The CIA leaks are making huge waves across the world. In a nutshell, the documents claim to reveal some of the CIA's hacking capabilities. Many privacy advocates believe that exposing secrets like these is a net benefit for citizens because it provides transparency into government action. The media also likes leaks like these because they provide excellent story fodder.
But there is one thing that no one is talking about with these leaks, and it has serious long-term consequences for all of our foreign relationships. The concept is called attribution in the intelligence field, and it's important that everyone get an idea of what it is and why it matters so they can put the real danger of these leaks into the proper context.
What is Attribution?
Attribution is the ability to accurately trace the evidence of an event back to whoever caused it. Even if you don't know the term, these examples will make it quite clear. Let's say you're a child on a school playground. You tell your best friend a secret that you don't want anyone else to know. A few days later, the whole school knows. If you know you didn't tell anyone, who told the secret? The obvious one to blame is the best friend. That breach of trust could end your friendship.
That’s a simple example. A more complex one is a murder case. Let’s say that your neighbor kills your best friend in your house, but isn’t caught. Instead, you are accused and you spend a lot of money on lawyers to get the charges dismissed. Your reputation is damaged, but you stay out of jail. The case grows cold.
Now, let’s say over time you become close friends with your neighbor. Later, for whatever reason, the neighbor gets his DNA analyzed and there is a match to the old murder. The neighbor might get arrested, but how would you react?
In the first case, the fact that only one other person knew the secret and it leaked lets us attribute the leak to that person. In the second, a telltale biological fingerprint that is impossible to forge creates an attribution that wasn't there before and provides ironclad evidence that you weren't involved.
Leaking and Attribution
Put bluntly, the general public and the media are overreacting about how much the CIA might or might not be using the leaked tools to spy on them. A much more serious concern is what every other government in the world is thinking about the information in these leaks. Here's why.
One of the roles of any government is to protect the interests of the country and its citizens. Countries use intelligence networks, spies, hacking, and other espionage techniques to gather information in advance about what their enemies and their allies might do next. Failing to get that knowledge puts the country at risk of something called information asymmetry. Other countries can get more information about you than you can about them. It’s like they can peek at your hand in a game of poker before the betting round, but you can’t.
The CIA’s role in America’s spy networks is international intelligence. The CIA isn’t going to turn their attention to people inside of the U.S. unless there is an extraordinarily good reason, despite what conspiracy theorists may think. But foreign governments definitely know the CIA will have at least thought about spying on them at some point. However, unless a spy was caught red-handed and confessed they were a CIA operative, it’s hard for a country to accuse us of spying on them in a specific instance. In short, there is no attribution. Just guesses.
What the CIA leaks do is give information to every government who wants to know how we might hack them. It is extremely difficult to attribute a hacking attack to a specific state actor, despite what the media and television might lead you to believe. You might be able to detect the attack and gather forensic evidence about a hacking incident, but until you can get definitive proof that another country knew about that particular exploit at the time of the attack and had the tools necessary to leverage it, you can’t say for certain. The leak now gives other governments details they can use to analyze their old forensic data and see if there is a match, much like the DNA evidence in the earlier example.
In short, now they can prove that we peeked at their poker hands, and they know how we did it. The "how" is crucial not just for attribution, but for understanding how hacks between governments are conducted.
The overwhelming majority of breaches are the result of exploiting known vulnerabilities (for which patches exist), many of which have been public for over a year. But those aren't the vulnerabilities that governments generally want to exploit. They want to target 0-day vulnerabilities with 0-day exploits. A 0-day vulnerability is a bug in software that is unknown to the vendor and the public. A 0-day exploit is the software that leverages a 0-day vulnerability, usually to grant its user access to and control over the target. 0-days are the secret in the playground of geopolitical hacking.
Governments want to keep some 0-day exploits as state secrets. Once an exploit is revealed, a defense against it can be built in as little as 24 hours. An unrevealed 0-day exploit can be used for 6 months or even years. That is a lot of time for a government. But governments don't want to use these too often anyway. Each time a 0-day exploit is used successfully, it leaves behind some form of forensic evidence that could later be used to gain attribution. The first use might be a surprise. The second will reveal patterns shared between the two attacks. The third runs the risk of getting caught.
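The two mechanisms described above, reuse of the same tooling across several intrusions leaving a shared pattern, and a leak later supplying the details needed to match old forensic data against it, as an added example that is not part of the original post. Every incident record, every indicator and the "leaked" indicator set are constructed placeholders (the IP addresses come from documentation ranges); none of it comes from any real leak or real intrusion.

```python
"""Retrospective attribution by artifact overlap (added example, constructed data)."""
from collections import defaultdict
from itertools import combinations

# Constructed artifact sets recovered from four past intrusions. In practice these
# would be mutex names, file paths, hashes and C2 endpoints pulled from case files.
INCIDENTS = {
    "incident-A": {
        "mutex:Global\\example_mtx_1",
        "c2:203.0.113.14:443",
        "path:%APPDATA%\\example\\upd.dll",
        "hash:constructed-hash-0001",
        "regkey:HKCU\\Software\\ExampleCo\\Run",
    },
    "incident-B": {
        "mutex:Global\\example_mtx_1",
        "c2:203.0.113.27:443",
        "path:%APPDATA%\\example\\upd.dll",
        "hash:constructed-hash-0002",
    },
    "incident-C": {
        "mutex:Global\\other_mtx_9",
        "c2:198.51.100.5:8443",
        "path:C:\\Temp\\x.exe",
        "hash:constructed-hash-0003",
    },
    "incident-D": {
        "c2:203.0.113.14:443",
        "hash:constructed-hash-0004",
        "regkey:HKCU\\Software\\ExampleCo\\Run",
        "path:C:\\Users\\Public\\n.dat",
    },
}

# Constructed indicator set "extracted" from a hypothetical leaked tooling document.
LEAKED_TOOLKIT = {
    "mutex:Global\\example_mtx_1",
    "path:%APPDATA%\\example\\upd.dll",
    "hash:constructed-hash-0002",
    "useragent:ExampleAgent/1.0",
}


def jaccard(a, b):
    """Overlap ratio |a & b| / |a | b| between two artifact sets (0.0 when both empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link_incidents(incidents, threshold=0.25):
    """Pairs of incidents whose artifact overlap suggests the same tooling was reused.

    This is the "second attack reveals a shared pattern" step: it needs no leak,
    only the defender's own stored forensic data.
    """
    names = sorted(incidents)
    return [
        (x, y)
        for x, y in combinations(names, 2)
        if jaccard(incidents[x], incidents[y]) >= threshold
    ]


def match_leak(incidents, leaked):
    """For each incident, the artifacts it shares with the leaked toolkit description."""
    return {name: sorted(arts & leaked) for name, arts in incidents.items()}


def attribute(incidents, leaked, threshold=0.25):
    """Label each incident: 'direct' if it overlaps the leak, 'linked' if it is
    connected by artifact reuse to a direct match, else 'unattributed'."""
    direct = {name for name, shared in match_leak(incidents, leaked).items() if shared}
    adjacency = defaultdict(set)
    for x, y in link_incidents(incidents, threshold):
        adjacency[x].add(y)
        adjacency[y].add(x)
    # Propagate from the direct matches across the reuse graph.
    reached, stack = set(direct), list(direct)
    while stack:
        node = stack.pop()
        for neighbour in adjacency[node]:
            if neighbour not in reached:
                reached.add(neighbour)
                stack.append(neighbour)
    return {
        name: "direct" if name in direct else "linked" if name in reached else "unattributed"
        for name in incidents
    }


if __name__ == "__main__":
    for pair in link_incidents(INCIDENTS):
        print("reuse link:", pair)
    for name, label in attribute(INCIDENTS, LEAKED_TOOLKIT).items():
        print(f"{name}: {label}")
```

Note what the result does and does not show: incident-D never overlaps the leaked toolkit at all, yet it gets pulled in because it shares infrastructure and a persistence key with incident-A, which does. That is exactly why repeated use of the same 0-day tooling is costly. Overlap is a lead, not proof; once tooling details are public, anyone can reuse them, so a post-leak match still needs corroboration before it becomes attribution.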
The value of these exploits varies and is determined by operational need, how rare the exploit is, how likely it is to be discovered or detected, and so on. Governments can pay as little as tens of thousands of dollars or as much as several million dollars for a single 0-day exploit. Each time a 0-day exploit is used, its lifespan is shortened significantly. In some cases, a 0-day is used only once before it is exposed (burnt). In other cases, 0-day exploits may last years before they are burnt. One thing is always true: if governments are going to spend millions of dollars on 0-day exploits, they are not likely to use them on low-value targets like everyday civilians or for easily detected mass exploitation. They are far more likely to be used against high-value, well-protected targets where detection of the breach simply isn't an option.
Because these are not open secrets, when 0-day exploit information is released in a leak it becomes far easier to attribute past attacks to that state, and it diminishes that state's intelligence capabilities. Furthermore, every other government now has leverage against that state, and could even have grievances. They could feel like the unjustly accused murder suspect. And unlike the suspect, states have options that citizens do not in terms of how they can retaliate, such as levying sanctions or declaring war. Worse, they could even gain the moral high ground, even though they might be doing the same thing, because they managed to keep their intelligence information secret.
Regardless of whether you think leakers and whistleblowers are heroes or traitors, there are consequences for leaking intelligence information to the world. The average American citizen doesn’t know and can’t know what the foreign consequences will be. Before you go out and cheer the next leak, consider what the consequences might be for our country now. What does it mean when we lose our intelligence capabilities and our enemies don’t? What does it mean when our enemies and allies know just how, when, and most importantly, who managed to hack them?