CIA Leak Shows How We're Losing Both Privacy and Security with Tech Data
Agency hoards infiltration tools and puts our information at risk of exposure.
Consider this: The actual details about certain CIA cybersurveillance tools and hacking programs making it out into the public sphere aren't as important as we think. That the fact these details leaked in the first place is what matters. That our intelligence agencies cannot expect to keep their practices secret from the public at large (and other nations) should influence policy decisions on how much information they collect and how they prioritize infiltrating devices over revealing security risks.
After WikiLeaks dumped thousands of documents about CIA surveillance and cyberespionage techniques Tuesday, Ed Krayewski looked through and summarized some of the more notable discoveries. There have been some responses that maybe overstate what the CIA is doing based on at least what's in these documents. The use of surveillance through smart televisions, for example, requires a person to physically interact with the television in order to install malware. There is no evidence that CIA snoops can simply access the camera in any Samsung smart television.
So maybe the information from this leak is itself not particularly shocking. The CIA is doing largely what people expect them to do. That doesn't mean there's nothing important we should be learning from this info dump. Julian Sanchez, a Cato senior fellow who writes and speaks on surveillance issues and is a founding editor of Just Security, spoke to Reason (via Twitter direct messages) about the greater implications of the dump.
The CIA documents demonstrated an emphasis on data and device infiltration over security and the desire to keep "zero day" exploits (security weaknesses the device or software creator doesn't initially know exists) to themselves to aid in surveillance. Except, as this latest leak demonstrates, the CIA may not actually be good at keeping these exploits secure. And that creates more cybersecurity vulnerabilities for everybody because the CIA isn't informing companies about holes in their devices and programs.
"Many of us have been saying for a while that the default really ought to be quite prompt disclosure, because on net the security gain from closing vulnerabilities—defense against attacks against Americans—is likely to be greater than the value of the intelligence gleaned from maintaining the access," Sanchez says. "And I think that holds even if we're just talking about the risk of a hacker or foreign intel service independently discovering the same leak."
It's not unlike the fight over encryption "backdoors," deliberately designed mechanisms to access the data of a device or program by bypassing its security systems. Government officials want to use backdoors to access data for investigations of crime or terrorism. But there's no such thing as an encryption bypass that only the "right" people can use. Just like zero day exploits, anybody with the right knowledge—regardless of whether they have good or ill intent—would be able to exploit an encryption backdoor.
If even the secretive CIA cannot keep the details of its exploits out of the hands of Wikileaks, then we've surrendered both privacy and security for the benefit of the intelligence community's desire to collect information. Sanchez notes that "when you add what appears to be a very real problem of the actual tools we develop—weaponized vulnerabilities—making it into the wild, the risk of opting for retention over disclosure is even greater."
The leak should also be a reminder that when the federal government snoops, collects, and stores data about everybody, there's also the risk of that information "making it into the wild." We already saw this under President Barack Obama's administration when the private personnel data on millions of federal employees was compromised. The more information the government has, the greater potential for harms from other compromises.
But it's unclear right now whether any of these concepts or concerns will play any role in this post-leak analysis. Right now the emphasis is on who is responsible for the leaks ("Was it Russia? Was it? It was Russia, wasn't it? Tell us if it was Russia.") and the embarrassment the CIA must feel over the leak.
