Tech sector, enterprises respond to CIA-hacking leaks

As the dust begins to settle following Tuesday's Wikileaks data dump of U.S. Central Intelligence Agency hacking methods, the technology sector is scrambling to release security patches and warn users to update their software. The 9,000 pages of documents released by Wikileaks, which security professionals believe are legitimate, reveal methods the CIA has developed to circumvent the hardware and software of some of the world's top technology products, including exploits for smartphone operating systems that let agents bypass encrypted messaging apps without breaking their encryption.

Though it has yet to confirm the authenticity of the leaks, the CIA said, "The American public should be deeply troubled by any Wikileaks disclosure designed to damage the intelligence community's ability to protect America against terrorists and other adversaries." It is unclear who provided Wikileaks with the material, but, according to a Reuters report, U.S. intelligence and law enforcement officials suspect U.S. government contractors likely handed over the information. 

Edward Snowden and Harold Thomas Martin were both employed by a government contractor when they leaked sensitive government information. 

Tech sector responds

The leaks revealed a number of ways the CIA can exploit so-called zero-day vulnerabilities in hardware and software without informing the companies of the bugs. 

Google Director of Information Security and Privacy Heather Adkins said, "We're confident that security updates and protections both in Chrome and Android already shield users from many of these alleged vulnerabilities ... Our analysis is ongoing, and we will implement any further necessary protections." 

In an emailed statement to Agence France Presse, Apple said, "While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities." Microsoft and Samsung also said they were "looking into" the revelations. 

There has also been confusion about whether the CIA can break the encryption of apps like Signal, Telegram, and WhatsApp. The New York Times originally reported that it could, but security professionals and Signal have responded that the documents show encryption works. By taking control of a phone's operating system, an adversary gains the same access the user has to every app on the phone, including messages before they are encrypted and after they are decrypted, but that does not mean the encryption itself was compromised.

Open Whisper Systems, which produces the encrypted app Signal, tweeted, "None of the exploits are in Signal or break Signal protocol encryption."

In a blog post, Columbia University's Steven Bellovin wrote, "The existence of these hacking tools is a testimonial to the strength of encryption." 

Speaking in Boston yesterday, however, FBI Director James Comey said, "There is no such thing as absolute privacy in America." In response to the leaks, Comey continued: "All of us have a reasonable expectation of privacy in our homes, in our cars, and in our devices. But it also means, with good reason, in court, government, through law enforcement, can invade our private spaces." 

California Congressman Ted Lieu concluded differently. "It is very disturbing to anyone who cares about privacy," he told The Guardian. "It should also put to rest any argument about encryption backdoors. You can't just give encryption keys to the good guys and hope they don't get to the bad guys. Our best protection is to have no security defects in the products we use." 

Center for Democracy & Technology's Joseph Lorenzo Hall said the CIA documents reveal the U.S. government did not live up to a pledge it gave last year to technology companies that it would share vulnerabilities with them. 

In a blog post, however, security professional Bruce Schneier argued, "there is absolutely nothing illegal in the contents of any of this stuff. It's exactly what you'd expect the CIA to be doing in cyberspace." 

On Thursday morning, Wikileaks' Julian Assange said the organization has decided to share the details with the tech sector. 

Others, however, believe it should be the U.S. government, and not Wikileaks, that shares such data with tech companies.

Threats to the enterprise?

The documents also reveal the nature of the CIA's hacking tools. Unlike the surveillance tools described in the Snowden revelations about the National Security Agency, which can surveil data subjects en masse, the CIA tools are selective and aimed at high-value targets. 

In a column for The Wall Street Journal, Christopher Mims writes that the disclosure "should be a wake-up call to essential personnel in governments, corporations, nonprofits, and media outlets: If you find yourself in the crosshairs of a hacker, your digital life could get owned like never before." He says the ability for adversaries to compromise our devices at deep levels means enterprises should be concerned, especially with the fact that many employees use their own devices for work and personal purposes. 

He notes that our phones "are the nexus of our lives" and that the line between our work and personal devices is blurry. "The same devices that have access to our corporate networks are also where we browse the internet and let our children play games. As soon as they are breached through personal use, they become vectors into our professional lives," he warns.

Mims' column also backs up a Privacy Perspectives post from earlier this week that pointed out trends in the rise of enterprise communications vendors, a category of privacy tech solutions the IAPP has identified in its Privacy Tech Vendor Report.

Photo credit: Official U.S. Navy Imagery, "USS Barry conducts practice pipe-patching drills during MultiSail 17," via photopin (license)

Written By

Jedidiah Bracy, CIPP/E, CIPP/US
