Sunday May 19


E-Spying: State-Sponsored Intrusion


Government-led spying on Internet users has now become the norm in many countries. The suggestion of state-sponsored computer intrusions or infections, though, still raises more than just an eyebrow and poses real ethical questions.

For example, how can we tell the difference between cyber-criminals and state-sponsored spying? And how should researchers respond?

It should come as no surprise to many when we say an increasing number of governments now spy on their citizens’ use of the Internet. As an example, Julian Assange of Wikileaks fame recently said during an interview for Russia Today that Facebook is “the most appalling spy machine ever invented.” And he said that “every time someone adds a friend to their Facebook page, they [are] doing free work for US Intelligence agencies, in building this electronic database.”

Many netizens of China, the US, or other developed countries would still agree to being spied upon, using familiar responses: “Well I have nothing to hide,” “My government is helping to keep me safe,” “It is necessary in the fight against terror,” “I don’t care if my government knows I add Mary to my Facebook page”. However, when we consider the possible widespread use of state-sponsored network and computer intrusion, with matched infection in the form of malware and Trojans, then a tangible sense of discomfort begins to appear.

The contents of a file found on a shelf at the State Security Investigation Department (SSI) headquarters in Cairo during the protests in March have raised the stakes on this very issue. The documents discovered relate to computer intrusion tools offered for sale to Egypt’s then-government.

The documents provided detailed information about a product named FinFisher, an intrusion and spying tool. Gamma International UK Ltd, an Anglo-German company, is behind the software, which has its own website with clear information about what it can do.

For example, FinFisher can provide “full access to stored information with the ability to take control of the target systems functions to the point of capturing encrypted data and communications. In combination with enhanced remote infection methods, the Government Agency will have the capability to remotely infect target systems.”

So there's no doubt that government “agencies” use intrusion tools. But should we even be surprised at discovering this?

Perhaps not, but some answers are needed. F-Secure Corp.’s chief researcher, Mikko Hypponen, raised an important point in his blog about the role of security companies and where to draw the line in protecting customers from attack. For example, should security companies comply with a government’s request to stop detecting the intrusions, malware, and Trojans that the government is using? And where does that leave the customer?

Of course, added questions come to mind such as, "Which government, political party, or department is using intrusion tools -- and when?"

And then there is the basic question: Is a government above the law? Given that an administration can be changed fairly swiftly, as recent events have shown, today’s government soon becomes yesterday’s overthrown regime. So what was once legal or illegal may quickly be viewed in a different light. Where would that leave a security company “complying” with a request that was legal one day but illegal the next?

These questions present some very gray areas.

In the US, governments can practice “lawful intercept” under the Communications Assistance for Law Enforcement Act (CALEA) that requires a law enforcement agency (LEA) to deliver a request for surveillance to the service provider. However, “listening in and recording” is one thing; specific network intrusion and infection should be unlawful, whoever does it, and regardless of which particular political party is in control.

Increasingly, for security and threat researchers, the potential problem lies in interpretation of what we are observing. For instance, an intrusion via botnet “X” with malware “A” may be the result of cyber-criminals who must be exposed and defended against. But an intrusion via botnet “Y” with malware “B” could be a government operation, so hands off.

Perhaps it is time to compare computer intrusions and the use of cyber-weapons with conventional weapons and warfare. For the latter, we have internationally accepted rules via the Hague Convention and the United Nations, under which certain weapons are typically outlawed by international agreement.

Jart Armin