Main Logo Expert commentary on tech and security

Responsibly disrupting cyber-enabled counterterrorism operations

Michael Genkin 8 October 2024
Share On:
Private sector discovery of cyber tools used in counterterrorism operations raises ethical questions about the balance between user protection and national security, underscoring the need for transparent, multistakeholder governance in cyberspace
Main Top Image
Image generated using DALL-E 2

The ethics of private sector discovery of vulnerabilities exploited ‘in-the-wild’ – outside a laboratory or research environment – are complex. A June 2024 opinion piece re-ignited a debate about a 2021 incident when Google was blamed for compromising a long-running counterterrorism operation of a Western intelligence service.

The Google zero-day incident

In January 2021, Google’s Project Zero and Threat Analysis Group (TAG) teams published an ‘In-the-Wild Series’. The report documented a series of vulnerabilities and exploitation techniques they had discovered at the beginning of 2020.

The report described a threat actor who used two full-chain attacks – a combination of vulnerability exploits chained together by executing them in succession to bypass all of the security measures present on a device, usually intending to compromise it to install malware. Both exploited Google’s Chrome browser for initial access. At the time of the discovery, one of the exploited Chrome vulnerabilities was a ‘zero-day,’ a vulnerability unknown to Google and thus without a patch available. This initial report did not focus on the vulnerabilities discovered but examined the exploit techniques used.

Two months later, in March 2023, Google’s Project Zero released another report detailing additional activity, discovered in October 2020, by the same actor. This time Google chose not to provide significant context on the exploitation techniques discovered. Instead, it briefly described them as ‘novel’ and ‘sophisticated’. This follow-up report also noted that, after Google patched a Chrome vulnerability, it was immediately replaced with an exploit for another Chrome vulnerability, demonstrating that the threat actor had planned for this eventuality.

Ethics of vulnerability hunting

Unlike the field of Advanced Persistent Threat (APT) malware research, ‘in-the-wild’ vulnerability exploitation hunting has largely avoided a discussion of the ethical dilemmas that might arise from this kind of work. APT research has been compared to intelligence brokerage or counterintelligence. This has resulted in a collection of informal guidelines and proposed norms for threat actors and security companies – enabling a delicate balancing act between the companies’ duty to protect their customers and the methods used to meet this duty.

In contrast, most discussions of vulnerability exploitation hunting skip ethical considerations and aim to ‘make zero-day hard’. That is, increase the cost of discovering and exploiting unknown vulnerabilities so it is out of reach for most threat actors. To achieve this goal, vulnerabilities should be discovered, disclosed, mitigated and patched, using whatever means necessary, on the hunter’s terms. Google’s ‘In-the-Wild Series’ and the surrounding controversy offer a rare opportunity to advance the ethics of in-the-wild vulnerability exploitation hunting, similar to the debate around APT research.

Nuanced decisions

A central and often repeated point in the discussion around Google’s conduct in this case is that patching vulnerabilities exploited in the wild is the only right thing to do, even if doing so threatens responsible use of that exploit. However, the reality is more complex, in five ways.

First, it is not clear that Google’s vulnerability patching ‘shut down’ a cyber operation. The threat actor appeared to have a mitigation plan, including ready-to-use exploits for additional vulnerabilities. Patching vulnerabilities does not necessarily stop operations that are using them, both because the availability of a patch does not immediately prevent further exploitation and because resourceful threat actors can find and exploit additional vulnerabilities.

Second, vulnerabilities are often discovered separately by different actors. Even if the threat actor detected by Google acted responsibly, other less responsible actors might be exploiting the same vulnerability. Fixing vulnerabilities as soon as they are discovered limits potential additional harm.

Third, how you report vulnerabilities matters. The ‘In-the-Wild Series’ focuses on the tactics, techniques, and procedures (TTPs) of exploitation used. This serves Project Zero’s goal of ‘making zero-day hard’ by describing attacker techniques defenders should try to mitigate. However, in a departure from common practice, Google chose to withhold all indicators of activity, such as malware hashes, IP addresses, or domain names used. This decision prevents other cyber security vendors from following up or detecting this activity or its targets becoming aware they have been targeted.

Besides omitting what is often seen as necessary information, Google described at length the amount of engineering effort that the threat actor put into preventing unintended consequences from using the exploits. This description provides little value for defenders, but it can be seen as calling out and even promoting responsible behaviour. Google also applauded the threat actor for targeting the appropriate devices with the minimally required exploits – again echoing commonly proposed norms of responsible behaviour.

Fourth, although we don’t know how Google initially discovered the exploitation, we know that Google actively monitored and probed relevant sites and servers to extract additional exploits successfully. This suggests that Google had enough insight to circumvent exactly the threat actor’s targeting mechanisms it previously applauded. 

Google’s control of popular software, such as the Chrome browser and the Android operating system, give it a significant advantage to in-the-wild vulnerability exploitation hunting. No APT or intelligence agency has capabilities similar to Google; indeed, some such actors went to great lengths to get access to those capabilities.

Finally, the March follow-up reporting should be viewed in a different light than the initial ‘In-the-Wild Series’. Although the initial discovery was largely due to Google’s Project Zero and TAG teams’ technical pedigree, the follow-up appears to have been the result of an operational security failure by the threat actor. Despite earlier indications of the threat actor’s responsible behaviour, Google’s use of this incident to discover additional exploits and thus further disrupt this campaign might be viewed as a debatable ethical decision.

The bigger picture

Google made non-trivial ethical decisions in this matter. The firm is a major stakeholder in internet governance and, as such, in the security of cyberspace. If one subscribes to the notion of multistakeholder internet governance, then Google, along with other Big Tech companies and a wide variety of private sector entities,  should make decisions responsibly – in an accountable, calibrated, transparent and inclusive manner.

Google’s initial response, given its duty to protect its customers, seems to have been a well-calibrated decision in response to the responsible behaviour they discovered. On the contrary, the follow-up report seems to have been less well-calibrated. It arguably does not demonstrate accountable and transparent decision-making, ultimately undermining the overall goal of reducing harm.

avatar
Michael Genkin

Related

Featured image
Binding Edge
The EU’s Human Rights Sanction Regime could target malicious spyware vendors
Mailyn Fidler 12 July 2024
Read more arrow
Featured image
Binding Edge
Satellites: Our invisible infrastructure
Benjamin Charlton 24 January 2024
Read more arrow
Featured image
Binding Edge
Public-private collaboration in Ukraine and beyond
Taylor Grossman / Monica Kello / James Shires / Max Smeets 4 April 2024
Read more arrow

Terms & Conditions

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 15 December 2024, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.