The Role of Governments in Cyber Security - A Double-Edged Sword

As the governments of the world work to establish the right balance between control and freedom, it has proven to be a double-edged sword.

In politics and warfare, there are many so-called “doctrines.” There are several famous ones, such as the Powell Doctrine, Bush Doctrine and Reagan Doctrine. Has a cyber security doctrine emerged? In these past weeks, the topic of much of the security talk is Obama’s cyber security legislative proposal. According to cyber-czar Howard Schmidt, “this is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government.” While it’s too early to call it a doctrine, there is a need to ensure a safe online environment for the nation’s citizens. So far, we have seen governments around the globe adopt very different approaches to how citizens engage online. Sometimes it has proven to be a double-edged sword.

Doctrine #1: Cyber Suppression of Cyber-Riots

Two years ago, a contentious presidential election in Iran sparked a wave of protest and government crackdowns that ultimately left scores of people dead. In years past, the rallying cries of such protests may have come in the form of a bullhorn, but in the age of social media, that bullhorn has taken on a new form: Twitter.

Along with Facebook, Twitter emerged as a major news outlet, reporting the rioting as well as the government’s forceful reaction via real-time updates. It was a cyber-battle for control over the flow of information, one where a multitude of self-made reporters and frustrated citizens could vent their sentiments to the world. But the Iranian government was not without weapons of its own, and it countered the growth of citizen journalism with one simple maneuver – blocking all of the country’s access to Twitter and Facebook.

In effect, Iran conducted a political, state-sponsored cyber-attack. A nation-backed attack?! I think we’ve heard that one before - Advanced Persistent Threat (APT).

Doctrine #2: APT for Cyber Repression

A few months later, the term APT suddenly became one of the most common terms circulating in the security industry. Awareness of the term could be attributed to Google’s statement, released early last year, that its infrastructure had been targeted by attackers originating from China. The attackers got away with Google’s intellectual property, but even more noteworthy was Google’s speculation “that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.” The Great Firewall of China is nothing new. But having an active adversary from within was the game-changer. It is also noteworthy that Google’s market share in China has dropped dramatically, putting Google in the unusual position of not being the market leader.

Another example comes from Tunisia. Anonymous – a "hacktivist" group known for DDoSing companies that severed ties with WikiLeaks – began its political cyber-protests against Tunisia by targeting government-controlled websites. These particular DDoS attacks were tied to WikiLeaks’ publication of information about government corruption.

As more and more cables were released focusing on the corrupt leaders, the first “WikiLeaks Revolution” took place. In response to the use of social media to spread information and rally protestors, the government tightened its grip on the Internet. The country modified all login requests from within the country to Gmail, Yahoo! and Facebook accounts to allow interception. Although the country controls all the ISPs, login credentials to these applications are sent in encrypted form, which prevents Tunisia from simply eavesdropping. Tunisia worked around this obstacle by hacking its own citizens: since the login page itself was not served encrypted, the Tunisian government was able to inject JavaScript code into these applications’ login pages. That extra piece of code caused all credentials to be re-routed to a Tunisian-controlled site.

Syria launched a “Nation-in-the-Middle” attack as well, as it sought to intercept Facebook communications. Unlike Tunisia, though, the Syrian government faced problems because the login page was already protected with the SSL protocol (i.e. using HTTPS), which both encrypts the transport and ensures that the server is who it claims to be and that the communications are not tampered with. The protocol achieves this by having the server present its own digital certificate, which must be signed by a Certificate Authority (CA) that the browser trusts. The browser validates this certificate automatically, and a user does not even realize what occurs behind the scenes.

In Syria’s case, the government created a certificate signed by an unknown CA. Syrian Facebook users were most likely greeted first by a browser warning, but the government relied on the fact that most would just click the ignore button and proceed to the website. Most likely they achieved their goal – after all, how many times have users received similar errors on expired certificates, yet dismissed those announcements as annoying browser requests?
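The check the browser performs behind the scenes, shown as an added Go example (not code from the original column): two CAs are constructed in memory, the client's trust store holds only one of them, and a server certificate issued by each is validated for the host being visited. The CA names and the host `login.example.com` are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and a certificate for name, signed by parent/parentKey;
// a nil parent yields a self-signed CA. All material is constructed in memory.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{name},
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage, tmpl.DNSNames = true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// scenario issues a certificate for host from the trusted CA or from an unknown CA and returns what the client's validation reports.
func scenario(host string, issuerTrusted bool) error {
	trustedCA, trustedKey := issue("Trusted Root CA", nil, nil)
	issuerCA, issuerKey := issue("Unknown CA", nil, nil) // a CA the client has never heard of
	if issuerTrusted {
		issuerCA, issuerKey = trustedCA, trustedKey
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // the client's trust store holds only the real root
	leaf, _ := issue(host, issuerCA, issuerKey)
	// What the browser does behind the scenes: chain to a trusted root and check the host name.
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	fmt.Println("genuine:", scenario("login.example.com", true))  // <nil>
	fmt.Println("forged: ", scenario("login.example.com", false)) // x509: certificate signed by unknown authority
}
```

The second result is exactly the failure behind the browser warning the column describes; a client that lets the user click past it has thrown away the authentication half of HTTPS.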

Doctrine #3: Keep a Cyber Kill Switch

After the overthrow of former Tunisian President Zine El Abidine Ben Ali, Egypt began to experience unrest of its own. Once again, social media served as a rallying point for protestors. As riots raged on the streets of Cairo, the Egyptian government retaliated against its citizens and disconnected them from social networks. As the demonstrations escalated, Egypt disconnected the Internet in the country. Libya, the next in line, followed Egypt’s example and took its country offline as well.

Internet Censorship in Democratic Countries?

All this leads us to wonder whether countries that are not led by dictators can perform similar acts of Internet censorship. Shutting down the Internet would probably be harder in these countries than in Egypt, for example, due to the multitude of independent Internet service providers (ISPs). However, given sufficient legal authority, the major ISPs can be instructed to shut down their equipment. Alternatively, governments, through their agencies, may already have "sleepers" placed inside major ISPs who perform the necessary sabotage upon command. The US debate regarding the prospect of an “Internet kill switch” that would allow the president to virtually shut down the Internet has raised this issue and indicates that the US government (through its agencies) has these capabilities.


We usually think of the term APT as an attack form against a specific targeted nation or company as opposed to a government-led attack against its own citizenry. Yet all the above examples show these to be Advanced (i.e. re-routing Facebook), Persistent (ultimately, if some attacks don’t work, the country takes itself offline), Threats (control of the citizens).

As the governments of the world work to establish the right balance between control and freedom, they also need to work to develop strategies for dealing with cyber-crime. Stay tuned for my next column in which I’ll discuss the state of the nation… and cyber-security.

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists, with previous columns focusing on trends in the threat landscape. Her current interests lie on the business side of security. Noa has worked for Imperva as a Sr. Security Strategist and, before that, as a Sr. Security Researcher. She holds a Master’s in Computer Science (specializing in information security) from Tel-Aviv University.