I thought I was done writing about this incident, but in fact no. This morning I listened to the BBC Global News podcast, as I do most days, and heard a story about this breach. The story explored several angles of the Wikileaks CIA documents but one was of particular note: An interview with an ex-CIA agent and his analysis of the impact “if” these were authentic. It was completely off target. Here’s why:
First he essentially insults “engineers” as being “odd” and building cool products without regard to security. This is patently false. Engineers build products to specifications decided on by executives and managers. This includes product features, what will and will not be fixed, and most decidedly, security. The overriding motivation behind each decision is to maximize profit (time to market, cost of development, what the competition is doing, you name it). Security invariably falls to the bottom of the list of where to put resources. Security problems are not due to engineering shortcomings.
I have to emphasize this: engineers are NOT to blame for the security holes in released products. Period.
I don’t expect a CIA agent to know this, of course. But then he went off track again and parroted what a lot of the media is thinking, which is incorrect. And to be honest, it makes me wonder if this guy WAS an ex-CIA agent.
This agent went on to describe the damage done by this release as enabling attackers around the world to “come after us” by using the CIA tools and techniques. This is patently false. Why?
The CIA does not have a monopoly on cyber spying tools, nor will they ever have one. All the vulnerabilities that the CIA documents describe could have been found by anyone, and indeed were. One of the leaked documents describes how the CIA acquired knowledge of vulnerabilities, and this included BUYING them from cyber security researchers who found them. Really? So Russia, North Korea and Iran couldn’t buy them as well?
Building cyber weapons is not in the same class as building a nuclear bomb, for instance. Unfortunately, cyber weapons could potentially be far more effective than nukes, especially against the internet-dependent United States. To build a nuclear weapon, you need refined plutonium or uranium. This is extremely difficult to do and the world is watching for it. Building a cyber weapon requires money. That’s all, money. A group of individuals could have the same “cyber-power” as any nation-state in the world if they simply had the money to invest.
The real problem with the CIA leak is not that the “enemies” have new cyber spy tools, but that the CIA now has to start from scratch and build new ones. That is the angle the media is missing. All the vulnerabilities described in the documents have apparently been fixed, possibly because the CIA knew about the breach months ago and warned the companies whose products were affected. If so, kudos to the CIA for, in the end, doing the right thing.
All nation-states are cyber-spying, as well as many other actors (corporations, criminals, hacking groups, and organizations that you never hear about). These documents do not reveal anything new to them. However, the CIA cannot now use all the tools they developed at great expense and they will have to write new ones.
I’m not worried that the CIA is spying on Americans, as many media outlets imply. It is illegal for them to do so, but if that doesn’t ameliorate your concern, they could have spied on you before the computer age too. No need to be more concerned now, in my opinion. They are spying, that is their job. I don’t see how the U.S. can survive without such agencies. But like the NSA, they ironically don’t seem to have much control of their own internal security.
Posted in Cyber Security, Sailing by Mark.