Monday, October 31, 2011

Cyber Profiteering: Profits Over Ethics

Profiteering is what happens when a business takes advantage of an emergency or a shortage to boost its prices. The Iraq war had its war profiteers like Halliburton/KBR and many others. The same thing is happening today during the "cyberwar" gold rush. Two recent examples are Gunter Ollmann's article "Sinkholing for Profit" and Brian Krebs' article "Chasing APT: Persistence Pays Off". Krebs should have underscored the word "Pays" in the title because the article describes something akin to ambulance chasing. A cybersecurity firm, Cyber ESI, uses proprietary techniques (perhaps similar to what Ollmann describes in his article) to identify corporate victims, then contacts them and tries to sell them remediation services at a high price. Unlike Krebs' article, Ollmann's didn't provide any names, but thanks to Anonymous and the AntiSec movement, at least two companies' profiteering activities have come to light: Unveillance and Endgame Systems.

It's no secret that corporations and governments are overwhelmed, confused, and desperately looking for solutions that will allow them to defend themselves in cyberspace. That's a perfectly understandable state for them to be in. What isn't understandable, at least to me, is the behavior of some companies seeking to make a quick buck at the expense of the very people that they're purportedly trying to help. For example, I'll never understand how Symantec can sell services to protect their customers against IP theft from China while at the same time be profiting from a joint venture with Huawei, a Chinese company with clear ties to the Chinese government.

Profit with no ethics is what brought us to the point that we're at today, the Occupy movement being just the beginning. If things don't change in the "Cyber Industrial Complex" (CIC) soon, there will almost certainly be a backlash. Fortunately, this level of greed hasn't infected the entire industry. I personally know dozens of infosec companies that profit by putting their customer first: by providing a fair service at a fair price and getting paid for results. If CIC CEOs don't adopt an ethical pricing model and business practices on their own, then their customers should do it for them. C-level executives at victim corporations need to educate themselves about the realities of information security and network defense because cyber profiteers count on two things to win a customer: ignorance and fear. Becoming smarter about information security will save you money and improve your company's profitability instead of the other guy's.

1 comment:

  1. Not much of war ethics remained since the age of knights. War profiteering increases rapidly in the business world. It is widespread not only in industry but much more within the “media community”. The world is full of former national advisors or politicians who are talking about “cyber armageddon” which will destroy our world. While working in the cyber war industry they are deliberately spreading fear of cyber war among people. It is especially characteristic of the USA and UK. Their statements that the US is “losing cyber war” or that “Russia and China will destroy US” etc. sound very silly. Cyber war can be relatively easily prevented if the strongest powers in international relations really want to do it. I must say that this mostly depends on the US. The main danger of cyber war is not for states, but for ordinary people who will be denied knowledge and social and cultural connections via the Internet. And who will be denied their own money, unnecessarily spent on cyber war against North Korean evil hackers” (You simply have to see where the great danger for the US lies: ) . We are talking about huge amounts of money, which can be spent much smarter within the US society:
    Therefore, commentators, journalists and advisers can be cyber profiteers too, if they are speaking for money about something they don’t believe. OWS folks talk about social justice. It is democracy, not socialism. They need jobs, not imaginary wars pushed through media statements.
    This is why I do not want to pay attention to all “cyber war blogs”, but only some of them whose authors write what they believe.