One of the stories of the year so far for me has been the ongoing saga of the Hacking Team hack. The 400GB data dump uploaded earlier this month has allowed us to peek for perhaps the first time into the murky world of "lawful interception", and the legal global trade in software vulnerabilities. For CIOs it should represent yet more evidence that there's more to fear than mere financially motivated cybercriminals – nation states are increasingly prepared to invest in tools and technologies to spy on your business.
It's time we all demand our governments to stop this hypocrisy and criminalise the trade in software flaws.
Lifting the veil
Hacking Team is one of numerous 'legitimate' companies which make their money from selling lawful surveillance tools to governments around the world so that they can snoop on their citizens. What we didn't appreciate until now was that the firm also appears to have been researching and selling software vulnerabilities and proof-of-concept exploit code to these government clients. At the time of writing, three such flaws - in Adobe Flash Player - have been discovered and made public thanks to the doxing of the Hacking Team.
Unsurprisingly, it took less than a day before these flaws began to be exploited in the wild by cybercrooks. Adobe has been quick to respond, but it could take CIOs much longer to implement emergency patches to keep their organisations safe. This is the best example possible of why governments should get out and shut down this industry. Yet they're doing the opposite - driving up demand and prices for software bugs and exploits. It's enough to make researchers think twice about responsible disclosure, if they can make a small fortune selling flaws instead to companies like Hacking Team.
Harming the industry
There's little difference between what governments are doing here, and what cybercriminals do on Darknet sites and closed forums. It amounts to nothing less than the trade in software vulnerabilities and exploits to be used later to launch covert cyber attacks on citizens and businesses. Yet somehow this is not illegal. The hypocrisy will not be lost on CIOs, who have seen politicians in the US and UK on the one hand release state-sponsored guidelines on how they can improve data security and fortify defences against attack, but on the other call for backdoors in encrypted products and services which could actively put data at risk.
The hypocrisy rankles even more when we consider the Wassenaar Agreement - an arms control treaty that was extended last year to prohibit the export of various types of software exploits and tools. That agreement has been widely criticised for the effect it might have on the ability of white hats to share research and code with each other. The spirit of the treaty also runs at complete odds to the reality of governments, including Washington, buying up software bugs on the quiet.
How can a democratic government justify keeping a software vulnerability hidden from its vendor? They're effectively legitimising and feeding an industry of firms like Hacking Team that are actively making IT less secure. That's certainly not ethical. Ethical would be to notify the vendor as soon as they come across a zero day being offered up for sale. In fact, responsible disclosure should be made a legal obligation for any organisation - government or otherwise.
I doubt there are any software vulnerabilities that have ever been sold to governments or other private buyers which haven't eventually made their way into the wild and on to criminal forums. It's a matter of 'when' not 'if', and as Hacking Team has shown us, once the code does get out it can be exploited at great speed by the black hats.
So how can CIOs minimise the risk of data loss, given that even the 'good guys' are now acting like bad guys? Well, for starters consider a risk assessment on what software is running in your organisation. Flash is one of the most commonly targeted applications out there, so for some CIOs it might make sense to remove it altogether.
Then there are 'virtual patching' technologies you can invest in to keep systems safe and buy you extra time until you are ready to implement a patch. Advanced monitoring tools are also a good idea to spot APTs and targeted attacks, which - if they're well researched and planned - could contain exploits specifically crafted to bypass traditional filters.
People often ask me what keeps me awake at night, from a cyber security point of view. Well, it's no longer the cybercriminals and new strains of malware - it's nation states. With their unlimited budgets and increasingly reckless attitude towards software vulnerabilities, they threaten to undermine all our best efforts to make the digital world a safer place in which to work and live.
Raimund Genes is CTO of Trend Micro