A recent discussion with friends about how, on a trip to Singapore, the vast network of government-run surveillance cameras was both reassuring from a security standpoint and creepy, made me recall a story from earlier this summer in which such cameras in Mexico City were pressed into malicious, murderous use by a hacker working on behalf of a drug cartel.
Back in 2018, the hacker, affiliated with the Sinaloa cartel run by the infamous El Chapo, used the city’s surveillance cameras along with phone records belonging to an FBI official to hunt down and murder informants. The ins and outs of the operation came to light in an audit of the bureau’s efforts to mitigate the effects of technical surveillance, released by the Justice Department Inspector General back in June.
The audit report recounted how the hacker monitored people entering and leaving the U.S. Embassy in Mexico City, eventually identifying an FBI Assistant Legal Attache (ALAT) whose mobile phone number was then used to see calls made and received and associated geolocation data. The FBI said the hacker “also used Mexico City’s camera system to follow the ALAT through the city and identify people the ALAT met with.” That information was used, according to the case agent, “to intimidate and, in some instances, kill potential sources or cooperating witnesses.”
Thomas Richards, infrastructure security practice director at Black Duck, calls the Mexico City incident “a devastating example of how invasive government and private sector surveillance has become.” It’s not the first time, of course, that we’ve seen technology meant to secure and safeguard turned into weapons in the hands of cyber miscreants. In this case, the surveillance cameras, installed to fight crime, actually helped perpetuate it.
The cartel-affiliated hacker didn’t have to move mountains to execute his deadly scheme; he just had to exploit obvious security holes. “Both as a CIA officer and federal cartel prosecutor, I have long been concerned about growing threats to the use of undercover assets with ever-increasing video surveillance, analytical tools, and, now, AI. Identifying an FBI attaché at an embassy would not be difficult at all,” says Bryan Cunningham, president at Liberty Defense and a former lawyer at the White House and career CIA officer.
In many cases, Cunningham notes, “they are not even under any sort of cover, unlike most CIA officers would be.”
He expressed some skepticism that the miscreant hacked into the Mexican telecom and said it was more likely “the Cartel had penetrated the telecoms themselves.” Likewise, “it is at least as likely that the MC camera data was provided by a corrupt insider as that it was actually hacked,” he says, noting that both entities are significant risks, “particularly in countries known for corruption.”
Part of the problem, says Deepwatch Field CTO Chris Gray, is the blurred lines between work and personal platforms. “Gone are the days of air-gapped computers and TEMPEST-hardened workplaces. We all carry our work, or at least access to it, in our pockets daily,” he says. As a result, security leaders often find themselves having to balance protection with availability, and “end users are almost always pushing for the latter.”
The quest for ubiquitous access and mobile operations “has effectively shattered our perimeters,” Gray says, explaining that the focus has been on access. “SaaS platforms allow access to remote users and systems, relying upon the secure configurations and programmatic protections resident on those processes and technologies,” he says. Unfortunately, as he points out, technological capabilities may have kept up, “but the application of those controls often lags.”
Those potential security gaps, coupled with a vastly more savvy, capable and well-resourced cybercriminal, lend urgency to mitigating the potential for exploitation posed by surveillance tech. “Imagine how much more vulnerable undercover officers and agents are now in the age of AI and even more ubiquitous surveillance,” says Cunningham.
He praised the IG for bringing the dangers of surveillance schemes into stark relief. “This also shows the value of government Inspectors General, without which these risks likely never would have been known to the public or Congress, and maybe not to the FBI itself,” he says.
IG Recommendations for the FBI: