Today's Opinions, Tomorrow's Reality 

Choosing Your Targets

By David G. Young

Washington, DC, March 14, 2017 --  

Americans are right to be cavalier about CIA hacking.

When WikiLeaks dumped a trove of information about CIA hacking tools last week, it was expected to be the biggest thing after Edward Snowden's revelations about the NSA. Then something interesting happened: the public didn't care.

The revelations sounded shocking at first glance. The Central Intelligence Agency had amassed an arsenal of known vulnerabilities in laptops, mobile phones and connected appliances like televisions. An agency hacker could theoretically turn on the microphone and camera attached to your connected TV, laptop or phone, and watch and listen in on whatever you are doing.

But unlike the hacking done by the National Security Agency, which involved splicing into the internet backbone at vulnerable locations and listening to everything, the CIA's toolkit requires infecting specific devices to exploit the vulnerabilities. This means that the CIA has to choose the people they want to spy on up front.

It's hard to stress how big a difference this is. The reason that the NSA's activities caused such an outrage is that they wiretapped every single person they could. This is something that any reasonable person (but apparently not secret Foreign Intelligence Surveillance Act Court judges) would deem a violation of the Bill of Rights. They stored all this information in a giant database they could search at will, all the while promising those secret FISA Court judges that they wouldn't intentionally (wink, wink) search it for information belonging to American citizens inside the United States. They scooped up everything in a huge net, and figured they'd ask for forgiveness later.

The CIA can't do this with their toolkit. They must decide who they want to target first, then figure out a way to install some malware on their laptop, TV or phone, maybe by giving them a free infected memory stick, maybe by logging in remotely through a vulnerable home router.

Yes, it is certainly possible that the CIA is using these tools to illegally target American citizens at home. But to date, there is absolutely no evidence they are doing so. Hence, the justifiable lack of outrage.

We know from every spy movie we have ever seen that foreign agents will break into offices and homes, install listening devices, and do whatever it takes to intercept information. Why should we be surprised to learn that they use highly technical tools to accomplish the same ends? Indeed, any spy agency that failed to do so would not be doing its job.

But just because the CIA might not be violating Americans' civil liberties doesn't mean there's nothing wrong with its actions.

Much of this arsenal uses what are known as "zero day" exploits, meaning that the manufacturers are unaware of the vulnerabilities and have therefore had zero days to try and fix them. Such exploits are extremely dangerous and extremely valuable on the hacking market. Spy agencies around the world, organized crime networks and other bad guys pay top dollar to get access to them.

If you think of the CIA as the good guys, you probably don't mind such dangerous tools being in their hands. But the problem is that these tools won't stay there. The longer that these exploits remain unpatched by device manufacturers, the more likely it is that other people will find these same vulnerabilities and use them against innocent victims.

Perhaps hackers working for or selling exploits to Russia, China or other Western adversaries will discover them on their own. Or maybe they will manage to steal them directly from the CIA. Anyone who doubts this possibility should take note of the WikiLeaks example, and be thankful that the information ended up there rather than in the arsenals of the enemies of the West. The fact that the CIA decided to keep the exploits to themselves and risk that they may be used against American citizens is scandalous all by itself.

To be clear, WikiLeaks did not publish the specifics about how to use these technical exploits. Doing so would be terribly irresponsible. Instead, it says it shared them only with the hardware and software manufacturers responsible for patching them, something Apple and Google have already acknowledged.

For international spies, criminals and evil hackers, this is terrible news. But for the rest of us, even those in the general public who don't seem to care, this is a very, very good thing.