Periodically I read about efforts by China, or Russia, or North Korea, or other countries to replace American software with indigenous or semi-indigenous alternatives. I then reply via Twitter that I love the idea, with a short reason why. This post will list the top five reasons why I want China and other likely targets of American foreign intelligence collection to run their own software.
1. Many (most?) non-US software companies write lousy code. The US is by no means perfect, but our developers and processes generally appear to be superior to foreign indigenous efforts. Cisco vs Huawei is a good example. Cisco has plenty of problems, but it has processes in place to manage them, plus secure code development practices. Lousy indigenous code means it is easier for American intelligence agencies to penetrate foreign targets. (An example of a foreign country that excels in writing code is Israel, but thankfully it is not the same sort of priority target like China, Russia, or North Korea.)
2. Many (most?) non-US enterprises are 5-10 years behind US security practices. Even if a foreign target runs decent native code, the IT processes maintaining that code are lagging compared to American counterparts. Again, the US has not solved this problem by any stretch of the imagination. However, relatively speaking, American inventory management, patch management, and security operations have the edge over foreign intelligence targets. Because non-US enterprises running indigenous code will not necessarily be able to benefit from American expertise (as they might if they were running American code), these deficiencies will make them easier targets for foreign exploitation.
3. Foreign targets running foreign code is win-win for American intel and enterprises. The current vulnerability equities process (VEP) puts American intelligence agencies in a quandary. The IC develops a zero-day exploit for a vulnerability, say for use against Cisco routers. American and Chinese organizations use Cisco routers. Should the IC sit on the vulnerability in order to maintain access to foreign targets, or should it release the vulnerability to Cisco to enable patching and thereby protect American and foreign systems?
This dilemma disappears in a world where foreign targets run indigenous software. If the IC identifies a vulnerability in Cisco software, and the majority of its targets run non-Cisco software, then the IC is more likely (or should be pushed to be more likely) to assist with patching the vulnerable software. Meanwhile, the IC continues to exploit Huawei or other products at its leisure.
4. Writing and running indigenous code is the fastest way to improve. When foreign countries essentially outsource their IT to vendors, they become program managers. They lose or never develop any ability to write and run quality software. Writing and running your own code will enroll foreign organizations in the security school of hard knocks. American intel will have a field day for 3-5 years against these targets, as they flail around in a perpetual state of compromise. However, if they devote the proper native resources and attention, they will learn from their mistakes. They will write and run better software. Now, this means they will become harder targets for American intel, but American intel will retain the advantage of point 3.
5. Trustworthy indigenous code will promote international stability. Countries like China feel especially vulnerable to American exploitation. They have every reason to be scared. They run code written by other organizations. They don’t patch it or manage it well. Their security operations stink. The American intel community could initiate a complete moratorium on hacking China, and the Chinese would still be ravaged by other countries or criminal hackers, all the while likely blaming American intel. They would not be able to assess the situation. This makes for a very unstable situation.
Therefore, countries like China and others are going down the indigenous software path. They understand that software, not oil as Daniel Yergen once wrote, is now the “commanding heights” of the economy. Pursuing this course will subject these countries to many years of pain. However, in the end I believe it will yield a more stable situation. These countries should begin to perceive that they are less vulnerable. They will experience their own vulnerability equity process. They will be more aware and less paranoid.
In this respect, indigenous software is a win for global politics. The losers, of course, are global software companies. Foreign countries will continue to make short-term deals to suck intellectual property and expertise from American software companies, before discarding them on the side of Al Gore’s information highway.
One final point — a way foreign companies could jump-start their indigenous efforts would be to leverage open source software. I doubt they would necessarily honor licenses which require sharing improvements with the open source community. However, open source would give foreign organizations the visibility they need and access to expertise that they lack. Microsoft’s shared source and similar programs were a step in this direction, but I suggest foreign organizations adopt open source instead.
Now, widespread open source adoption by foreign intelligence targets would erode the advantages for American intel that I explained in point 3. I’m betting that foreign leaders are likely similar to Americans in that they tend to not trust open source, and prefer to roll their own and hold vendors accountable. Therefore I’m not that worried, from an American intel perspective, about point 3 being vastly eroded by widespread foreign open source adoption.
TeePublic is running a sale until midnight ET Thursday! Get a TaoSecurity Milnet T-shirt for yourself and a friend!
The Russian author of the notorious Citadel malware which infected over 11 million PCs and stole an astonishing $500 million from bank accounts has pleaded guilty to his crimes.29-year-old Mark Vartanyan, who went by the online handle of “Kolypto”, was arrested in the Norwegian town of Fredrikstad in 2015 at the request of the FBI. His extradition to the United States occurred last December, against the wishes of Russia who argued that the evidence against Vartanyan was weak and the case was politically-motivated.Nonetheless, Vartanyan has now admitted his guilt as a plea bargain with US federal prosecutors who have agreed not to seek a prison sentence of more than ten years.A maximum term of ten years may still sound like a lot of time for anyone to waste their life behind bars (it is!) but it’s still a lot better than the 25 or more prosecutors might have sought instead.The Citadel malware first caught the attention of security researchers in late 2011, when it was found being made available for sale on Russian-language crime forums.Citadel made it relatively easier for online fraudsters to steal banking credentials, credit card information, and personal data with the intention of breaking into victim’s bank accounts and making unauthorised transactions.
In addition, Citadel could hijack control of users’ Windows PCs and even attempt to grab the master passwords of some third-party password managers, and block access to anti-virus vendor websites.To increase its chances of success, Citadel could be used in targeted attacks exploiting Microsoft zero-day vulnerabilities to infect firms, as well as more traditional attacks.And it’s clear that Citadel was very much a serious commercial enterprise for its developer. Some editions of the malware even incorporated a built-in Customer Relationship Management (CRM) system to provide quick and effective support to its criminal customers, which the developers were happy to brag about in online postings:“Its no secret that the products in our field — without support from the developers — result in a piece of junk on your hard drive. Therefore, the product should be improved according to the wishes of our customers. One problem is that you have probably experienced developers who ignore your instant messages, because there are many customers but there is only one developer.”Vartanyan may be heading rapidly to prison, but his malware is still out there in the hands of many other criminals who could potentially exploit it to steal from innocent computer users. One of the frustrations with fighting malware is that even after the perpetrators have been put away, the crimes can keep being committed.Vartanyan, who is scheduled to be sentenced in June, isn’t the first person to be charged in connection with the Citadel malware.In September 2015, 22-year-old Russian national Dmitry Belorossov – who went by the online handle of “Rainerfox” – was sentenced to 4.5 years in prison after he admitted using the Citadel malware to commit fraud, and hijacking control of some 7000 computers. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.