The Role of Governments in Cyber Security – A Double-Edged Sword

The Role of Government in Cybersecurity

By Noa Bar-Yosef on May 27, 2011

As the governments of the world work to establish the right balance between control and freedom, it has proven to be a double-edged sword.

In politics and warfare, there are many so-called “doctrines.” Several are famous, such as the Powell Doctrine, the Bush Doctrine and the Reagan Doctrine. Has a cyber security doctrine emerged? In recent weeks, much of the security talk has centered on Obama’s cyber security legislative proposal. According to cyber-tzar Howard Schmidt, “this is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government.” While it’s too early to call it a doctrine, there is a need to ensure a safe online environment for the nation’s citizens. So far, we have seen governments around the globe adopt very different approaches to how citizens engage online. Sometimes it has proven to be a double-edged sword.

Doctrine #1: Cyber Suppression of Cyber-Riots

Two years ago, a contentious presidential election in Iran sparked a wave of protest and government crackdowns that ultimately left scores of people dead. In years past, the rallying cries of such protests may have come in the form of a bullhorn, but in the age of social media, that bullhorn has taken on a new form: Twitter.

Along with Facebook, Twitter emerged as a major news outlet to report the rioting as well as the government’s forceful reaction via real-time updates. It was a cyber-battle for control over the flow of information, one where a multitude of self-made reporters and frustrated citizens could vent their sentiments to the world. But the Iranian government was not without weapons of its own, and it countered the growth of citizen journalism with one simple maneuver – blocking all of the country’s access to Twitter and Facebook.

In effect, Iran conducted a political, state-sponsored cyber-attack. A nation-backed attack?! I think we’ve heard that one before – Advanced Persistent Threat (APT).

Doctrine #2: APT for Cyber Repression

A few months later, the term APT suddenly became one of the most common terms circulating in the security industry. Awareness of the term could be attributed to Google’s statement, released early last year, that its infrastructure had been targeted by attackers originating from China. The attackers got away with Google’s intellectual property, but even more noteworthy was Google’s speculation “that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.” The Great Firewall of China is nothing new. But having an active adversary from within was the game-changer. It is also noteworthy that Google’s market share in China has dropped dramatically, putting Google in the unusual position of not being the market leader.

Another example comes from Tunisia. Anonymous – a "hacktivist" group known to DDoS companies who have severed ties with WikiLeaks – began their political cyber-protests against Tunisia when they targeted government-controlled websites. These particular DDoS attacks were tied in with WikiLeaks’ publication of information about government corruption.

As more and more cables were released focusing on the corrupt leaders, the first “WikiLeaks Revolution” took place. In response to the use of social media to spread information and rally protesters, the government tightened its grip on the Internet. The country modified all login requests from within the country to Gmail, Yahoo! and Facebook accounts to allow interception. Although the country controls all the ISPs, login credentials to these applications are sent in encrypted form, which prevented Tunisia from simply eavesdropping on them. Tunisia worked around this obstacle by hacking its own citizens: because the login page itself was served unencrypted (only the credential submission was encrypted), the Tunisian government was able to inject JavaScript code into these applications’ login pages as they passed through the ISPs. That extra piece of code caused every set of credentials typed into the page to be re-routed to a Tunisian-controlled site before the encrypted submission ever happened.
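The weakness Tunisia relied on can be audited from the defender’s side. The script below is an added example, not code from the original column: it parses a login page and flags a password form delivered over plain HTTP, a form that posts to a non-HTTPS address, and any script pulled from a host outside an expected list. The sample page, its URL and the host list are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LoginPageAuditor(HTMLParser):
    # Collects the action of every form that carries a password field and the host of every external script.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.password_forms = []   # action URLs of forms with a password field
        self.script_hosts = set()  # netloc of each <script src=...> on the page
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""), "pw": False}
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["pw"] = True
        elif tag == "script" and a.get("src"):
            self.script_hosts.add(urlparse(urljoin(self.page_url, a["src"])).netloc)

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form["pw"]:
                self.password_forms.append(self._form["action"])
            self._form = None

def audit_login_page(page_url, html, trusted_hosts):
    """Return a list of findings; an empty list means none of the checks fired."""
    p = LoginPageAuditor(page_url)
    p.feed(html)
    findings = []
    for action in p.password_forms:
        if urlparse(page_url).scheme != "https":
            findings.append("password form served over plain HTTP; page can be altered in transit")
        if urlparse(action).scheme != "https":
            findings.append("password form posts to non-HTTPS action %s" % action)
    for host in sorted(p.script_hosts - set(trusted_hosts)):
        findings.append("script loaded from unexpected host %s" % host)
    return findings

# Constructed sample (not a real site): the page is fetched over HTTP while its form
# posts to HTTPS, as in the Tunisian case, plus one script from a host outside the expected list.
SAMPLE_URL = "http://mail.example.test/login"
SAMPLE_HTML = """<html><body><script src="//static.example-cdn.test/login.js"></script>
<script src="http://203.0.113.10/extra.js"></script>
<form action="https://mail.example.test/auth" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""
TRUSTED_HOSTS = ["mail.example.test", "static.example-cdn.test"]
```

Run `audit_login_page(SAMPLE_URL, SAMPLE_HTML, TRUSTED_HOSTS)` to see the two findings; serving the page itself over HTTPS and pinning the script hosts removes both.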

Syria launched a “Nation-in-the-Middle” attack as well, as it sought to intercept Facebook communications. Unlike Tunisia, though, the Syrian government faced a problem because the login page was already protected by the SSL protocol (i.e. served over HTTPS), which both encrypts the transport and authenticates the server, so that the communications cannot be tampered with in transit. The protocol achieves this by having the server present its own digital certificate, signed by a Certificate Authority (CA); the browser checks that signature against the CAs it trusts. The browser does this automatically, and a user does not even realize what occurs behind the scenes.

In the case of the Syrian government, the government created a certificate signed by a CA unknown to the browsers. Syrian Facebook users were most likely greeted first by a browser warning, but the government relied on the fact that most would just click the ignore button and proceed to the website. Most likely they achieved their goal – after all, how many times have users received similar errors on expired certificates yet dismissed those warnings as annoying browser requests?

Doctrine #3: Keep a Cyber Kill Switch

After the overthrow of former Tunisian President Zine El Abidine Ben Ali, Egypt began to experience unrest of its own. Once again, social media served as a rallying point for protesters. As riots raged on the streets of Cairo, the Egyptian government retaliated against its citizens and disconnected them from social networks. As the demonstrations escalated, Egypt disconnected the Internet in the country. Libya, the next in line, followed Egypt’s example and took its country offline as well.

Internet Censorship in Democratic Countries?

All this leads us to wonder whether countries that are not led by dictators can perform similar acts of Internet censorship. Shutting down the Internet would probably be harder in these countries than in Egypt, for example, because of the multitude of independent Internet service providers (ISPs). However, given the proper legal authority, the major ISPs can be instructed to shut down their equipment. Alternatively, governments, through their agencies, may already have "sleepers" placed inside major ISPs who perform the necessary sabotage on command. The US debate over the prospect of an “Internet kill switch” that would allow the president to virtually shut down the Internet has raised this issue and indicates that the US government (through its agencies) has these capabilities.

We usually think of APT as a form of attack against a specific targeted nation or company, as opposed to a government-led attack against its own citizenry. Yet all the above examples show these to be Advanced (i.e. re-routing Facebook logins), Persistent (ultimately, if some attacks don’t work, the country takes itself offline) Threats (control of the citizens).

As the governments of the world work to establish the right balance between control and freedom, they also need to work to develop strategies for dealing with cyber-crime. Stay tuned for my next column in which I’ll discuss the state of the nation… and cyber-security.
