Big tech and spyware II (26 October)
- Shane Huntley, Director of Google Threat Analysis Group
- Jo De Muynck, Head of Operational Cooperation Unit at ENISA
- Saad Kadhi, Head of CERT-EU
- Rosanna Kurrer, Cyberwayfinder
Shane Huntley reports that Google, among others, runs "Project Zero". Spyware is becoming more and more of a threat everywhere. More and more countries want the surveillance capabilities offered by Pegasus and its competitors because they see that it works. Very small countries with very poor human rights records are able to obtain top-tier capabilities because companies like NSO will sell to them. It is also used to spy on foreign governments, and the software collects a great deal of information. Ostensibly, however, it is only used to fight crime.
In 2017, the Google Android team distributed warnings for the first time. Further material followed in 2019, and in 2021 from "Project Zero"; but that only concerned the most advanced works trains. At that time, 30 products were discovered. Newly discovered zero-days can fetch millions on the grey market of vulnerability brokers. Governments can hoard them for their own purposes. Their accumulation and hoarding are a real harm to society because they increase risk.
He said that Europe has also intervened in the debate, including through Commissioner Jourová. Google is developing protection features, including special programmes such as "Project Shield" for human rights defenders. Google is calling on the EU to work with the governments of countries that host the relevant industries in order to rein them in. Google is committed to actively fighting such spyware.
When asked, he confirmed that the trade in exploits is spreading and that exploits are also leaking out of government apparatus. There were subsequently successful attacks against iPhones, which again put a considerable number of people at risk.
He said his team covers three threat areas: Government spying, cybercriminality and threats from Russia. Google has published a white paper on better cyber security and resilience in Europe.
The European Union should "lead a diplomatic effort" to limit the harms of advanced spyware apps such as Pegasus.
Jo De Muynck reports that ENISA keeps publishing studies and other reports on threats, including the economics of vulnerability disclosure. There are so-called "Cyber Crisis" liaison offices and the "Cyclone" project. Together with Europol, there was a publication on the balance between intrusive investigation tools and fundamental rights. ENISA has identified difficulties with Pegasus. In addition, millions of malware programmes such as Trojans are downloaded, often undetected.
The commercial spyware industry has grown and there are many "hackers for hire". The market for zero-day vulnerabilities is flourishing, and it is becoming more and more difficult to regulate it this way; the vulnerabilities are the core of this threat. They are not noticeable at first. Such vulnerabilities also exist "in the wild".
In order to reduce risks, vulnerabilities must be disclosed in a coordinated manner, and companies must report them in order to be able to reduce their exposure. This raises the bar for attackers. It needs to be coupled with legislation such as the planned Cyber Resilience Act, which is key to this cause. Manufacturers would have to invest more in the security of their products: security by design. This could well counteract the spread of Pegasus, but there is no panacea. Of course, import and export regulations and transparency also help. The bar must be raised so that trust in IT security does not fall. Only by promoting cybersecurity and data protection through technology, and by making the IT products we buy resistant to attacks and intrusions, can we create the economic incentives needed to combat the commercial espionage market.
When asked, he says ENISA is also working with US big tech firms. Information on attacks is also shared there.
The more zero-day vulnerabilities there are, the greater the risk that these will fall into the hands of criminals.
Saad Kadhi describes CERT-EU as serving around 100,000 users across Europe. It is a place to exchange information on cyber incidents; it also works with cyber defence agencies and has numerous contacts inside and outside the EU, including Google and Apple. CERT-EU is a non-profit service provider. It also has forensic cyber security capacity.
In 2020, there were already twice as many normal, traditional incidents as usual. The volume of evidence that subsequently needs to be processed tripled by 2022; so in fact, it has increased sixfold.
In 2018, CERT-EU had one major, significant incident, at an EU institution; such an incident means weeks or months of work with victims and investigating agencies. In 2019, there were already 8 such cases, in 2020 already 13, and in 2021 17. In 2021, there was also one of the biggest attacks in its whole history, on which 45 experts worked for months.
There is good expertise in PCs and laptops, browsers, etc., he said. But there is not enough capacity to detect spyware like Pegasus. Guidelines and tools have been issued to make it possible to detect Pegasus. This of course relies on input from other agencies, including ENISA. The PEGA Committee may help to facilitate the enhancement of CERT-EU's capabilities to detect such cases. Mobile phones are currently poorly covered by threat monitoring systems.
When asked whether the attack on the EU Commission could be solved, he replied as a private citizen, because he could not speak for the Commission. However, CERT-EU had investigated it.
Kadhi's mandate is not to investigate attacks like the one with Pegasus. Such an attack could be investigated when they uncover incidents themselves. They also work well with victims, such as the Medicines Agency or the EU Banking Authority, and they have also cooperated well with the police. CERT-EU is, so to speak, owned by the victim, who can allow it to say something publicly about the incident. But victims can also choose to remain silent about the incident.
Companies such as Zerodium, an American company founded in 2015 that grew out of a formerly European venture, pay bounties for the discovery of zero-day vulnerabilities. ENISA processes IP addresses that are collected as indicators of compromise; CitizenLab has published such indicators for Pegasus, for instance. Since 2011, there has also been an insider case.
There is a CSIRT network based on the NIS Directive for the EU-wide development of national cyber security capacities. Member States' response teams are also organised in this network. "Cyclone" is something similar, but it is about operational exchange.
There is an urgent need for more prevention, detection and response to infections that exploit vulnerabilities, including on mobile phones. That means better configuration and more liability for manufacturers. In addition, the threat landscape covered by CERT-EU must be extended to phones. Evidence of attacks must also be collected as quickly as possible; for computers, such forensics can be done remotely, but mobile phones currently always have to be handed in for investigation.
Rosanna Kurrer points out that cybercrime causes costs of around 10.5 billion euros daily, but not all incidents are reported. With 5G and the Internet of Things, this is getting worse. There is a cybersecurity skills gap, with up to 3 million vacant, unfilled positions. This affects the private and public sector alike and is becoming a greater threat to prosperity and the functioning of society. At cybersecurity conferences, there is also more and more talk about burnout.
In cyber security, people always think you have to have studied computer science, but that is not true; there are many areas that can be covered, such as security architecture, career departments, management, risk assessment, etc. Career transitioners could help get people into jobs, supported by trainers, mentors and coaches.
Kurrer adds in the Q&A session that any person who has vulnerabilities on their devices can be attacked many times over. The agencies would have to assess this risk. It is also not unusual for criminals to work together with states.
See here the stream of today's hearing.