The CIA has been trying to hack into iOS for years. British and American agencies reportedly have collaborated to create a map of the Internet and Web users. The United States National Security Agency has, together with the UK’s GCHQ, reportedly stolen SIM card encryption keys from Gemalto. The FBI is frothing at the mouth over Google’s and Apple’s encryption of their mobile OSes. Vulnerabilities in Signaling System 7 telephony protocols let third parties eavesdrop on cellphone calls and intercept text messages, despite encryption.
Law enforcement agencies in several states in the U.S. are using Stingray devices to scoop up data from everyone’s cellphones within range, and reportedly are using private funds to purchase the devices.
And, for the third time, the U.S. government is trying to revive CISPA, the Cyber Intelligence Sharing and Protection Act. The latest version of the bill, filed in January, would give the NSA more access to Americans’ data and create a data-sharing program between the Department of Homeland Security, the Director of National Intelligence and the Secretary of Defense, without any external accountability and with exemption from the Freedom of Information Act.
Meanwhile, Google is fighting a proposed amendment to Rule 41 of the U.S. Criminal Code that might allow the U.S. to hack into computers abroad, GCHQ has used fake LinkedIn pages to target telecom engineers, and the NSA has forced U.S. high-tech companies to include back doors in their hardware and software.
President Obama has insisted — not quite truthfully, it turns out — that the U.S. government is not conducting surveillance on Americans. Despite trumpeting the president’s strong support of privacy, the White House has just come out in support of the renewed CISPA bill.
“Hacking is like a gun or any other dangerous tool,” said Jonathan Sander, strategy and research officer for Stealthbits Technologies.
“People who use it will argue that it’s the intention and the results that matter ethically. The difference is that murder is a well understood evil, and stealing information is still morally vague,” he told TechNewsWorld.
The Dungeons of Despair
Billions of dollars are being spent on cybersecurity, but why even bother? If there’s a back door, some intrepid hacker will find it sooner or later and leap in.
“The greatest security threat isn’t wearing a hoodie and armed with a laptop and Metasploit,” said Ken Westin, senior security analyst at Tripwire.
“They wear suits and are armed with secrecy and legal loopholes,” he told TechNewsWorld.
The real problem is that government surveillance “appears to be done illegally with little oversight or transparency,” Westin continued. “As governments pass laws to crack down on criminal hackers, we are learning that they in many respects are hypocrites. The law needs to provide citizens protection both from criminal hackers as well as our own governments.”
Espionage and cyberwar are impacting businesses around the world because “they get caught in the middle, with foreign nations trying to penetrate their front door and our own governments trying to install and find weaknesses in the back door,” Westin observed.
The CIA: Tiger or Kitty Cat?
Don’t be too concerned about the CIA, suggested Brett Fernicola, CISO at Stealthbits.
The agency “is one of the biggest leeches and script kiddies to date. Most of what they know infosec-wise was stolen or taken from hackers or legitimate research groups,” he told TechNewsWorld.
Nevertheless, “the NSA, CIA, Chinese security agencies and many others polluting the security of ecosystems [through hacking] is really bad for trust and for security,” warned Eric Cowperthwaite, VP of advanced security and strategy at Core Security.
Creating systems that are inherently insecure “is going to destroy trust in operating systems, software, applications and devices,” he told TechNewsWorld.
The e-commerce ecosystem, in particular, is fundamentally based on trust, Cowperthwaite pointed out. “What happens when the average consumer no longer trusts that the systems they use daily are trustworthy? How will CISOs secure systems when they don’t know what’s been polluted by government agencies?”
A Side Helping of Ethics, Please
It’s not so much that intelligence agencies spy on people. After all, that’s their job, contended Derek Bambauer, professor of law at the University of Arizona’s James E. Rogers College of Law. The question is whether their operations are sanctioned by law.
The Obama administration has “increasingly sought and used FISA orders” to conduct surveillance of U.S. persons on the grounds of national security, Bambauer told TechNewsWorld.
U.S. persons “might” have some Fourth Amendment claims against surveillance, he said, “but the Supreme Court has been very careful never to address this issue, and I don’t expect it to do so.”
Mass surveillance is not necessarily unlawful, but it’s “best described as being in conflict with individuals’ perceptions of ethics and privacy,” commented Philip Lieberman, president of Lieberman Software.
“The purpose of a government is the protection of its citizens and the promotion of their welfare,” he told TechNewsWorld.
Technical security measures “are not restraining surveillance, because the NSA and GCHQ are compromising them,” pointed out Gregory Nojeim, senior counsel for the Center for Democracy & Technology.
That “cries out for a strengthening of the extremely weak standards under which surveillance is conducted,” he told TechNewsWorld.
What Can Be Done
“One of the best ways to secure user data is to not collect it in the first place,” Tripwire’s Westin said. “The second is to encrypt it and ensure the keys stay safe.”
In the long run, though, hacking and surveillance will become a way of life, and the old saw about not putting anything online you don’t want someone else to know might be the only safe course.