Instead of being astonished by the ease with which an Israeli firm’s software can hijack ‘secure’ devices, we need to put in place laws governing how all actors can use this personal data.
An iPhone in front of NSO Group's headquarters in Herzliya, Israel, August 28, 2016. Jack Guez, AFP
“There is something intimate and insidious about a telephone,” observed former CIA officer William Johnson, in his 1987 monograph on the spy trade. “No matter how careful I am when using the telephone, I cannot help giving away information of value to somebody investigating me.”
If you want to put this to the test, try setting up a meeting with someone without using any words that could allow a third party to work out where or when it will take place, or the subject to be discussed.
Today’s spies are just as quick to acknowledge that phones — and especially smartphones — are not secure. These devices leak revealing personal information to anyone who takes an interest, and yet outside the intelligence community the news of the latest vulnerability is met with an amnesic surprise.
The most recent example was the discovery of Pegasus — malware developed by an Israeli company that, when installed by a user who unwittingly clicks on a link in a seemingly innocent text message, can in effect hijack the user’s iPhone or iPad. It can transmit all data stored on the device, from passwords, photos, calendars and address books to text messages, voice calls and the location of the device itself. In addition, it can commandeer the gadget’s microphone and camera, turning the user into a virtual spy.
These capabilities were revealed after Ahmed Mansoor, a human-rights activist from the United Arab Emirates, forwarded a suspicious text message containing a link to Citizen Lab. Researchers at the internet watchdog, which is based at the University of Toronto’s Munk School of Global Affairs, clicked on the link, studied the effects of the malware and notified Apple, which quickly released a security patch update for iOS, the operating system for the company’s mobile devices.
Pegasus is certainly one of the most complete hacking tools to come to the public’s attention. Any one of its capabilities is highly revealing; being able to build a map of someone’s location, for example, will quickly reveal their daily routine, friends, work, where their children go to school and much more. Combined, Pegasus’s capabilities would leave little personal information undiscovered if used against an unsuspecting target.
But it is naïve to think that Pegasus is unique in its invasiveness or sophistication, and equally naïve to think that such abilities are restricted to a handful of nation states. The company responsible for Pegasus is Israel’s NSO Group, set up by former members of Israel’s security services, and partly owned by an American private equity firm, Francisco Partners, with offices in London.
NSO Group has not been very discriminating with its customers. Pegasus is believed to have been sold to the governments of Yemen, Saudi Arabia, Uzbekistan, Mexico and other states. Yemeni intelligence officers demonstrated remarkable bravado in showing journalists that they can access their communications. The point is that this one tool has been supplied widely to some countries on the opposite end of armed conflicts, and there is evidence that it has been used by other cybersecurity companies. And there are many comparable tools.
The history of communications technology has developed along two consistent lines. Technologies have become more sophisticated, and have become steadily smaller and more user friendly. The phone itself is a case in point, from landline to mobile to smartphone, ever more powerful and convenient. There is every reason to think hacking tools will follow a similar trend, with less and less need for users to manually crack into a system, or to understand the underlying coding.
This poses some unpleasant problems that need to be faced. We often discuss the importance of privacy, but phones are neither private nor secure and the ability to access the treasure trove of personal information that they hold is going to become easier, and doable by a far broader range of actors. Moreover it is inconceivable that people are in consequence going to stop holding large volumes of personal information on smart devices. It is, quite simply, too convenient, and while some may fall victim to criminal hacking, for the majority the risk will have been worth it.
The public response to hacks tends to be a mixture of outrage, surprise, and an expectation that their devices are secured. Pegasus shows that we should be asking more fundamental questions. The first is that if these tools are going to be used by law enforcement — using location data from phones, for example, to link a suspect to a crime scene — we need very clear laws and oversight of how this data is accessed by police, what information should be available and what procedures should allow officers to access devices that alongside relevant evidence contain personal information that is not germane to the case, but cannot be readily distinguished from other data. There are some precedents for answering these questions.
There are far fewer precedents when we come to consider who should be allowed to manufacture and sell powerful tools like Pegasus, and to whom. If they are the weapons of cyberwarfare, should they be monitored with comparable rigor to arms? Should the use of such tools require licensing of the vendor, and proof of compliance?
Of particular relevance to Mansoor and other activists targeted by repressive states is the question of public attitudes toward hacked information. There is a widespread acceptance that hacked information is the concealed truth made public. With the modern craze for mass data leaks, little work is done to verify that the data has not been subtly tampered with.
But as was recently demonstrated in Russia, hackers manipulated records from the Open Society Foundation to try to link George Soros and Russian anticorruption activist Alexei Navalny. The fabrication was only noticed because two hacking groups independently released discrepant versions of the same material. To put this in the context of mobile devices, suppose a hacker were able to enter an iPhone and change the location data, placing someone at the scene of a crime when they were not. It is hard to imagine a jury, representative of the current pervasive attitude, seriously doubting the veracity of such evidence.
It is easy to look ahead and see a dystopian future, dominated by surveillance, public and private. Trying to counter these trends individually is a sure path to paranoia. But if we can get the frameworks surrounding the use of these powerful tools right, if we have those difficult conversations now, then we can hope to transform them from a sinister threat to another transformative step in the advance of technology.
Originally published by Haaretz.
British experts say it’s impossible to prevent every cyber attack – but staff can be trained to notice more irregularities in the system.
Just before lunch on a spring day in London, a financial officer received an email from their CEO asking that they make a payment to a supplier with whom the CEO had just had a meeting. The payment was large, but no larger than they had expected. Seeing the CEO’s secretary, the financial officer asked when the payment needed to be made. “I’ll just check,” the secretary replied.
A few minutes later the secretary came back looking worried. The CEO had not sent an email requesting a payment. On closer inspection the financial officer noticed an ‘a’ replaced by an ‘e’ in the company email. At first there was a wave of relief – a fluke had saved the company from falling victim to a fraud – but then came the hard questions: how had the fraudsters known about the meeting with the supplier? How had they been able to so closely mimic the CEO’s writing style? Had the fraudsters hacked into the company system?
“This sort of attack wouldn’t normally be considered a cyber attack, unless they got access to the system,” explained Stephen Ridley, Senior Development Underwriter at Hiscox, who provide cyber insurance to over 3000 businesses in the UK. “But our policies trigger on a suspected data breach.”
Once hackers have access to a company’s system there are a range of ways they can get money, from gathering information to perpetrate fraud, to encrypting company records and demanding a ransom to return them. A compromised company can provide a backdoor for hackers into the databases of their partners, clients and suppliers. Companies have a responsibility to deal with suspected data breaches, and it comes at a high price.
“You have to find the breach, then shut it off, assess the system’s weaknesses and work out how to improve security, train staff, get legal support,” said Ridley. Even in the event of unsuccessful frauds, “the costs can be huge. Most claims are straight into the tens of thousands of pounds.”
And then there is PR. If it is found out that a system has been breached then the reputational damage can destroy a business. With an ever-growing volume of online transactions, who wants to give their data to a hacked company? For this reason companies often try and keep incidents quiet.
“We see non-disclosure to various degrees,” said Ridley.
Awareness of the threat is growing. Hiscox has reported a threefold increase in UK companies taking out cyber insurance over the past year, driven by a string of high-profile hacks against large companies including Sony, Ashley Madison and LinkedIn. But according to a survey by the Institute of Directors, only 57% of British businesses have cyber security strategies in place. That figure does not reflect the number of companies taking active security measures, which is far lower. Nor does it reflect the global picture, as the UK is far ahead of similarly developed economies.
“The problem is that a lot of people see minimum security standards as the target to meet,” said Peter Shepherd, Head of Digital Investigations at London-based Hidden Security, who specialize in testing the vulnerability of small and medium-sized businesses. “The attacker has the advantage. They will always get in. The question is how far?”
Describing a typical cyber operation, Shepherd explained how a hypothetical criminal would scan an area for vulnerable devices such as routers, use fake Wi-Fi to gain access to employees’ phones, and pull company information from social media. A mixture of public and private information then allows for targeted attacks.
“In one case where we were testing a company we learned that they had just signed a deal with a sports company, so we sent around a fake email from the company to staff offering discounted tickets. A few people opened the link and we got access to their system.”
“However,” said Shepherd, “some reported the email to IT. So we sent another email pretending to be from IT warning about the previous email with a link to allow IT to check that their computer wasn’t affected. Everyone clicked on it. Then we had access to everything.”
The easiest way of converting a breach into cash is through ransomware, which encrypts a company’s system and demands a payment to give back control. Ransom cases represent the largest proportion of cyber-related claims, according to Hiscox. But most cases go unreported.
“Ransoms used to be big,” said Shepherd. “Now they are typically around 250 pounds. At that cost it is easier – and cheaper – to just pay, which most victims do. But if you do these attacks across London, you are going to be collecting a lot of ransoms; earning more than your usual cyber security professional.”
Some frauds are more elaborate, however. Many SME directors take the attitude that their businesses are too small to be the target of a major attack. With awareness of cyber crime driven by public hacks of major corporations and governments, there is a widespread perception that SMEs are below the radar.
In reality SMEs often provide the perfect entry into larger businesses. Big companies can afford to have dedicated security staff and sophisticated IT defenses. SMEs by contrast are, as Shepherd points out, “the weak link in the chain.”
“Big companies rely on SME partners, and once you get into the SME you can exploit the trust relationship between them and the big company to get into their systems.”
With 23% of transactions in the UK taking place online in 2016, and the proportion projected to grow dramatically, the exposure of SMEs, and therefore of larger businesses, is only going to increase. Britain is especially relevant because the UK is far ahead of the rest of the world, and so the cyber threat against the British economy showcases what others will face in years to come. Germany, the second most digitized economy, currently has half as many online transactions each year, while the G20 average is just 6%. How Britain responds will provide lessons for others.
But countering the threat is difficult. Most breaches are the result of human error. There are ways of avoiding the simplest attacks, and ways of protecting vitally sensitive information systems by identifying and isolating the data, but cyber security experts acknowledge that almost any system will be breached under normal operational conditions. The biggest variable is awareness and attitude; two things that are currently in short supply.
“It is impractical to mandate security measures,” said Ridley. Hiscox does not insure based on a company’s infrastructure meeting arbitrary standards. “The assumption is that attacks will to some extent succeed.”
Instead Hiscox focuses its discussions with potential clients on their attitude. Shepherd agrees; strong defence is based on awareness. Companies can’t be vigilant 100% of the time, but they can encourage awareness by having their IT department send out fake fraudulent emails, rewarding staff who spot them and training staff who fall for the scam. Paying bonuses to IT staff who find breaches is another way of encouraging them to do the dull but essential task of scouring logs to look for irregularities, a job that is usually done around their core duties.
The growing volume of cyber fraud is also driven by a lack of policing. Government responses to cyber crime have been pioneered by the intelligence community, associated with the Government Communications Headquarters (GCHQ). The capability of law enforcement lags behind, and few victims expect to catch the perpetrators. Police do not always distinguish between cyber and traditional fraud, and investigation is hampered because plugging the breach often destroys the tracks of the criminals. As a senior security officer at Morgan Stanley put it, “the police just don’t have a clue.”
The Metropolitan Police declined to comment on this article.
Originally published by Haaretz.
A lack of transparency enables corrupt officials worldwide to continue in lucrative racketeering of state assets. A new initiative aims to establish a set of global standards for defense governance.
In the summer of 2015, Lt. Col. Elie Tarpaga was commanding a battalion of Burkina Fasan peacekeepers in Timbuktu, the gateway to Mali’s vast northern desert. It was a tense time: With 850 men and minimal logistical support, he was responsible for protecting a disparate civilian population from raging banditry and rival armed groups with a limited regard for a recently signed truce.
In spite of his difficulties, Tarpaga had an affable and jocular manner. But his broad smile quickly disappeared when asked how he felt about such a large proportion of Burkina Faso’s army being sent abroad. “How do you know it is such a large proportion?” he asked.
The Burkinan Army is estimated to consist of around 6,500 men, of whom three battalions are trained for peacekeeping and are regularly deployed. Last summer, two were in Mali but Tarpaga shook his head. “You may think you know how many soldiers we have, but no one would tell you the exact numbers. And if they said they did, they would be lying. It’s sensitive information.”
He was reflecting an attitude that is common across many militaries: Defense spending, and the size of units, are important national secrets – because a potential enemy shouldn’t know your hand in the event of war.
In Africa, 40 percent of countries publish no official figures on defense spending, and the rest rarely publish any budget breakdowns. With upward of $40 billion spent annually on defense across the continent, oversight remains minimal.
Far from improving security, however, there are many reasons to believe that a lack of transparency makes states more susceptible to corruption, organized crime and state failure.
“A lack of accountability in the security sector and the growth of secretive defense spending is a major risk to international stability,” said Katherine Dixon, director of Transparency International UK’s Defence and Security Programme.
Mali is an excellent case in point. In the wake of a rebellion by Tuareg separatists in 2012, and an incursion of extremist groups in the country’s north, Mali has become a significant recipient of security aid, but doesn’t publish its defense spending or require competitive tenders for defense procurement.
In addition, the military is not subject to independent auditing and parliamentary scrutiny of its activities is minimal.
The irony is that, far from improving security, this culture of secrecy – and corresponding poor governance – was directly threatening the lives of Tarpaga’s men.
Earlier in the week, militants from Le Groupe Autodéfense Touareg Imghad et Allies (GATIA), a pro-government militia hostile to Tuareg independence, had ignored cease-fire lines agreed in early June and risked a firefight with separatists from the National Movement for the Liberation of Azawad (MNLA). Had fighting erupted, the peacekeepers would have scrambled to intervene – as has occurred on numerous occasions. Twenty-four soldiers from MINUSMA (the UN peacekeeping mission in Mali) were killed in the first six months of 2016.
“GATIA was armed by the government,” a senior MINUSMA officer, formerly responsible for operations in Kidal where the infraction took place, told Haaretz. “GATIA has heavy weapons. The MNLA, too, with 120mm. mortars, 107mm. recoilless rifles.” Mortars have been used to shell UN compounds.
“There is seepage of weapons from the government stockpiles to traffickers, but we don’t know how much,” the UN officer continued. “The armed groups all have connections with smugglers.”
This seepage to non-state actors is facilitated by the lack of transparency in procurement and budget secrecy in the Malian state. Arsenals are not subject to independent auditing, meaning the UN cannot establish the volume of arms moving out of government hands.
The lack of independent scrutiny enables corrupt officials to continue in lucrative racketeering of state assets, and allows shoddy record-keeping to go unnoticed and unpunished.
In one of the most egregious incidents, the Malian Armed Forces signed off on a contract after being invoiced for 500 percent of the budgeted cost.
MINUSMA Director of Communications Radhia Achouri notes that “there are many people who do not want a stable country” profiting from smuggling made possible by insecurity, and by a lack of transparency or governance, which sees heavy weapons flow into a smuggling route connecting Libya to the militant group Boko Haram in Nigeria.
Confronting corruption in the face of defense secrecy depends upon reshaping the attitudes of officers like Lt. Col. Tarpaga. Fortunately, a new initiative is seeking to do just that. According to Transparency International UK, over a dozen states – including major economies, arms exporters and regional powers – have expressed an interest in establishing a set of global standards for defense governance, aimed at strengthening oversight and security.
Although the terms of this agreement are yet to be set, at their core they will encourage states to publish defense budgets and set up procedures for independent oversight of procurement and expenditure, in line with national defense strategies.
The initiative is still at a very early stage, but there are many reasons for states to support it. From the point of view of Mali’s benefactors, ensuring their aid is well spent is a key interest. With the spread of terrorism, governance and the management of arms are a growing security interest, while corruption and the weakening of state institutions provide opportunities for non-state actors to thrive. Meanwhile, for those states rapidly increasing their defense spending, ensuring that they have a national strategy against which they can judge the utility of military programs ensures greater value for their investment.
Jeff Kaye chairs Transparency International UK’s Defence and Security Programme and was a former director at British defense firm Marconi. “Large Western nations should be receptive to such standards,” he said, “as governments of the 21st century nation-state should be eager to show that their fundamental responsibility to ensure peace, safety and security for [their] citizens cannot be delivered without transparency and accountability.”
(Additional reporting by Paul Raymond in Mali).
Originally published in Haaretz.
Jack Merlin Watling
Jack is a journalist and historian. He formerly worked as planning editor at NewsFixed, and has contributed to Foreign Policy, Reuters, the Guardian, Vice, the Herald Group and the New Statesman.