Newsletter 01/23/2022

And the Other Branches of Government Chime In
God Save Us All

The vulnerabilities exposed by Log4j were apparently a wake-up call for governments the world over.  The United Kingdom has been the most aggressive in its cyber security initiatives:

The government has proposed introducing new laws to ensure that firms who provide essential digital services follow strict cyber-security duties, with large fines for non-compliance.

The proposal from the Department for Digital, Culture, Media & Sport (DCMS) also includes other legislation such as improved incident reporting and giving the UK Cyber Security Council, which regulates the cyber-security profession, additional powers.

It would allow it to create a set of agreed qualifications and certifications so those working in cyber security can prove they are properly equipped to protect businesses online.

The government in the UK has discovered that unpatched software with known vulnerabilities, and especially open source software, is a threat to both its economy and national security.  The government proposes to expand its regulatory scope to include "Managed Service Providers (MSPs) which provide specialised online and digital services. MSPs include security services, workplace services and IT outsourcing, which often have privileged access to their clients’ networks and systems."  This move against MSPs in the UK comes in the wake of the Log4j attack on the global HR contractor Kronos.  The UK is serious about enforcement, too: "Organisations which fail to put in place effective cyber-security measures can be fined as much as £17m."

The US also has issued more stringent guidelines for systems and servers deployed within the US government.  An updated list of vulnerable software used throughout the government noted "15 new security issues that serve as a frequent attack vector against federal enterprises."  Of these 15 newly announced attack vectors, only 4 are recent, dating back to 2020 and 2021.  The oldest dates back to 2013.  Unpatched vulnerabilities in years-old software are a very large part of the bigger problem.

The catalog was established November 3, 2021, with the publication of the directive itself: "Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise."  BOD 22-01 merely "requires ... agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats."  No million dollar fines as the UK government proposes.
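The mechanics BOD 22-01 describes (a living catalog of CVEs, each with a remediation due date) lend themselves to a simple automated check. The script below is an added example written for this newsletter; it is not CISA's code and not the author's. It assumes the catalog field names of the published KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the catalog entries and the host inventory are constructed samples with placeholder CVE identifiers, and the inventory format is hypothetical. It sorts each host's findings into overdue, due soon, on track, or not in the catalog, which is the triage a federal (or any) patching team has to do against the real feed.

```python
"""Triage a host/CVE inventory against a KEV-style catalog by remediation due date.

Added example, not code from CISA or from the newsletter's author.
Catalog entries and the inventory below are CONSTRUCTED samples; the CVE
identifiers are placeholders, not real catalog entries.
"""
from datetime import date

# Constructed sample catalog following the published KEV JSON field names.
SAMPLE_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "Widget Server",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Widget Agent",
         "dateAdded": "2022-01-10", "dueDate": "2022-01-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Gadget",
         "dateAdded": "2022-01-18", "dueDate": "2022-02-01",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
}

# Constructed sample inventory (hypothetical format): CVEs a scanner reported per host.
SAMPLE_INVENTORY = [
    {"host": "web-01", "cves": ["CVE-0000-0001", "CVE-0000-0003"]},
    {"host": "db-01", "cves": ["CVE-0000-0002"]},
    {"host": "jump-01", "cves": ["CVE-0000-9999"]},  # deliberately absent from the catalog
]


def index_catalog(catalog):
    """Map cveID -> (due date, catalog entry) so lookups are O(1) per finding."""
    return {
        entry["cveID"]: (date.fromisoformat(entry["dueDate"]), entry)
        for entry in catalog["vulnerabilities"]
    }


def triage(catalog, inventory, today, warn_days=7):
    """Classify every (host, CVE) pair relative to its catalog due date.

    `today` is an ISO date string (e.g. "2022-01-23") so runs are reproducible.
    Returns a dict with lists under 'overdue', 'due_soon', 'on_track' and
    'not_in_catalog'; overdue items are sorted worst-first.
    """
    today = date.fromisoformat(today)
    index = index_catalog(catalog)
    result = {"overdue": [], "due_soon": [], "on_track": [], "not_in_catalog": []}
    for asset in inventory:
        for cve in asset["cves"]:
            if cve not in index:
                # A scanner finding outside the catalog still matters, but it is
                # not subject to the directive's due date; report it separately.
                result["not_in_catalog"].append((asset["host"], cve))
                continue
            due, entry = index[cve]
            delta = (today - due).days  # positive once the due date has passed
            item = {"host": asset["host"], "cve": cve,
                    "product": entry["product"], "due": due.isoformat()}
            if delta > 0:
                item["days_overdue"] = delta
                result["overdue"].append(item)
            elif -delta <= warn_days:
                item["days_left"] = -delta
                result["due_soon"].append(item)
            else:
                result["on_track"].append(item)
    result["overdue"].sort(key=lambda i: i["days_overdue"], reverse=True)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_CATALOG, SAMPLE_INVENTORY, "2022-01-23")
    for bucket, items in report.items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

Against the real feed, only the `SAMPLE_CATALOG` literal needs to be replaced by the parsed JSON download; the one behaviour worth keeping is the separate `not_in_catalog` bucket, since a CVE absent from the catalog is not exempt from patching, it simply has no federally mandated deadline.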

Into the fray of software security enters the United States Congress, with the proposed Open App Markets Act (SIL21995).  As the newly formed Chamber of Progress noted in a statement about SIL21995:

"I don't see any consumers marching in Washington demanding that Congress make their smartphones dumber. And Congress has better things to do than intervene in a multi-million dollar dispute between businesses."

It should be noted that Chamber of Progress CEO Adam Kovacevich was formerly a longtime Google lobbyist.

The main issue in dispute is what is known as "sideloading."  What really is in question is who controls what apps a user of an iPhone or Android might want to install, and how appropriate are the commissions Apple, Google, and Microsoft earn from app placement in their online stores.  The proposed new law would allow:

A Covered Company that controls the operating system or operating system configuration on which its App Store operates shall allow and provide the readily accessible means for users of that operating system to—
(1) choose third-party Apps or App Stores as defaults for categories appropriate to the App or App Store;
(2) install third-party Apps or App Stores through means other than its App Store; and
(3) hide or delete Apps or App Stores provided or preinstalled by the App Store owner or any of its business partners.

The purpose of the bill is to "tear down coercive anticompetitive walls in the app economy, giving consumers more choices and smaller startup tech companies a fighting chance."  Similar legislation is pending in Europe in the "Digital Markets Act."

Apple Computer has been most aggressive in fighting these new laws both in the US and Europe.  In June 2021, Apple published its position paper, Building a Trusted Ecosystem for Millions of Apps: The important role of App Store protections [ed PDF will open], outlining its opposition to any move to allow sideloading of apps onto its platform.  Within this document, Apple quotes the Department of Homeland Security statement on sideloading from 2017.

“The best practices identified for mitigating threats from vulnerable apps are relevant to malicious and privacy invasive apps. Additionally, users should avoid (and enterprises should prohibit on their devices) sideloading of apps and the use of unauthorized app stores.”

And, channeling my best George Putnam, "And in this reporter's opinion," not much has changed since DHS made the above statement in 2017; indeed, the situation is now far worse.

Apple uses the example of the Google Play Store, which does allow for sideloading, to make its point.  Apple quoted a study made by Nokia that stated:

Android smartphones are the most common mobile malware targets and have recently had between 15 and 47 times more infections from malicious software than iPhone. A study found that 98 percent of mobile malware targets Android devices. This is closely linked to sideloading: In 2018, for example, Android devices that installed apps outside Google Play, the official Android app store, were eight times more likely to be affected by potentially harmful applications than those that did not.

Furthermore, Apple points out that many Apple users prefer that Apple continue its opposition to sideloading.  Technical issues that will inevitably arise from sideloading will have negative impacts on those Apple customers.  Apple CEO Tim Cook put it more succinctly: allowing the sideloading of apps "would destroy the security of the iPhone" and "a lot of the privacy initiatives that we've built into the App Store."

Google, for its part, claims that its customers can already choose apps from alternative sources, and thus the issues addressed by the proposed law are moot.

Contributing to this openness and choice, we also give developers more ways to interact with their customers compared to other operating systems. For example, Google Play allows developers to communicate with their customers outside the app about subscription offers or a lower-cost offering on a rival app store or the developer’s website.

Samsung has summarized the logical argument against sideloading with the simple statement: "Obviously, sideloading apps comes with a huge security risk, and an even bigger risk for Android 7 and earlier."  Samsung furthers its position against sideloading by stating that "most users have no real need to sideload unapproved apps."  Another detailed statement opposing the legislation comes from the Information Technology and Innovation Foundation, which sees the legislation as a threat to the US and world economies.

This bill aims to promote competition—namely, to “reduce gatekeeper power in the app economy, increase choice, improve quality, and reduce costs for consumers.” Yet it will achieve none of its stated objectives. On the contrary, the bill will i) damage the app economy, ii) decrease choice, iii) decrease quality, and iv) increase costs for consumers.

The problem with legislation such as that discussed here is that the proposals are all based on a lack of understanding of the unique power inherent in today's computers and networks.  Laissez-faire does not apply here.  Society does not allow any weekend warrior to build a nuclear reactor in their garage; the fallout from an "oops" could be devastating.  Likewise, because telephone access and electrical power generation have become essential life-supporting services, societies have determined that these two industries cannot be treated as mere commodities and require regulation for the benefit of the greatest number of their members.  The computer industry as a whole should be considered an essential life-supporting service, and thus subject to government regulation.  But until legislatures become more enlightened about the dangers inherent in opening up application development to any Tom's Hairy Dick, and show some understanding of the concept that there IS ONLY ONE NETWORK, it is to the greater good that we leave application development and distribution to the vendors and their experts.  It is in the interest of Google and Apple, and of their customers, to keep their applications and websites free of malware.

On January 20, 2022, the legislation passed out of the Senate Judiciary Committee and was sent on to the full Senate.  With several Senators expressing reservations, and both of California's Senators opposed, the proposed bill is thought unlikely to proceed in its present form.

When law enforcement and legislatures fail to reach common agreement on issues, in our modern small-r republican forms of government we turn to the courts to adjudicate disputes and set the precedents that become the predicate for future legislation.  Nevertheless, judges are not technicians any more than they are epidemiologists.  Enter the Supreme Court of Japan, which last week ruled that:

A man found guilty of using the Coinhive cryptojacking script to mine Monero on users' PCs while they browsed the web has been cleared by Japan's Supreme Court on the grounds that crypto mining software is not malware.

Tokyo High Court ruled against the defendant, 34-year-old Seiya Moroi, on charges of keeping electromagnetic records of an unjust program. That unjust program was Coinhive, a "cryptojacking" script that mines for Monero by pinching some CPU cycles when users visit a web page that includes the code. Moroi ran the code on his website.

In 2018, Brian Krebs reported, "Multiple security firms recently identified cryptocurrency mining service Coinhive as the top malicious threat to Web users, thanks to the tendency for Coinhive’s computer code to be used on hacked Web sites to steal the processing power of its visitors’ devices." 

Although the case in Japan was decided this week, on "March 8, 2019, Coinhive shut down because, the company said, the project was no longer economically viable."

There were more issues at stake in the case itself, but the fact remains that, in the wake of the demise of Coinhive, cryptojacking and site infections went down 99%, all "thanks to death of Coinhive."  But the Japanese Supreme Court does not think that could have been indicative of malware.

Maybe we can't exactly define malware these days, when legitimate applications act like malware.  Nonetheless, as Justice Stewart Potter once said about pornography in 1964: "I know it when I see it."  If your application invades a user's computer, performs actions on the invaded computer not initiated by the computer user, and then steals from the computer user valuable resources like electricity and CPU cycles, then y'all got a big putrid lump of freakin' malware, pal!!

¯\_(ツ)_/¯

Gerald Reiff
