What they are not telling you about the CIA leaks.

CIA Leaks

The CIA leaks are making huge waves across the world. In a nutshell, the documents claim to reveal some of the hacking capabilities that the CIA has. Many privacy advocates believe that exposure of secrets like these is a net benefit for citizens because it provides transparency in government action. The media also likes leaks like these because it provides excellent story fodder.
But there is one thing that no one is talking about with these leaks, and it has serious long-term consequences for all of our foreign relationships. The concept is called attribution in the intelligence field, and it is important that everyone get an idea of what it is and why it matters, so they can put the real danger of these leaks into the proper context.

What is Attribution?

Attribution is the ability to accurately trace the evidence of a situation back to whoever did it. Even if you don’t know the term, these examples will make it quite clear. Let’s say you’re a child on a school playground. You tell your best friend a secret that you don’t want anyone to know about. A few days later, the whole school knows. If you know you didn’t tell anyone, who told the secret? The obvious one to blame is the best friend. That breach of trust could end your friendship.
That’s a simple example. A more complex one is a murder case. Let’s say that your neighbor kills your best friend in your house, but isn’t caught. Instead, you are accused and you spend a lot of money on lawyers to get the charges dismissed. Your reputation is damaged, but you stay out of jail. The case grows cold.
Now, let’s say over time you become close friends with your neighbor. Later, for whatever reason, the neighbor gets his DNA analyzed and there is a match to the old murder. The neighbor might get arrested, but how would you react?
In the first case, the fact that only one other person knew the secret and it leaked lets us attribute the leak to that person. In the second, a telltale fingerprint that’s impossible to forge creates an attribution that wasn’t there before and provides ironclad evidence that you weren’t involved.

Leaking and Attribution

Put bluntly, the general public and the media are overreacting about how much the CIA might or might not be using the things leaked to spy on them. A much more serious concern is what every other government in the world is thinking about the information in these leaks. Here’s why.
One of the roles of any government is to protect the interests of the country and its citizens. Countries use intelligence networks, spies, hacking, and other espionage techniques to gather information in advance about what their enemies and their allies might do next. Failing to get that knowledge puts the country at risk of something called information asymmetry. Other countries can get more information about you than you can about them. It’s like they can peek at your hand in a game of poker before the betting round, but you can’t.
The CIA’s role in America’s spy networks is international intelligence. The CIA isn’t going to turn their attention to people inside of the U.S. unless there is an extraordinarily good reason, despite what conspiracy theorists may think. But foreign governments definitely know the CIA will have at least thought about spying on them at some point. However, unless a spy was caught red-handed and confessed they were a CIA operative, it’s hard for a country to accuse us of spying on them in a specific instance. In short, there is no attribution. Just guesses.
What the CIA leaks do is give information to every government who wants to know how we might hack them. It is extremely difficult to attribute a hacking attack to a specific state actor, despite what the media and television might lead you to believe. You might be able to detect the attack and gather forensic evidence about a hacking incident, but until you can get definitive proof that another country knew about that particular exploit at the time of the attack and had the tools necessary to leverage it, you can’t say for certain. The leak now gives other governments details they can use to analyze their old forensic data and see if there is a match, much like the DNA evidence in the earlier example.
In short, now they can prove that we peeked at their poker hands and know how we did it. The how is also crucial not just for attribution, but for how hacks are conducted between governments.

Hidden Exploits

99.9% of all breaches are the result of the exploitation of known vulnerabilities (for which patches exist), many of which have been published (open to the public) for over a year. But those aren’t the vulnerabilities that governments generally want to exploit. They want to target 0-day vulnerabilities with 0-day exploits. A 0-day vulnerability is a bug in software that is unknown to the vendor or the public. A 0-day exploit is the software that leverages a 0-day vulnerability, usually to grant its user access to and control over the target. 0-days are the secret in the playground of geopolitical hacking.
Governments want to keep some 0-day exploits as state secrets. The time for a defense to be built against a revealed exploit can be as little as 24 hours. A 0-day exploit can be used for 6 months or even years. That is a lot of time for a government. But governments don’t want to use these too often anyway. Each time a 0-day exploit is used successfully, it leaves behind some form of forensic evidence that could be used later to gain attribution. The first time might be a surprise. The second will reveal similar patterns between the two attacks. The third time runs the risk of getting caught.
The value of these exploits varies and is determined by operational need, how rare the exploit is, how likely it is to be discovered or detected, etc. Governments can pay as little as tens of thousands of dollars to as much as several million dollars for a single 0-day exploit. Each time a 0-day exploit is used, its lifespan is shortened significantly. In some cases, a 0-day is only used once before it is exposed (burnt). In other cases, 0-day exploits may last years before they are burnt. One thing is always true. If governments are going to spend millions of dollars on 0-day exploits, then they are not likely to use them on low-value targets like everyday civilians or for easily detected mass exploitation. They are far more likely to be used for high-value, well-protected targets where detection of a breach simply isn’t an option.
Because these are not open secrets, when 0-day exploit information is released in a leak it makes it extremely easy to attribute attacks to a state and it diminishes that state’s intelligence capabilities. Furthermore, now every other government has leverage against that state, and could even have grievances. They could feel like the unjustly accused murder suspect. And unlike the suspect, states have options that citizens do not in terms of how they can retaliate, such as levying sanctions or declaring war. Worse, they could even gain the moral high ground even though they might be doing the same thing, because they managed to keep their intelligence information secret.
Regardless of whether you think leakers and whistleblowers are heroes or traitors, there are consequences for leaking intelligence information to the world. The average American citizen doesn’t know and can’t know what the foreign consequences will be. Before you go out and cheer the next leak, consider what the consequences might be for our country now.  What does it mean when we lose our intelligence capabilities and our enemies don’t? What does it mean when our enemies and allies know just how, when, and most importantly, who managed to hack them?
