alan buzdar

Software Engineer at Microsoft

The Good News From The CIA Hacks

The CIA and Strong Cryptography Are Working Exactly Like They’re Supposed To

It’s understandable to think that any time a leak comes from a three-letter agency it must be similar to Edward Snowden’s leaks from the NSA. We’ve seen the “Vault 7” hacks portrayed this way in the media, and many who were on Snowden’s side then seem to be against the CIA now. However, these are radically different situations. While the Snowden leaks showed the NSA engaging in unconstitutional behavior at the expense of Americans’ privacy, these leaks seem to contain a lot of good news for privacy hawks.

The CIA is Working Exactly Like It’s Supposed To

Let’s start by examining the CIA’s mission statement:

CIA’s primary mission is to collect, analyze, evaluate, and disseminate foreign intelligence to assist the President and senior US government policymakers in making decisions relating to national security. https://www.cia.gov/about-cia/todays-cia/what-we-do

So far, the leaks have been consistent with this mission statement and the CIA’s goal of foreign intelligence, and there is no indication they are spying on Americans or doing anything illegal. This is a far cry from the warrantless domestic surveillance of the NSA. We want our CIA to be able to collect foreign intelligence to keep us safe.

The leaks mostly focus on the collection of hacking tools that the CIA uses for targeted surveillance. All but the extreme fringe of privacy activists agree that targeted surveillance is exactly what we want our intelligence agencies to do. This method of surveillance means that the CIA has to expend manpower and resources to hack a target and listen in on them. It’s essentially the same as in the past, when the CIA had to physically plant a bug to listen in on someone or tap a specific phone line. In general, since the CIA has limited resources, they won’t waste those resources hacking anyone they don’t believe to be a legitimate threat. In contrast, the NSA engaged in passive, large-scale surveillance, which spies on everyone without probable cause and without expending extra energy.

One area where the CIA should be acting differently is its hoarding of vulnerabilities in consumer goods. This isn’t illegal, but it leaves those vulnerabilities unpatched and available for other hostile actors to use.

Crypto Is Working

It’s been misreported in several places that WhatsApp and Signal encryption were broken. But the leaks actually say that they’ve been bypassed. This simply means that the CIA is able to hack people’s cell phones and read the messages there, not that they are able to actually break the encryption in these apps and read the messages in transit. Why is this good news?

In the computing world, it’s long been known that if a sophisticated actor wants to spy on a specific individual, there is essentially no way to get around it. The odds in cyber security are heavily tilted in favor of attackers. Security expert Bruce Schneier stated it this way:

Ubiquitous encryption protects us much more from bulk surveillance than from targeted surveillance. For a variety of technical reasons, computer security is extraordinarily weak. If a sufficiently skilled, funded, and motivated attacker wants in to your computer, they’re in. If they’re not, it’s because you’re not high enough on their priority list to bother with. Widespread encryption forces the listener — whether a foreign government, criminal, or terrorist — to target. And this hurts repressive governments much more than it hurts terrorists and criminals. https://www.schneier.com/blog/archives/2016/02/security_vs_sur.html

The whole point of making crypto widespread wasn’t to prevent all hacking but to force agencies to make it targeted and active. If the NSA or CIA actually had the ability to break Signal encryption, they wouldn’t need to bypass it and could simply passively collect all the messages. The very fact that they are forced to bypass the encryption is exactly what privacy activists have intended.

In short, what the CIA is doing is essentially military activity against foreign threats. As long as it isn’t abused, I think most people would agree it’s a perfectly valid use of their power. The NSA, however, was spying on ordinary citizens and should be held to the standards of police, who require a warrant and probable cause. The success of encryption is (unless the NSA is hiding their capabilities from the CIA) that it’s no longer possible to passively collect a lot of the public’s data.
