Global Information Society Watch 2014
Communications surveillance in the digital age

This report was originally published as part of a larger compilation, which can be downloaded from GISWatch.org

Association for Progressive Communications (APC) and Humanist Institute for Cooperation with Developing Countries (Hivos)
ISBN: 978-92-95102-16-3
APC-201408-CIPP-R-EN-DIGITAL-207
Creative Commons Attribution 3.0 Licence <creativecommons.org/licenses/by-nc-nd/3.0>

Cyber security, civil society and vulnerability in an age of communications surveillance

Alex Comninos and Gareth Seneque
Justus-Liebig University Giessen and Geist Consulting [1]
Comninos.org

Introduction

Cyber security is increasingly important to internet users, including stakeholders in governments, the private sector and civil society. As internet users increase, so does the amount of malware,[2] fuelled by ubiquitous smartphones and social networking applications offering new vectors for infection. Botnets – networks of infected devices controlled by malicious operators – are used as proxies to commit criminal acts including fraud and identity or data theft. According to the antivirus company Symantec, in 2013 data breach incidents resulted in the exposure of 552 million personal identities.[3] In May 2014, eBay announced that hackers had gained access to the personal data of 145 million customers and urged all customers to change their passwords.[4] Infrastructures connected to the internet, such as power grids, are also vulnerable, and severely lacking security updates. A growing “internet of things”, which includes ubiquitous devices from sensors in homes and cars to medical technology, presents a plethora of new vulnerabilities to cyber security incidents.

Increasingly, states are establishing military “cyber units” or “cyber commands”, many of which have offensive hacking capabilities.[5] Michael Hayden, a former director of both the CIA and the National Security Agency (NSA) has stated that Stuxnet, a state-sponsored computer worm discovered in 2011 and designed to attack and incapacitate nuclear reactors in the Natanz facility in Iran, marked “the crossing of the Rubicon” (a point of no return)[6] for the use of state-sponsored malware. A number of similar worms, some of which have implemented Stuxnet’s source code, have arisen.[7]

Civil society organisations and human rights defenders are becoming victims of surveillance software. Some of this software is sold to law enforcement and intelligence agencies in repressive regimes. “Remote Access Trojans” can be bought both legally and on the black market, as well as downloaded for free, and are used to control mobile devices, laptops and computers remotely, capturing all the information input/viewed by the user. Such software has been used to target activists in Bahrain and Syria.[8]

Edward Snowden’s disclosures of documentary evidence regarding mass surveillance by the NSA, Government Communications Headquarters (GCHQ) in the United Kingdom, and other intelligence agencies of the “Five Eyes”[9] countries have shown just how vulnerable the average netizen’s communications are to interception and surveillance. The disclosures have also demonstrated how surveillance activities can negatively affect the cyber security of all internet users.

It is tempting to think that more “cyber security” would be a means of countering the global privacy invasion caused by mass surveillance. However, cyber security discourse is dominated by states and corporations and focuses mainly on their security, rather than the security of civil society and of internet users. Civil society needs a vision of cyber security that puts the digital security of internet users at the centre of its focus. Attaining cyber security that protects human rights, including the right to privacy, while also ensuring an open and secure internet, will not be possible unless dominant discourses on cyber security radically change.

The problems with “cyber security”

The term “cyber security” often lacks clear definition. It is used as an umbrella concept covering a range of threats and responses[10] involving national infrastructure, internet infrastructure, applications and software, and users. Sometimes it is even used to refer to the stability of the state and political structures. The inexact terminology of cyber security “mixes legitimate and illegitimate concerns and conflates different types and levels of risk.” This “prevents genuine objective scrutiny, and inevitably leads to responses which are wide-ranging and can easily be misused or abused.”[11] Cyber security not only leads to overly broad powers being given to the state, it also “risks generating a consensus that is illusory” and not useful for the problems at hand.[12] We need to carefully unpack the relevant issues and develop “a clear vocabulary of cyber security threats and responses,” so as to enable “targeted, effective, and rights-respecting policies.”[13] If we do not, cyber security can be used by governments as a justification to censor, control or surveil internet use.

Viewing cyber security as an issue of national security is perilous and unhelpful. We should distinguish between, and not conflate, on the one hand, protecting computers, networks and information, and on the other hand using technological tools to achieve security objectives. Using “cyberspace as a tool for national security, both in the dimension of war fighting and the dimension of mass surveillance, has detrimental effects on the level of cyber security globally.”[14] When cyber security is framed as a national security issue, issues regarding technology and the internet are securitised – brought onto the security agendas of states. This may be counter-productive. The state, law enforcement, military and intelligence agencies may not have the best skills or knowledge for the job. State actors may have a conflict of interest in securing information: militaries, for example, may want to develop offensive weapons, while intelligence agencies may rely on breaking or circumventing information insecurity in order to surveil better. Cyber security may also be used to protect state secrets, and criminalise whistleblowers as cyber security threats. Focusing on the state and “its” security, “crowds out consideration for the security of the individual citizen, with detrimental effects on the security of the whole system.”[15]

Cyber security often disproportionately focuses on the protection of information, databases, devices, assets and infrastructures connected to the internet, rather than on the protection of connected users. Technological infrastructures and the assets of corporations are put at the centre of analysis, rather than human beings. Human beings are seen as a threat in the form of bad “hackers” or as a weak link in information systems, making mistakes and responding to phishing or “social engineering” attacks.[16] Putting humans at the centre of cyber security is important. A definition of cyber security as purely protecting information avoids ethical challenges. Cyber security should not protect some people’s information at the expense of others. It should also not protect information about state secrets in order to enable mass surveillance and privacy invasion of individual users.

Cyber security and vulnerability

Cyber security discourse should focus more on information security vulnerabilities, rather than on threats and responses. This focus would help to delineate what constitutes a cyber security issue, avoid cyber security escalating to a counter-productive national security issue, and place a practical focus on the protection of all internet users.

A security vulnerability, also called a “bug”, is a piece of software code that contains an error or weakness that could allow a hacker to compromise the integrity, availability or confidentiality of information contained, managed or accessed by that software.[17] When a vulnerability is discovered, a malicious hacker may make an “exploit”[18] in order

[1] Alex Comninos is a doctoral candidate in the Department of Geography at Justus-Liebig University Giessen; Gareth Seneque is a Unix architect at Geist Consulting.
[2] Malware is malicious software that includes viruses, Trojan horses and spyware.
[3] Symantec 2014 Internet Security Threat Report, Volume 19. www.symantec.com/security_response/publications/threatreport.jsp
[4] Perlroth, N. (2014, May 21). eBay Urges New Passwords After Breach. New York Times. www.nytimes.com/2014/05/22/technology/ebay-reports-attack-on-its-computer-network.html
[5] Comninos, A. (2013). A cyber security agenda for civil society: What is at stake? Johannesburg: APC. www.apc.org/en/node/17320
[6] Healy, J. (2013, April 16). Stuxnet and the Dawn of Algorithmic Warfare. The Huffington Post. www.huffingtonpost.com/jason-healey/stuxnet-cyberwarfare_b_3091274.html
[7] Bencsáth, B. (2012). Duqu, Flame, Gauss: Followers of Stuxnet. Presentation at the RSA Conference Europe 2012, Amsterdam, the Netherlands, 10 October. www.rsaconference.com/writable/presentations/file_upload/br-208_bencsath.pdf
[8] McMillan, R. (2011, August 7). How the Boy Next Door Accidentally Built a Syrian Spy Tool. Wired. www.wired.com/wiredenterprise/2012/07/dark-comet-syrian-spy-tool
[9] The “Five Eyes” countries are Australia, Canada, New Zealand, the United Kingdom and the United States, which are part of a multilateral agreement on cooperation in signals intelligence.
[10] Center for Democracy and Technology.