Government hacking raises new security concerns

Published 20 September 2018

News of governments such as Russia and North Korea deploying their tech teams to hack into companies for political reasons has made headlines (think Sony after release of the movie The Interview). But what about when the U.S. government “hacks” to get around security measures designed to protect consumers? Can those hacks backfire and put us all at risk? Riana Pfefferkorn, Cryptography Fellow at Stanford Law School’s Center for Internet and Society, looks at these issues in a new paper, Security Risks of Government Hacking. Pfefferkorn discussed her findings with Sharon Driscoll, director of editorial strategy at the Stanford Law School and editor of the Stanford Lawyer.

Sharon Driscoll: Your paper explores the security risks posed by government hacking. Can you explain government hacking?
Riana Pfefferkorn: “Government hacking” refers to when government investigators use vulnerabilities (bugs) in software and hardware products to, first, gain remote access to computers that have information the investigators want, and then remotely search the computer, monitor user activity on it, or even interfere with its operation. These hacking operations can be conducted by intelligence agencies or law enforcement agencies, in furtherance of criminal, national security, or terrorism investigations.

Driscoll: Does the U.S. government have the technical expertise for that? Are they typically government employees?
Pfefferkorn: The U.S. government, particularly its intelligence agencies, likely has more technical expertise than most if not all other countries in this area. And law enforcement agencies like the Federal Bureau of Investigation request funding from Congress every year to develop their capabilities even further.

Sometimes the people developing government hacking techniques are government employees, and other times not. As the paper explains, the U.S. government may discover vulnerabilities itself and build “exploits” that make use of those vulnerabilities. But there is also a market where third-party entities (that are not governments themselves) sell software and services to governments to conduct their hacking operations, and the U.S. government buys from that market too. For example, in the “Apple vs. FBI” case, the government bought an exploit from an unnamed third party in order to break into the San Bernardino shooter’s iPhone.