5 December 2016

Why the Snooper’s Charter is also a hacker’s charter

By Henry Williams

Much of the debate over the Investigatory Powers Bill, which received royal assent last week, has centred around the bulk harvesting of our communications data. It was these concerns which led to the new law being dubbed the “Snooper’s Charter”.

One aspect of the law which has received less interest, however, is the hacking powers it gives to government agencies. Yet as the creator of the World Wide Web, Sir Tim Berners-Lee, suggested to the BBC, “the bulk hacking powers in the Bill risk making the internet less safe for everyone”.

This is because, in terms of cyberwarfare, government departments are now faced with a digital version of the Coventry Dilemma: do they reveal the intelligence they have, so that software can be patched up? Or do they keep it to themselves and hope no one else comes across the vulnerability they have discovered?

The Investigatory Powers Bill does not only provide for defensive measures – using this vast harvesting of our personal data to pick up more clues from criminals, terrorists and hostile governments. It also permits offensive measures: hacking and using digital exploits which equip the government to wage cyberwarfare.

Some of the powers proposed by the new law are fascinating, if not a little troubling.

For instance, the authorities can compel messaging services to provide them with unencrypted messages so they can work out the encryption systems (the equivalent to catching an Enigma machine mid-broadcast).

They can also compel software companies to give them first access to any updates or patches they are developing, in order to check that their hacking techniques will still work. Hence Apple’s concern that under the new law, the next time you update your iPhone, there’s a good chance the Government will have already checked it is still hackable.

But the most powerful weapon the new law makes allowance for is the state use of “zero days”. Zero days are the rarest of hacking tools – undiscovered chinks in mainstream software such as iOS or Windows, which can sell for millions on the open market.

They are called “zero days” because once the hack is launched, the target has zero days’ notice to patch it up. They do not even have to be complicated pieces of code.

A vintage example would be a flaw in many laptops’ security in the 1990s, under which the password could be bypassed simply by pressing the Escape key.

The potential of zero days is such that hackers have set up their own firms like the Malta-based ReVuln, which happily sell their findings to the highest bidder, or Zerodium, which has offered a bounty of $1.5 million to the first person who successfully jailbreaks Apple’s latest iOS update.

And governments have not been slow to realise the opportunities presented by this market. A report by Reuters found that the United States’ digital spy agency, the NSA, was the number one purchaser of zero days on the open market.

Typically hackers will act through either a specialist middleman such as Zerodium, or a defence contractor such as Northrop Grumman, which will then pass their discovery on to government.

There is nothing to stop hackers selling to multiple buyers in this grey market – but the logic of the hack means that as soon as it has been launched it becomes less effective.

As of its last audit, GCHQ had stockpiled 20 zero days to use in cyberwarfare. Such is their rarity value that the use of a zero day in a cyber-attack is a good indicator that it was state-sponsored.

It is certainly a good thing that the UK is defending itself against cyberwarfare, with Chinese and Russian hackers high up on the list of those known to be targeting British interests.

But Western governments’ involvement in the zero day market has created two major headaches for the developers who manage everyday software, from iPhones to infrastructure.

The first is that government money has made the zero day market much more lucrative. Previously, many tech firms would offer a bounty to hackers who alerted them to holes in their software. Now the same hackers can sell the same work to governments, who are willing to pay a lot more.

The developers have upped their offers but they are still outgunned by the state. That tilts the market towards the poachers rather than the gamekeepers. As one middleman between hackers and their government buyers, going by the not so reassuring moniker The Grugq, told Forbes: “If they want their bugs fixed, [tech firms] can buy them at market rates like everyone else.”

While The Grugq was confident that most people would only sell to Western governments (the Chinese have their own teams working on finding zero days, and criminal networks are notoriously bad payers), this is no guarantee that they will be the only participants in this now thriving market.

The second problem with zero days is that once a government has paid millions to acquire a bug, it has no incentive to tell the developer about the hole in their software. But GCHQ’s stockpile of 20 zero days is also a stockpile of 20 security holes that other hackers might discover, and use for much less enlightened purposes.

This problem was illustrated after GCHQ supplied some of the four zero days contained within the Stuxnet virus. This complex piece of malware infected Iran’s uranium-enrichment programme by worming its way from infected Windows computers to Siemens industrial software, eventually causing Iran’s nuclear centrifuges to spin too fast and then blow up.

Stuxnet was followed up with another virus called Duqu. When hackers became aware of it, they reverse-engineered some of the malware components and repackaged them. That exploit then became one of the most popular hacks of 2012, used to access many people’s financial data.

It is this market for holes in our day-to-day software which should be the major concern with Britain’s new data law.

“The Government’s goal ought to be getting the vulnerabilities in our systems resolved as soon as possible,” says Dr Richard Tynan of campaign group Privacy International. “Especially as devices become more pervasive and embedded in everyday objects, while systems are increasingly being trusted to make decisions in place of people.”

It is an argument similar to calls for nuclear disarmament. If the government used zero days to patch up our everyday software rather than hold on to them as weapons, we would all be more secure – while potential weapons in our opponents’ arsenals could be rendered useless.

GCHQ’s actions suggest the government is aware of this argument but is engaged in a delicate balancing act.

Much like during the Cold War, the government has prioritised the ability to retaliate against an unpredictable foe over more pedestrian concerns about our day-to-day security.

The ultimate message of the Investigatory Powers Bill is that we will have to trust them much more than they trust us.

Henry Williams is a freelance journalist based in London.