30 November 2014

Computer spying Attack of the cybermen

Nov 29th 2014 

Sophisticated viruses will be the workhorses of 21st-century spying. But there should be rules


IF ASKED why they spied on the computers of their rivals (and allies), the authors of Regin, a sophisticated computer virus that seems to have been designed by a Western government, would presumably echo the proverbial bank robber, and reply “because that’s where the secrets are”.

As the world has gone digital, spying has, too. Regin is just the latest in a trend that first came to public notice in 2010, when a piece of American and Israeli software called Stuxnet was revealed to have been responsible for sabotaging part of Iran’s nuclear programme. Since then have come Flame, Red October, DarkHotel and others (see article); more surely lurk undiscovered in the world’s networks. But unlike the indiscriminate surveillance revealed by Edward Snowden, these chunks of malware seem, like traditional spying, to be targeted at specific governments or even individuals.

For spies, such digital espionage has advantages over the shoe-leather sort. Computers are stuffed with data that can be copied and beamed around the world in seconds—so much easier than fiddling with microdots or smuggling sensitive documents past guards. The more complicated computer operating systems get, the more riddled they are with unnoticed security holes. Staying safe means plugging them all; an attacker need only keep trying until a single one gives way.

Computer espionage is usefully deniable, too: if programmers are careful it is hard to know who is behind an attack. (There are hints that Regin might be British—not least that one of its modules seems to be called “LEGSPIN”, a cricketing term. British spooks refuse to comment.) And it can be conducted from comfortable armchairs thousands of miles from the target, with no need to put human agents in harm’s way.

But cyber-spying raises two tricky issues. One is that the low cost of gathering information this way may encourage more of it, and a Hobbesian world of spiralling espionage would be bad for everybody. What’s more, since there is no sharp distinction between digital spying tools and weapons—Stuxnet, for instance, damaged systems as well as stealing secrets—there is a danger that the greater ease of attacking an enemy’s digital assets means that governments will make war on each other with greater abandon. There is a close parallel with drone warfare, which is similarly cheaper and less risky than its flesh-and-blood counterpart.

This is an argument for governments to be selective about how they use cyber-weapons not to withdraw them. Although cyber-weapons may lower the threshold for attacks, they don’t (yet) kill or maim people. If the choice is between a missile and a cyber-weapon, the latter is preferable.

Working for Main Street, not M

The other problem with cyber-weapons is that they encourage economic spying of a sort that has less to do with national security than corporate profits. The West has long complained that the Chinese and Russians help themselves to industrial secrets. But it is not clear that the West’s record is spotless: files leaked by Mr Snowden also suggest that American spies were keenly interested in Petrobras, Brazil’s state-controlled oil firm.

Here, the question is one of motives. It would be surprising if the West were not spying on Gazprom, for instance, which acts as an arm of the Russian state. But spying on foreign firms to help your own is merely another way of ignoring the intellectual property rules that underlie technological prosperity. Governments should not do it.

Cyber-warfare is an unruly business, where rules will be flouted. But it needs them. Cyber-warriors should remember that what they do to others will be done in turn to them.

No comments: