• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

Farm groups saved Bayer in court over RoundUp cancer claims. Five days later, Bayer called for tariffs on the ingredient farmers rely on

2

Billionaire MacKenzie Scott just donated $20 million to support America’s youth mental health, as a fifth of teens struggle with suicidal thoughts

3

Self-made multimillionaire says Canadians 'give no money away' compared with Americans—research shows U.S. giving is more than twice as high

1

Farm groups saved Bayer in court over RoundUp cancer claims. Five days later, Bayer called for tariffs on the ingredient farmers rely on

2

Billionaire MacKenzie Scott just donated $20 million to support America’s youth mental health, as a fifth of teens struggle with suicidal thoughts

3

Self-made multimillionaire says Canadians 'give no money away' compared with Americans—research shows U.S. giving is more than twice as high
CommentaryCybersecurity

The world’s most sophisticated hacks: governments?

By
Bruce Schneier
Bruce Schneier
Down Arrow Button Icon
By
Bruce Schneier
Bruce Schneier
Down Arrow Button Icon
March 3, 2015, 10:54 AM ET
US-IT-CRIME-POLITICS-CYBERSECURITY-OBAMA
Staff members sit at their work stations at the National Cybersecurity and Communications Integration Center in Arlington, Virginia, January 13, 2015. US President Barack Obama visited the facility to talk about cyber security. AFP PHOTO / SAUL LOEB (Photo credit should read SAUL LOEB/AFP/Getty Images)Photograph by Saul Loeb AFP/Getty Images
Add Fortune on Google for similar content.

Last month, Moscow-based security software maker Kaspersky Labs published detailed information on what it calls the Equation Group and how the U.S. National Security Agency and their U.K. counterpart, GCHQ, have figure how to embed spyware deep inside computers, gaining almost total control of those computers to eavesdrop on most of the world’s computers, even in the face of reboots, operating system reinstalls, and commercial anti-virus products. The details are impressive, and I urge anyone interested in tech to read the Kaspersky documents, or these very detailed articles.

Kaspersky doesn’t explicitly name the NSA, but the connection is obvious. There are similarities between these techniques and Stuxnet, the NSA-led cyberweapon that was used to attack Iran’s Natanz nuclear facility. The NSA-like codenames pepper the Kaspersky findings. A related Reuters story provides more confirmation: “A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.”

In some ways, this isn’t news. We saw examples of these techniques in 2013, when Der Spiegel published details of the NSA’s 2008 catalog of implants. In those pages, we saw examples of malware that embedded itself in computers’ BIOS and disk drive firmware. We already know about the NSA’s infection methods using packet injection and hardware interception.

This is targeted surveillance. There’s nothing here that implies the NSA is doing this sort of thing to every computer, router, or hard drive. It’s doing it only to networks it wants to monitor. As Reuters reported: “Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, according to Kaspersky.” A map of the infections Kaspersky found bears this out.

So, what do we think of this? On one hand, it’s the sort of thing we want the NSA to do. It’s targeted. It’s exploiting existing vulnerabilities. In the overall scheme of things, this is much less disruptive to Internet security than deliberately inserting vulnerabilities that leave everyone insecure.

On the other hand, the NSA’s definition of “targeted” can be pretty broad. We know that it has been accused of hacking Belgacom, the Belgian telephone company and Petrobras, the Brazilian oil company. We know it’s collected every phone call in the Bahamas and Afghanistan. It hacks system administrators worldwide.

On the other hand – or, for science fiction readers, on the gripping hand — I can’t help but recall a line from my latest book: “Today’s top-secret programs become tomorrow’s PhD theses and the next day’s hacker tools.” Today, the Equation Group is “probably the most sophisticated computer attack group in the world,” but these techniques aren’t magically exclusive to the NSA.

We know China uses these sorts of tricks against its own citizens. There have already been both academic presentations and hacker posts on similar techniques. Companies like Gamma Group sell less sophisticated versions of the same things to governments worldwide. We need to figure out how to maintain security in the face of these sorts of attacks, because I expect we’re all going to be subjected to the criminal versions of them in three to five years.

That’s the real problem. Security researcher Steve Bellovin wrote about this:

For more than 50 years, all computer security has been based on the separation between the trusted portion and the untrusted portion of the system. Once it was “kernel” (or “supervisor”) versus “user” mode, on a single computer. The Orange Book recognized that the concept had to be broader, since there were all sorts of files executed or relied on by privileged portions of the system. Their newer, larger category was dubbed the “Trusted Computing Base” (TCB). When networking came along, we adopted firewalls; the TCB still existed on single computers, but we trusted “inside” computers and networks more than external ones.

There was a danger sign there, though few people recognized it: our networked systems depended on other systems for critical files…. Too many threats, such as Word macro viruses, lived purely at user level. Obviously, one could have arbitrarily classified word processors, spreadsheets, etc., as part of the TCB, but that would have been worse than useless; these things were too large and had no need for privileges.

In the 15+ years since then, no satisfactory replacement for the TCB model has been proposed.

We have a serious computer security problem. Everything depends on everything else, and security vulnerabilities in anything affects the security of everything. We simply don’t have the ability to maintain security in a world where we can’t trust the hardware and software we use. When governments and others can secretly subvert security in non-detectable ways, insecurity wins.

Concerted government research on these hard security problems would be a sensible thing for us to do, but it’s not going to happen as long as the government is intent on maintaining these insecurities for attack purposes.

Bruce Schneier is a security technologist, and chief technology officer of Resilient Systems, Inc. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. He blogs here.

 

About the Author
By Bruce Schneier
See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Commentary

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Commentary

m
Commentarymedicine
America’s bone health is quietly headed for a $19 billion crisis
By Matthew T. DrakeJuly 9, 2026
20 hours ago
t
CommentaryEducation
AI is about to disrupt millions of jobs. A century ago, America’s answer was to build a new high school
By Tim KnowlesJuly 8, 2026
2 days ago
amit
CommentaryVenture Capital
Physical AI’s $50 trillion opportunity requires long-term conviction, but the payoff is huge 
By Amit ChaturvedyJuly 8, 2026
2 days ago
heat
Commentaryclimate change
McKinsey Global Institute: Climate planning has prioritized floods. Heat demands equal attention
By Sylvain Johansson, Mekala Krishnan, Kanmani Chockalingam and Annabel FarrJuly 7, 2026
3 days ago
j
CommentaryEducation
AI didn’t break higher education—It exposed the credential trap
By Jason BenedictJuly 7, 2026
3 days ago
e
CommentaryEntrepreneurship
I skipped college and founded a company at 18. Several exits later, this is what I learned
By Eric FranciaJuly 7, 2026
3 days ago

Most Popular

Farm groups saved Bayer in court over RoundUp cancer claims. Five days later, Bayer called for tariffs on the ingredient farmers rely on
Economy
Farm groups saved Bayer in court over RoundUp cancer claims. Five days later, Bayer called for tariffs on the ingredient farmers rely on
By Mia OsmonbekovJuly 9, 2026
13 hours ago
Billionaire MacKenzie Scott just donated $20 million to support America’s youth mental health, as a fifth of teens struggle with suicidal thoughts
Success
Billionaire MacKenzie Scott just donated $20 million to support America’s youth mental health, as a fifth of teens struggle with suicidal thoughts
By Emma BurleighJuly 9, 2026
13 hours ago
Self-made multimillionaire says Canadians 'give no money away' compared with Americans—research shows U.S. giving is more than twice as high
Success
Self-made multimillionaire says Canadians 'give no money away' compared with Americans—research shows U.S. giving is more than twice as high
By Preston ForeJuly 9, 2026
14 hours ago
Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it
Success
Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it
By Preston ForeJuly 6, 2026
4 days ago
Current price of oil as of July 9, 2026
Personal Finance
Current price of oil as of July 9, 2026
By Joseph HostetlerJuly 9, 2026
17 hours ago
Current price of gold as of July 8, 2026
Personal Finance
Current price of gold as of July 8, 2026
By Danny BakstJuly 8, 2026
2 days ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.