On May 13, a major security flaw in the popular messaging app, WhatsApp, was announced. The pervasive vulnerability, which affected both Apple and Android devices, allowed malicious actors to inject commercial spyware by ringing up unsuspecting targets using the WhatsApp’s VOIP-based call function.
The world is now accustomed to daily data breach news, and the reality is more problematic than we realise; in ISACA’s State of Cybersecurity 2019 research, 3 in 4 respondents say security breaches are underreported. What makes this latest threat particularly disturbing, however, is its novelty and deftness. This flaw allowed hackers to break into phones by simply calling a target. The victims didn’t even need to pick up, and the missed calls simply vanished from their logs. Device hacks that don’t require victim participation, such as clicking a weaponised hyperlink, are difficult to fend off and dramatically alter the game.
According to a media report, the commercial spyware in question was developed by Israeli cybersecurity firm NSO Group. While NSO has denied the allegations, the incident has nonetheless brought to light the complex, secretive and dangerous world of the cyber arms market, in which companies like NSO operate. Within this industry, governments and other sophisticated groups buy advanced surveillance tools, zero-day vulnerabilities, exploit kits and several other malicious programs from defence contractors or niche malware developers.
These advanced digital munitions are used to debilitate adversary nations’ critical infrastructure, manipulate elections, silence opposition, and spy on journalists, suspected terrorists, and a wide array of other targets. According to research, the global cyber weapon market stood at US$406.77 billion in 2016 and is poised to reach a staggering US$524.27 billion by 2022.
When we dig deeper into factors that have spurred the exponential rise in the cyber weapon market, three insightful answers emerge. At the root of this predicament is the rapid shift in defence policies. As geo-political tensions rise, more and more nations are rushing to acquire offensive cyber capabilities. This props up the commercial cyber weapons industry, as governments find it easier and more economical to buy or rent digital arms than to develop their own.
In 2017, US defence chiefs, via a joint statement to the US Congress, bemoaned the growing threat from adversary nations exploiting cyber space to steal military secrets, sensitive research and high-value information. “Many countries view cyber capabilities as a useful foreign policy tool that also is integral to their domestic policy, and will continue to develop these capabilities,” they emphasised.
This was demonstrated locally when state actors hacked into the Australian Federal Parliament through a supplier to steal files on naval vessels, so the Government invested further into ensuring that last week’s Federal Election would not be subject to the same cyber security issues.
Secondly, and perhaps the most vexing, is the absence of collective will to curtail the development and acquisition of cyber weapons. International cooperation between law enforcement agents is non-existent or weak at best. As both geo-political and geo-economic tensions crank up, according to the World Economic Forum Global Risks, the prospects of achieving a binding global cybercriminal justice system is invariably slim.
Granted there have been sporadic efforts to address this void, at the 2015 G20 summit, leaders agreed on language pledging not to conduct cyber-enabled economic espionage. But because the G20 communiqué was non-binding, it only represented form, not substance, and did very little to de-escalate rising cyber tensions or alter deep-seated nationalistic motivations. Messy situations demand strong leadership, but as powerful nations have significant stakes in the game, we are likely to see more of the same.
Governments need to agree to and enforce industry-wide policies and standards, just as IT leaders turn to organisations, such as ISACA, for guidance on assurance and risk in cyber security.
Thirdly, while commercial cyber arms creators may not harbor intentions to sell their wares to repressive regimes or criminal mobs, it’s inevitable that these tools will eventually fall into the wrong hands. The NSO Group, for instance, claimed that its program “is licensed to authorised government agencies for the sole purpose of fighting crime and terror.” But once a vendor sells powerful cyber weapons, it has little to no control on how and when that software is used. The 2016 incident in which a ghostly group of hackers infiltrated the Equation Group, a complex hacking enterprise believed to be operated by the NSA, provides a chilling example. The cyber weapons were later repurposed to debilitate several institutions, such as the NHS hospitals in the UK, resulting in billions of dollars in damages. Further compounding matters, insurers are now refusing to pay cyber claims when attacks are deemed “acts of war.”
What’s at stake here is innovation, peace and human development. Hacker incursions into critical infrastructure, such as WhatsApp, which connects more than a billion people across more than 180 countries, can negatively alter consumer trust – derailing innovation and human development. As Tim Cook, the CEO of Apple, accentuated in a recent opinion piece “Technology has the potential to keep changing the world for the better, but it will never achieve that potential without the full faith and confidence of the people who use it.”
About the authors:
Phil Zongo is a director and co-founder of cyberresilience.com.au , ISACA member, and the Amazon best-selling author of The Five Anchors of Cyber Resilience.
Darren Argyle is a non-executive director and co-founder of cyberresilience.com.au and the former Group Chief Information Security Officer (CISO) at Qantas Airlines.