Wikileaks just published a trove of documents resulting from a hack of the CIA Engineering Development Group , the part of the spying agency that is in charge of developing hacking tools. The documents seem genuine and catalog, among other things, a number of exploits against widely deployed commodity devices and systems, including Android, iPhone, OS X and windows. Also smart TVs. This hack, with appropriate background, teaches us a lesson or two about the direction of public policy related to “cyber” in the US and the UK.
Routine proliferation of weaponry and tacticsThe CIA hack is in many ways extraordinary, in that it allowed the attackers to gain access to the source code of the hacking tools of the agency ― an extraordinary act of proliferation of attack technologies. In other ways, it is mundane in that it is neither the first, nor probably the last hack or leak of catastrophic proportions to occur to a US/UK government department in charge of offensive cyber operations.
The Snowden leaks contained a number of documents containing intimate details about the techniques, infrastructure and operations of both GCHQ and the NSA. It is unclear whether source code of particular attack tools is within the leaked documents, which has not been published yet. However, it is clear that configuration files and targeting information is present. Then we have the story of Harold T. Martin III, aformer NSA contractor, that walked out with reportedly 50TB of hacking tools from the sensitive Tailored Access Operations (read “hacking”) of the NSA. We then have the Shadow Broker archive, that appeared for sale online last year (2016) that contained a sample, and a further dump of hacking tools looking very much like those used by the Equation Group , authors of Flame and other sophisticated spyware. Finally, we have the recent CIA hack and leak .This list of leaks of government attack technologies, illustrates that when it comes to cyber-weaponry the risk of proliferation is not merely theoretical, but very real. In fact it seems to be happening all the time.
I find it particularly amusing and those in charge of those agencies should probably find it embarrassing that NSA and GCHQ go around presenting themselves as national technical authorities in assurance; they provide advice to others on how to not get hacked; they keep asserting that they can be trusted to operate extremely dangerous spying infrastructures; and handle in secret extremely dangerous zero-day exploits. Yet, they seem to be routinely hacked and have their secret documents leaked. Instead of chasing wisteblowers and journalists , policy makers should probably take note that there is not a high-enough level of assurance to secure cyber-weaponry, and for sure it is not to be found within those agencies.
In fact the risk of proliferation is at the very heart of cyber attack, and integral to it, even without hacking or leaking from inside government. Many of us quietly laughed at the bureaucratic nightmare discussed in the recent CIA leak, describing the difficulty of classifying the cyber attack techniques while at the same time deploying them on target system. As the press release summarizes:
To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified.
This illustrates very clearly a key dynamic in hacking: once a hacker uses an exploit against an adversary system, there is a very real risk the exploit is captured by monitoring and intrusion detection systems of the target, and then weponized to hack other computers, at a low cost. This is very well established and researched, and such “honey pot” infrastructures have been used in the academic and commercial community for some time to detect and study potentially new attacks. This is not the premise of sophisticated defenders, the explanation of how honeypots work is on wikipedia! The Flame malware, and Stuxnet before, were in fact found in the wild.
In that respect cyber-war is not like war at all. The weapons you use will be turned against you immediately, and your effective use of weapons relies on your very own infrastructures being utterly vulnerable to them.
What “Cyber” doctrine?The constant leaks and hacks, leading to proliferation of exploits and hacking tools from the heart of government, as well through operations, should deeply inform policy makers when making choices about “cyber” doctrines. First, it is probably time to ditch the awkward term “Cyber”.
“Cyber” conflates two distinct policy directions, one on attack and the other on defense. On on side it encompasses offensive doctrine, operations, infrastructures and technologies, such as hacking, interception, introducing backdoors, weakening security standards, retaining data, and on the harsh end the blackmail, fraud, and social engineering needed to get access to keys and communications. On the other hand, it also covers assurance ― or computer security as we known it for a while ― namely techniques to ensure that computer systems operate correctly, are available, and maintain secrets according to policy. The conflation is dangerous, since to maintain capabilities for attack, there are incentives to perform actions that are detrimental to communal defense ― the only effective defense we have against sophisticated hacking.
In the case of the CIA hack this tension is clear: exploits were not shared with vendors to ensure they are fixed in a timely manner; yet they were weaponized and deployed potentially exposing them to hostile parties; and ultimately they were leaked putting users of those devices ― including high-risk users in the UK, US and beyond ― at risk. It is not clear if the CIA or others have now disclosed those vulnerabilities
