Governments are investing billions of dollars in the private security industry to develop digital weapons.
This is the view of Patrick Gray, host of the RiskyBusiness Security News Podcast, speaking during today's ITWeb Security Summit, held at the Sandton Convention Centre.
Gray is an international IT security news journalist and he revealed how Stuxnet, WikiLeaks and the militarisation of the Internet shaped information security.
He pointed to historical examples from World War II and the Cold War, where governments would do whatever they could to possess sophisticated technology for military use.
“Offensive digital security and military-grade hacking has become a military science, and this has become very important to governments.”
He said this was proved by the emergence of Stuxnet, which Gray called a “greatly underestimated technology”.
“Mainstream media have largely ignored Stuxnet, because they can't seem to wrap their heads around it. Yet, Stuxnet is important because it delayed Iran's nuclear programme by two years.”
Gray added: “A clean win of this magnitude is only going to serve similar offences in the future. Stuxnet cost less than $10 million, and was a very cheap operation compared to a physical weapon.”
According to Gray, the impact of Stuxnet means the world now has a public case study of a military attack made by private hands. He indicated this could spur the public sector to build military-grade offensive tools.
“The stage is set for a big take-off in spending of digital weapons. There are astronomical amounts of money invested in the US defence sector. The US Air Force has an annual budget of $170 billion a year; that's more than $400 million dollars every day.”
Gray said military and government interest in security technology will result in new attacks, malware and attack classes that we haven't even thought of yet.
He said Stuxnet and WikiLeaks, in particular, have accelerated the trend of militarisation of the Internet.
“Stuxnet and WikiLeaks in isolation wouldn't have had a big impact on political and public psyche. But together, it became a massive wake-up call to government heads.” Gray said: “WikiLeaks is the most massive red herring in the history of red herrings.”
He explained that the fact that WikiLeaks released secret documentation is not new or important. He said that it is rather a symptom of organisations' inability to secure confidential information, which is the problem.
“Politicians around the world are finding that information is difficult to keep under lock and key. A lot of the best security talent will end up where the biggest pay checks are, and that is working for the military.”
Gray claimed the US government is spending billions of dollars on security offence, instead of improving cyber security defence.
Gray called for rules and guidelines to be implemented. “We need regulations because the organisations that will dominate this space will be private companies working for the military. What happens when the military funds a private company that could be an adversary later?”
The militarisation of the Internet is accelerating, he said, adding that the biggest problem is the tendency of these private companies to develop these technologies exclusively.
“Through loosely grouped hacking organisation, Anonymous, we now know for a certainty that private companies are developing weapons for government,” said Gray.
A few months ago, Anonymous hacked into security company HBGary Federal, stole most of the company's e-mail and put it online in a searchable form.
It was found that HBGary was well-connected to the US military digital complex as well as End Game Systems. The company's founders were found to be writing rootkits for the government.
“It was proof, for the first time, that rootkits made by a private company were sold to the US government against its adversaries. When you have some of the finest minds being paid top dollar to build malicious code, you have problems,” he said.
Gray said that correspondence between HBGary and End Game Systems demonstrated that the government is investing in “tax-funded malware”.
“Attackers are well-funded and will stay ahead of their defenders. The security industry is going to have to adapt and realise that we've built infrastructure on an unsecured foundation.
“It's too late now to go back and fix all the problems we have. Information will continue to leak and we need to find ways to mediate that. A technical solution to this problem is not attainable.”