Did you know it’s national cybersecurity awareness week?

Everyone I’ve told has replied “I wasn’t aware of that”, which suggests we need an awareness week for the awareness week. It’s an annual event in which governments and companies work together to, well, “raise awareness” of cybersecurity. Tips will be offered, threats will be warned about and products will be advertised. China will be mentioned a lot.

In the US, they have cybersecurity awareness month. Everything sure is bigger over there.

And, yes, we should take cybersecurity awareness seriously. Because most of the things you are told about cybersecurity are lies. As Crikey has demonstrated many times, the actual threat of cybercrime is grossly exaggerated by governments, the corporate media and cybersecurity companies. They exaggerate it with the goal of lifting sales of security products and justifying increases in state control of the internet.

The Australian Financial Review for some months has run a series of beat-ups on the issue, which all follow the same format: claiming routine common-or-garden efforts to access servers as “attacks”, portraying minor breaches as major hacking successes (one article claimed that an effort to access a publicly available stats database at the ABS website was a successful breach by hackers), invoking the threat of Chinese hackers, and quoting cybersecurity consultants and executives who are only too happy to agree that government agencies should spend more on security.

And, it seems, next week’s Four Corners will be running the same line, with its PR plug for Monday’s edition, titled Hacked! (behold the exclamation mark), claiming “a deafening silence surrounds this issue”. The sort of deafening silence in which governments and the media never shut up about it, presumably.

Anyone pointing out the self-interested nature of commentary from the cybersecurity industry, or the obvious flaws in the corporate media narrative of major security breaches, invariably elicits the reaction that they are pretending there is no cybercrime problem at all. In Crikey’s case, this is exactly the opposite of the truth. Crikey is the only media outlet or company in Australia that has undertaken substantive, independent research into the prevalence of cybercrime and established the scale of the problem, with a costing based on verifiable data.

But, in cybersecurity awareness week, this is not yet another article explaining how cybercrime has been exaggerated. This is an attempt to identify the real threat. While corporate media and governments like our own and that of the US repeatedly (and correctly) blame China for much cyberespionage and online crime, in fact the biggest source of cybercrime on the planet is the US government, aided and abetted by governments like our own.

Yes, we’re not the hapless victims of China in any “cyberwar”, we’re every bit as much the aggressors as any other participant.

The US  government is the biggest purchaser and producer of “cyberweapons” on the planet. A recent Reuters report by Joseph Menn contained comprehensive detail about how government agencies like the National Security Agency and the Pentagon are pouring money into “zero-day exploits”, vulnerabilities in commonly used systems and software.

US government agencies aren’t devoting significant resources to purchasing these exploits so that they won’t fall into the hands of criminals — they are purchasing them to use.

“… a surveillance state is exactly what governments and corporations, crying ‘cybersecurity’, want us to become.”

The big cybersecurity companies are heavily involved. Menn reported:

“Major players in the field include Raytheon Co, Northrop Grumman Corp and Harris Corp, all of which have acquired smaller companies that specialize in finding new vulnerabilities and writing exploits. Those companies declined to discuss their wares … Reuters reviewed a product catalogue from one large contractor, which was made available on condition the vendor not be named. Scores of programs were listed. Among them was a means to turn any iPhone into a room-wide eavesdropping device. Another was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves …”

This means that US government agencies have a significant financial stake in ensuring vulnerabilities are not detected or publicised. Not all — indeed, probably most — companies and users don’t update their software or install security patches as soon as software vendors release them. The less exploits are publicised, the more likely they are to remain useful in the wild.

This may help explain why a hacker who revealed security flaws at AT&T and downloaded publicly available data and passed it to the media was prosecuted by the US government and given an exemplary sentence of three years’ jail. Or why the US government is hunting people associated with Project PM, which has revealed the connections between the US government and cybersecurity agencies and government use of malware and mass surveillance.

The US government has also worked in collaboration with the Israeli government — Israel has a successful IT industry that produces some of the best spyware and malware in the world, and has even hacked the US government — to produce two high-profile pieces of malware, Stuxnet and Flame.

And while the overhyped Stuxnet wasn’t a threat unless you were operating centrifuges as part of a nuclear program, the US government has more prosaic plans for its citizens: the FBI was recently knocked back by a US court in its request to plant malware on a suspect’s computer that would have enabled it to spy on him. This calls to mind the German government’s notorious Bundestrojaner, the first piece of law enforcement malware found in the wild and an epically insecure piece of software that enabled third-party access to law enforcement servers and the target computer.

By the way, the ability of law enforcement and intelligence agencies to plant malware on computers is among the powers being sought by the Attorney-General’s Department (which is now the single greatest threat to the basic rights of Australians) in its current push for more national security powers.

The Gillard government has been an enthusiastic spruiker of cyberhysteria, and in January announced the establishment of an Australian Cyber Security Centre, a rebadged version of the Cyber Security Operations Centre within the Defence Signals Directorate, a key part of the Defence’s $500+ million a year intelligence operation.

The location of the centre within a Defence spy agency reveals something the Prime Minister never mentioned, that the ACSC is designed as much to be an offensive organisation as one protecting us against the wiles of Chinese hackers. How many zero-day exploits it uses, or how many bespoke pieces of malware it deploys, we will never be told, because of the greater level of opacity about Australian intelligence operations compared to the US.

Hackers, operating at the behest of, or employed by, the Chinese government, the Chinese security establishment and Chinese companies, are indeed a significant threat to Western companies and governments. But the focus on China obscures the extent to which the US remains the most potent, aggressive state cyberpower.

And there’s a lesson from China that the media might do well to learn. The reason China has such a flourishing culture of cybercrime and hacking is because its government devotes enormous resources to controlling the internet and monitoring citizens’ use of it. Chinese hacking is a direct outgrowth of the fact that it is a surveillance state.

And a surveillance state is exactly what governments and corporations, crying “cybersecurity”, want us to become.

Be aware of that.

Peter Fray

Help us keep up the fight

Get Crikey for just $1 a week and support our journalists’ important work of uncovering the hypocrisies that infest our corridors of power.

If you haven’t joined us yet, subscribe today and get your first 12 weeks for $12.

Cancel anytime.

Peter Fray
Editor-in-chief of Crikey