Last week, the Justice Department criminal charges against a North Korean operative for a malware attack that endangered hospital systems and crippled the computers of businesses, governments, and individuals around the world. Americans might be surprised to learn that the software used for this 2017 attack 鈥 known as 鈥淲annaCry鈥 鈥 was based on a hacking tool created by the U.S. government itself.
The NSA developed the tool for its own hacking operations and, inevitably, it leaked out. This incident raises questions about the wisdom of allowing the U.S. government 鈥 and law enforcement agencies in particular 鈥 to deploy hacking as a tool of surveillance.
Government hacking proposals have evolved in the context of the FBI鈥檚 鈥淕oing Dark鈥 public relations campaign, which claims that the growing use of encryption will eviscerate the FBI鈥檚 ability to eavesdrop on criminals. To guard against this, the government says it needs tech companies to compromise customer security by providing 鈥渂ackdoor鈥 access to law enforcement, giving it broad access to private communications and other revealing personal data.
But security experts almost uniformly agree that it is dangerous to design encryption to ensure investigators can have access to everything. Giving the government this power would render encryption software less secure since it would necessarily have a built-in weakness.
As the government vigorously pursues its campaign to force back doors into communications systems and devices, some security experts have proposed an odd compromise in response: That instead of giving the government more expansive backdoor privileges, the government should be allowed to deploy hacker tricks, arguably compromising fewer people鈥檚 data in the process.
The thinking goes like this: Because the government would not be allowed to force companies to build insecurities into all modern communications systems, most consumers could maintain their digital privacy. Regulations, moreover, could ensure that the government only hacks people in limited investigations and with probable cause to believe criminal activity is underway.
In a , at Stanford Law School鈥檚 Center for Internet and Society (CIS) analyzes the cybersecurity risks of this practice for all internet users 鈥 not just law enforcement鈥檚 few targeted suspects. (The 老澳门开奖结果鈥檚 Jennifer Granick, formerly with CIS, contributed to the report.)
Pfefferkorn argues that government hacking creates an incentive to hoard 鈥 rather than disclose and patch 鈥 vulnerabilities that criminal hackers could steal or independently discover. She also points out that government hacking cultivates a market for surveillance tools and creates an incentive for the government to push for less secure software and standards.
These concerns are far from theoretical, as multiple government hacking operations have jeopardized the digital security of innocent people. In the case of the WannaCry attacks, in April 2017, a group of hackers released a cache of NSA hacking tools, which included details of previously undisclosed flaws in popular Microsoft software. Microsoft had issued a patch a month earlier 鈥 after the NSA noticed the tools were stolen but before the hackers released them to the public. Nevertheless, too many users 鈥 as is often the case 鈥 did not or could not quickly install it.
The following month, a team allegedly working for the North Korean government used the software flaw to launch a global ransomware attack that, as Pfefferkorn writes, 鈥渋nfected such crucial systems as hospitals, power companies, shipping, and banking, endangering human life as well as economic activity.鈥 Microsoft, rightfully, was . The NSA had kept the vulnerability secret rather than giving the company and its customers more time to update the software.
While targeted government hacking might initially affect fewer people compared to back doors, as the paper concludes, 鈥渨hen the government cannot maintain control over its exploits, hacking looks less like a targeted sniper鈥檚 bullet and more like a poorly-aimed bomb, with a broad and indiscriminate blast radius.鈥 Even regulated government hacking poses a security danger to the public.