Data is the new oil. And while governments in the US and EU are looking for opportunities to capitalize on this hot new commodity, they need to be aware that investments in surveillance can quickly backfire. A new paper from F-Secure Labs highlights these dangers by explaining how a surveillance tool sold to law enforcement agencies has now fallen into the hands of the Callisto Group, and being used in cyber attacks on government officials, military personnel, journalists, and think tanks with information on foreign and security policy in Europe.
Specifically, the tool is question is part of something called Remote Control System Galileo. It was stolen from Italy-based developers HackingTeam in 2015, and leaked online. F-Secure Labs’ research suggests the tool is being used to collect intelligence in Europe and the South Caucuses. And while the Callisto Group has connections to several different nation-states, there’s not enough evidence to say exactly who’s behind them.
It’s a case of surveillance tools gone wild. Erka Koivunen, F-Secure’s Chief Information Security Officer, says this should come as no surprise, and governments should keep this example in mind when they start talking about weakening the security and privacy of software and other products in order to make surveillance easier.
“Government-sponsored surveillance with legal oversight and systems of checks and balances is one thing, and it’s typically what the governments of well-functioning democracies sell to constituents in the name of security,” Erka explains. “But what happens when those surveillance capabilities fall into the hands of adversarial nation states, cyber criminals, mercenaries, hacktivists, or just someone with an axe to grind? That’s what we’re seeing with the Callisto Group, and that’s the elephant in the room that surveillance advocates avoid talking about.”
Erka, who gave expert testimony to the British parliament in 2015 regarding the “Snooper’s Charter” (pictured above), warned British politicians that the kind of powers they were assuming could easily be appropriated by adversaries. He went as far as saying such initiatives could undermine cyber security on a national level. The Callisto Group’s use of government-grade spyware certainly looks like Erka’s warning has merit.
And it’s an example governments’ should consider very carefully before brashly pressuring or even legislating companies to begin providing less secure products. The European Commission recently announced they would be presenting tech companies with options on how they can provide law enforcement with access to digital information (such as messages sent through Whatsapp). While reports say the options will range from voluntary measures to legislation, it’s clear that many government officials are ignoring the fact that they cannot expect to maintain a monopoly on surveillance capabilities.
“Governments without a plan B, without redundancies, should be very careful about sacrificing cyber security for surveillance. Because attackers ARE using those surveillance capabilities against us. And that’s not some hypothetical, dystopian scenario. That’s a fact,” says Erka.