Security researchers face wrath of spy agencies

Academics deported, harassed, have contracts and clearances shredded after spookwork

Researchers tasked with revealing attacks by intelligence agencies are being harassed, locked out of tenders, and in some cases deported, Kaspersky researcher Juan Andrés Guerrero-Saade says.

Retaliation by the unnamed agencies is in direct response to news of prominent advanced-persistent threat campaigns that have coloured information security reporting over recent years.

In publishing those reports, researchers have exposed malware campaigns run by government spy agencies.

Specific details of the harassment are tightly held, although some of it is thought to occur in Eastern European and Asian nations.

Guerrero-Saade told Vulture South that researchers have spoken about their ordeals in private information security circles. Other stories circulate as industry rumour.

"In many places intelligence services tend to be more civilised than in others -- you would be lucky to deal with them in the US versus wherever else, Latin America, Asia, or Eastern Europe where they take very different tactics," Guerrero-Saade says.

"You can definitely see these threats to livelihood[s] where it can be as simple as patriotic notions … all the way to 'you have already made it clear where you stand and it's going to be next to impossible for you to get a security clearance' and to work in a large sector of countries where a large amount of anti-malware work is being done.

"I think it is easier to imagine situations where blackmail, compromise, and threat of livelihood is an issue, and it has been an issue for certain researchers who for obvious reasons aren't going to speak up."

Other researchers speaking to this reporter have heard similar stories. Others haven't, but aren't surprised that colleagues have had security clearances revoked. China is cited as a nation some opt to avoid.

Guerrero-Saade spoke on the back of his paper The ethics and perils of APT research: An unexpected transition into intelligence brokerage [pdf] which he says is a "meditation" that covers the perils faced by threat intelligence companies and researchers as the ultimately altruistic academics aggravate diplomatic and national interests.

The paper notes that researchers are targeted through blackmail, which is regarded as a cheap way for agencies to "own" an individual by digging up their secrets, debt, and "shameful proclivities and mis-steps".

"This type of compromise is in some cases related to the threat to livelihood as private information security companies have displayed a more or less strict moralism in their hiring practices, often preferring practitioners untainted by publicly known blackhat tendencies," Guerrero-Saade writes.

Security researchers who live in the country of the aggrieved intelligence agency face the harshest treatment. Here agencies target threats to living conditions including the revocation of non-citizens' resident status, "in some cases separating families or forcing a return to dreadful conditions".

Natives are described as unpatriotic, and are barred from government work and holding security clearances.

"In certain countries, citizenship is only a protection from overt and legal repercussions but processes without oversight are the main playing field of security services. Vague threats carry weight in this space."

That is leading to an industry Balkanisation which is "well underway at this time".

Intelligence firms too are being harassed. Guerrero-Saade says unnamed agencies serve threats to "operational viability, revenues, ongoing and potential contracts, strategic partnerships, PR value, as well as regulation-based financial repercussions".

In the agencies' view, such research merits "any effective measures available" when it stands in direct opposition to national diplomatic, financial, or political viability.

Such work may cause heightened diplomatic tensions to flare, or jeopardise the reputation of an intelligence agency or those it serves. Here's a fragment of his talk:

"Companies with government contracts will see these contracts dangled and unrelated vital strategic partnerships may suddenly become unstable or entirely unavailable. When international companies are involved, unsubstantiated but well-placed insinuations may suffice in closing off entire crucial market sectors and, if not, threats of loosely applied embargoes can destroy the most meticulously built business."

He further details the perils of the burgeoning threat intelligence industry in the absence of any kind of rules of engagement, where many researchers - rightly so - treat all malware as abusive regardless of source, and the motivations and actors behind attacks are often glossed over.

The nine-page report notes that the publication of intelligence materials by private sector firms amounts to 'regular grievances' that are "unthinkable to their intelligence agency counterparts". Another extract:

"Provocation occurs in two scenarios: first, where the (threat intelligence) company’s research causes political, diplomatic, or military tensions to flare between nations in an already escalated posture. Secondly, when the company’s public disclosure -- or private offering provided directly to sensitive targets -- endangers the reputation of the intelligence agency itself or worse yet comes close to revealing or endangering the requesting customer. The former scenario is undesirable; the latter scenario is unacceptable."

Not all research weighs the same. Guerrero-Saade says a recent report examining Chinese threat actors overstepped the boundaries of usefulness when it revealed the personal information of attackers including their daily activities, photos, and family members.

The future is unclear, the researcher says. Intelligence agencies may be pushed to develop highly capable malware designed to slip past researchers, while even the most capable researchers dabbling in the unmasking of intelligence agencies will need to undergo "drastic preparations" not only to excel but to survive. ®