Years ago, when one of my university friends, who later went on to become an academic mathematician, told me his research at Oxford University was being sponsored by the UK’s intelligence agency GCHQ, I asked him what he was working on.
“Tests for prime numbers.”
“Oh, that’s very relevant to code breaking, isn’t it Richard?”
He gave a polite smile. “I have no idea what you’re talking about.”
Richard went on to work for GCHQ directly, so he can say even less about what he is working on these days. His employer is keeping equally quiet about their involvement in the recently publicized Regin malware, though all the evidence points to the fact that it is being used for cyber espionage jointly by GCHQ and the NSA.
The Regin malware was discovered last year on computers at Belgacom, the Belgian ISP and phone carrier, and at the headquarters of the European Union. In the NSA papers leaked by Edward Snowden, the attack on Belgacom by GCHQ was described in detail. Belgacom hired the company Fox IT to clean up the infection. Ronald Prins, a Fox IT security expert is quoted as saying, “Having analyzed this malware and looked at the Snowden documents, I’m convinced Regin is used by British and American intelligence services.” Let’s assume he is correct.
One of the vectors used to spread this malware appears to be a vulnerability in Yahoo! Messenger. There is no evidence that this bug was deliberately planted by the NSA to facilitate their spying. It was used in 2011, and nobody else appears to have discovered it since that time, at least not publicly. We still don’t know exactly what this bug was or if it is still present in Yahoo! Messenger.
The computer security industry has a protocol called ‘responsible disclosure’ which says that if you discover a vulnerability in a software product, you should first notify the vendor so that they can come up with a fix, and then after a reasonable time make the details public so that everyone can apply the patch. It seems apparent that if the NSA becomes aware of a 0-day, they will use it for their own purposes rather than attempt to get it fixed. Some people argue that this makes all users of that software vulnerable to spying not just by the NSA, but by any other nation states or cyber criminals who may also discover the bug. As security guru Bruce Schneier recently wrote in a similar context:
We can’t choose a world where the US gets to spy and the Chinese don’t. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I’m tired of us choosing surveillance over security.
I don’t remember Richard being particularly paranoid at university (except, of course, for a completely justified fear of the head librarian at the University Library) but perhaps there is something about being a spy that makes you feel that you need to know everything about your friends as well as your enemies. Personally I side with Bruce Schneier and would like to see our security services prioritize security over vulnerability.