Open Rights Group

Home Blog CIA and GCHQ hacking – they must clear up their own mess

08 Mar 2017 Ed Johnson-Williams

CIA and GCHQ hacking – they must clear up their own mess

The agencies will use these vulnerabilities for targeted surveillance. However vulnerabilities can also be discovered and exploited by criminals and other countries’ intelligence agencies. GCHQ’s decision to keep their exploits secret could have devastating effects for society at large.

It is likely that the CIA and GCHQ are not the only organisations with knowledge of these vulnerabilities with the capability to exploit them. The agencies have, possibly through their own mistakes, increased the risks vastly by failing to ensure that the vulnerabilities are either reported or kept to themselves.

Many of the vulnerabilities disclosed in the CIA’s files came from UK intelligence agencies including GCHQ. The UK Government has some serious questions to answer. These include:

  1. How does the Government ensure that GCHQ’s process for deciding whether to exploit or report a vulnerability is adequate? Are they creating unnecessary risks for organisations and individuals?

  2. How do oversight bodies check that GCHQ’s policies for assessing the risk of keeping an active vulnerability secret are sufficiently robust?

  3. Did any hacking operations reduce the security and privacy of an individual/organisation with respect to other actors?

  4. Is the authorisation process sufficient to avoid future problems?

  5. How will the UK government and agencies work to clean up the mess created by their decision not to report these vulnerabilities to the vendors?

While targeted surveillance is a legitimate aim, we need to know that government regulation of this area is sufficient. Governments should be regulating the way their intelligence agencies hoard and use vulnerabilities that affect devices owned by millions of ordinary people. From what we learnt during the passage of the Investigatory Powers Act, it appears that the ‘creation’ of techniques is not really regulated at all.

Whatever benefits there may have been to GCHQ and the US agencies in stockpiling these vulnerabilities to use for “good”, the race is now on to repair them as fast as possible. NSA and GCHQ must disclose what they know about repairing these vulnerabilities and how they might be exploited to assist in this effort. The agencies must now work with the manufacturers of internet-connected devices like phones, laptops, TVs and routers, but potentially also fridges, toasters and home automation systems to repair the vulnerabilities.

Even if intelligence agencies report the vulnerabilities to device manufacturers, this does not mean that the devices will immediately be secure. The devices need to be updated to fix vulnerabilities. Manufacturers of Internet-connected devices have an ongoing responsibility to prioritise security, to actively test the security of the devices they sell, and to push out security updates to fix known vulnerabilities, which does not always happen.

At the moment, we have a secretive and unaccountable system of device hacking, badly in need of accountability and oversight. We should remember that our worry is only partly the agencies. It is the results of their actions, especially through enabling criminality, that we most need to worry about.