The US agency responsible for keeping America ‘safe’ has been hacked by a group called Shadow Brokers, who harvested unlimited packages of code to re-purpose for cyber terrorism. The first related incident to make headlines was the subsequent attack on British NHS systems using the ransomware entitled ‘WannaCry’.
Thankfully, enough professionals from an older, computer-less era took charge, keeping most of the health service running by re-instating a paper-based system until IT specialists could clean up the mess. This feels very much like a warning shot. The incident could have been much worse, with far greater fatalities. Who knows what and whose medical data were compromised during the attack?
The National Security Agency, in the US, claim that they are unsure as to what else was taken or how it might be used. Tim Stevens at King’s College London says, “The US is battling a rear-guard action with respect to its reputation.”
Why haven’t they been taken to task over this glaring, potentially catastrophic failing in security? Why are UK agencies vulnerable to a systemic failure in the protection of US resources? The answer is simple. For many years now, surveillance agencies from the US and the UK (I hesitate to call them Intelligence Agencies) have spied on each other’s civilians in order to circumvent legislation. We Brits provide the majority of intel regarding those on US soil and vice versa. Consequently, their failings leave us exposed.
One positive outcome, though, has been a unilateral agreement over an open dialogue among NATO members regarding cyberthreats. NATO has requested contributions of cyber-capabilities alongside military hardware such as tanks and aircraft, but governments tread a very dangerous path in the exploitation of coding flaws. Disclosure to software giants such as Microsoft allows the company time to patch the faults. By protecting their clients, the companies restrict government agencies from exploiting those flaws for national security. This balance between security and client privacy and protection has led to those agencies forming a panel to decide which software flaws are disclosed, allowing them to retain the ability to spy on us all unchallenged.
Edward Snowden has criticised this legislative loophole, saying “The public harm of maintaining ten high security flaws, far outweighs the benefit of disclosing ninety low security ones.” Who gets to choose the disclosures, you might ask? Well, the panel of decision makers is almost entirely composed of security and intelligence agencies, of course. Software companies and the general public have absolutely no representation on the panel.
To add to the turmoil, regulation of potential cyberweapons is virtually impossible. How can you measure the catastrophic effects of a runaway trojan worm? How could weapons with no physical counterpart be inspected? You could not check every electrical device with memory storage in an entire country. The very act of exposing the cyberweapons would render them ineffective, since all potential targets would re-code in defence against the threat.
The UN set up a Group of Governmental Experts (GGE) in 2004 to debate global internet security issues. In 2013, twenty-five member states agreed that International Law DID apply to the internet. That created a whole new set of problems, with disagreements over how this could then be applied. Some nations argued to keep the internet free and unconstrained, while others wanted cyberspace boundaries that mirrored a country’s physical border, with similar methods of retaliation employed when under fire. In June 2017, NATO announced an extension of Article 5 of its Treaty, whereby a cyberattack on one NATO state will be treated as an attack on all, with the potential for global mobilisation.
Politicians can argue until they are blue in the face. All this debate and governmental posturing depends on the ability to pinpoint the perpetrator of the attack, which, historically, is extremely difficult to achieve without revealing details about secret security protocols. With this in mind, we will go on being at risk of cyberterrorism until such a time as collaborating nations stop spying on each other and work towards eradicating genuine sources of threat. Will that mean an end to our personal privacy? Most certainly. That’s if we ever had it in the first place.
Sam Nash is the author of the sci-fi conspiracy thriller, The Aurora Mandate. Release date TBA. You can find her at https://www.samnash.org or on Twitter @samnashauthor or Facebook.com/samnash.author.