Consider this: The actual details about certain CIA cybersurveillance tools and hacking programs making it out into the public sphere aren’t as important as we think. That the fact these details leaked in the first place is what matters. That our intelligence agencies cannot expect to keep their practices secret from the public at large (and other nations) should influence policy decisions on how much information they collect and how they prioritize infiltrating devices over revealing security risks.
After WikiLeaks dumped thousands of documents about CIA surveillance and cyberespionage techniques Tuesday, Ed Krayewski looked through and summarized some of the more notable discoveries. There have been some responses that maybe overstate what the CIA is doing based on at least what’s in these documents. The use of surveillance through smart televisions, for example, requires a person to physically interact with the television in order to install malware. There is no evidence that CIA snoops can simply access the camera in any Samsung smart television.
So maybe the information from this leak is itself not particularly shocking. The CIA is doing largely what people expect them to do. That doesn’t mean there’s nothing important we should be learning from this info dump. Julian Sanchez, a Cato senior fellow who writes and speaks on surveillance issues and is a founding editor of Just Security, spoke to Reason (via Twitter direct messages) about the greater implications of the dump.
The CIA documents demonstrated an emphasis on data and device infiltration over security and the desire to keep “zero day” exploits (security weaknesses the device or software creator doesn’t initially know exists) to themselves to aid in surveillance. Except, as this latest leak demonstrates, the CIA may not actually be good at keeping these exploits secure. And that creates more cybersecurity vulnerabilities for everybody because the CIA isn’t informing companies about holes in their devices and programs.
“Many of us have been saying for a while that the default really ought to be quite prompt disclosure, because on net the security gain from closing vulnerabilities—defense against attacks against Americans—is likely to be greater than the value of the intelligence gleaned from maintaining the access,” Sanchez says. “And I think that holds even if we’re just talking about the risk of a hacker or foreign intel service independently discovering the same leak.”
It’s not unlike the fight over encryption “backdoors,” deliberately designed mechanisms to access the data of a device or program by bypassing its security systems. Government officials want to use backdoors to access data for investigations of crime or terrorism. But there’s no such thing as an encryption bypass that only the “right” people can use. Just like zero day exploits, anybody with the right knowledge—regardless of whether they have good or ill intent—would be able to exploit an encryption backdoor.