WikiLeaks leader Julian Assange’s revelation last week of the CIA’s arsenal of hacking tools had a misplaced tone of surprise, a bit like Claude Rains’ famous line in “Casablanca”: “I’m shocked, shocked to find that gambling is going on in here!”
The hacking community, of which WikiLeaks and the CIA’s cyberwarriors are both aggressive offshoots, has been invading and exploiting every device in sight since the dawn of the digital age. It would be nice if governments, criminals and self-appointed do-gooders didn’t invade privacy and steal things from the internet, but we don’t live in that world.
Cyber-mischief is a crowded and well-established field. The hackers’ convention known as “DEF CON” is holding its 25th anniversary gathering this July in Las Vegas.
Last year, DEF CON hosted discussions on hacking driverless cars, hotel keys and point-of-sale systems, and on inserting “ransomware” via your home thermostat that would roast or freeze you until you pay up, among other topics. One session was called “How to overthrow a government.” Nice.
I attended DEF CON in 2012 when I was researching a novel about hacking and espionage called “The Director.” I have never forgotten the “Wall of Sheep” near the entrance, an electronic scroll that recorded all the attendees’ devices that were being hacked, in real time. Topics included hacking cloud servers, mobile phones, routers, GPS and even airplanes.
The hardest question here is whether the CIA and other government agencies have a responsibility to disclose to software vendors the holes they discover in computer code, so they can be fixed quickly. This may sound like a no-brainer. The government even has a little-known program, called the “Vulnerability Equities Process,” which posits that U.S. agencies should share such exploits whenever the public benefit outweighs the cost to the government.
A recent report by the RAND Corp., titled “Zero Days, Thousands of Nights,” opens a window on this spooky market. By RAND’s calculation, there are about two dozen companies selling or renting exploits to the U.S. and its allies, with many of these contractors making between $1 million and $2.5 million annually. (Another, darker network sells to adversaries and criminals.)
The surprise was that the exploits being marketed survived a long time undetected, and were unlikely to be snatched by competitors. The more than 200 zero-day exploits studied by RAND went undetected for an average of 6.9 years, with only 5.8 percent discovered by competitors. Given this evidence, RAND argued, “some may conclude that stockpiling zero-days may be a reasonable option” to combat potential adversaries.
But let’s be honest: The real shocker in the WikiLeaks scoop is the demonstration, once again, that the U.S. government can’t keep secrets. It makes little sense for the CIA to argue against disclosing its cyber tricks to computer companies if this valuable information is going to get leaked to adversaries or the hacker underground anyway.
Unilateral disarmament sounds like a bad idea. But so is the assumption that this information is safely protected.
David Ignatius is an award-winning columnist for the Washington Post. Readers can contact him at firstname.lastname@example.org.