The Government Policy That Wastes Billions -- Offensive vs Defensive Cybersecurity

With the release of Wikileak's Vault7 repository, we have a major leak of the US Central Intelligence Agency's cyberweapon arsenal on the loose and circulating around the internet. This follows a regular pattern of these sorts of leaks of information. In the past few years we have seen:

The Snowden Documents Leak
Stratfor Cyberweapons Leak
HackingTeam Cyberweapons Leak
Gamma / Finfisher Cyberweapons Leak
The NSA ShadowBrokers Leak

And now we have the CIA Vault7 leak emerging at the time of the writing of this article.

These leaks force us to acknowledge a few key points that cryptographers and security experts have been stating unanimously for years.

1. Governments are hoarding vulnerabilities for themselves for offensive cyberwar campaigns, leaving their populations at serious risk.

2. Governments are unable to protect these weapons, leading to massive leaks of immensely dangerous flaws.

3. Governments are spending immense resources to find these flaws.

4. Closed software development favors this toxic computing environment.

What does it cost?

This is the important matter to consider when we talk about this policy. In many ways this is society fighting against itself in the same ways that the clandestine agencies were secretly operating large drug trafficking operations while the DEA and ATF were wasting resources going after drug cartels.

We have a similar situation today, only it involves pitting different branches of our government and our economy, wittingly or unwittingly against one another. We have the FBI, CIA, NSA, and other agencies spending billions on state of the art splitter technologies for fiber optics, hundreds of millions per year on security research to find flaws in software that is created by American and EU companies, even more money developing those flaws into easy to use exploits in the field, and more money again to house all of this collected data in mass repositories around the US.

But that is only the surface cost of their activities, which we can safely say runs well into the billions of dollars per year.

This research for exploits for offensive operations also relies on keeping these exploits unknown to the creator of the software. This means that Microsoft, Apple, Google, Cisco, Juniper, Dell, HP, and more have to have these flaws present for them to be exploited.

The problem here is that these flaws can be found by anyone, whether it is a criminal network looking to build the new ransomware or an adversary looking to steal data. Finding these flaws and then not disclosing them is irresponsible to extremes when the world is dealing with $500 Billion in losses annually to cyber threats. This figure does not include losses from a lack of trust in software or hardware to properly protect data, a huge hidden cost in innovation as well as adoption rates of cutting edge technology.

What can we do?

This is not a lost cause.

The fundamental things that allow this unsafe cyberspace to exist circulate around unsafe code being hidden behind secrecy (closed-source software) and severe under-spending on defensive cybersecurity research. Right now we collectively spend less than 1% of our cybersecurity budgets on defense, with the rest going to these damaging and outright dangerous offensive operations.

We need to use open source technologies everywhere possible, and we need to convince companies that open-source is a worthy pursuit, and we need to support organizations that create, audit, and harden open source technologies.

The Free Software Foundation
The pEp Foundation
The Open Source Technology Improvement Fund (disclosure: A VikingVPN partner founded it)

Also there is currently a huge community push to let AMD know that we want CoreBoot for AMDs new CPUs and motherboards. You can read more about it here:

Coreboot and Libreboot are absolutely crucial, because it is the most fundamental piece of software that runs on your system. Having these be free and open means that architecture can be layered on top of it to create a completely open and free software stack. Right now this is not possible on modern AMD, Intel or ARM technologies. Support from AMD on this would be an enormous boon for security and privacy around the world.

< last
next >