Depending on who you ask, this week’s WikiLeaks leaks — the Vault 7 files said to describe the CIA’s hacking arsenal — are either an unprecedentedly dangerous breach of national security or no big deal. One intelligence official told BuzzFeed that the leak was, “if you look at the big picture, worse than Snowden. What he released led to big headlines and put a few lives in danger. What we have here could potentially put thousands of people in danger in countries around the world. It’s like handing our biggest cyber guns over to anyone with an internet connection.”
Senator John McCain similarly emphasized the severity of the leaks. “You are now looking at ways our intelligence agencies do business being revealed. It has all kinds of ramifications,” he said, later adding, “I can’t tell you how serious this is.” Of course, it is currently in no politician’s best interest to try to downplay any news concerning a foreign power’s hypothetical ability to meddle in U.S. affairs through technology.
On the other hand, Leonid Bershidsky at Bloomberg calls the leaks a “dud,” and Kelsey Atherton at Popular Science says they “don’t live up to the hype.” The thrust of this argument tends to be that it would be naive to be surprised at these supposed revelations: Obviously, the CIA is trying to infiltrate the communications tools of high-value targets. (Furthermore, some of WikiLeaks’s more salacious claims — such as that the encrypted messaging app Signal had been compromised — have not been borne out by the leaks themselves.)
So which is it? “Dud,” or, uh, “biggest cyber gun”? At the center of the dispute are the “cyberweapons” at the heart of the leaks, which allowed the CIA to compromise security mechanisms on smartphones, computers, and Samsung smart TVs. The cache confirms that these weapons exist, and details them, but WikiLeaks is currently declining to release the source code (i.e., the actual software). In its own, characteristically dramatic words, WikiLeaks is “avoiding the distribution of ‘armed’ cyber weapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.”
The idea of these programs being “armed” and “disarmed” is weird language, but that’s neither here nor there. Still, if we consider hacking programs as weapons, then we should also recognize that WikiLeaks is not actively proliferating these weapons, and is outspokenly against such action.
Comparisons to the Snowden leaks are, in some ways, apt — in that both leaks revealed how the intelligence community uses consumer technology to surveil its targets. But the specifics of each reveal are different. Snowden’s biggest revelation was that the NSA was essentially dredging for terrorists by collecting private data on a huge number of Americans, by using man-in-the-middle attacks (this is why end-to-end encryption is still very important).
The CIA’s hacking tools require specific individual targeting — which is much riskier, but yields much greater gains — compromising someone’s entire device, rather than specific services. This type of narrow focus on one individual, or one device, sounds like typical CIA stuff; and according to security experts Tarah Wheeler and Sandy Clark, it wouldn’t scale to widespread NSA-style collection. To strain the “cyberweapon” analogy to its breaking point, Snowden revealed that the NSA was indiscriminately carpet-bombing the United States; Vault 7 reveals that the CIA owns an arsenal of high-powered sniper rifles that most experts had already assumed existed.
The question, then, is what happens to those sniper rifles. As Bershidsky explains, the cache “contains all sorts of publicly available malware, as well as samples tentatively attributed to foreign intelligence services; all that does is confirm that hackers, including CIA ones, aren’t picky about the origins of the products they use.” WikiLeaks’s source claims that the material had been circulating among former U.S.-government hackers and contractors, so all Assange’s organization did was bring leaks that were already happening into the spotlight.
That dangerous hardware and software exploits were being circulated on an open market is much more concerning than the expected eventuality that the CIA will put them to use. In other words, what’s not in the leaks is much more important than what is. Giving public comment yesterday, Senator McCain called for a significant reevaluation of how the intelligence community handles sensitive materials like their cybersecurity arsenal. Significantly, he had less to say about WikiLeaks than he did about the path the leaks took to their servers.