16.9 C
Byron Shire
October 22, 2021

After ‘WannaCrypt’, should governments stockpile software vulnerabilities?

Latest News

Charges laid after police pursuit at Murwillumbah

Officers from Tweed/Byron Police District have been investigating several incidents of stolen motor vehicles from within the Kingscliff area over the past month.

Other News

Library restrictions

Under Richmond Tweed Library restrictions announced today, our local libraries are now only offering click and collect, and online...

Teacher vax

Dear teachers and community members. I have recently received an email from within my school community that asks me...

COVID’s genetic solution?

A lucky few are unusually resistant to COVID-19. Scientists are trying to find a reason in their genes.

#BigBadBiomass – protesters reject burning trees for energy

North East Forest Alliance (NEFA) and the NSW Forest Defenders have thrown their support behind the protests against the burning of Biomass to generate electricity across Australia ahead of the Glasgow Climate Change Conference (COP) 26.

Perrottet & Opus Dei

Bugga! Just when we don’t need to expect the Spanish Inquisition, out pops its wolf-in-sheep’s clothing remake: Opus Dei....

Police raid ‘unauthorised events’ in national parks

Police say that eleven people have been charged following unauthorised gatherings held at national parks on the weekend.

Greg Austin, Monique Mann & Robert Merkel

The ‘WannaCrypt’ malware has disrupted vital infrastructure in almost 100 countries so far. Security analysts are concerned it may be part of a dump of security flaws a group called the Shadow Brokers claimed to have stolen from the United States’ National Security Agency.

In a blog post Sunday, Microsoft’s president and chief legal officer, Brad Smith, decried government stockpiling of software vulnerabilities.

‘We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,’ he wrote. ‘The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.’

We asked a panel of experts to weigh in: Should governments be allowed to stockpile exploits, or should they be made to disclose them to vendors, including Microsoft?

Greg Austin, professor, Australian Centre for Cyber Security, University of New South Wales. Photo TheConversation
Greg Austin, professor, Australian Centre for Cyber Security, University of New South Wales. Photo The Conversation

Greg Austin, professor, Australian Centre for Cyber Security, University of New South Wales

Vulnerabilities in commercially available software provide an easy way in for spy agencies and criminals to access adversary computer systems. I agree with the Microsoft proposition that the refusal of US agencies to publicise vulnerabilities can be compared with the US armed forces losing a Tomahawk Cruise missile. There are circumstance where it could be that serious.

Of course, our cyber intelligence agency, Australian Signals Directorate, may also be using vulnerabilities in software that Australian citizens rely on. So we need to ask the government about its policy in this regard. I doubt we will stop that practice in the current climate of global cyber escalation. But, in the medium term, Australia must commit to new ‘highly secure’ systems instead of using inherently vulnerable software and machines.

We must also commit to diplomatic agreement on the disclosure of vulnerabilities in commercially available systems. Countries with high levels of pirated software, like China and Russia, are vulnerable because patches sent by Microsoft to repair vulnerabilities only go to registered IP addresses with a licensed copy of the software. If a user has installed an unlicensed pirated version, they never get the patches.

The Australian government needs to have a more mature conversation with its citizens about what is really going on in cyber space. So far we have not had it, even though the Turnbull government deserves credit for starting down that path with its cyber security strategy.

 

Monique Mann, lecturer, School of Justice, Faculty of Law, Crime and Justice Research Centre, Queensland University of Technology
Monique Mann, lecturer, School of Justice, Faculty of Law, Crime and Justice Research Centre, Queensland University of Technology. Photo The Conversation

Monique Mann, lecturer, School of Justice, Faculty of Law, Crime and Justice Research Centre, Queensland University of Technology

In an escalating cryptowar with widespread uptake of end-to-end encryption, governments contend that they cannot always disclose cyber security vulnerabilities. This is because they use zero-day vulnerabilities to spy.

But state-sponsored programs of cyber warfare go beyond stockpiling vulnerabilities. Countries are actively developing digital weapons to hack into, infect, monitor and disrupt computer systems.

The Vault 7 disclosures, published by WikiLeaks in March, revealed both the extent of the Central Intelligence Agency’s hacking capabilities and its inability to keep them secure. An arsenal of malware, viruses, trojans and zero day exploits was taken and leaked.

Now Wikileaks says it wants to work with technology companies to address vulnerabilities and disarm these digital weapons. Yet, these could also have been sold or used for sinister purposes.

Digital weapons can fall into the wrong hands. The consequences, like ‘WannaCrypt’, can be disastrous.

Governments should be promoting cyber security rather than undermining it. Failing to disclose and address vulnerabilities weakens cybersecurity. There should also be limits on the development and deployment of digital weapons.

It is time for a digital Geneva Convention to protect the internet: the critical infrastructure and the citizens who depend on it.

 

Robert Merkel, lecturer in software engineering, Monash University. Photo TheConversation
Robert Merkel, lecturer in software engineering, Monash University. Photo The Conversation

Robert Merkel, lecturer in software engineering, Monash University

I’ve argued previously that Western governments should be far more careful with their use and distribution of stockpiled vulnerabilities in commercial software. But I wouldn’t hold my breath for it to happen.

For better or worse, intelligence agencies seem to have persuaded governments that the intelligence they gain from exploiting such vulnerabilities outweighs the risks when those exploits leak. Whether they are right is something only historians will be able to answer, given the decades it will take for contemporary intelligence operations to be declassified.

Even if Western intelligence agencies were required to cease stockpiling vulnerabilities and instead report them to vendors, their counterparts in Russian and Chinese intelligence agencies seem unlikely to follow suit. They face little domestic political pressure to behave ethically.

Indeed, while the vulnerability used by the ‘WannaCrypt’ ransomware is thought to have come originally from the National Security Agency, the public disclosure of the vulnerabilities is believed by some US officials to have been the work of the Russian intelligence services.

Russian IT systems were among the most heavily affected by ‘WannaCrypt’. If the release was in fact the work of Russian intelligence, the blowback, in terms of inconvenience and expense for Russian companies and other branches of the Russian government, has been substantial. It was also foreseeable – and they did it anyway.

While Microsoft’s call for governments to think harder about the real-world costs of their espionage techniques is admirable, it’s hard to imagine it actually happening any time soon.

This article was first published in The Conversation.


Support The Echo

Keeping the community together and the community voice loud and clear is what The Echo is about. More than ever we need your help to keep this voice alive and thriving in the community.

Like all businesses we are struggling to keep food on the table of all our local and hard working journalists, artists, sales, delivery and drudges who keep the news coming out to you both in the newspaper and online. If you can spare a few dollars a week – or maybe more – we would appreciate all the support you are able to give to keep the voice of independent, local journalism alive.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

#BigBadBiomass – protesters reject burning trees for energy

North East Forest Alliance (NEFA) and the NSW Forest Defenders have thrown their support behind the protests against the burning of Biomass to generate electricity across Australia ahead of the Glasgow Climate Change Conference (COP) 26.

Call to reject Evans Head Iron Gates DA over failure to recognise Indigenous heritage

Evans Head locals call for rejection of Iron Gates DA and recognition of the national significance of the site and its incorporation into the Broadwater National Park.

Chainsaw accident Ewingsdale

A 44-year-old arborist suffered a serious lower leg injury following a chainsaw accident at a Ewingsdale property yesterday.

New COVID cases in Ballina and Clarence Valley

Two new cases of COVID-19 have been reported for Northern NSW Local Health District (NNSWHD) in the 24 hours to 8pm 19 October.