U.S. Steps Up Cybersecurity Help for Targets of Foreign Governments

The U.S. government is stepping up cybersecurity efforts to help protect individuals against online spying and harassment from foreign states like China.

The development comes from the Open Technology Fund, a non-profit dedicated to enhancing Internet freedom, which is now offering security audits for individuals “which investigate concerns around applications that may be contributing to human rights violations or widespread surveillance efforts,” according to the OTF web site. Ten cybersecurity companies have been chosen to help OTF investigate possible malicious activity, among them Trail of Bits, Include Security, Subgraph and Radically Open Security, the OTF said last month.

Private firms have investigated spyware and other surveillance tactics by foreign governments for a while, yet this is the first time the U.S. will pay for the services, according to Dan Guido, the co-founder and chief executive officer of Trail of Bits.

“This is a pretty major turn for the government to fund security audits of code they don’t own,” Guido said. “It’s really pushing the limits of what the U.S. government is publicly funding.”

The OTF effort could be seen as a way to repair public trust in a government where the National Security Agency and the FBI have been shown to be spying on Americans and collecting mass surveillance. (Lord knows what the CIA is doing.)

Guido somewhat agreed but said, “the U.S. government contributes to industry-wide cybersecurity a lot of different ways. I think this one is so special because it's directly focused on helping end users avoid present harm. Lots of work the NSA does on cybersecurity is more preventative in nature, like helping set industry standards and best practices.”

OTF is supervised by the United States Agency for Global Media, an independent U.S. agency that also has oversight of programs like Radio Free Europe and the Middle East Broadcasting Networks.

Recent examples of malicious data tracking by app include one called Muslim Pro, which has a timer function and compass to remind Muslims to pray five times a day and face Mecca when they do. What it didn’t tell users was that it was collecting the location data on them and sending it to third parties. Its developer’s clients included the U.S. military and defense contractors. The creator of Muslim Pro denied the allegations and said it had severed ties with firms that bought its data.

A previous OTF security audit investigated possible human rights violations and mass surveillance by IJOP, “an app that the [Chinese Communist Party] police and other government officials use to communicate with the Integrated Joint Operations Platform, the main system Chinese authorities use for mass surveillance of Uyghurs and other Turkic Muslims in Xinjiang,” according to the OTF.

“There’ve been many cases like this,” Guido said, “where people have purportedly put out an application for one purpose, but it turns out to be used for a different one.” He added: “The OTF has now empowered companies like Trail of Bits to go investigate those claims and figure out what the exposures are.”

Auditors and cyber-sleuths are now up against a much improved and cheaper set of spyware tools than just a few years ago, Guido said. “Building an app for a couple of tens of thousands of dollars is a lot less expensive than building a global surveillance network.”

So if a Chinese citizen believes they’re being tracked by a their government is it wise to reach out to an arm of the U.S. government for help? Guido said many of the reports come from human rights groups that have been tracking abuses, and not necessarily from the individuals themselves. There haven’t been any audits completed under the new OTF program, but it’s soliciting reports from targeted or harassed individuals now, he said.

“They’re really trying to open this up to be user driven,” he said.

Government funding to back public safety audits changes the dynamic where previously a firm like Trail of Bits would take on these projects on a pro bono basis when they had the time. Now, Guido can staff a team full time to look into reports funneled through OTF.

“This is a really good use of taxpayer money,” he said.