Last week, WikiLeaks released thousands of documents that allegedly exposed the hacking tools the CIA used to bypass encryption methods. Security experts are still reeling from these revelations. But one question remains: how could such a vast amount of confidential information be leaked without the spy agency noticing?
According to a report from The Wall Street Journal, FBI officials currently investigating the leak have identified independent contractors as the potential sources. If this is true, the perpetrators likely followed the same disclosure methods as another former contractor: Edward Snowden.
In November 2013, Venafi issued an analysis indicating that Edward Snowden used the NSA's own cryptographic keys and digital certificates to steal the agency's classified data. Roughly two years after our announcement, a leaked NSA memo confirmed that a highly privileged digital certificate was used in the compromise. Unfortunately, the latest leak from the CIA indicates we are still misusing the power of keys, certificates and encryption.
“Every organization’s security posture is heavily influenced by their partners, and this is especially true for the Federal government,” says Kevin Bocek, Venafi VP of security strategy. “We saw with Edward Snowden how the use of encryption and digital certificates was turned against the NSA.”
Encryption is a powerful instrument when used properly; however, bad actors and agencies can use the tool maliciously. We expose ourselves to great risks when we utilize formidable security tools without support or awareness. As Bocek explains:
“The government is pushing to encrypt everything and authenticate every machine. However, there was no guidance given on how to protect this incredibly powerful technology that is still today classified as a munition.”
As we learn more about the exposure and methods of the CIA’s hacking tools, we must continue to strengthen our keys and certificates in positive ways. At the end of the day, encryption must not be broken or exposed, but reinforced and protected.
“Encouraging the use of powerful technology like encryption without guidance is akin to offering up F-16s with no training. Because there is no oversight focused on how encryption is secured, it’s entirely likely that we’ll see more government agency breaches like this one in the future,” concludes Bocek.
Do you have stronger key and certificate security than the CIA?