Over the past generation, and increasingly over the past decade, information security has become a key arena for international warfare. Cyberwar, as it is commonly called, can forcefully derail economic, social, and combat capabilities without the direct physical confrontation previously required. The progression of human conflict into a domain where confrontation is defined by intellectualism, and casualties are measured in lost data, in no small way speaks to the advancement of humankind. However, these advancements have been coupled with global collaboration that has unified intellectuals of multiple nations in efforts of technical invention and innovation. There are no better examples of these unifications than within global corporate entities, where billions of people work collaboratively to continue growth.
Though we tend to view these entities as singular, they are actually large conglomerates of individuals who hold multiple allegiances beyond the walls of their corporations and the borders of their nations. In information security communities, where national security is not mutually exclusive of private sector security capabilities, questions arise when these allegiances come into conflict. For example, when does a global company choose to publicly report covert operations conducted by a nation to hinder another nation's ability to become a nuclear power? This question sounds like the premise of a cheesy suspense film, but it was actually the specific question posed to Symantec analysts in the discovery of Stuxnet, a computer worm targeted against Iranian industrial control systems, likely built collaboratively by Israelis and Americans. This article will explore these conflicts as well as the role that the growing community of information security professionals currently plays, and will likely continue to play, in the realm of international conflict.
An Ever Shrinking Planet
It has been well over a half century since the United States and indeed much of the world could have claimed any real amount of isolationism. Rather, we live in a global economy where international relations and alliances can exist simply through adding friends on Facebook. Interconnection has altered the world in ways that even the brightest visionaries previously could not have imagined.
These advancements and collaborations may have been summed up best in a 2001 speech entitled “Globalization, Free Trade, and National Security,” delivered by Kenneth I. Juster, former Under Secretary of Commerce for Export Administration, when he stated:
“Advances in information and communications technology have made it much easier for companies in all sectors of the economy to “go global,” to create multinational workforces, to set up operations and facilities in remote areas of the world, and to market their products and services worldwide.”
Yet, while the effects of globalization are in many ways widely recognized, most studies and considerations surround economic implications and the relation of national security to nations' economic stability. What sets information security apart is that this relationship can be inverted: what may be economically best for security companies may have a largely negative impact on national security. This is a distinct possibility in the aforementioned incident involving Iranian nuclear efforts. No doubt, Symantec made a few pennies off of the free publicity.
Amongst the unanticipated byproducts of technological innovation and corporate globalization are new intersections between corporate interests and national security. Despite the numerous areas where these issues exist, few are as complex as within the realm of information security.
Information security is in many ways knee deep in espionage between corporations and governing entities. As a result, security researchers are often working directly on issues of national security without knowing it. Yet, while it is simple to report when a researcher finds that a foreign country is hacking an organization, it can be far more difficult to determine when to report that the researcher's own country is hacking another business.
Such has been the case in numerous instances where researchers were paid to perform root cause analysis of attacks that infiltrated businesses or perhaps even disrupted capabilities. While a researcher uncovering their own nation state as the culprit behind an attack is rare, it does happen. This leaves a very simple question: when does one report that their own country is hacking another?
When to Report
The patriotic answer would seem quite simple: “this should never be reported.” However, the stark reality is not so black and white. There are issues with not reporting. Consider first that there are security implications for failing to report information publicly, or even privately within an organization. In certain cases, synthetic malware can be re-purposed for further attacks against other entities. Such was certainly the case for Flamer, which was re-purposed and utilized in an attack against Aramco. Without proper disclosure of the original piece of malware, detection would be more difficult and damages could be much greater.
In addition, there is a business component to not reporting. At this point in time, security research is being done by global vendors in a multitude of countries. As a result, if one entity fails to report an issue, it is not unlikely that another entity will report it. There is therefore a level of marketing competitiveness involved in the reporting of issues.
These things considered, the answer becomes a bit convoluted; in fact, the best answer is that it depends. One should report state-sponsored attacks from the country from which they hail when it is first and foremost safe to do so, both at a personal level and at a national level within their particular nation-state. Should one face jail-time retaliation for such a disclosure, then the answer is simple: it shouldn’t be disclosed. It is a corporation's responsibility to be a good citizen and protect an employee who was merely doing their job. If, alternatively, a disclosure will be controversial but not particularly dangerous, then that is the time to disclose. And yet, while these criteria seem rather simple, they still somehow manage to be incredibly complex. One thing is not complex, though, and is plain to see: security researchers will continue to play a large role in international relations whether they like it or not…