To trade and/or to spy?

Is there a spy in your firmware?

There are two developing stories that attracted my attention recently, specifically in connection with one another. These stories present a certain puzzle with several fitting explanations. It is probably impossible at the moment to tell which explanation is true, so it remains just an interesting topic to think about…

Story number one is the discovery of very advanced spyware, the development and use of which can be quite reliably linked to our government, most likely the NSA. (There is no need to get into details in this post — a good summary by Joseph Menn was published recently on Reuters and an excellent in-detail analysis is available at Ars Technica.) The second story is the recent presidential executive order on promoting cybersecurity information sharing between the private sector and the government.

Now, I see a certain conflict of interest here. For example, one of the characteristics of the newly discovered spyware – the characteristic that made it a “breaking news”-level discovery – is that the spyware rewrites hard drive firmware and uses it to store its code and data. The consensus out there is that the only way to pull that off is to have access to the firmware source code, since it is nearly impossible to reverse engineer modern hard drive firmware or create it from scratch (think about timing the movements of the disk read-write heads, etc.). The most prominent theory on how the creators of the spyware got access to the firmware source code is that the code was submitted by the hard drive manufacturers to the government for a security review, so that the hardware could be used in sensitive government applications. This discovery may seriously undermine the willingness of buyers in other countries to purchase computer hardware from American manufacturers, which is bad news for business.

On the other hand, we have the president’s executive order about sharing cybersecurity information. Any vulnerability has two sides: there are those who want to protect themselves against exploitation of the vulnerability, and there are those who want to use the vulnerability to attack. The two groups take fundamentally different positions on sharing information about vulnerabilities. The first group wants such information to be published as quickly as possible, while the second group wants the information to stay secret for as long as possible. With this background, we have a government that is interested in protecting its own systems and in using vulnerabilities to gain access to the systems of others, and we also have computer industry businesses that want to be able to claim that their products are safe in order to sell those products on the global market. Where is the common interest here? I can see how the businesses would want to know about vulnerabilities that are unknown to them and known to the government, but what should motivate the businesses to share information with the government? Certainly not concern for their reputation. My worry is that the “sharing” will be in some way forced upon businesses, further damaging their standing in the global marketplace.