February 16, 2015

Firmware Hijacked, No-one Safe… By and From the U.S. - Are we really surprised?

The New York Times reported February 16, in an article titled “U.S. Embedded Spyware Overseas” (link), that Russia’s renowned and respected Kaspersky Lab has unveiled that the U.S. “Equation Group” (AKA, apparently, the NSA and DoD’s U.S. Cyber Command) have – for more than 10 years – hidden malware and spyware deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers.

Doing this has given the U.S. the means to eavesdrop on the majority of the world's computers, according to Kaspersky, other cyber researchers and, reportedly, former U.S. operatives.

Surprised?  You shouldn’t be.  This pot’s been calling kettles black for so long you’d have to be idiot-thick not to figure out that they were over-compensating to veil their own transgressions.

So what now, now that we have relative certainty that the entire planet’s been compromised by U.S. intelligence agencies?  And, perhaps worse, they’ve been doing so in the context of accusing pretty much any and every other (other?) “bad guy” of doing the same thing while purporting to be holier than all those other “thou’s.”

But wait, the U.S. only conducts espionage to ensure our national security, not, for instance, to gather and store data on its own citizens or, ahem, to gain commercial benefit for American companies.


I'll leave the former be for now, but as for the latter, while there’s no evidence - yet - to believe the U.S. has stolen intellectual property from foreign firms with the express purpose of transferring such knowledge to domestic firms, that’s – perhaps - only because the need has not yet been perceived. 

But have American intelligence agencies eavesdropped on others to leverage benefits for American companies, for instance, in terms of intelligence related to the negotiation of trade agreements, etc.? 

Well, yeah.  Duh.  And, that, yes, confers commercial advantage.

Hey, I’m an American.  I get it.  I understand.  Indeed, I don’t oppose it, per se. 

What I oppose is the utter hypocrisy of painting other kettles blacker than our pots.

Look, national governments are national governments, and spies will be spies - humankind has conducted espionage on its neighbors since the first caveperson leaned out to peer into the neighboring hole to see how the “other side” were making their fires.  So let’s be intellectually honest about the whole thing.

So, before we let this latest revelation escalate us towards yet more techno-nationalist (nonsensical) market access barriers in one or another country, consider the below instead.  After all, none of this is sustainable - we are risking our future, a future largely and increasingly dependent on the global and interdependent information economy. 

Manifesto for a post-Cyber Future


- Our societies, businesses and personal lives have become ever more reliant on the Internet and connectivity, on a global and interdependent basis; 

- The development of networks has helped to advance social progress. Open networks have encouraged information flow and sharing, provided more opportunities for and lowered the cost of innovation, and have helped improve the world's health, wealth and prosperity.

- Today’s interconnected world is powered by global, intertwined infrastructures built on technologies provided by a wide range of information and communications technology (ICT) vendors sourcing inputs from a vast global supplier ecosystem, enabling networks that span multiple markets;

- This complex, intertwined ecosystem is potentially vulnerable to those that wish to use technology for purposes it was never intended, to steal, corrupt, damage or disable.

- In this context, the integrity of networks and data are essential to our societal and personal well-being, and that integrity is increasingly threatened;

- Maintaining or restoring confidence in network and data security is critically necessary to maintaining and enhancing the global digital economy and our day-to-day lives as individuals;

- Governments have a responsibility to secure the networks their citizens use, and to ensure the integrity of the data within such networks, as well as legitimate law enforcement and national security obligations;

- No longer is technology designed, developed and deployed only in one country; no longer can any country or large company claim to rely on a single sourcing model;

- Physical and digital supply chains fueling the information and communications technology industry eclipse borders;

- Geography-based or otherwise “techno-nationalist” approaches to securing networks and data are inconsistent with commercial and technological realities in what has become a global and interdependent information age;

- Network security and data integrity are not single country or company issues, they are functions of how ICT products are made, used, and maintained, not by whom or where they are made, or by the relationship any vendor may have with any particular government;

- Geographic-based restrictions in any form risk both retaliation, replication and the fragmentation of global ICT supply chains, as well as undermining the advancement of global best practices and standards on network security and data integrity;

- States should seek to agree appropriate conventions among themselves governing acceptable behavior in cyberspace, while refraining from hyperbolic rhetoric and market-distorting policies, laws, regulations and practices in the name of “cyber” or national security;

- Governments should offer additional clarity and transparency in terms of their mandates, regulations and practices related to data monitoring, collection, processing and storage;

- Industry should accelerate initiatives to defining certifiable standards, disciplines and best practices for network security and data integrity; from product conception through research and development; from coding to sourcing; from assembly to shipment; from deployment to servicing to end-of-life.

- Public-private partnerships should cement the results, codified as appropriate, whether through international covenants or global industry standards bodies.