Today, CIS is publishing a whitepaper called “Security Risks of Government Hacking.” Also called “equipment interference” or “lawful hacking,” government hacking allows investigators to exploit hardware and software vulnerabilities to gain remote access to target computers. We hope our new publication will make a valuable contribution to policy discussions about this important topic.
Government hacking is often lauded as a solution to the “going dark” problem. Some experts believe that, if regulated, government hacking is preferable to mandatory “backdoors” for accessing encrypted data. However, the security risks of government hacking have not been thoroughly explored. The premise of this whitepaper is that the risk of government hacking, compared to an access mandate, is relatively under-examined. We should not take it on faith that government hacking is a safe practice. This is why we need more discussion and research on the security risks of government hacking. Understanding those risks is necessary for technologists and policymakers assessing the desirability of government hacking as a responsible option for law enforcement to achieve its objectives.
CIS, in conjunction with Mozilla, hosted a series of convenings on government hacking in 2016 and 2017. This whitepaper grew out of the February 2017 panel discussion on government hacking’s implications for computer security. Our February 2017 panel, and this whitepaper, are meant as a starting point for further work as the national, indeed global, debate over encryption and law enforcement powers continues. We look forward to the conversation.