Security Research At The Hague: The Mobile Malware Threat

One thing that was often on display during this visit to the Netherlands was the degree to which government, business, and research teams collaborate on common goals. It's difficult to imagine this model working in the United States, where companies are typically far more focused on one-upping their competitors and citizens look with a gimlet eye on the idea that government can accomplish anything of note. This bedrock assumption of American life seems absent -- or at least, significantly reduced -- in the Netherlands.


But American suspicion of government involvement isn't the only reason to wonder if this collaborative model could work in the United States. One thing the federal government has proven extremely good at is building a comprehensive surveillance state -- and that means that private industry is going to be more wary of voluntary collaboration. That's not to say that a great deal of cooperation doesn't still occur, but the Dutch companies and representatives we talked to spoke about a spirit of openness that it's hard to imagine in the wake of Snowden.

end-to-end encryption

Images like the one above, which reportedly left Google engineers apoplectic, work against any comprehensive plan to bring government and private industry together in an equivalent setting. Given the ongoing race between black and white hats, that's probably not a good thing. That's not to suggest that there's no more cooperation between private industry, government sources, and research institutions in the United States -- there obviously is -- but there's also no getting away from the fact that in the 1970s, the NSA worked behind-the-scenes to strengthen emerging US cryptography standards. For decades, researchers suspected that the NSA had inserted backdoors into the then-new DES (Digital Encryption Standard), only for later information to prove the opposite. The NSA had actually strengthened the standard by using its knowledge of emerging cryptographic attack methods to harden the code against certain vectors that would've otherwise compromised it.

Today, in contrast, we know that the NSA worked to subvert modern standards like the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). The shift in organizational priority over the past 40 years is stark, and that makes it intrinsically difficult for international companies to engage with the NSA on matters of security. Google, Microsoft and Apple are already fighting the perception that they roll over whenever the NSA comes calling, which makes tacit, acknowledged cooperation politically complicated for any multinational.

It's a shame because based on what we saw, there's real strength to the Dutch model. Unfortunately, neither the US public nor our elected officials have shown much appetite for reigning in the NSA, which will complicate any future collaboration on fighting malware.