Complete Control Over a Phone
WhatsApp (Facebook) alleges in a lawsuit that a surveillance (aka spy) company exploited a vulnerability and inserted spyware into the WhatsApp app and was using it to spy on hundreds of human rights activists, journalists, and lawyers.
The spyware, known as Pegasus, gives the attacker complete control over a phone's functions without the victim's knowledge or interaction. The victim doesn't even need to accept a phone call or send or receive a message.
Is it a National Security Interest?
The end-to-end encryption that WhatsApp uses prevents casual observers from reading messages in plaintext. That has always been a challenge for government intelligence agencies when they have a legitimate national security interest in learning what two bad guys are saying to each other.
These intelligence agencies have previously called for technology companies to build backdoor access that only they can use to view users’ conversations. The refusal of the tech industry to capitulate has led to a multi-million-dollar market for companies like the defendant who sell spyware and exploit kits to government agencies who lack the legal or technical capability to create their own.
While most of the surveillance companies have recently introduced politically correct human rights protections into their software, they can also plead plausible deniability: once their product is in the field, they have little or no oversight of whom their customers target with it.
Weaponizing Malware: More than Just a Legal Concern
Whether or not the spy firm is found guilty and held liable for spying on these targets, the issue raises serious questions about the private espionage industry as a whole. The most challenging among them is whether private companies can be trusted to ensure their digital weapons don't end up in the wrong hands. And if so, what mechanisms would verify that trust?
The first part is obviously easy to answer. Our own top spymasters at the NSA vividly demonstrated that risk by creating EternalBlue and then failing to protect it; it was stolen by the Shadow Brokers in 2017 and used to execute the now globally infamous WannaCry ransomware attack, which crippled thousands of computers around the world.
If Facebook prevails in the lawsuit, the resulting waves will completely change the rules around weaponizing this class of malware, and we will see multiplying lawsuits against governments whose cyber tools have been stolen, leaked onto the dark web, and used in cyber-attacks against special interest targets.
Malware Beyond the Traditional Cybercriminal
A simple scenario under which a targeted entity could capture the malware for re-use would be to set up a honeypot on a prepared device, recover the code, and reverse engineer the exploit as well as the exploit code itself. This is not unlike recovering an unexploded enemy weapon on your own property and re-using it against a new target belonging to an adversary.
One other troubling question that arises from all this is whether states should be allowed to use commercial third parties to do the dirty work that the state actors are unable to do through a lack of capability, or not allowed to do by law.
Facebook’s lawsuit accuses the defendant of violating the Computer Fraud and Abuse Act (CFAA), a law that is usually used to punish hackers for cybersecurity attacks. The CFAA was enacted in 1986 as an amendment to the first federal computer fraud law to address hacking.
Over the years, it has been amended several times to cover a broad range of conduct far beyond its original intent. The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization but fails to define what “without authorization” means. With harsh penalty schemes and malleable provisions, it has become a tool ripe for abuse and use against nearly every aspect of computer activity.
This lawsuit may present an opportunity for the many who oppose the CFAA to craft a replacement, so some definite good may come out of this regardless of the specific outcome for Facebook or the NSO Group.
The Existential Backlash isn’t Purely Philosophical
The suit also pits one industry against another: a tech industry suffering a severe bout of existential techlash from people who associate tech companies with what is wrong with society, and a surveillance industry sporting its own long list of ethical issues, obsessive secrecy, complaints, and negative public opinion.
Here are two bad actors. Choose your least favorite.
While legal experts caution Facebook that its use of the CFAA is problematic, a courtroom win for the giant social media monster would be welcome news on the PR front as it continually battles an image problem over its draconian misinformation and disinformation policies.
Facebook's problems aside, this case resurfaces the nastier complexities of the cybersecurity business and forces us to ask the questions nobody wants to answer. If it were up to John Kerry, we'd all look the other way, go skiing in France, and hope nothing bad happens. If, on the other hand, it were John Bolton's call, we'd all be working for the NSA.
The only winners here are the lawyers.