How Much Security Technology is Ending up in the Hands of Those We'd Rather it Not?
Once again, specialized security technology from a western vendor was found being used by foreign regime on the U.S. trade embargo list. This most recent incident involves Blue Coat Systems and Syria.
It’s no secret that many states and nations are censoring and monitoring the Internet. Many of these governments are considered authoritarian regimes, often times with trade restrictions and other sanctions against them.
The intent, morality and effectiveness aside, it should be obvious to anyone with more than a passing familiarity with the topic, that most of these censorship programs will be based on proprietary, enterprise hardware and solutions. It is not that impossible to build your own nationwide filtering solution. But it is impractical and requires a lot of know-how and skill. Knowledge and skill that is primarily to be found in the west, and requiring resources that few but the likes of China and Saudi Arabia possess.
The big fat elephant in the room has always been, “How, and what with?” That is the question we should be asking ourselves. Whether knowingly, or by subterfuge as Blue Coat have claimed, there must be many more instances of this out there than we currently know about. How many services and devices are actually being used by people we would rather not have these abilities at their fingertips? How long until they are used against us, even if indirectly?
At which point do we have to stop looking at Information Security as a market, and begin viewing it as a matter of defense and (inter)national security?
We have long passed that point. The specific devices in this incident were used to suppress and monitor dissident activity in Syria, possibly leading to their arrest and physical harm. Similarly, and also in recent news, the compromise of the Certificate Authority Diginotar endangered Iranian dissidents and Opposition members.
In the wrong hands, security solutions can turn into weapons or tools of slavery and oppression. The people usually involved in deciding in whose hands these tools end up, are sadly often torn between conflicting interests, like sales targets. But there should be a level of responsibility involved that does not begin and end with a sales order. These are after all meant to be “Security” companies, and security competence and mindedness should not be solely contained only in the service you are offering.
Taking the Blue Coat incident as an example, and basing this on my several years experience with software vendors, these devices require support, maintenance and database updates. Surely there should have been a point somewhere along the line where Blue Coat could have got suspicious? Why are the locations of IP's used to update these devices not verified? Blue Coat Systems told the Wall Street Journal that the appliances were transmitting automatic status messages back to the company as the devices censored the Syrian Web, but said it “doesn't monitor where such 'heartbeat' messages originate from.” There was plenty that could have been done to prevent this happening in the first place, or to find out in the meantime. But that is a cost that cuts into the bottom line and brings no profit.
This has stopped being a game, or just a “business”. It has become deadly serious. In the past decade, the threat landscape has evolved and mutated into a full-blown battlefield. Ten years ago, the biggest danger to an organization's information security were teenagers and disgruntled employees. Now we are facing hardened criminal gangs, fanatical terrorists and highly proficient and skilled special ops agents.
We sell, provide and manage services that in any other context would be left to soldiers, policemen, or intelligence agencies. But we do not yet treat it that way. We are treating it like any other business, focusing more on sales targets than on defence targets, without really assessing the impact and consequences this has.
We sell security; Instead we should be providing Security.
We get it enough to pitch it. We get it enough to use it in our marketing. We get it enough to write articles on it.
Why don't we get it enough to act on it? Do we also need to be regulated?
Quis custodiet ipsos custodes? Who watches the watchers indeed.
Related Reading: 'Internet Kill Switch' - Is this Technically Feasible in the US?