Why the Wikileaks Revelations Are So Important
The latest bombshell from Wikileaks, "Vault 7: CIA Hacking Tools Revealed," is valuable in many ways. The collection of 8,761 documents and files not only teaches citizens how the agency seeks to spy on them by capturing their iPhones and televisions while evading anti-virus and encryption tools, but the group’s thoughtful analysis of the trove also calls attention to the unanticipated dangers to American citizens posed by CIA cyberwarfare.
The documents reveal the complex organization and vast scope of the agency’s hacking efforts, a crucial first step toward establishing oversight and accountability. The net effect is a big plus for people who want to understand the workings of secretive government agencies, and it's a big win for Wikileaks.
In the past, the anti-secrecy group had alienated some supporters with indiscriminate release of personal information and with its apparent alignment with the Russian government during the 2016 election. This release has been redacted to withhold personal information and the code for the cyber weapons themselves. The release does not prove that the CIA spied on President Trump, as some on Twitter are claiming, but it does show how the agency could target almost anyone for undetected surveillance and manipulation.
This release signals Wikileaks’ growth as a whistleblowing organization and journalistic resource. Does the release increase the danger to Americans? It could conceivably help persons planning attacks on civilians by prompting them to get rid of their iPhones and Samsung TVs. But continuing secrecy around the proliferation of cyber weapons also poses dangers, notes Wikileaks editor Julian Assange.
"There is an extreme proliferation risk in the development of cyber 'weapons,’" Assange wrote in a press statement. “Comparisons can be drawn between the uncontrolled proliferation of such 'weapons,' which results from the inability to contain them combined with their high market value, and the global arms trade."
Wikileaks said the source for the material, apparently a former U.S. government hacker or contractor, hopes “to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”
The Wikileaks release highlights a previously unknown problem. The group charges that the released documents show the CIA is ignoring what is known as the vulnerabilities equities process. Created by the Obama administration, the process calls for the government to disclose on an ongoing basis any serious vulnerabilities, bugs, or "zero days" to Apple, Google, Microsoft, and other U.S.-based manufacturers.
The agency's alleged failure to do so actually leaves Americans—even President Trump—as vulnerable as the agency’s foreign targets, says Wikileaks. One piece of CIA malware, the group says, “is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts.”
“By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone—at the expense of leaving everyone hackable.”
So the CIA might be inadvertently allowing foreign hackers, with access to the same code, to take control of Trump’s Twitter account in a moment of crisis. That would be “yuge” and “sad” and maybe worse.
The scope of the CIA's hacking activities across platforms is impressive. The agency's Directorate of Digital Innovation (DDI) is now the organizational equal of the directorates of intelligence, operations, and science and technology, which have existed for more than 50 years. One component of the DDI, the Center for Cyber Intelligence (CCI), had over 5,000 registered users as of last year. The agency’s hackers, says Wikileaks, have “utilized more code than that used to run Facebook.”
While the iPhone is a prime target, non-Apple technologies are also hacked. As of last year, “the CIA had 24 'weaponized' Android 'zero days'” that it has developed itself and obtained from British intelligence, the National Security Agency and private contractors, according to Wikileaks. (A "zero day" is hacker slang for an undetected and exploitable security flaw in software.)
The problem is that, unlike conventional and nuclear weapons, the proliferation of cyber weapons costs nothing, is undetectable and takes very little time.
“Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike,” Wikileaks notes.
If the CIA’s massive secret cyber capabilities are not secure—and they clearly are not—the agency may be generating threats as much as it is preempting them.
The Wikileaks release highlights a counterintuitive truth of a networked world. An open-source approach to cyber-warfare may provide more protection to the average citizen than a secrecy approach, both in terms of individual privacy and the risk of terrorism.
Alex Rice, chief technology officer of HackerOne, a startup that enlists hackers to report security gaps to companies and organizations, told the Washington Post, "The argument that there is some terrorist using a Samsung TV somewhere—as a reason to not disclose that vulnerability to the company, when it puts thousands of Americans at risk—I fundamentally disagree with it."
In other words, publicizing and sharing technological vulnerabilities—not concealing and propagating them—is what will keep Americans and other citizens of the world secure. That’s Wikileaks' latest message and it couldn't be more timely.
Also by Jefferson Morley
Who Wins? Trump v. Koch Brothers on Jobs (March 1)
Three Hard Truths that Trump Is Facing (Feb. 28)