Project Covert Operations and Zero Days – Controlled Compromise of Infrastructure and Code
Once you collect information, you will eventually have to decide when to use which part of it, and for what reason. This is the dilemma of intercepting intelligence from an adversary and using it for defence (or offence). Once you act on knowledge no one else is supposed to have, you also disclose your capabilities. The digital world is full of these scenarios. The most recent case is a disclosure by Google’s Project Zero. The publication covered vulnerabilities dating back to the first half of 2020. As it turned out, the discovery comprised 11 powerful weaknesses used to compromise iOS, Android and Microsoft® Windows devices. By publishing these vulnerabilities, Project Zero essentially shut down a nine-month digital hacking operation by a Western government.
Bugs in software have no labels. They may be vulnerabilities, and these findings may get turned into real exploits that can be reproduced to work all the time against unpatched systems. However, these exploits can be used to attack anybody. The attack doesn’t distinguish between cyber-crime organisations, terrorists, governments, companies, individuals, or NGOs. A system connected to a network does not hoist a flag marking its affiliation. Most security researchers do not spend time on attributing attack software. Attribution itself is very hard. Furthermore, using red herrings is a standard evasion tactic for all sides. And then there are also false flag operations to make things more complicated.
Fixing critical bugs in software and hardware affects everybody. Information security cannot wait until attribution is possible or allowed. Once you notice a flaw in code, you have to act by investigating and documenting the problem. Period. The gain of improving security for all of us will always outweigh any argument in favour of less secure systems. This is true for secure communication (see the discussion about end-to-end encryption) and for zero-day bugs in code. There is no room for discussion. Either it is information security or it is information insecurity. There is no third possibility.
How to deal with threat intelligence and what to do about attribution in case of emergency will be discussed in-depth at the DeepINTEL Security Intelligence conference on 17 November 2021.