A pair of researchers from Toronto's storied Citizen Lab (previously) have written an eye-opening editorial and call to action on the ways that repressive states have used the internet to attack dissidents, human rights advocates and political oppositions -- and how the information security community and tech companies have left these people vulnerable.
Repressive states don't have to have any IT capability of their own to effect a "turnkey surveillance" regime; they can simply buy tools from western companies operating in the open and attracting investment from respectable, blue-chip funds. Tech giants (with the exception of Google and Facebook) generally don't even tell their users when state actors attempt to hack their accounts.
The researchers end with a four-point set of recommendations: invest in protecting users from government hacking; engage with dissident groups to understand their needs; notify people who are attacked by state actors; and remedy threats by locking out hackers and clearing malware, even if that tips off the hackers that they have been identified.
Invest: Tech and security companies should continue to invest in protecting users who are threatened by hacking and disruptive attacks from governments and criminal groups. While options for protecting accounts and devices have improved in recent years, important companies lag behind their competitors. There should not be an economic barrier to staying secure. Not every dissident can afford the latest devices from Silicon Valley, and many are often denied access to American services due to economic sanctions or other political issues.
Engage: Tech companies should maintain collaborative relationships with organizations and groups that understand the context that they operate within. Information should be shared with those communities in both directions when it can help the public be more resilient against attacks. Companies that provide information security and protective products should consider providing voluntary efforts or pro bono services to individuals and organizations targeted by attacks.
Notify: Those singled out by governments should be provided notice by platforms and security researchers when targeted or compromised. Where notification is currently provided, it is usually limited to a simple warning that “state-sponsored hackers had targeted their accounts.” This messaging does not provide information that would help the user to understand who had targeted them and provide further assistance.
Remedy: Where a company or a cyber security researcher encounters attacks against at-risk communities, they should act swiftly to address and end those threats. Researchers are often posed with a strategic question about whether to shut down an operation (at the risk of attackers adapting techniques) or passively continuing to observe their attacks. We are concerned that dissidents are treated as expendable compared to commercial infrastructure. We believe the apparent position of Google that all malware should be shut down regardless of its targets is a commendable position, and should be an industry standard. Researchers should operate under the principle that it is their responsibility to end threats and remedy harm wherever possible.
Dissidents Have Been Abandoned and Besieged Online [Collin Anderson and Claudio Guarnieri/Motherboard]