March 2021 - Security

Governments are Embracing Hacking: What does that Mean for Everyone Else?

Governments’ eagerness to avail of hacking has helped generate a dubious ‘grey market’ for zero-day vulnerabilities, warns Ryan Polk from the Internet Society.


Governments around the world are increasingly embracing hacking methods to try to accomplish their law enforcement and national security goals. In the global debate on whether law enforcement should be able to get access to encrypted communications, some see government hacking as a better alternative to weakening encryption through the use of backdoors. Yet government hacking also has serious implications for security, privacy, human rights, and business. 

Government hacking is when governments or contracted third parties exploit unintentional vulnerabilities to get access to encrypted data. This is different from an encryption backdoor, where a vulnerability is intentionally added or maintained on a product to provide law enforcement access to data.

Government hacking can be characterized by two distinctions: what it is used for and how it is performed.

· It can be used for criminal investigations (where they may be looking for specific evidence to be used in a court of law) or for intelligence purposes (much more data will be useful, not just what can be admitted into court).

· The other distinction is between remote hacking (the use of exploits over the network to gain access to communications or data) and targeted hacking of a physical device (the use of a hacking tool to get into a device that is on hand).

In a recent Global Encryption Coalition webinar, panelists from the American Civil Liberties Union, Center for Democracy and Technology, Stiftung Neue Verantwortung, and the Center for Democracy and Technology highlighted some concerns about the impacts of government hacking, and considerations that should be taken into account regarding the practice.

Government hacking activities are increasing globally, with more governments than ever signaling their intent to ramp it up. In the United States, more than 2,000 state and local police agencies have purchased ‘mobile device forensics tools’ to bypass security on mobile devices in their custody.

As Upturn’s Harlan Yu pointed out, these tools have been used for “hundreds of thousands of cellphone extractions since 2015,” including for “mundane cases like graffiti, shoplifting, … and the full gamut of drug related offenses.” In early 2021, European authorities hacked an encrypted phone network, SkyECC, leading to arrests related to organized crime.

Countries like Germany are even considering expanding their government’s mandate to perform hacking operations, such as through the use of ‘state Trojans’.

As a result of governments’ eagerness to implement government hacking, the practice has helped generate a dubious ‘grey market’ for zero-day vulnerabilities (undisclosed vulnerabilities). Usually, when a company finds a vulnerability in their product, they will patch the vulnerability through an update. Government hacking works by exploiting unpatched vulnerabilities in services or devices to provide access. An entire industry was built on finding zero-day vulnerabilities or developing hacking tools that can be sold to governments or other actors. Unfortunately, the same tools being sold to North American and European governments may also be sold to authoritarian regimes, which use them to target activists, or to organized crime to commit cyberattacks. The ACLU’s Jennifer Granick highlighted “the United States Drug Enforcement Agency bought some kind of technology from [Hacking Team]… basically cultivating and participating in this market for surveillance tools.” Hacking Team has been accused of selling its spyware to authoritarian regimes who used it to help commit human rights abuses.

Even if an exploit is not sold to authoritarian regimes or criminal organizations, when a government exploits a zero-day vulnerability or develops hacking tools to do so, other actors can and do discover and exploit it as well. And the consequences are significant. For instance, EternalBlue, an exploit developed by the United States National Security Agency, was discovered and exploited by criminals to launch the WannaCry cyberattack in 2017. The attack infected hundreds of thousands of computers and even brought healthcare appointments and medical operations to a standstill.

Except for those companies supplying tools exploiting zero-day vulnerabilities, government hacking can have negative economic consequences for businesses. When a business experiences a cyberattack, stock prices tend to drop – generally, prices will fall around five percent and brand reputation is damaged after a data breach is announced. As shown with the WannaCry cyberattack, government hacking tools that are ‘in the wild’ can be exploited to attack systems used in business sectors beyond the tech field. Almost every company has some aspect of their business operations that could be impacted by a cyberattack. In the tech industry, opportunities to profit from government hacking can also be an incentive for third parties not to disclose zero-day vulnerabilities to companies so they can patch their product. Selling the vulnerability to a government, or multiple governments, is potentially a more lucrative route.

Despite the view by some that government hacking is a better alternative to weakening encryption through the use of backdoors, as Jennifer Granick noted, “governments are going to push for both, as well as other means of using technology to conduct surveillance.” Both encryption backdoors and government hacking are practices that create serious risks for the security and privacy of people, businesses, and institutions.

As governments consider expanding their mandates for government hacking, there must be a thoughtful dialogue with all stakeholders regarding the real consequences of the practice. Governments should not use government hacking unless within a very strict set of bounds, including only being used in response to serious crimes, with strong judicial oversight, and when there are no other viable alternatives. With more of our economy, institutions, and daily life relying on cybersecurity, we can’t afford to let this practice be abused or create an environment where exploits and hacking tools can so easily fall into the wrong hands.

 

Ryan Polk is a Senior Policy Advisor at the Internet Society. He is primarily focused on issues related to Internet trust. In this capacity, Ryan contributes to the development and implementation of the Internet Society’s policy agenda on key Internet trust and security topics. Ryan is the co-lead on the Internet Society’s encryption project.

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.