“Weeping Angel, Hidden documents”: CIA leaks, professional hackers and upcoming challenges in data protection

Recently, the world was rocked by the release of official documents released from the CIA’s private collection. It was WikiLeaks’s most thorough collection of official documents yet: the vigilante group leaked roughly 9000 documents stolen from the CIA’s specialist digital team. Analysis of the documents revealed that they were designed as a record of new hacking methods, which the CIA had developed in partnership with British Intelligence. According to the leak, CIA hackers had been targeting personal forms of technology such as smartphones and communication apps in order to monitor people of interest in the future and increase their monitoring capabilities.

Both the Wikileaks leak and the various reports that have followed have exposed the detailed ways in which the CIA claimed to be breaking into phones and other electronic devices within the released documents. Many people were particularly frightened by the “weeping angel” program: which was supposedly capable of hacking into television sets, whilst the TV’s appeared to be switched off. It seems, eerily, that “Big Brother” is watching all of us…

However, the problems to cybersecurity do not end with these Orwellian tactics. A report jointly taken up by the National Crime Agency and the National Cyber Security Centre revealed that the rise of interconnected devices is creating a new, aggressive kind of hacker which targets individual citizens. The report believes that “ransomware” is already becoming the next commonplace concern for our increasingly digital society: software which will allow hackers to take hold of people’s personal data such as photos, emails and wearable fitness tracker data. Hackers can then use this information as leverage – threatening to release the personal data of their victims unless a payment is received.

The repercussions of these kind of attacks can be shocking and upsetting to most. We often see pictures of celebrities being released to the masses which they would rather have kept private. Alarmingly, the very apps we use can put us at risk: most recently a huge settlement came out of a company which had gathered and failed to protect information about its customer’s sexual habits.

You can imagine, if these kinds of attacks started occurring to each of us on an individual level, we would most definitely pay whoever was controlling the ransomware to protect ourselves, our private information and our reputations.

These developments and news stories may be alarming for many people outside of the cybersecurity world. This is only natural. As many people are becoming increasingly attached to their electronic devices and methods of document storage, the Wikileaks story becomes terrifying to them in two ways: How do we know if our digital data is safe, and how can we protect ourselves and our data from hackers who want to exploit it?

From the perspective of a cybersecurity professional, however, these revelations should not be shocking to people at all. It is a widely known fact in our industry that anything which we keep connected to the Internet has the potential to be hacked or broken into, whether it’s a phone or even a driverless car. This is the very nature of the digital technologies we have worked so hard to create across the past few decades. Whether or not data is compromised simply boils down to two things: how much patience and time people have to break into something, and the level of resources they can put towards said hacks. Although we know in many cases it can take huge amounts of manpower and time to break into a system, we still have to recognise that it is always a possibility with enough effort and resources put in.

Members of the public must learn that the main reason something is secure is because of the length of time and effort it would take a hacker to break into it – not because the data itself is impossible to access. This can be reflected in the way we should use strong encryption passwords: the length and complexity of the password is directly related to the amount of time it would take a brute-force attack to crack it. Strong controls such as: regularly updated software (e.g. anti-virus and firewalls), being aware of and mitigating phishing attacks and keeping passwords “secret”, is the basis for good security. Sadly, regardless of these practices, people need to start getting real about all of these “leaks” and “hacks”, by recognising that they will inevitably keep occurring as no security system can be bullet-proof. Obviously when it comes to publicly stored data, they represent a greater target and therefore, hacking of personal data will have to be accepted as an even more likely possibility.

If anything, we can perhaps use the aforementioned cyber-attacks and disasters as a way to learn and prepare for the future. The leaks and cyber threats which have consistently been capturing media interest are a prime example of why businesses need procedures in place to install security updates and patches, as part of a strategic and holistic security regime. This works from both the perspective of a business caring for its own protection, or businesses which have a responsibility to their customers and clients by protecting the data which passes through their apps and products. As individuals, we must also take it upon ourselves to keep our “secrets secret”, to be every vigilant against phishing attacks and to monitor our devices for breaches or viruses – especially as organisations increasingly allow us to bring our own devices (through “BYOD” policies) into the workplace. This two pronged approached, which organisations and consumers alike must take together, should be a way to keep most people safe from unwanted attacks.

As long as we look at cybersecurity measures from a presumptive standpoint, in which we consider the possibility of someone being capable of infiltrating our network at any time, it will be difficult to create opportunities for hackers to slip past our security measures, and gain access to data that we’d rather be keeping out of their reach. That way, we can ensure it remains the private property of those who first produced it – and stays away from those people who would seek to manipulate it.

By Phil Beckett is a Managing Director for Alvarez and Marsal.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.