WikiLeaks leader Julian Assange’s revelation last week of the CIA’s arsenal of hacking tools had a misplaced tone of surprise, a bit like Claude Rains’s famous line in “Casablanca”: “I’m shocked, shocked to find that gambling is going on in here!”
The hacking community, of which WikiLeaks and the CIA’s cyberwarriors are both aggressive offshoots, has been invading and exploiting every device in sight since the dawn of the digital age. It would be nice if governments, criminals and self-appointed do-gooders didn’t invade privacy and steal things from the Internet, but we don’t live in that world.
Cyber-mischief is a crowded and well-established field. The hackers’ convention known as DEF CON is holding its 25th anniversary gathering this July in Las Vegas: “We’re celebrating 25 years of warranty-voiding, boundary-expanding adventures in technological subversion,” boasts its website. These folks have been around so long their black T-shirts have turned gray.
Last year, DEF CON hosted discussions on hacking driverless cars, hotel keys and point-of-sale systems, and on inserting “ransomware” via your home thermostat that would roast or freeze you until you paid up, among other topics. One session was called “How to overthrow a government.” Nice.
I attended DEF CON in 2012 when I was researching a novel about hacking and espionage called “The Director.” I have never forgotten the “Wall of Sheep” near the entrance, an electronic scroll that recorded all the attendees’ devices that were being hacked, in real time. Topics included hacking cloud servers, mobile phones, routers, GPS and even airplanes.
The National Security Agency had a booth that year, over near “Lockpick Village.” (I kid you not.) I was told that recruiters from the U.S. intelligence community were in attendance, along with many contractors that serve it. So, too, presumably, were observers from foreign intelligence services, because the convention is pretty much wide open. Everyone was scouting the best hacking tools and cleverest code writers.
The dark side of this world exploded into view with WikiLeaks’ publication of the CIA toolkit. Some scary initial stories argued that the CIA could crack Signal and WhatsApp phone encryption, not to mention your toaster and television. But security experts Nicholas Weaver and Zeynep Tufekci have pushed back against those early claims, in the Lawfare blog and in the New York Times, respectively.
The hardest question here is whether the CIA and other government agencies have a responsibility to disclose to software vendors the holes they discover in computer code, so they can be fixed quickly. This may sound like a no-brainer. The government even has a little-known program, called the Vulnerability Equities Process, that posits that U.S. agencies should share such exploits whenever the public benefit outweighs the cost to the government.
But this cost-benefit analysis turns out to be tricky, many computer-security experts argue. The problem is that there’s a global market for “zero-day” exploits (ones that are unknown on the day they’re used). U.S. intelligence agencies buy some of these exploits; so do other countries’ spy services, criminal gangs and the software vendors themselves. In a hostile world, the United States needs a stockpile of such tools, for both offense and defense, the argument goes. And sharing the details may not help the public as much as it hurts the government.
A recent report by the Rand Corp. titled “Zero Days, Thousands of Nights” opens a window on this spooky market. By Rand’s calculation, there are about two dozen companies selling or renting exploits to the United States and its allies, with many of these contractors making between $1 million and $2.5 million annually. (Another, darker network sells to adversaries and criminals.)
The surprise was that the exploits being marketed survived a long time undetected and were unlikely to be snatched by competitors. The more than 200 zero-day exploits studied by Rand went undetected for an average of 6.9 years, with only 5.8 percent discovered by competitors within a year. Given this evidence, Rand argued, “some may conclude that stockpiling zero-days may be a reasonable option” to combat potential adversaries.
But let’s be honest: The real shocker in the WikiLeaks scoop is the demonstration, once again, that the U.S. government can’t keep secrets. It makes little sense for the CIA to argue against disclosing its cyber-tricks to computer companies if this valuable information is going to get leaked to adversaries or the hacker underground anyway.
Unilateral disarmament sounds like a bad idea. But so is the assumption that this information is safely protected.