An explication of a Cyber-Warfare article in a national newspaper

Recently I was asked to comment on the ‘Flame’ malware by a journalist of a large Dutch newspaper (Volkskrant, June 1st 2012, Economie, pg. 22 “Bedreiging voor overheden en bedrijven”). Because of the readership, the space-constraints and of course the level of technobabble, my ‘contribution’ was shortened to an ominous warning that not just nation states should be worried, but companies as well.
While there is nothing wrong with that, I still feel it is necessary to explicate on that specific part.

In the era before the ‘Internet of things’, getting enough ‘dirt’ on someone to be able to blackmail them successfully consisted of a lot of physical work and physical proximity (photos, print-outs in dumpsters, tracking etc.).

Next came the social networks and we got a few gaffes there, but nothing really scary yet. After all, the people who wield enough power that it matters are either digitally illiterate or possess enough common sense not to post any dumb things, or both.

Then came the iPhone and its bewildering array of sensors. And the slew of competitors that followed.

And finally now there is ‘the cloud’, and its forced use of the ‘Internet of things’.

It has been shown in various scientific publications that companies like Google or Facebook (and in all likelihood Apple and Microsoft as well) can tell more about you than you can tell about yourself.

To be honest, this should not surprise people, since that is what science has been doing for centuries: observing evidence of events and then theorizing and proving that the events have to be this or that, otherwise the evidence could not have been such and so.

At this point in time the social networks, the advertising networks, the app-stores and cloud providers have such detailed information about a person that they can almost completely model someone. And while modeling a person at this time would take quite some computing power, that does not mean it cannot be done. The event is you, the evidence is your digital trail.

And not participating in social networks is not enough; probably at this very moment your mobile phone is contacting WhatsApp, Spotify, Facebook or one of any number of ‘cloud services’ and leaving a trail (the IP you are from, the size of data going back and forth, the frequency it contacts specific services, the time it goes on/off, the combination with frequencies used by the cell-tower etc.). After configuring your mobile phone and installing apps on it, it will be a sort of fingerprint for you specifically.

But it does not stop there… your phone may have its Bluetooth turned on, giving a more precise location (without really connecting, it just broadcasts or responds to inquiries) to computers in the vicinity.

NFC-enabled phones will positively identify you purchasing goods, adding to your digital evidence, and the location trail (either by cell-tower or public WiFi) will show what you did with your purchases (like, ‘did you really buy that box of chocolates for your partner?’).

Now, I am absolutely pro-technology, but I hate the apathy with which people (ab)use it.

Coming back to Flame and Duqu and Stuxnet… while these efforts may seem large and costly and the domain of nation states, this same idea existed until not very long ago about space transport. At the time of writing this, NASA is considering using a private contractor for doing all the surface-to-orbit logistics. This change happened within 50 years.

So we have all these people that need to be as incorruptible as possible (presidents, CEOs, security officers (nobody keeps track of their private lives, ever noticed that?), prime ministers, defense secretaries, bank managers etc.) and they usually have good physical protection by security companies, drive around in bullet-proof vehicles and have veritable fortresses for homes and/or offices.

But what worries me is that these people are bulletproof in physical reality, but they can get shot to pieces in no time in Cyberspace. Almost no security company has a decent(!) cyber-security department. They never analyze the apps their client installs, they never check his/her laptop or their client’s children’s devices…

Maybe they have an anti-malware product installed, like McAfee or Kaspersky, but those are just the equivalent of wearable security; they are no protection against a directed cyber-attack on a specific person. Basically, they are like wearing a bullet-proof and stab-proof vest when someone aims a guided missile at you.

I really think that, just to be sure no criminal organization can manipulate the people that are at the helms of our societies (asking a bank director to launder millions, having a minister of defense sell army surplus to shady groups etc.), the people that protect VIPs (or any other ‘personal security’ companies) really must add a good cyber-department that informs, scrutinizes and defends their clients in Cyberspace as much as their gun-carrying counterparts do in physical space.

This article was updated on August 24, 2023