Julian Assange, the founder of Wikileaks, divulged at the beginning of this month that his organization had secured tools used by the Central Intelligence Agency (CIA) to hack into technology products made by U.S. companies. The revelation sent security engineers at Cisco Systems scrambling to seal the loopholes.
The documents released by Wikileaks give an account of how, for more than a year, the CIA knew how to exploit loopholes in Internet switches supplied by Cisco that are commonly used in the country. The devices direct electronic traffic, so exploiting them would give the CIA the ability to spy on people.
On condition of anonymity, three Cisco employees disclosed that senior managers at Cisco instantly pulled staff off their work to find out how the CIA was able to exploit the company's systems. The intention was to help customers fix their systems and to block spies and fraudulent hackers from exploiting the same flaws.
The employees also confirmed that Cisco engineers worked tirelessly for days to examine, methodically and in detail, the tricks behind the hacks, develop solutions and draft a provisional alert about a security risk that involved a range of products believed to number more than 300.
Most current and former U.S. intelligence and security officials expressed concern about how the government is handling cybersecurity. That concern was reinforced by the fact that a large U.S. company needed information disclosed by Wikileaks to become aware of security flaws that U.S. intelligence agencies already knew about.
That policy excessively favors going on the offensive by exploiting the attacker’s weak points over building a strong defense, in light of an increasing number of hacks by foreign governments hitting U.S. organizations. It is founded on the idea that stopping the offense an attacker has mounted keeps companies in control of the hack, whereas putting up a good defense means waiting for the adversary to gain access to the network and letting the attacker call the shots.
Larry Pfeiffer, a former senior director of the White House Situation Room during Obama’s tenure, said that since other states were reaching the same level as the United States in cyber capability, “maybe it is time to take a pause and fully consider the ramifications of what we are doing.”
U.S. intelligence agencies hold Russia responsible for the Democratic National Committee hack during last year’s election. Nation-states are also suspected of carrying out the hack of Sony Pictures Entertainment in 2014 and the attack on the U.S. Government’s Office of Personnel Management in 2015.
Heather Fritz Horniak, the CIA’s spokeswoman, politely declined to comment on the Cisco case, but pointed out that it was the task of the agency “to be innovative, cutting-edge, and the first line of defense in protecting the country from enemies abroad.”
The Office of the Director of National Intelligence supervises the activities of the CIA and NSA. The Office referred questions to the White House, which also declined to give a statement.
Senior intelligence officials disclosed to Reuters that a significant share (about 90%) of all government expenditure on cyber programs is directed to offensive programs. This includes breaching the adversary's security systems, eavesdropping on communications and developing ways to disable the attacker’s infrastructure.
President Donald Trump's budget proposal allocates approximately $1.5 billion for cybersecurity defense strategies at the Department of Homeland Security (DHS). The military and the private sector are also protecting themselves by investing in cybersecurity.
Documents released by Edward Snowden, a former NSA contractor, showed that the secret part of the U.S. intelligence budget amounted to almost $50 billion annually as of 2013. A paltry 8 percent of that amount was allocated to “enhanced cybersecurity,” while the bulk of it (72 percent) went toward gathering strategic intelligence and tackling violent extremism.
Rick Ledgett, the former NSA Deputy Director, agreed that the government spent 90 percent of its cyber program expenditure on offensive strategies and concurred that this was skewed.
“It’s actually something we’re trying to address with more appropriations in the military budget,” Ledgett said. “As the cyber threat rises, the need for more and better cyber defense and information assurance is increasing as well,” he added.
The NSA has the most sophisticated cyber capabilities of any U.S. agency, and its mission focuses more on offensive strategies. The NSA has the crucial tasks of gathering intelligence on foreign soil and assisting in guarding government systems.
Debora Plunkett, who headed the NSA's defensive mission from 2010 to 2014, said, “I absolutely think we should be placing significantly more effort on the defense, particularly in light of where we are with exponential growth in threats and capabilities and intentions.”
How much power the government should have in defending the private sector from cyberattacks is still an issue that needs thorough debate.
It is the opinion of some former senior government officials, such as former Secretary of Defense Ashton Carter and former NSA Director Keith Alexander, that U.S. firms and other organizations should not be allowed to entirely protect themselves against states such as North Korea, China, Iran and Russia.
On the other hand, according to executives and engineers, tech companies think that the method adopted by the government is not progressive.
Sophisticated hacking methods mostly depend on weaknesses in computer products. When the CIA or NSA locates such loopholes, under existing policies they often decide to stay mum and retain them for offensive attacks instead of informing the affected companies.
In Cisco’s case, the company alleged that the CIA did not inform it after the agency discovered that information regarding the hacking tools had been released towards the end of 2016.
Yvonne Malmgren, the company spokeswoman, said, “Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers.”