Fighting for peace is like screwing for virginity
Hello strangers, friends, and outer-worldly creatures,
Today is the day a new blog post sees the internet via my website. I think these are thoughts/stances that I keep repeating to people over time, because the same overarching topics keep coming up in conversation. To stop ranting about the same thing every time, I think it is useful to just throw it out there once and for all. This is my therapy, and you are my therapist… Enjoy!
On today’s menu:
Governments fail at geopolitically themed cybersecurity strategies; here are a couple of reasons why, how it could possibly be fixed, and why I believe governments generally don’t fix it.
But before we start typing unfiltered and mildly schizophrenic thoughts, let’s start with a couple of disclaimers:
- I don’t mention the names of individuals that did not choose public responsibility for certain government jobs. I have no good reason to do so, especially since as a public servant you should anticipate taking responsibility for your actions, as any other individual should. But maybe I don’t have the full context in every case, due to compartmentalization, to make the finger pointing concrete.
- I have not worked at the government organizations mentioned, so this compilation of pitfalls comes from personal experience.
- This is written based on a few examples of Dutch/European government/political action, and things might differ in your respective country of residence.
Now that this is settled, let’s start listing the pitfalls :)
Why are we failing?
Cybercrime
Cybercrime and espionage: two different ballgames, but still in the same sports category. Cybercrime is one of the more common forms of digital trouble seen these days. As a result, most people know about some form of it. Most popularly the ransomware scene, as you probably know someone or something that has fallen victim to it. These days you can’t show up at a BBQ or party as an infosec person without getting some half-baked question about cybercrime once the question “so you work in cybersecurity?” has been asked.
The fact that this is becoming a commodity/public interest is fun at first, as people are showing interest in your field of work. But it gradually starts to cause worries once one realizes it is practically the same as classic crime. Namely:
- someone does something bad
- badness increases in volume/victims
- badness gets a half fix from some organization
- the half fix gets reported on via the media for a morale boost
- badness is gone for a limited time
- see step 1, while 1==1
It’s easy to compare cybercrime fighting strategies to something from the classic crime circuit like “the war on drugs”. It’s a downward spiral, a race to the bottom, and at best a good business model for private security vendors (more on that later). Or to put it in the words of George Carlin:
Fighting for peace is like screwing for virginity
Wouldn’t that be an amazing title for a blog post xD
In the Netherlands, organizations like, but not limited to, the Team High Tech Crime of the Dutch National Police are responsible for “fighting” cybercrime. This organization is a popular counterforce against cybercrime on the international scene. Because Dutch infrastructure is a major international vector, this organization has been forced to grow into such a large force. Sadly, the patterns described above are all the more prevalent there. As a result of failing strategic input, it has become an endless PR machine. Often when one paints this picture of reality, one is called a cybercrime promoter for challenging the authority of such government bodies, with one-liners like:
“What else are we supposed to do? Let them commit crimes via domestic infrastructure?”
“Takedowns really help, they start realizing this is not the place to host their illicit business.”
Among plenty of other fallacies, these don’t hold up against people with even a slight sense of long-term vision. I am a firm believer that takedowns cause a myriad of long-term problems:
- Obduracy of the cybercrime climate: some actors like LockBit, ALPHV, Maze etc. will invest, and have been investing, in more hardened malware/infrastructure that imposes costs on law enforcement, industry partners in infosec, and eventually society.
- Rinse and repeat: you can keep repeating this takedown strategy until you run out of public support/funds. Luckily for LE, people are stupid enough to like the “Operation ‘INSERT COOL MARKETING NAME’ was a major success! We took down the largest botnet, now everyone is safe forever, happy rainbows and flowers and unicorns with unlimited supplies of happiness” morale. Society buys into this credo as it usually does not possess the cerebral capacity to see the long-term consequences of its own actions, let alone those of its government.
Espionage
I came to these conclusions about the cybercrime scene around 2020-2021, and I am yet to be convinced otherwise. I kinda hoped that the nation state scene would be different, but boy was I wrong xD Of course there is more nuance in the intelligence community around nation state threats, attribution and “takedowns”. There are often crossovers between nation state and cybercrime actors’ infrastructure or targets, for example. But the claims that intelligence agencies make about each other are also limited, for a reason. I don’t agree with many of his stances, but I feel like the former director of the MIVD (Pieter Cobelens) has captured the nation state scene pretty accurately:
An intelligence agency is the ‘captain that sinks with the ship’; in times of trouble, three/four letter agencies are the last communication bridge from a foreign policy perspective, while simultaneously detecting and eliminating factors that may challenge the authority of the state they try to keep intact.
I guess this is a double-edged sword. I believe a country, or a group of individuals for that matter, should have the ability to pose as a sovereign entity. Though I do not believe this should be done by every means necessary. Furthermore, I believe that the sovereignty of one does not go above that of another. I don’t want to make this political, but from a moral perspective: you must have some kind of evil in you to be able to live “freely” while someone else can’t due to your own actions. Now to my point: I don’t believe that intelligence agencies in prominent western/eastern countries live up to that moral stance. Moreover, I believe the same methods applied in cybercrime fighting extend to the geopolitical intelligence realm.
To put that into an example:
- The Soviet Union fell in part due to western (namely US) influence
- Russia and Belarus, mostly, remained salty at the west
- The Commonwealth of Independent States became a free state for cybercrime activity to bother the west
- Both the west and the east have danced an everlasting tango over the years about political and economic meddling using digital means (the DNC attack, TriangleDB on Kaspersky, sanctions in the west against Kaspersky, social media influence campaigns on Twitter, espionage at the OPCW, etc.)
And like cybercrime, this is an everlasting cycle that the involved parties are too scared to break because of the potential consequences. Welcome to modern society :)
Symptom therapy & commercial snake-oil
Now luckily there is a third Pokémon in our deck. One that promises to change it all, but at best is an impressive failure and a good money factory. We enter the realm of commercialism, with earth-shattering and industry-changing names like “Gartner”, “Forrester” and “MITRE” among many other dead-end metrics used to convince the C-level, and acronyms like “XDR”, “GenAI”, “MDR” and plenty of other fancy-sounding 3-6 letter combinations. This whole segment of the industry boils down to essentially one thing:
We want your money, you have fears. So as a painkiller for your fear you buy our bare-minimum service/product and we’ll all be happy for a little while.
The biggest issues with commercial bodies in infosec are over-promising/under-delivering and monopolies. Let’s break it down:
- Over-promising/under-delivering: companies very much think in “Minimum Viable Products”, which is human for “what is the minimal amount of effort I can put in for the same money”. This is a problem, because as a society you want the best defense against a threat, not the cheapest “I guess this will work” defense. Because essentially, money drives the decision. In government this is less of a factor, because you can force people to pay taxes. Companies can’t really force you to buy their product, unless…
- Monopolies: ah yes, the amazing sight of a small group of large fish populating the entire pond. Lucky for us, this industry is not plagued by giants like Microsoft, CrowdStrike, Apple or “INSERT VENDOR NAME” that take a majority market share. For the shareholders of these organizations it’s nice; for society, not so much. You see, when the stability of these organizations is challenged by whichever force, shit’s about to go down. A recent example being CrowdStrike, as they hold a majority market share in the XDR space. Everyone and their mother has their XDR, an intern makes an oopsie overnight which causes software instability, tah dah, half of the world is in gridlock…
Now companies are not only bad; they have a bunch of unique expertise, and sometimes they motivate competition. The problem is when such companies become too large for society to ignore. One creates a dependence on the whole “minimal effort” mentality. And then stuff goes wrong, which leads to a derailment of societal processes. Another issue that arises with companies is that they are often not bound to one country. Furthermore, companies start to treat political influence as one of their key performance indicators when they reach a certain presence in society. That could be harmful for those not in charge, as usually the incentives for change are centered around financial gains/stability rather than other well-measured aspects of life.
How could we fix it?
For cybercrime and espionage the solutions are pretty straightforward: stop provoking and invest in (inter)national resilience. We have established that poking the metaphorical bear only causes it to become more aggravated and rarely contributes to preventing further attacks. The mindset of retaliatory hacks or takedowns is futile and resembles a pointless race with no end, ultimately making society the victim of poor judgment.
An eye for an eye only makes the whole world blind - Gandhi
As for the (inter)national resilience part: when you have a company or government, you have various types of infrastructure. Be it gas lines, power lines, AC, heating or a building. All of these have to comply with certain safety standards in order to be operable and considered covered. Now with IT these norms do not translate; instead companies live from attack to attack, and government only interferes when an attack is sizable enough in impact. In the meanwhile, companies try to take matters into their own hands and purchase one of the earlier mentioned questionable commercial cybersecurity products/services they saw in some slimy magazine, and think the issue is dealt with.
I personally think governments should set concrete standards that companies have to comply with in terms of their IT infrastructure. If these organizations do not take this seriously, they should be fined for non-compliance, and if they persist in non-compliance, be held fully responsible for all the damages, with bankruptcy as the logical consequence. If it is a company in critical infrastructure, a governing body like NCSC/GovCERT should have the power to take over the company in order to minimize damage to society, as was the case in the DigiNotar compromise, where GovCERT took over at the time.
Now despite all these efforts and potential solutions, a compromise may still happen and differences between nation states will persist. Agreeing to disagree is a better outcome than fighting to the bone about our differences. I believe that intelligence agencies and commercial companies have a role in detecting sophisticated attacks that circumvent these IT infrastructure standards and notifying victims accordingly. I still don’t believe that these organizations should do that by any means necessary (aka compromising another state to find out what they are doing before they do it). This will anger said nation state and cause a snowball effect once more, for short-term gain.
As for the commercial snake-oil and monopolies: Kerckhoffs’s principle. Just adhere to that, man; you have made your profits on Windows already, most people use cracked keys anyways, or some shitty AutoKMS to activate your junk software. Just open source the OS already… The same goes for other large vendors: when you possess a majority market share, you should be forced to publish what society depends on. Money is not gonna save the world. The open nature of software allows anyone to audit its security and address potential issues, and if the vendor doesn’t fix them, to release their own version of it.
Why don’t we fix it?
Well, the moment of surprise: “we love money more than we love ourselves”. That’s really it; most of the reasoning as to why we don’t fix this shit comes down to that. Vendors want to keep their shareholders happy, so they don’t open source vital components. Nation states need a yearly budget to conduct their operations, so they don’t break the endless conflict cycle unless they are forced to. Commercial infosec vendors love it because they exist in the spaces not dealt with by government, and behold, it has become a multi-billion industry with giants across the globe partaking in vulture-like behavior, picking the last meat off the bones of dying and decomposing societies with a “free” market.
Conclusions
If you have only read this blog post, this industry seems very fatalistic and depressing. It is that, but not only that. Despite all the nasty things happening, there is a bunch of amazing research going on that unveils possibilities and potential every day. I have seen many people try and get demotivated by the outright stupid problems in this industry. They either quit and become a goose farmer, or go and become part of the problem, as quite evidently (and this is the last quote, I promise) this industry boils down to this:
“Welcome to the death of the age of reason, there is no right or wrong, not anymore. There is only being in - and then being out.” - House of Cards
I am still in this industry because of the amazing research that I mentioned before; I have this issue where I like to solve puzzles. But to those that are still fighting this, I can only advise you to ride the tsunami wave of life on a surfboard.
Godspeed, fear nothing!
- Yassir Laaouissi