What If Intelligence Agencies Can’t Secure Their Own Hacking Tools?
That’s the question that Julian Sanchez asked in her article on the defense and national security website — DefenseOne.com, in their March 9, 2017 edition. Her bottom line up front: “The Wikileaks dump [on CIA hacking tools], makes it harder to argue that concealing vulnerabilities makes us safer.”
“It’s a cliche of a political scandal that “the cover- up is worse than the crime.” “Attempts to conceal misconduct because they’re easier to prove; and otherwise provide elusive evidence of a guilty mind — often end up being more politically damaging than the underlying misconduct would have been,’ had it been disclosed up front. In the case of the latest Wikileaks document dump,” Mr. Sanchez writes, “we have an apparent reversal of the formula. The un-cover-up — the fact that the leak itself — is probably more significant than the substance of what has thus far been revealed.”
The more widespread adoption and employment of encryption, helped spur intelligence agencies, and no doubt, law enforcement to seek alternative/new means of surveiling and collecting intelligence — once their previous sources and methods were no longer available. And, the proliferation of the Internet of Things (IoT) and all the potential ways of gaining access — was too lucrative a target to pass up by these same entities. Indeed, Mr, Sanchez writes that the IoT was viewed as such a lucrative source of intelligence and information, “that it spawned its own research department, Embedded Development Branch.” “One of the more widely-reported projects in Vault-7, the name Wikileaks gave to its cache of purloined CIA documents, has been the Doctor Who-referencing “Weeping Angel” implant, which can turn Samsung televisions into surveillance microphones, even when they appear to be turned off. Yet,” Mr, Sanchez writes, “at least at the time of the Wikileaks release was written, Weeping Angel appeared to require physical access to be installed — which makes it a fancy and less detectable method of bugging a particular room, once a CIA agent has managed to get inside.” Having said all that, Mr. Sanchez makes clear that despite all the hype in the public domain about the CIA’s ability to compromise devices we use in our daily lives — there is no evidence as yet that “these tools have been deployed either against inappropriate targets, or on a mass scale, it’s not intrinsically all that controversial. Finding clever ways to spy on people is what spy agencies are supposed to do.”
Mr. Sanchez urges the intelligence community and the U.S. national security establishment to consider the very real possibility that “the Intelligence Community cannot properly secure its own hacking tools.” This line of observation/argument essentially states that the IoT a goldmine for information; but, the means and methods of breaching the IoT can also be used against us. Disclosing these vulnerabilities in the public domain, will in the long run, make us safer and less vulnerable, this line of argument goes, because the public will demand that the corporations who develop and manufacture these same devices will make compromising these devices harder to do with each new version that is developed. Otherwise I guess, we shouldn’t be surprised if lawsuits start to come against these companies for not adequately anticipating the cyber threat to their devices; nor, accounting for this threat when developing the security defenses for the same device. Sounds right — except for one thing. The foundation that these devices will eventually operate on — the WorldWide Web/Internet, was built for access and ease of use, freedom to communicate. Security, was not a primary consideration; and thus, we have an Internet foundation that simply has too many vulnerabilities to ever foresee a time — at least in the short to mid-term — when we can be assured as individuals that our personal devices aren’t being used to spy against us. Yes, we can write laws as well as enforce existing laws that prevent our intelligence agencies from domestic spying — except in extreme circumstances where a threat is imminent — but, no such laws is likely to deter criminals, foreign entities, and others who will continue to exploit the IoT’s many vulnerabilities and weaknesses. Unless and until we build a brand new Internet, with security as a main characteristic, we will continue to use the Internet we have; but, not necessarily the Internet we want. But, an Internet built with security as a main tenant, may be so cumbersome to use, that it becomes more trouble than it’s worth and not embraced by the public. Whether disclosing all these vulnerabilities and the sources and methods used to compromise it — would make us safer and our secrets more protected is an open question. I do not believe Mr, Sanchez provided us an answer. V/R, RCP