While there needs to be more analysis, this seems disturbing:
U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised.
via The Belarusian Connection | Washington Free Beacon.
It is somewhat hard to fathom how such a large Government IT project could be outsourced to foreign developers. Generally this is not allowed, but perhaps this part of the article gives some clues:
The company involved in the software was identified as EPAM, a Belarusian firm with U.S. offices and international clients that conducts programming work in Belarus. Spokesmen for the company did not respond to email or telephone inquiries about the company’s role in developing the Obamacare software.
So perhaps EPAM was a subcontractor for the ACA contract and used developers in its home country of Belarus, which would certainly allow the Belarusian state security services to influence EPAM’s work. It is not unheard of for subcontractors on large government contracts to wittingly or unwittingly violate rules requiring all work to be done by US citizens in the US. Often these violations happen without the prime contractor even knowing, due to the often incredible complexity and sheer number of subcontractors involved in large Government projects. Regardless, these sorts of reports further damage the public’s already shaky faith in the security of healthcare.gov.
Ars Technica has an interesting article here on an open letter to Anti-Virus vendors asking them if they are enabling spying. The article is interesting, but it makes a comment that is perhaps worth looking at:
“Schneier has said that the NSA only relies on these methods when analysts have a high degree of confidence that the malware won’t be noticed. That means detection by AV programs could make the difference between such attacks succeeding, failing, or being used at all.”
It is suspect that Schneier is aware of the different approaches and situations where the NSA, or any other agency, might use specific malware. There may be many situations where intelligence agencies care little about whether their malware is noticed as long as it meets the goals of their mission. Indeed, in times of war, active conflict, or against a high profile threat, especially where the probability of attribution is very low, the risk of malware discovery might be very low compared with operational considerations. It is a pretty safe assumption, though, that many agencies are concerned about their involvement in any attack being known. It is not a good assumption that, because AV programs do not often detect these attacks, AV vendors are enabling or collaborating with the NSA. Indeed, various Russian and European AntiVirus companies have about as bad a record as US-based AV companies when detecting malware created by Intel agencies, suggesting that there is not widespread collaboration. Add to this the simple fact that it’s rather easy to create malware that will fool most AntiVirus software, especially if you target only a few computers and reduce the likelihood that your malware will ever be submitted for analysis.
On the other hand, companies like Microsoft, which makes AntiVirus software, have been reported to work closely with the NSA. So while it’s worth pressuring AV companies to share their rules and values about working with Intel agencies, it’s a large leap to assume that, since AV companies are not detecting these threats, they are somehow collaborating, as implied by the wording in the article.
“AT&T gives DEA 26 years of phone call records to wage war on drugs” http://feedly.com/k/139yDpJ
One of the most common methods is simply purchasing datasets.
“Let us count the ways: How the feds (legally, technically) get our data” http://feedly.com/k/1fEPIuj
Snowden’s leaks have been useful and important to data privacy and civil rights activists, leading many to support Snowden’s claims of leaking information just to expose illegal programs by the NSA against its citizens. Unfortunately, Bradley, and those he supplied data to, have revealed legitimate and highly sensitive intelligence programs that have harmed not only US interests but also those of the UK and other allied nations. As such, it becomes difficult to support Snowden’s claims that he leaked information only to expose unlawful activity in the US.
Britain runs a secret internet-monitoring station in the Middle East to intercept and process vast quantities of emails, telephone calls and web traffic on behalf of Western intelligence agencies, The Independent has learnt.
via Exclusive: Edward Snowden leaks reveal UK’s secret Middle-East internet surveillance base – UK Politics – UK – The Independent.