A Geneva convention, for Software

The anti-pattern “X for Y” is a sketchy way to start any tech think piece, and with “cyber” stories guaranteeing eyeballs, you’re already tired of the many horrible articles predicting a “Digital Pearl Harbour” or “cyber Armageddon”. In this case however, we believe this article’s title fits and are going to run with it. (Ed’s note: So did all the other authors!)


The past 10 years have made it clear that the internet (both the software that powers it and the software that runs on top of it) is fair game for attackers. The past 5 years have made it clear that nobody has internalized this message as well as the global Intelligence Community. The Snowden leaks pulled back the curtains on massive Five Eyes efforts in this regard, from muted deals with Internet behemoths, to amusing grab-all efforts like grabbing still images from Yahoo webcam chats(1).


In response to these revelations, a bunch of us predicted a creeping Balkanization of the Internet, as more people became acutely aware of their dependence on a single country for all their software and digital services. Two incidents in the last two months have caused these thoughts to resurface: the NotPetya worm (2), and the accusations against Kaspersky AV.


To quickly recap NotPetya: a mundane accounting package called M.E.Doc with wide adoption (in Ukraine) was abused to infect victims. Worms and viruses are a dime a dozen, but a few things made NotPetya stand out. For starters, it used an infection vector repurposed from an NSA leak, it seemed to target Ukraine pretty specifically, and it had tangible side effects in the real world (Maersk shipping company reported a loss of up to $200 million due to NotPetya (3)). What interested us most about NotPetya however was its infection vector. Having compromised the wide open servers of M.E.Doc, the attackers proceeded to build a malicious update for the accounting package. This update was then automatically downloaded and applied by thousands of clients. Auto-updates are common at this point, and considered good security hygiene, so it’s an interesting twist when the update itself becomes the attack vector.


The Kaspersky saga also touched on “evil updates” tangentially. While many in the US Intelligence Community have long looked down on a Russian AntiVirus company gaining popularity in the US, Kaspersky has routinely performed well enough to gain considerable market share. This came to a head in September this year when the US Dept. of Homeland Security (DHS) issued a directive for all US governmental departments to remove Kaspersky software from their computers (4). In the days that followed, a more intriguing narrative emerged. According to various sources, an NSA employee who was working on exploitation and attack tooling took some of his work home, where his home computer (running Kaspersky software) proceeded to slurp up his “tagged” files.


Like most things infosec, this has kicked off a distracting sub-drama involving Israeli, Russian and American cyber-spooks. Kaspersky defenders have come out calling the claims outrageous, Kaspersky detractors claim that their collusion with Russian intelligence is obvious, and some timid voices have remained non-committal while waiting for more proof. We are going to ignore this part of the drama completely.


What we _do_ care about though is the possibility that updates can be abused to further nation state interests. The American claim that Russian Intelligence was pushing updates selectively to some of its users (turning their software into a massive, distributed spying tool) is completely feasible from a technical standpoint. Kaspersky has responded by publishing a plan for improved transparency, which may or may not maintain their standing with the general public. But that ignores the obvious fact that as with any software that operates at that level, a “non-malicious” system is just one update away from being “malicious”. The anti-Kasperskians are quick to point out that even if Kaspersky has been innocent until now, they could well turn malicious tomorrow (with pressure from the GRU) and that any assurances given by Kaspersky are dependent on them being “good” instead of being technical controls.


For us, as relative non-combatants in this war, the irony is biting. The same (mostly American) voices who are quick to float the idea of the GRU co-opting bad behaviour in Russian companies claim that US-based companies would never succumb to US IC pressure, because of the threat to their industry position should it come out. There is no technical control that’s different in the two cases; US defenders are betting that the US IC will do the “right thing”, not only today but also far into the future. This naturally leads to an important question: do the same rules apply if the US is officially (or unofficially) at war with another nation?


In the Second World War, Germany nationalized English assets located in Germany, and the British did likewise. It makes perfect sense and will probably happen during future conflicts too. But computers and the Internet change this. In a fictitious war between the USA and Germany, the Germans could take over every Microsoft campus in the country, but it wouldn’t protect their Windows machines from a single malicious update propagated from Redmond. The more you think about this, the scarier it gets. A single malicious update pushed from Seattle could cripple huge pieces of almost every government worldwide. What prevents this? Certainly not technical controls. [Footnote: Unless you build a national OS like North Korea did, https://en.wikipedia.org/wiki/Red_Star_OS].


This situation is without precedent. That a small number of vendors have the capacity to remotely shut down government infrastructure, or vacuum up secret documents, is almost too scary to wrap your head around. And that’s without pondering how likely they are to be pressured by their governments. In the face of future conflict, is the first step going to be disabling auto-updates for software from that country?


This bodes badly for us all; the internet is healthier when everyone auto-updates. When eco-systems delay patching, we are all provably worse off. (When patching is painful, botnets like Mirai take out innocent netizens with 620 Gbit/s of traffic (5)). Even just the possibility leads us to a dark place. South Korea owns about 30% of the phone market in the USA (and supplies components in almost all of them). Chinese factories build hardware and ship firmware in devices we rely on daily. Like it or not, we are all dependent on these countries behaving as good international citizens but have very little in terms of a carrot or a stick to encourage “good behavior”.


It gets even worse for smaller countries. A type of mutually assured technology destruction might exist between China and the USA, but what happens when you are South Africa? You don’t have a dog in that fight. You shovel millions and millions of dollars to foreign corporations and you hope like hell that it’s never held against you. South Africa doesn’t have the bargaining power to enforce good behavior, and neither does Argentina, or Spain, but together, we may.


An agreement between all participating countries can be drawn up, where a country commits to not using its influence over a local software company to negatively affect other signatories. Countries found violating this principle risk repercussions from all member countries for all software produced by the country. In this way, any Intelligence Agency that seeks to abuse influence over a single company’s software risks all software produced by that country with all member countries. This creates a shared stick that keeps everyone safer.


This clearly isn’t a silver bullet. An intelligence agency may still break into software companies to backdoor their software, and probably will. They just can’t do it with the company’s cooperation. Countries will have a central arbitrator (like the International Court of Justice) that will field cases to determine if IC machinations were done with or without the consent of the software company, and like the Geneva convention would still be enforceable during times of conflict or war.

Software companies have grown rich by selling to countries all over the world. Software (and the Internet) have become massive shared resources that countries the world over are dependent on. Even if they do not produce enough globally distributed software to have a seat at the table, all countries deserve the comfort of knowing that the software they purchase won’t be used against them. The case against Kaspersky makes it clear that the USA acknowledges this as a credible threat and is taking steps to protect itself. A global agreement protects the rest of us too.
