Lessons from the Equation Group

A team of brilliant security software developers nicknamed, The Equation Group, by Kaspersky Labs has taught us all some great lessons about computer security. You can read up on the breakthrough capabilities of the Equation Group on dozens of websites from Ars Technica to ZDNet. I saw reports of the existence of malware that can live inside hard drives in such a way that reinstalling the operating system or wiping the hard drive with military grade tools cannot remove the malware. It seems the malware is so well written as to be beyond the reach of most anti-malware tools. The experts in many of the articles suggest simply destroying the hard drive once you know you are infected.

That is not the lesson though. The lesson confirms what many of us with strong insight into technology long suspected. Conventional computer technology cannot guarantee security. An article on Ars Technica is titled, Obama: “Everybody’s online and everybody’s vulnerable”, that shares a common sentiment about computer security. None of this is new information today. Things you do on a computer may only be temporarily private.

What is new to me, or perhaps I must finally admit it, is the impact on encryption. Hardware level malware defeats encryption. Code embedded in hardware firmware is the ultimate trump card in the current design of computer systems. The revelations do not negate the value of information systems but simply limit their usefulness in terms of private information and communication.

Other choices are possible. Starting over is an option. Accelerating security development through an open systems technology culture. Developing a practice of shrewd use of technology where privacy stakes are not as high.

  • Pessimistic, realistic view: Rejection of the technological path we have undertaken.
  • Optimistic, pragmatic view: Acceptance of complete transparency despite actions to the contrary.
  • Highly realistic view: Be highly selective in how technology is used.

All the advice you hear about computer security is still valid safeguards against general information leakage. Current computer security measures and theories simply has limits when it comes to all possible means of compromising systems. Hackers on behalf of one company may not be able to overcome the safeguards at a target company. However, there are other groups how can overcome most safeguards. It means that confidentiality agreements covering work of a digital nature are rendered moot in terms of the potential unknowable disclosure of such information.

Until a new or substantially revised theory of computation, information theory, or system architecture arises that is verifiably sound in terms of security emerges, default insecurity of systems should be the expectation. Hardware architecture, in particular, will need to be rethought and made genuinely secure by design. Such hardware will need to remain as inter-operable and standards compliant as today’s hardware. Tomorrow’s hardware of that caliber that still performs well will need to be designed or invented. A trillion-dollar market probably awaits the inventor of such things.

In the meantime, none of this means you avoid securing systems or taking precautions. Computer technology today is all about efficiency and convenience. Those are still valuable attributes. It’s just that really great security is not part of that mix right now. That means that, for the present, your best security measure comes down to deciding what to make digital and what to keep analog.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s