Who Watches the Watchers?

How Much Security Technology is Ending up in the Hands of Those We’d Rather it Not?

Once again, specialized security technology from a western vendor was found being used by a foreign regime on the U.S. trade embargo list. This most recent incident involves Blue Coat Systems and Syria.

It’s no secret that many states and nations are censoring and monitoring the Internet. Many of these governments are considered authoritarian regimes, often with trade restrictions and other sanctions against them.

The intent, morality and effectiveness aside, it should be obvious to anyone with more than a passing familiarity with the topic that most of these censorship programs will be based on proprietary, enterprise hardware and solutions. It is not impossible to build your own nationwide filtering solution. But it is impractical and requires a lot of know-how and skill. Knowledge and skill that is primarily to be found in the west, and requiring resources that few but the likes of China and Saudi Arabia possess.

The big fat elephant in the room has always been, “How, and what with?” That is the question we should be asking ourselves. Whether knowingly, or by subterfuge as Blue Coat have claimed, there must be many more instances of this out there than we currently know about. How many services and devices are actually being used by people we would rather not have these abilities at their fingertips? How long until they are used against us, even if indirectly?

At which point do we have to stop looking at Information Security as a market, and begin viewing it as a matter of defense and (inter)national security?

We have long passed that point. The specific devices in this incident were used to suppress and monitor dissident activity in Syria, possibly leading to the arrest and physical harm of dissidents. Similarly, and also in recent news, the compromise of the Certificate Authority DigiNotar endangered Iranian dissidents and Opposition members.

In the wrong hands, security solutions can turn into weapons or tools of slavery and oppression. The people usually involved in deciding in whose hands these tools end up are sadly often torn between conflicting interests, like sales targets. But there should be a level of responsibility involved that does not begin and end with a sales order. These are after all meant to be “Security” companies, and security competence and mindedness should not be contained only in the service you are offering.

Taking the Blue Coat incident as an example, and basing this on my several years’ experience with software vendors, these devices require support, maintenance and database updates. Surely there should have been a point somewhere along the line where Blue Coat could have got suspicious? Why are the locations of IPs used to update these devices not verified? Blue Coat Systems told the Wall Street Journal that the appliances were transmitting automatic status messages back to the company as the devices censored the Syrian Web, but said it “doesn’t monitor where such ‘heartbeat’ messages originate from.” There was plenty that could have been done to prevent this happening in the first place, or to find out in the meantime. But that is a cost that cuts into the bottom line and brings no profit.

This has stopped being a game, or just a “business”. It has become deadly serious. In the past decade, the threat landscape has evolved and mutated into a full-blown battlefield. Ten years ago, the biggest dangers to an organization’s information security were teenagers and disgruntled employees. Now we are facing hardened criminal gangs, fanatical terrorists and highly proficient and skilled special ops agents.

We sell, provide and manage services that in any other context would be left to soldiers, policemen, or intelligence agencies. But we do not yet treat it that way. We are treating it like any other business, focusing more on sales targets than on defence targets, without really assessing the impact and consequences this has.

We sell security; instead we should be providing Security.

We get it enough to pitch it. We get it enough to use it in our marketing. We get it enough to write articles on it.

Why don’t we get it enough to act on it? Do we also need to be regulated?

Quis custodiet ipsos custodes? Who watches the watchers indeed.

Written By

Oliver has worked as a penetration tester, consultant, researcher, and industry analyst. He has been interviewed, cited, and quoted by media, think tanks, and academia for his research. Oliver has worked for companies such as Qualys, Verizon, Tenable, and Gartner. At Gartner he covered Security Operations topics like SIEM, and co-named SOAR. He is the Chief Futurist for Tenzir, working on the next generation of data engineering tools for security.
