BERLIN–In this city, one of the great world capitals, history is never far away. It permeates every aspect of daily life, and the German people are quite proud of much of that history. But there were dark days here too, and not so long ago, when the Stasi, the East German secret police, operated a pervasive surveillance apparatus that kept tabs on millions of Germans as a matter of course. Phone calls, daily movements and business dealings were monitored, ostensibly for the security of the nation. The environment then was quite different, obviously, from the atmosphere in the United States and other democracies today, but the effects of large-scale surveillance, security researcher Andrew Lee argues, remain psychologically devastating and debilitating for most people.
During the height of the Cold War, the surveillance apparatuses in East Germany and other countries were extensive and pervasive, but many people were aware that they were being watched on some level. What they didn’t know was how all-encompassing the data-gathering was and how the information was being used. When those details eventually were revealed, it had a profound effect.
“Everybody knew that they were being watched, but they didn’t know the extent,” said Lee, a researcher at ESET in a talk at the Virus Bulletin 2013 conference here Wednesday. “When they found out, the psychological effect was devastating.”
Drawing a comparison with what’s happening in the U.S., UK and elsewhere in the wake of the leaks regarding NSA surveillance methods and capabilities in recent months, Lee said that governments now have become major adversaries for many organizations and even some individual users.
“Not only are the governments making laws, they’re asking for things like weakening crypto systems and backdoors,” he said. “Why even ask for access to a system when the state of endpoint security in our world today is so woefully inadequate? Why not just break the endpoint? And that’s what’s happened. The government is getting into the malware business. The next big thing will be malware on mobile devices.”
Beyond the effect the NSA leaks have had on the way that the general public perceives the government, there also has been a shift in the security community regarding the way that members share information and interact with one another. The levels of trust among some researchers and companies, built up over the years, have been reduced in some case, Lee said, because researchers aren’t sure who they can trust now and who might be disclosing information to intelligence or law enforcement agencies.
“There has been a chilling of our democracy and created a distrust of companies,” Lee said. “We were having good conversations [in the community] before these leaks happened. Now we’re not talking about this anymore. We’re missing the point.”
One of the issues that’s come up often in discussions in recent months is whether governments are somehow forcing security and antimalware companies not to detect the custom malware and attack tools they’re using in their operations. Lee said he’s never been asked not to detect a government Trojan, and considers that approach a useless one.
“If you want to talk about coerced detection, that’s a really dumb way to do it. It’s not practical,” Lee said. “You do what everyone else does: You write some code and submit it to Virus Total and see who detects it.”
The revelations of the last few months have sparked endless discussions and a lot of vitriol, but Lee, for one, questions how useful all of that has been.
“I question the proportionality of our response to all of this,” he said. “What’s the return on our spend? We spend very little, if anything, educating the public on this.”