From the Amazon case to the use of Microsoft software to manage the judiciary’s systems: why defending networks means normalising preventive surveillance by Andrea Monti – Initially published in Italian by La Repubblica – Italian Tech
The case of the theoretically possible — but unproven — abuse of Microsoft software for the remote management of computers supplied to the Italian judges is the other side of a problem posed by the recent discovery of a North Korean hacker, whom Amazon was able to identify by measuring the delay in typing on a computer connected to its network.
When security goes beyond control
To put it bluntly, the two events highlight the cross-cutting nature of an issue that has long been known but neglected: managing the security of information systems in infrastructures with even just a few hundred computers, or rather, as they are now called, “endpoints”, has reached such a level of complexity that relying on the on-site intervention of an “IT guy” is unthinkable.
The days of amateur attacks by individuals (inevitably portrayed in hoodies that hide their faces) determined to find a way to take control of a system are long gone. Of course, “tailor-made” approaches to committing illegal acts still exist, but precisely because they are so costly they are, at least initially, replaced by automation, unless a large number of “public employees”, perhaps wearing the insignia of some rogue state, are dedicated to the activity.
Therefore, the high number of “attacks” we hear about from time to time is not attributable to hordes of lone malicious individuals but to groups of servers that continuously target the networks of businesses and institutions. This means that when new vulnerabilities are discovered, what makes the difference is the ability to intervene immediately to “plug the hole” or eliminate the “bug”, because the enemy is constantly at the gates.
The system administrator’s paradox
On the one hand, therefore, and leaving aside system issues for the moment, we should ask ourselves whether it is actually possible to imagine or accept that the routine maintenance of a network of forty thousand computers, such as that of the Italian Ministry of Justice or any other comparable structure, can be managed by a single individual who has to physically intervene during office hours.
The fine line between protection and surveillance
On the other hand, and coming to the Amazon case, we should also ask ourselves how long we will continue to ignore the importance of prevention — that is, the continuous and constant search for operational anomalies — in countering attacks on information systems on which the operational continuity of public and private services depends.
As mentioned, Amazon was able to discover the North Korean intruder because its security systems include such extensive monitoring of the computers used by staff that they even measure the response times of keystrokes on the keyboard.
As in the case of the 1989 intrusion by a German hacker into the University of Berkeley’s systems, discovered thanks to an inexplicable 75-cent discrepancy in the billing for computer usage time at the computing centre, in the Amazon case it was the ability to analyse even the most insignificant data that made it possible to avert the worst. We should therefore ask ourselves whether it still makes sense to oppose security based on preventive control, only to then penalise those who have not done “everything possible” to prevent damage, perhaps to personal data.
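The kind of “insignificant data” the two paragraphs above refer to can be turned into a detection signal with very little machinery. The following Python snippet is an added illustration, not Amazon’s method and not code from the article: it builds a per-user profile of inter-keystroke intervals from constructed local sessions, then flags a new session whose typing rhythm has shifted well outside that profile, for example because every keystroke is being relayed through a remote-access hop that adds a near-constant delay. The sample latencies, the thresholds (`k` and `floor_margin`) and the flag names are all assumptions chosen for the example.

```python
"""Keystroke-latency anomaly check over constructed sample data.

Illustrative only: the intervals below are made up, and the two heuristics
(median shift and raised minimum interval) are a simplification of the idea
that relayed input cannot reproduce the short gaps a local typist produces.
"""
from statistics import median, quantiles

# Constructed inter-key intervals in milliseconds for one user's recent
# sessions typed directly on the endpoint (three short sessions).
BASELINE_MS = [
    [95, 110, 72, 140, 88, 65, 120, 101, 79, 133],
    [102, 87, 69, 150, 93, 77, 115, 98, 84, 126],
    [90, 105, 74, 138, 91, 68, 122, 107, 81, 129],
]

# Constructed session where every keystroke passes through a relay that adds
# a fairly steady ~160 ms: the whole distribution shifts and the shortest
# gaps a human normally produces disappear.
RELAYED_MS = [255, 270, 232, 300, 248, 225, 280, 261, 239, 293]

# Constructed ordinary session from the same user, typed locally.
LOCAL_MS = [97, 112, 70, 145, 86, 66, 118, 104, 80, 131]


def baseline_profile(sessions):
    """Summarise historical local sessions: median, interquartile range
    and the shortest interval ever observed (the user's 'floor')."""
    flat = [x for session in sessions for x in session]
    q1, _, q3 = quantiles(flat, n=4)  # exclusive method, Python default
    return {"median": median(flat), "iqr": q3 - q1, "floor": min(flat)}


def score_session(intervals, profile, k=3.0, floor_margin=1.5):
    """Compare one session against the profile.

    shift_iqr   : how many IQRs the session median moved from the baseline
                  median (robust to a few outliers).
    floor_ratio : session minimum divided by the baseline minimum; a value
                  well above 1 means the user 'can no longer' type fast
                  digraphs, which is what an added transport delay looks like.
    """
    session_median = median(intervals)
    shift = (session_median - profile["median"]) / max(profile["iqr"], 1.0)
    floor_ratio = min(intervals) / profile["floor"]

    flags = []
    if shift > k:
        flags.append("median_shift")
    if floor_ratio > floor_margin:
        flags.append("raised_floor")

    return {
        "median_ms": session_median,
        "shift_iqr": round(shift, 2),
        "floor_ratio": round(floor_ratio, 2),
        "flags": flags,
    }


def triage(sessions, profile):
    """Return the labels of sessions that raised at least one flag."""
    return [name for name, s in sessions.items() if score_session(s, profile)["flags"]]


if __name__ == "__main__":
    prof = baseline_profile(BASELINE_MS)
    print("profile:", prof)
    for name, session in {"local": LOCAL_MS, "relayed": RELAYED_MS}.items():
        print(name, score_session(session, prof))
    print("needs review:", triage({"local": LOCAL_MS, "relayed": RELAYED_MS}, prof))
```

In a real deployment the profile would be built per user over many sessions, thresholds would be tuned against known-good data, and a flag would open a review rather than trigger an automatic action, which is exactly the “monitoring without disciplinary use” balance the article argues for further down.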
Is the negotiation of rights inevitable?
It is clear that, in the name of prevention, it is unrealistic to think of weakening the rights of individuals and workers in particular.
However, a balance can be found, for example by allowing the immediate adoption of security measures based on continuous monitoring in the workplace, but prohibiting their use for disciplinary or dismissal purposes. Alternatively, criminal penalties could be eliminated for those who report software, network and system vulnerabilities to the judiciary or the competent authorities.
An illusion to overcome: security without pervasiveness
It should be remembered, however, that regardless of the use of this or that management software, cloud-based IT security and security operations centres already involve the continuous analysis of network traffic, so the issue of third parties taking control of individual PCs is not a new one. Furthermore, the EU is moving forward at a rapid pace to get the chat control regulation approved for the preventive search of mobile devices, and is pushing to create DNS4EU, a centralised domain name resolver that is not mandatory (for now) but which, once adopted by telcos and internet providers, will make it easier to intercept communications and block the visibility of content.
The normalisation of preventive technological surveillance
The case of Microsoft’s ECM and the many similar tools used daily almost everywhere has distant origins.
When, in 2014, Apple decided to activate the “kill switch” on iPhones, it defused the controversy by also making the remote phone locking feature available to users, which also involved locating the phone.
Since then, it has become normal to accept that in order to use a computer, software and now even the latest “connected” vacuum cleaners, it is necessary to “activate an account”.
No one questions why they do not really own an object that has been (handsomely) paid for, and why they have to put up with the continuous sending of data to the manufacturer of the object.
It is quite clear that, when put into perspective, the issue of remote control of anyone’s computers takes on a completely different form. It is not only public services that have voluntarily submitted to preventive control “for security reasons”, but also citizens who have voluntarily chosen a similar fate.
At this point in the argument, we could propose a conclusion based on ecumenical approaches, such as highlighting that it is no longer a question of choosing whether to accept control, but of deciding who to leave it to, with what guarantees, and under what conditions. Or we could point out that ignoring this transformation, or relegating it to a technical issue, means giving up the possibility of setting boundaries between protection and abuse. Or, finally, the evergreen argument could emerge that what is at stake is not only the security of systems, but the ability of a society to govern its tools before they govern it.
The reality, however, suggests otherwise: we have allowed information technologies to spread without any real control, to the point where they have become a huge colossus with feet of clay, and we have put ourselves in a position of having to depend, with no real alternatives, on those who built this colossus with feet of clay and have an interest in keeping it that way.
