Why this and why now?
The recent CIA leak has demonstrated a fact that bears repeating: “Encryption works.”
This is an Edward Snowden money quote. However, the context for the quote is really really important: “Properly implemented strong crypto systems are one of the few things that you can rely on.”
Encryption is math and that is why it works. But math won’t magically transform your thoughts into scrambled communication and beam them across to the other side of the planet to magically unscramble them into the mind of the receiver.
You need hardware, like a laptop, tablet or phone, and software in the form of an operating system, like Windows, iOS or Android, plus an encrypted messenger like Signal, WhatsApp or iMessage to actually communicate in private. This is where the math happens. But this is also where the trouble starts.
The thing is, math has to be written into code for the hardware to do the magic. And code is always full of bugs. So even the most magnificent encryption algorithm can be defeated by a misplaced greater-than sign in the code of the app or a fault in the operating system. And the worst bugs (so-called zero-days, since it has been precisely zero days since they became known to the software vendor) can be used against the software to make it do stuff you don’t want, like reveal your scrambled messages.
This leads to the final part of that Snowden money quote: “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” Because of the complexity of the hardware and of the software running on the machines, even the most well-developed secure messengers can be circumvented if an adversary has direct access to the machine. And this is what the leak shows the CIA are capable of, although this is in no way news.
On the other hand, this is actually the good news. It is much more costly and difficult to get access to individual machines than to just vacuum up unencrypted communications from the network. Often the spooks need hands-on, physical access to the device. It is still much cheaper for the spooks to break into your house and implant your smart TV than to hide a custom microphone bug in your desk lamp. But it is still costly.
By using encrypted messengers, you raise the cost of mass surveillance and “make the bastards work for it” if they really want access to your private communication. Zero-day exploits, especially against iPhones, are super expensive. So unless you are worth the expense, you don’t get the attention of the spooks.
There are of course problems with the fact that governments all over the world buy up, weaponize, stockpile and keep the worst computer bugs (a.k.a. the best zero-days) secret from the public. In the end, this makes everyone less safe, but at this point it is less of a problem and more of a fact. There’s not much you can do about it, at least in the short term. Just because everything is broken doesn’t mean that everything is hopeless. Software gets updated and bugs get fixed. Public health is a better metaphor for information security than warfare (with or without the cyber prefix).
I think the actually interesting questions raised by the leak are the why and the who. Who leaked it, and why now? We are living in a time of open information conflict between the great, formerly great, and/or great again powers of the world, and the release of sensitive information is not a neutral gesture but an intentional tactical or strategic act. The question that needs to be unraveled is: at which goal was this information aimed? In order to actually understand the leaked information, we need to know its geopolitical and geostrategic context, and so far there is only speculation.
Originally published on Medium.