May 24, 2013

Cybersecurity awareness week: be aware you’re being lied to

It's cybersecurity awareness week. So you should be aware that you're being lied to about cybercrime, who's behind it, and how your rights and freedoms are under threat.

Bernard Keane — Politics editor

Bernard Keane

Politics editor

Did you know it's national cybersecurity awareness week? Everyone I’ve told has replied "I wasn’t aware of that", which suggests we need an awareness week for the awareness week. It’s an annual event in which governments and companies work together to, well, "raise awareness" of cybersecurity. Tips will be offered, threats will be warned about and products will be advertised. China will be mentioned a lot. In the US, they have cybersecurity awareness month. Everything sure is bigger over there. And, yes, we should take cybersecurity awareness seriously. Because most of the things you are told about cybersecurity are lies. As Crikey has demonstrated many times, the actual threat of cybercrime is grossly exaggerated by governments, the corporate media and cybersecurity companies. They exaggerate it with the goal of lifting sales of security products and justifying increases in state control of the internet. The Australian Financial Review for some months has run a series of beat-ups on the issue, which all follow the same format: claiming routine common-or-garden efforts to access servers as "attacks", portraying minor breaches as major hacking successes (one article claimed that an effort to access a publicly available stats database at the ABS website was a successful breach by hackers), invoking the threat of Chinese hackers, and quoting cybersecurity consultants and executives who are only too happy to agree that government agencies should spend more on security. And, it seems, next week’s Four Corners will be running the same line, with its PR plug for Monday’s edition, titled Hacked! (behold the exclamation mark), claiming "a deafening silence surrounds this issue". The sort of deafening silence in which governments and the media never shut up about it, presumably. Anyone pointing out the self-interested nature of commentary from the cybersecurity industry, or the obvious flaws in the corporate media narrative of major security breaches, invariably elicits the reaction that they are pretending there is no cybercrime problem at all. In Crikey’s case, this is exactly the opposite of the truth. Crikey is the only media outlet or company in Australia that has undertaken substantive, independent research into the prevalence of cybercrime and established the scale of the problem, with a costing based on verifiable data. But, in cybersecurity awareness week, this is not yet another article explaining how cybercrime has been exaggerated. This is an attempt to identify the real threat. While corporate media and governments like our own and that of the US repeatedly (and correctly) blame China for much cyberespionage and online crime, in fact the biggest source of cybercrime on the planet is the US government, aided and abetted by governments like our own. Yes, we’re not the hapless victims of China in any "cyberwar", we’re every bit as much the aggressors as any other participant. The US  government is the biggest purchaser and producer of "cyberweapons" on the planet. A recent Reuters report by Joseph Menn contained comprehensive detail about how government agencies like the National Security Agency and the Pentagon are pouring money into "zero-day exploits", vulnerabilities in commonly used systems and software. US government agencies aren't devoting significant resources to purchasing these exploits so that they won’t fall into the hands of criminals -- they are purchasing them to use.
"... a surveillance state is exactly what governments and corporations, crying 'cybersecurity', want us to become."
The big cybersecurity companies are heavily involved. Menn reported:
"Major players in the field include Raytheon Co, Northrop Grumman Corp and Harris Corp, all of which have acquired smaller companies that specialize in finding new vulnerabilities and writing exploits. Those companies declined to discuss their wares … Reuters reviewed a product catalogue from one large contractor, which was made available on condition the vendor not be named. Scores of programs were listed. Among them was a means to turn any iPhone into a room-wide eavesdropping device. Another was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves ..."
This means that US government agencies have a significant financial stake in ensuring vulnerabilities are not detected or publicised. Not all -- indeed, probably most -- companies and users don’t update their software or install security patches as soon as software vendors release them. The less exploits are publicised, the more likely they are to remain useful in the wild. This may help explain why a hacker who revealed security flaws at AT&T and downloaded publicly available data and passed it to the media was prosecuted by the US government and given an exemplary sentence of three years’ jail. Or why the US government is hunting people associated with Project PM, which has revealed the connections between the US government and cybersecurity agencies and government use of malware and mass surveillance. The US government has also worked in collaboration with the Israeli government -- Israel has a successful IT industry that produces some of the best spyware and malware in the world, and has even hacked the US government -- to produce two high-profile pieces of malware, Stuxnet and Flame. And while the overhyped Stuxnet wasn’t a threat unless you were operating centrifuges as part of a nuclear program, the US government has more prosaic plans for its citizens: the FBI was recently knocked back by a US court in its request to plant malware on a suspect’s computer that would have enabled it to spy on him. This calls to mind the German government’s notorious Bundestrojaner, the first piece of law enforcement malware found in the wild and an epically insecure piece of software that enabled third-party access to law enforcement servers and the target computer. By the way, the ability of law enforcement and intelligence agencies to plant malware on computers is among the powers being sought by the Attorney-General’s Department (which is now the single greatest threat to the basic rights of Australians) in its current push for more national security powers. The Gillard government has been an enthusiastic spruiker of cyberhysteria, and in January announced the establishment of an Australian Cyber Security Centre, a rebadged version of the Cyber Security Operations Centre within the Defence Signals Directorate, a key part of the Defence’s $500+ million a year intelligence operation. The location of the centre within a Defence spy agency reveals something the Prime Minister never mentioned, that the ACSC is designed as much to be an offensive organisation as one protecting us against the wiles of Chinese hackers. How many zero-day exploits it uses, or how many bespoke pieces of malware it deploys, we will never be told, because of the greater level of opacity about Australian intelligence operations compared to the US. Hackers, operating at the behest of, or employed by, the Chinese government, the Chinese security establishment and Chinese companies, are indeed a significant threat to Western companies and governments. But the focus on China obscures the extent to which the US remains the most potent, aggressive state cyberpower. And there’s a lesson from China that the media might do well to learn. The reason China has such a flourishing culture of cybercrime and hacking is because its government devotes enormous resources to controlling the internet and monitoring citizens’ use of it. Chinese hacking is a direct outgrowth of the fact that it is a surveillance state. And a surveillance state is exactly what governments and corporations, crying "cybersecurity", want us to become. Be aware of that.

Free Trial

You've hit members-only content.

Sign up for a FREE 21-day trial to keep reading and get the best of Crikey straight to your inbox

By starting a free trial, you agree to accept Crikey’s terms and conditions


Leave a comment

9 thoughts on “Cybersecurity awareness week: be aware you’re being lied to

  1. Thomas McLoughlin

    I think another tone with the same content may be sensible with this kind of tech development.

    Personally I’m not at all surprised, conceptually, that big govt want the capacity to monitor everything. A major premise in the novel 1984 was the science fiction ability to ‘turn the flow of information around’ and make screens two way. That is give Big Brother his window into the home.

    Yes it’s creepy, yes it may lead to the tech version of planting bags of cocaine in the boot of critic’s car, or other corrupt behaviour for those bearing a grudge.

    The mass media reported last week a report of blackmail scam where unsolicited material (the worst kind) was pixt to a mobile phone, with a follow up threat to publicise and smear. This is nasty stuff to be sure.

    As always I revert back to the pre tech mind set of Gandhi, to be open about a non violent agenda for political reform/change/progress/idealism. Indeed nowadays the last thing I want is some paranoid spook to think I am hiding anything, except as required for client confidentiality in my chosen profession. In which case I fully expect my profession to back me up on that confidentiality.

  2. Faizan Ali

    Its true that the Govt and various authorities wants to keep an eye on us (people). Techweek Europe reported that the figures of cyber crime was greatly exaggerated. Maybe this is because that they wanted an excuse to retaliate against all those who have been attacking the US Govt. which also includes the Chinese Govt. (source:
    Im all for retaliating against those who mean to cause us harm but Grinding the citizens to achieve their own personal agenda is just not acceptable.

  3. klewso

    If these parties don’t scare the crap out of you, what are you going to buy from them?
    Like their “protection”?

  4. Matt Hardin

    And all of that with the protection of the Fourth Amendment in place! A Bill of Rights is obviously no protection.

  5. wbddrss

    Great piece of research, really makes the subscription price look cheap. I am better informed.


  6. supermundane

    When cryptographer Bruce Schneier is concerned about the emerging all-seeing, all-knowing corporate and government surveillance panopticon, we should be very afraid:

  7. supermundane

    When cryptographer Bruce Schneier is concerned about the emerging all-seeing, all-knowing corporate and government surveillance panopticon, we should be very afraid:

    www. technology/ 2013/may/16/ internet-of-things-privacy-google

  8. Kevin Tyerman

    In the US, they have cybersecurity awareness month. Everything sure is bigger over there.


  9. Dale Winters

    Knocked up, down and out, but must congratulate Keane on his research and diligence. The future of all this won’t be fulfilled until every single human being is being monitored 24/7 to verify proof of allegiance to a system of world govt, spiritual, financial and political. It’s coming.

Share this article with a friend

Just fill out the fields below and we'll send your friend a link to this article along with a message from you.

Your details

Your friend's details