By Reason Magazine (Reporter)
CIA: Protect Americans First Instead of Hacking Their Phones and TVs

Friday, March 10, 2017 10:09

As all the world now knows, Wikileaks released the “Vault 7” trove of secret information about the Central Intelligence Agency’s cyberwarfare and electronic surveillance activities. Among other things, the Vault 7 documents revealed hacking vulnerabilities in the code that operates Apple and Android devices and Windows, OS X, Linux, and internet servers. After the Edward Snowden National Security Agency mass surveillance revelations, the Obama administration promised to share with private vendors what the government learns about software vulnerabilities. To increase sharing, the Obama administration purportedly “reinvigorated” the Vulnerabilities Equities Process (VEP) in which the spooks at the NSA basically got to decide which exploitable software flaws to disclose to private companies.

Some critics of the VEP think it unreasonably disarms the U.S. intelligence community in the long twilight struggle with our international adversaries. For example, cybersecurity specialists Dave Aitel and Matt Tait assert:

Public protestations to the contrary, there should be no confusion: the VEP is, inherently, harmful to intelligence operators. The IC’s adversaries in Russia, China, Iran and North Korea are not—nor will they ever be—hamstrung by similar policies….So no matter how limited the VEP might be, it will always represent a strategic disadvantage against foreign adversaries, a window into the US government’s most sensitive operations. …

As problematic as the current VEP policy is, astoundingly plenty of US civil liberties groups and think tanks now clamour to make things significantly worse. Misunderstanding and discarding strategic interests, they offer policy proposals premised on an unexamined axiom that the US government should disclose essentially all vulnerabilities and do so at a much faster rate—there even appears to be some underlying uncertainty as to whether the government should be allowed to have an undisclosed vulnerability in the first place.

Herein lies the basic problem: US cyber operations already face a greater level of scrutiny and limitations than our competitors. But single-minded reformists seek still more restrictions. At the same time, US cyber capabilities grow increasingly critical and central to the basic function of democratic interests worldwide. Without a robust investment in these capabilities, the US will lack the ability to solve the “Going Dark” issue and our intelligence efforts will start to run into quicksand around the world.

Interestingly, if disclosing software vulnerabilities enhances the “Going Dark” problem for U.S. spooks, it would also tend to put Russian, Chinese, and Iranian cyberspies in the dark too. At a 2013 Cato Institute conference to discuss NSA spying, renowned cybersecurity guru and Harvard Berkman Center fellow Bruce Schneier persuasively asserted, “A secure Internet is in everyone’s interests. We are all better off if no one can do this kind of bulk surveillance. Fundamentally, security is more important than surveillance.”

Today, Moxie Marlinspike, the developer of Signal, the encrypted instant messaging and voice calling app, was on NPR’s Morning Edition to talk about the Wikileaks Vault 7 revelations. The NPR segment noted that Wikileaks founder Julian Assange has suggested that his group would work with tech companies to fix the vulnerabilities in their systems that the CIA has kept secret. Marlinspike was then asked about Assange’s offer by reporter David Greene:

Question: Is there an argument that Julian Assange is offering is something that the government should be doing; if they know about vulnerabilities in technology that they might tell you or Android about them and that’s not a role that Wikileaks should be playing?

Answer: Absolutely, I think certainly I agree that is irresponsible to hoard these vulnerabilities and say (A) that no one else has discovered these vulnerabilities or to (B) think that they can manage them securely because, you know, obviously they can’t. If what the CIA is interested in doing is protecting Americans, then I think it should be in the CIA’s interest to disclose these vulnerabilities to American companies so that they can fix them and protect their users.


