For those of you who have not been following #hackingteam on Twitter, let me summarize. Hacking Team is, or maybe was, an Italian cyber surveillance company that sells tools to law enforcement and government security services around the world. While claiming to abide by human rights and weapons exportation rules, they have been accused by researchers at the Citizen Lab and others of selling their wares with less discrimination.
This week, hackers apparently thoroughly infiltrated their corporate network and published internal records, invoices, and technical documents detailing the extent to which Hacking Team was consciously seeking to circumvent law and regulation. Additionally, it appears that their surveillance technology is being furiously examined by global security researchers and privacy advocates seeking direct and targeted countermeasures. This will likely result in a safer Internet for everyone as security holes are discovered and plugged.
#hackingteam on Twitter also reveals the global scope of their reach. The sheer linguistic variety of the uproar appearing on a single hashtag is testament to the many people around the world whose governments have purchased and employed Hacking Team’s technologies. There are a lot of angry Internet users out there.
Which brings me back to the NSA. From the Snowden revelations, most of us are aware of the effort and technical surveillance capacity of the NSA. Does anyone doubt that the NSA could hack Hacking Team to the same or greater extent while keeping it secret? Hacking Team was seemingly tailor-made for the NSA. As documented in the hack, Hacking Team itself employed laughably weak passwords and security. Its signature surveillance tool had a backdoor, unknown to its customers, that allowed Hacking Team access. It sold its products around the world, to companies and to regimes, with a “Made in Italy” rather than a “Made in USA” stamp.
One need not look further back than the story of ENIGMA to see how this might be useful. After World War 2, the British and US governments did not reveal that they had cracked ENIGMA but kept it a closely guarded secret for decades, while supplying governments around the world with surplus and new ENIGMA machines to “protect” their sensitive communications. For much of the Cold War, ENIGMA offered the communications of user countries no protection against Western surveillance.
Given the recent revelations about government-level hacking attacks directed at Kaspersky, it would be foolish to think that the NSA had not hacked Hacking Team and was not using its capabilities to surveil its client base, especially in countries where the US might not have a strong asset base. Where the NSA might have to struggle to obtain access, Hacking Team, with the cooperation of a foreign government, would build its tools into the national network infrastructure as a default.
This leaves governments that want to surveil their citizens in a very difficult position. They can choose to acquire surveillance tools from a large country such as the US, China, or Russia with the understanding that those tools are likely backdoored to the intelligence community of the country of origin. They can acquire tools from private sector vendors like Hacking Team, which lack the resources, skills, and expertise to defend themselves from hacking attacks by national intelligence organizations. Or they can try to develop an internal capacity at great cost.
The market for user surveillance tools has reached a turning point even before treaties on cyberweapons begin to advance. With the advent of aggressive nation state surveillance, private sector surveillance companies are little more than proxies for nations, wittingly or unwittingly. Nations will be left with a stark choice: whom do they fear more, their Internet users or foreign surveillance?