CIA

CIA: Protect Americans First Instead of Hacking Their Phones and TVs

'Fundamentally, security is more important than surveillance.'

As all the world now knows, Wikileaks released the "Vault 7" trove of secret information about the Central Intelligence Agency's cyberwarfare and electronic surveillance activities. Among other things, the Vault 7 documents revealed hacking vulnerabilities in the code that operates Apple and Android devices and Windows, OS X, Linux, and internet servers. After the Edward Snowden National Security Agency mass surveillance revelations, the Obama administration promised to share with private vendors what the government learns about software vulnerabilities. To increase sharing, the Obama administration purportedly "reinvigorated" the Vulnerabilities Equities Process (VEP) in which the spooks at the NSA basically got to decide which exploitable software flaws to disclose to private companies.

Some critics of the VEP think it unreasonably disarms the U.S. intelligence community in the long twilight struggle with our international adversaries. For example, cybersecurity specialists Dave Aitel and Matt Tait assert:

Public protestations to the contrary, there should be no confusion: the VEP is, inherently, harmful to intelligence operators. The IC's adversaries in Russia, China, Iran and North Korea are not—nor will they ever be—hamstrung by similar policies….So no matter how limited the VEP might be, it will always represent a strategic disadvantage against foreign adversaries, a window into the US government's most sensitive operations. …

As problematic as the current VEP policy is, astoundingly plenty of US civil liberties groups and think tanks now clamour to make things significantly worse. Misunderstanding and discarding strategic interests, they offer policy proposals premised on an unexamined axiom that the US government should disclose essentially all vulnerabilities and do so at a much faster rate—there even appears to be some underlying uncertainty as to whether the government should be allowed to have an undisclosed vulnerability in the first place.

Herein lies the basic problem: US cyber operations already face a greater level of scrutiny and limitations than our competitors. But single-minded reformists seek still more restrictions. At the same time, US cyber capabilities grow increasingly critical and central to the basic function of democratic interests worldwide. Without a robust investment in these capabilities, the US will lack the ability to solve the "Going Dark" issue and our intelligence efforts will start to run into quicksand around the world.

Interestingly, if disclosing software vulnerabilities enhances the "Going Dark" problem for U.S. spooks, it would also tend to put Russian, Chinese, and Iranian cyberspies in the dark too. At a 2013 Cato Institute conference to discuss NSA spying, renowned cybersecurity guru and Harvard Berkman Center fellow Bruce Schneier persuasively asserted, "A secure Internet is in everyone's interests. We are all better off if no one can do this kind of bulk surveillance. Fundamentally, security is more important than surveillance."

Today, Moxie Marlinspike, the developer of Signal, the encrypted instant messaging and voice calling app, was on NPR's Morning Edition to talk about the Wikileaks Vault 7 revelations. The NPR segment noted that Wikileaks founder Julian Assange has suggested that his group would work with tech companies to fix the vulnerabilities in their systems that the CIA has kept secret. Marlinspike was then asked about Assange's offer by reporter David Greene:

Question: Is there an argument that what Julian Assange is offering is something that the government should be doing; if they know about vulnerabilities in technology that they might tell you or Android about them and that's not a role that Wikileaks should be playing?

Answer: Absolutely, I think certainly I agree that it is irresponsible to hoard these vulnerabilities and say (A) that no one else has discovered these vulnerabilities or to (B) think that they can manage them securely because, you know, obviously they can't. If what the CIA is interested in doing is protecting Americans, then I think it should be in the CIA's interest to disclose these vulnerabilities to American companies so that they can fix them and protect their users.

Yes.

22 responses to “CIA: Protect Americans First Instead of Hacking Their Phones and TVs”

  1. This is 100% true and it's infuriating seeing idiots think otherwise out of sheer ignorance.

    We would be far better served with good unbroken encryption standards system wide.

    Encrypted dashcams
    cameras
    file systems
    internet
    cellphones
    phone calls
    and everything.

    There is no real good reason for our data to be so fucking broken.

    1. What I want to know is, will the psychotic Trump The Hump, lying, hypocritical phony Sean “Ugly, Little, Chimp Face” Hannity and the rest of the contards still now lick the shit from rapist Julian Assange’s diseased asshole?

    2. Contard hack/toady chimp face (he really does look very simian) Hannity must think that the brown stuff that comes from rapist Julian Assange’s diseased asshole is fudge. Nah, he just loves the taste of shit.

  2. If what the CIA is interested in doing is protecting Americans…

    Well there’s your problem right there.

    1. Agreed…I have never seen or heard any government agency's interest to protect Americans besides the military. Any police/spy organization has never really given a shit about Americans. The military oddly enough does….to an extent.

      1. Don’t get me wrong, the military has no problem turning on Americans (Katrina) but at its core its purpose is to defend the homeland and not police/spy.

        1. I think that was NOLA cops that went nuts in Katrina. Not soldiers.

          1. National Guard was caught too. IIRC even the army was complicit in certain ways.

            It's been a number of years since I read about it but it was bad.

  3. “There’s a fine line between cuddling and holding someone down so that they can’t get away.”

    Oops, wrong Dave Aitel. But the sentiment’s the same, ain’t it?

  4. Disclosure would make CIA a servant of the people, rather than master.

    Can’t have that.

  5. I’ve long wondered how long it will be before it’s considered “suspicious” by the authorities to NOT own a cell phone, or to own one but sometimes leave it at home. “The only reason you didn’t bring your cell phone with you is you’re trying to HIDE SOMETHING!!!”

    1. It is true I try to hide many many things in my VC cascading containers with multiple layers, redirects, fake data. My VPNs, Tails, TOR, and so much more. Hidden shit in various places in the real world. Shit hidden in online games and so on. I do many things to hide stuff.

      FUCK OFF SLAVES 😀

  6. “the VEP is, inherently, harmful to intelligence operators. The IC’s adversaries in Russia, China, Iran and North Korea are not—nor will they ever be—hamstrung by similar policies….So no matter how limited the VEP might be, it will always represent a strategic disadvantage against foreign adversaries…”

    Yeah, well those countries also practice all sorts of stuff like random arrests/interrogations, summary executions without the need for jury trials, extended at-will prison sentences, laws governing speech, internet access, the press, and even simple freedom of assembly, etc. By the logic of these guys, the US intelligence/law enforcement community should be able to do all that, too. I mean, isn’t it a huge “disadvantage” to be “hampered” by a stupid thing like a Bill of Rights?

    1. You do realize everything you listed the US does too…….

      1. Yeah, but not in the open.

        1. Yes it does. Drone strikes, Chicago's PD black site, numerous safe space and protest laws exist, indefinite detention of “sex offenders”, attacking people who are protesting on private property with permission, and so on.

  7. RE: CIA: Protect Americans First Instead of Hacking Their Phones and TVs
    ‘Fundamentally, security is more important than surveillance.’

    We must all trust our leaders to spy on us for our own good and for the good of the collective.
    They always have our best interests at heart and have never done anything since the inception of our country that damaged or ruined the lives of Americans.
    Therefore, let us all inform our slave masters in power what we think, say and do, along with what other people think, say and do if we are to continue down the enlightened path of socialist totalitarianism.
    Spying by our ruling elitist betters only simplifies and betters our lives.

    1. The fucked up part is I have met people who totally think this.

  8. “The IC’s adversaries in Russia, China, Iran and North Korea are not—nor will they ever be—hamstrung by similar policies”

    Maybe not, but they will be hamstrung when the security gaps they were exploiting in products used by/in the US are closed thanks to the tireless efforts of NSA whitehats. I doubt we’re obligated to disclose similar vulnerabilities to Russian, Chinese, and North Korean software companies, so it’s mostly of benefit to violating the rights of Americans, not legit espionage, anyway.

  9. Please understand, dear posters, that the Hollywood Evil CIA buzzing about in your fevered brain doesn’t exist. CIA has no mandate to operate in the United States. It is a foreign-intelligence organization. Other agencies may hack gear located within the United States. CIA does not. It’s an important distinction you should keep in mind.
