means to prevent such attacks.
Earlier today, Facebook said that it had discovered a sophisticated coordinated disinformation operation on its platform involving 32 false pages and profiles engaging in divisive messaging ahead of the U.S. midterm elections. They said the profiles shared a pattern of behavior with the previous Russian disinformation campaign in 2016, which was led by a group with Kremlin ties called the Internet Research Agency. In a press release Facebook said:
It’s clear that whoever set up these accounts went to much greater lengths to obscure their true identities than the Russian-based Internet Research Agency (IRA) has in the past. We believe this could be partly due to changes we’ve made over the last year to make this kind of abuse much harder. But security is not something that’s ever done. We face determined, well-funded adversaries who will never give up and are constantly changing tactics. It’s an arms race and we need to constantly improve too.”
Hmmmm … let’s see, they did it before, got caught, and now they’re doing it again? Kind of makes you wonder if the punishment wasn’t quite enough to reinforce the idea that the benefits of successful hacking do not outweigh the costs of such interference, right? I mean, “Not one single vote was changed”. Right?
There are far, far bigger issues here, beyond the scope of this “newsy” post. But I will say this (parroting my boss): the work of surveillance, it appears, is not to erode privacy rights but rather to redistribute them. Instead of many people having some privacy rights, these rights have been concentrated within the surveillance regime. “Surveillance capitalists” have extensive privacy rights and therefore many opportunities for secrets. These are increasingly used to deprive populations of choice in the matter of what about their lives remains secret. This concentration of rights is accomplished in two ways. In the case of Google, Facebook, and other exemplars of surveillance capitalism, many of their rights appear to come from taking others without asking.
Let’s face it: surveillance capitalists have skillfully exploited a lag in social evolution as the rapid development of their abilities to surveil for profit outrun public understanding and the eventual development of law and regulation that it produces. Tech will always outrun the law. C’est la vie.
