I recently participated in a European Parliament hearing on the cyber security aspects of the European Digital Agenda. The purpose of the hearing was to discuss with European lawmakers ways to improve trust and security in the so-called Digital Single Market in the EU.
The main interest of lawmakers naturally lies in regulatory measures that can be applied at the EU level. Due to the nature of EU processes, whatever is suggested now will not take effect until years from now. There appeared to be a shared consensus that cyber security has already grown important enough to warrant regulation.
Coming from a small European-based company, I was happy to share our insights on what would make the EU a more appealing and healthy market for us to conduct fair business in.
While I was presenting, it clearly emerged that we increasingly face threats from a group that does not quite fit the typical hacker categorization: the corporations. How so?
Online advertising and profiling companies harvest users’ personal information en masse. Some weeks ago, our own Sean Sullivan wrote an interesting piece about browsing trackers, in which he showed that an ordinary IKEA web page invites a stunning total of 49 trackers to leech information from the user. These trackers are not limited to IKEA; they follow your movements as you continue to browse the net, because the same third-party domains are embedded in site after site. If they had not already tagged you, IKEA just did you a disservice by inviting them all to follow you. If you are interested in learning more about online profiling, read “The Daily You” by Joseph Turow.
Many will find it shocking that this type of tracking does not benefit you in any way. In addition to significantly slowing down your browsing, tracking allows advertisers to learn quite a lot about you and your friends that you might not be willing to share openly.
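The tracker count in Sean’s piece comes from a simple census: list every resource a page tells the browser to fetch and keep the ones served from a domain other than the page’s own. The following Python is an added illustration of that census, not code from Sean’s article or any F-Secure product. The page URL and the HTML snippet are constructed for the example, and the registrable-domain helper is a deliberate approximation (real tooling should consult the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a first-party shop page that embeds three unrelated tracking domains.
SAMPLE_URL = "https://shop.example.com/products/sofa"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <link rel="stylesheet" href="//fonts.tracker-three.io/font.css">
  <link rel="canonical" href="https://shop.example.com/products/sofa">
  <script src="/static/app.js"></script>
  <script src="https://cdn.tracker-one.net/tag.js"></script>
</head><body>
  <img src="https://static.example.com/sofa.jpg">
  <img src="https://pixel.tracker-one.net/p.gif?u=123" width="1" height="1">
  <iframe src="https://ads.tracker-two.org/frame?slot=top"></iframe>
</body></html>
"""

# <link rel=...> values that cause the browser to contact the named host.
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect", "dns-prefetch", "icon"}


class ResourceCollector(HTMLParser):
    """Collect every URL the document instructs the browser to fetch."""

    SRC_TAGS = {"script", "img", "iframe", "source", "embed"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.SRC_TAGS and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            rels = set((a.get("rel") or "").lower().split())
            if rels & FETCHING_RELS:
                self.urls.append(a["href"])


def registrable_domain(host):
    # Approximation: last two DNS labels. Wrong for suffixes like co.uk; use the PSL in real code.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def census(page_url, html):
    """Return {third_party_domain: [hosts contacted]} for one page load."""
    first_party = registrable_domain(urlparse(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    found = {}
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs, which are first-party by definition
        if not host:
            continue
        domain = registrable_domain(host)
        if domain != first_party:
            found.setdefault(domain, set()).add(host)
    return {domain: sorted(hosts) for domain, hosts in found.items()}


if __name__ == "__main__":
    for domain, hosts in sorted(census(SAMPLE_URL, SAMPLE_HTML).items()):
        print(domain, hosts)
```

Note that the census counts only what is visible in the static HTML. Trackers that are loaded by other trackers’ scripts (the usual way the count balloons into the dozens) only show up if you run the page in a real browser and observe the network requests it makes.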
At the same time, breaches of organizations that stockpile personal information are on the rise. Each week there seems to be a new online service, retail chain, or government agency that is penetrated, and as a result the personal information of millions of users is stolen. The security community has grown tired of organizations that offer “free credit monitoring” to the affected users. To many, this is seen as an act of corporate cynicism: failed to protect your customer data? Say ten Ave Marias and carry on as you were.
There appears to be a subculture of corporate executives who refuse to invest adequately in their cyber security until the worst happens. They go cheap, or refuse to exercise any strategic thought on why cyber security should matter to their business. Examples such as Target, Sony, Gemalto, OPM, and Ashley Madison show that many of these organizations were easy targets in the first place. Lapses like these tend to erode trust in the brands. Continuous mishaps and evasive moves will eventually make people skeptical of online commerce and the Internet of Things.
In my presentation I encouraged lawmakers to come up with a way to identify signs of gross negligence in cyber security and to provide competent authorities with the means to pursue cases against such behavior. After-the-fact policing would provide a sufficiently lean mechanism that would not introduce artificially high costs, which would only serve as barriers to entry into the market. Even modest requirements, along with the threat of sanctions, make a difference, because they help bring cyber security onto the C-suite agenda.
Okay, this would take care of sloppy practices. But what about calculated unethical business practices?
Corporate hacking – for profit and market dominance
We here at F-Secure like to think of ourselves as hackers, the good kind of hackers: the kind who get intellectual satisfaction from figuring out ways to use software products (or, for that matter, any product) in ways not originally imagined. That is why hackers love it when Internet routers start reciting Star Wars scripts and old dot-matrix printers or floppy drives play hit tunes.
This is also how security vulnerabilities and hidden, unwanted features have traditionally been found. In the right hands, hacking is a valuable tool and a noble endeavor. We have built our business around the notion of hacking: every day we try to outsmart the criminals and malware writers out there by hacking better than they ever can.
Why did it come as a surprise to us that corporate executives want to play this game too? Let’s take a moment to think about Volkswagen and their still-unfolding fiasco with the US Environmental Protection Agency.
A gallery of cyber security threats. White-collar hackers brought in as a sixth category along the more traditional ones: curious hackers, hacktivists, criminals, governments, and extremists. Photo of Mr. Winterkorn: The Telegraph.
VW determined that achieving low enough emissions on its diesel engines would run against what they perceived customers wanted. They saw that customers are interested in torque, not in meeting strict pollution limits. VW also feared that the emissions target was hard to achieve in a technically sustainable fashion. Committed to passing the regulatory inspections one way or another, they chose to tinker with the vehicle’s software: whenever the onboard computer detected that it was being tested, the engine switched into a “demo mode” in which emissions were cut to one fortieth. After the test, the engine went back to operating normally, polluting our children’s future away.
Let’s be honest: if your organization holds a certification of any sort, I bet someone in it has envisioned ways to fool the inspectors, to hack your way to certified status. Luckily, for most organizations this is just a passing thought that is never actually followed through in real life.
But VW chose to follow that path. The general public might imagine that car hacking was invented by Charlie Miller and Chris Valasek. Instead, an old, established car manufacturer from the heart of Europe decided to build an anti-debugging feature of sorts into its cars: software that recognises when it is being examined and behaves differently, the same trick malware uses to evade analysis sandboxes. They would have been fine continuing to conduct illegal business had they not been exposed.
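The mechanism described above, and the way it gets caught, can be shown in a few lines. The following Python is an added toy model and is not Volkswagen’s code or any real ECU calibration: the drive cycle, the steering-angle “tell” and the emission figures are all constructed for the example. What it demonstrates is the general check an independent tester can apply to any certified device, not just a car: run the certification procedure once exactly as the lab would, once with a perturbation that cannot physically matter, and treat any divergence as evidence that the device is reacting to the test rather than to the world.

```python
# Toy model of a certification-test "defeat device" and the differential test that exposes it.
# Constructed illustration; the numbers and the detection heuristic are hypothetical.

CERT_CYCLE = [0, 10, 25, 40, 40, 25, 10, 0]  # speed trace (km/h) of a hypothetical published test cycle
LEGAL_LIMIT = 1.0                            # emissions normalised so that 1.0 is the regulatory limit

# A trace is a list of (speed_kmh, steering_angle_deg) samples.


def looks_like_audit(trace):
    """The cheating controller's tell: certification runs happen on a dynamometer,
    so the wheels never steer and the speed trace matches the published cycle exactly."""
    speeds = [s for s, _ in trace]
    steering = [a for _, a in trace]
    return all(a == 0 for a in steering) and speeds == CERT_CYCLE


def honest_ecu(trace):
    """One calibration for every situation: emissions per km scale with average speed."""
    avg_speed = sum(s for s, _ in trace) / len(trace)
    return 0.6 + avg_speed / 100  # stays under LEGAL_LIMIT on this cycle


def cheating_ecu(trace):
    """Same engine, but a hidden branch selects a clean 'demo' calibration only when audited."""
    if looks_like_audit(trace):
        return 0.8          # passes with margin
    return 0.8 * 40         # real-world calibration: forty times the demo figure


def differential_test(ecu, tolerance=1.5):
    """Run the cycle twice: once as the lab would, once with tiny steering inputs that
    leave the emissions physics unchanged. A lab/road ratio beyond `tolerance` means
    the controller is responding to the test conditions, not to the driving."""
    lab = [(s, 0) for s in CERT_CYCLE]
    road = [(s, 2 if i % 2 else -2) for i, s in enumerate(CERT_CYCLE)]  # +/-2 degrees of steering
    lab_emissions = ecu(lab)
    road_emissions = ecu(road)
    ratio = road_emissions / lab_emissions
    return {
        "lab": lab_emissions,
        "road": road_emissions,
        "passes_lab": lab_emissions <= LEGAL_LIMIT,
        "ratio": ratio,
        "defeat_device": ratio > tolerance,
    }


if __name__ == "__main__":
    for name, ecu in (("honest", honest_ecu), ("cheating", cheating_ecu)):
        print(name, differential_test(ecu))
```

Both controllers pass the lab run; only the road run separates them. That is exactly why accepting manufacturer-supplied figures at face value is insufficient, and why the test conditions an auditor uses should not be perfectly predictable to the device under test.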
Is it plausible that Volkswagen was the only one? What about aircraft? Trains? Television sets that spend more time watching people than people spend watching TV? Is there a way to force more of these cases into public scrutiny? Let’s look at how some previous cases of white-collar hacking were spotted:
Remember Sony BMG and their rootkit-laden CDs? That was discovered accidentally by a curious, yet world-class, hacker. Should we expect security researchers to buy the products themselves and stumble upon findings like this? That would leave Learjets and most factory-floor automation out of scope, you’d presume.
Ever suspected that your personal data is not deleted after you delete your user profile? In the case of Ashley Madison we now know it happens, thanks to an anonymous group of hackers that broke into their network, stole all their secrets and laid them out on the Internet for everybody and their cousins to see. Hardly a sustainable solution, is it?
Lenovo has repeatedly (here, here, and here) been suspected of, and even caught, installing backdoors and questionable tracking software in their laptops. These were found by hackers already suspicious of the pre-installed bloatware (or ‘crapware’) that comes with laptops. Why should it always be the lone end user who has to carry the burden of finding these things out?
Now we need to add Volkswagen to the list for rigging their software to cheat the US Environmental Protection Agency. Aren’t we lucky that the activists chose to examine what was really taking place? Why were the authorities content to accept figures provided by the manufacturers at face value?
A European solution?
My suggestion for the lawmakers? The EU should actively promote security research and reward responsible disclosure. There should be an absolutely minimal level of administrative burden for the majority of law-abiding businesses, especially given that European companies are, generally speaking, smaller than their American or Chinese competitors. However, the risk of sanctions should be high enough to make even the most cynical business executive back away from engaging in unfair hacks.
Existing agencies such as ENISA and the JRC can provide in-house talent and coordination. The actual task of finding security problems in software can be funneled through EU-wide funding and procurement processes that are open to the private sector.
There is a chance for the EU to gain some moral high ground by refusing to stockpile zero-day vulnerabilities, and instead communicating software vulnerabilities to vendors through responsible disclosure and taking instances of misconduct to the relevant oversight bodies for litigation.