Sunday 3 August 2014

Untold Intricacies of Snooping


Over the last fortnight, our newsiest and nosiest news channels have relentlessly debated the alleged bugging of a cabinet minister’s residence. The Opposition minced no words and created a furore in Parliament, demanding a thorough investigation of the matter. Undeniably, the bugging of the house of a minister in power is a matter of serious concern, one in which the nation was caught off guard. Following vociferous denials by the government and the minister of the veracity of the claims, the matter ebbed out of media and public discussion for the time being. But the bugging case shone a light on the RAMPART-A agreement inked by the previous government with the US government, giving the latter a free hand over surveillance of information in India. Even Edward Snowden’s leaks acknowledged that the US government has been snooping on the activities of six political organisations the world over, including the BJP. A classified document released by the Washington Post later confirmed that the BJP was an authorised NSA target. This contentious issue therefore necessitates prompt and the strictest scrutiny of snooping by a foreign government. It is incumbent at this stage to evaluate the magnitude of the snooping and its impact on the country’s security.
Against this background, it is interesting to deliberate on the bugging devices often implanted in official residences and workplaces for spying. These constitute the first line of snooping. Expeditious advancements in information technology have resulted in the development of sophisticated devices that are tipped to emerge as weapons of modern-day warfare. The miraculous miniature chips, the lifeblood of computers, are now poised to cause disasters of humongous proportions. The arsenal of modern-day coded wars is computer bugs.
In the present technological era, the real world has begun migrating into the software-lined innards of computers. Life without the latest gadgets is practically inconceivable. As a consequence, the market for fixing mistakes in the software embedded in gadgets has gained enormous prominence. What does a bug really mean in computer technology, and how does it work? All software developed to carry out a specific task invariably contains certain flaws. The real crux of developing bugs lies in skilfully looking for these flaws. Meticulous, intelligent and skilful individuals identify the major flaws overlooked by the creators. They locate a vulnerability, or simply put a zero-day, which is serious enough to be a security problem and is previously unknown. Zero-day refers to the bug’s freshness: it means that the bug has been in the public domain for zero days and hence no one has tried to fix it. It has great commercial potential. Some people expend their brilliance on constructive uses of the bug, such as selling it back to the software maker, who spends money to use the bug for upgrading the software. Government agencies lap up these bugs and covertly use them for espionage. If criminals buy them on the black market, they use them for stealing trade secrets or the personal information of a rival party. Owing to its huge offensive potential, the trading of bugs is unregulated. Its market is global, and eventually a bug is used for devious purposes and for upgrading newer versions of software alike. Taking this cue, expert hackers are trying to make bugs nastier and more invasive, and are touting the superiority of their technical capabilities.
On the positive side, big software companies are now finding it cost-effective to buy their own bugs in order to fix issues with software they have recently launched. In 2010, Google Chrome set a new trend in this direction by offering rewards for vulnerabilities in its software. Others who followed suit were Microsoft and Facebook, which announced bounties of $100,000 and $1.5 billion respectively as payoffs to hackers. The potential for abuse of bugs is similarly high. Verizon reported that 22% of data breaches in the year 2013 were cases of cyber espionage operations caused by bugs targeted by hackers. Unlike in other crimes, the source of the bug and the intent of the attack are difficult to pin down. The destructive capacity of bugs is enormous, and governments are now waking up to this Frankenstein’s monster. Unlike the trade in jet fighters and artillery, the trade in vulnerabilities is not regulated. To this end, the Wassenaar Arrangement, an international agreement which governs arms sales among the US and 40 other participating countries, was recently modified to include “intrusion software” in the list of restricted dual-use technologies. But legally binding statutes have not been drafted. With the unrestrained availability of zero-days on the black market, the likelihood of terror outfits or tin-pot dictators derailing public infrastructure is really high.
An ideal situation would be one where software is perfected and offers complete security. But as we aspire to powerful computers capable of executing complex tasks, there will be more security issues, and hence the software needs to be more complex. The higher the complexity, the greater the number of bugs. Thus, it has become a vicious circle. Further, as we latch on to several gadgets such as tablets and phones, each with a different configuration of hardware and software, the situation is becoming unmanageable. Moreover, as the latest and upgraded versions of operating systems enter the market, the software is burdened with the task of supporting the older versions as well when it runs on older devices. Thus, new classes of vulnerabilities will continue to crop up. Fixing vulnerabilities seems to be an unending trail.
The Snowden leaks also reveal that the US government has spent $25.1 million on covert purchases of software vulnerabilities, suggesting that it buys zero-days and subsequently rolls them out internally. The leaks also show that the US has already mounted offensive operations against China, Russia, Iran and North Korea. Unlike other kinds of invasive wars, stealth operations that extract personal data and intellectual property are not detected immediately. But the threat seems to be constant and pervasive in this new millennium.
Some notorious cyber attacks have already wreaked havoc. Stuxnet (2009), a joint operation of the US and Israel, was aimed at undermining the uranium enrichment programme of Iran. Its zero-day vulnerabilities infected Microsoft Windows machines and subsequently infected computers worldwide. In 2009, China-based hackers launched Operation Aurora on Internet Explorer to attack Google, Adobe and other major US companies. It also spied on human rights activists and stole intellectual property. The Russian operation Blackhole of 2010-13 attacked all personal computers. In 2013, hackers introduced vulnerabilities in Java which installed sophisticated malware on Facebook employees’ laptops.
Akin to a double-edged knife, intrusive software has evolved into a private arsenal threatening to shake the foundations of the paradise of information. Covertly, the millions of chips which cradled us into a life of comfort are turning monstrously dangerous. With governments actively engaging in these unobtrusive wars, matters of internal security and sovereignty become gravely important. India, reckoned a prodigious nurturing ground of software personnel, would be ridiculed if it succumbed to the elitist, sneaky technology of the West.
