The recent leak of classified CIA files has raised great concern about the capabilities of intelligence agencies to infiltrate computers, smartphones and smart TVs. Even more concerning is the use of zero-day exploits. If intelligence agencies collect zero-days instead of alerting those affected, it is very likely that global actors will take advantage of these vulnerabilities.
A Comment by Christoph Abels
Vault 7 Is No Surprise
The CIA has developed sophisticated tools to infiltrate and at least partly control a broad range of consumer electronics such as smartphones and smart TVs. That is the essential message of WikiLeaks' latest leak, code-named Vault 7. Around 8,700 documents have been released, including information about ways to bypass the end-to-end encryption of services like WhatsApp and Signal by exploiting vulnerabilities in smartphones, something that has been discussed before. So this is not completely new, but a friendly reminder of the problems related to cybersecurity: there is no such thing as an absolutely secure system (albeit quantum computers might provide a more accessible solution within the next five years).
The Internet of Things Will Make Digital Vulnerabilities in Society Skyrocket
Vault 7 reveals that the CIA compiles so-called zero-day exploits (exploits for vulnerabilities for which no patch currently exists) rather than notifying the affected organisations. The ultimate risks of software vulnerabilities have been highlighted in a recently published study showing that the average life expectancy of a zero-day is 6.9 years, while only 25 percent of exploits live no longer than 1.51 years. This is a big issue. In other words, if zero-days remain available for almost 7 years, attackers can compromise your system undisturbed without you even knowing it.
With the Internet of Things or IoT (a network of different connected systems and devices such as cars and smart homes) knocking on our door, society's vulnerability to cyberattacks will skyrocket. While more and more people buy devices that in some way contribute to the IoT, public security is at best questionable. The CIA's impressive collection of zero-days indicates that there is already a lot to patch. And due to increasing interdependence, the number of vulnerabilities will very likely increase.
Attribution Has Just Become More Difficult
But there is more to it. If the CIA has stockpiled zero-days, intel agencies of other nations might have them as well. And if these agencies continue to be able to hack, the next problem strikes at a global level.
It has always been difficult to identify the origins of cyberattacks, but the recent leaks make this attribution even more difficult. The CIA is able to lay a false trail and thereby compound the problems of attribution. Even now, if you can track an attacker, you may never really know whether the traces are genuine or intentionally placed decoys. Although this has been known before, the recent leaks provide for the first time public evidence of a government agency instructing its personnel to hide traces. Obviously, this does not prove that the CIA has falsely accused Russia of hacking the DNC – even if some people like to think that.
A New Global Security Environment
In its latest global risk report, the World Economic Forum named massive incidents of data fraud/theft one of the top five global risks in terms of likelihood. Cyberattacks were already considered a top risk in 2012 and 2014, and in the face of Vault 7 and the problems related to zero-days, this assessment seems more than reasonable.
Vault 7 strongly emphasises the importance of cybersecurity in a digitalised world. Depending on who the attacker is and what the intentions are, international security might quickly become the most important challenge. Within an interconnected society, immense harm can be caused without a single shot being fired. No army is necessary if attackers want to disrupt the global order; hence aggressors do not need to fear military power or maybe even nuclear capacities. On the contrary, this strength could become a major weakness. The New York Times recently highlighted a severe problem related to nuclear weapons: they are hackable. Just imagine unidentifiable hackers taking control of US nuclear warheads – the world's security lying in the hands of zeros and ones.
Even if this is perhaps an unlikely scenario, states need to acknowledge the changing environment. Cybersecurity has to be incorporated into a comprehensive security strategy accounting for both traditional and cyber threats. A sustainable approach can be achieved at an international level and in collaboration with corporations and civil society. NATO has already made cyber defence a core task and began to adopt a coherent policy in 2014. But the alliance needs to continuously increase its cyber capacities to keep pace with a changing threat situation. Especially when it comes to identifying the source of a cyberattack and defining mutual responses, full-scale international cooperation is indispensable. Until such cooperation is established, states will painfully learn that cyberspace does not stop at national borders.
The Polis Blog serves as a platform at the disposal of Polis180's members. Published comments express solely the authors' opinions and shall not be confused with the opinions of the editors or of Polis180. Image source: "-We want information….", Känno Filth, http://bit.ly/2nMTlK3, licensed under Creative Commons license 2.0: https://creativecommons.org/licenses/by/2.0/.