WikiLeaks’ CIA Document Dump: More Questions than Answers

On March 7, WikiLeaks released a large collection of documents from the Central Intelligence Agency (CIA) with a catalogue of technical tools in the agency’s arsenal and the techniques it uses to get around privacy protections. This release has been compared to the ones facilitated by Edward Snowden and Chelsea Manning. While it is comparable in scale, are we premature in comparing their impact?

It should come as no surprise to anyone that the CIA (or indeed any intelligence agency in the world) uses hacking to conduct espionage operations. What is important here is that these methods have been forced into the open. These leaks raise several important questions that must not be derailed by alarmist analyses, mass paranoia, and clickbait content.

We need to first determine the source of these leaks. WikiLeaks has stated that, “the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.” This collection was allegedly being circulated among former contractors, one of whom passed it along to WikiLeaks. This claim has not been verified.

Regardless of whether it was a contractor with a conscience or some unknown actor, the point here is that there was a breach that allowed exfiltration of these documents. Reuters reported that US government officials have known about this situation since late 2016 and are investigating contractors.

Experts have raised the possibility of a Russian role in the breach. The timing of these leaks and the target align with Russia’s agenda of undermining the US government. The leaks could serve to further discredit the US intelligence community and widen the apparent rift between the community and US President Donald J. Trump.

WikiLeaks’ revelation that the CIA has the capability to deflect attribution and that some malware earlier attributed to external threat actors can now be traced back to the CIA could cast some doubt on Russian involvement in the Democratic National Committee e-mail leaks in 2016 and similar incidents across Europe. This would suit Russia’s shadowy cyber agenda well and could potentially damage the credibility of the CIA and the US government with international (especially European) partners.

Another aspect is the commitment that device and technology manufacturers make toward securing the privacy of their consumers. A New York Times article refers to a warning in Samsung Smart TVs’ terms of service fine print that the television sets could capture background conversations even when turned off. This does not mean that the CIA is conducting mass surveillance by listening to every conversation had in front of a Samsung Smart TV. Security experts concur that there has been no evidence of the possibility of remote hacks in these leaks and physical access to these devices is still required.

Robert Graham, a cybersecurity blogger at Errata Security, spoke to Beau Woods, deputy director of the Atlantic Council’s Cyber Statecraft Initiative, about the significance of the leaks. Graham claimed the leaks have provided no evidence that the CIA is doing anything more than conducting legitimate espionage activities on adversaries through human intelligence (HUMINT), unlike the NSA which, as Snowden revealed, was responsible for mass surveillance of US citizens. It does, however, raise uncomfortable questions about consumer privacy and safety.

According to Woods, while nation-state-level adversaries have capabilities to defeat nearly any security measures, basic practices can raise the bar higher than capabilities cyber criminals or ideological actors possess today. This is particularly the case for cars, medical devices, planes, and areas where it’s not just privacy or profit at stake, but much more. Consumers must expect a higher standard of security from technology manufacturers. “Where the consequences of cybersecurity failure impact human life and public safety, such as industrial and vehicle controls systems, such care is merited,” said Woods.

Woods also spoke with Katie Moussouris, founder and chief executive officer (CEO) at Luta Security, who asserted that consumers must demand more of the manufacturers of their technologies. For example, she said: “We, as general consumers of always-on technology, like smart phones, smart TVs, and Amazon Echos, or Google Home services should first of all demand from manufactures an easy hardware disable feature. I can physically cover cameras, but I would have to unplug a TV, or remove my SIM from my powered-down phone to ensure they are not still listening.”

Jason Healey, a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative, also raised questions about the intelligence community’s practice of collecting “zero day” vulnerabilities. In a tweet, he pointed out there is no information on how many of the vulnerabilities listed in the documents were zero days (if any) and whether these vulnerabilities went through the Vulnerabilities Equities Process (VEP). VEP is a framework established to determine whether governments should withhold or disclose software vulnerabilities that they have in their possession. Disclosure of such information allows the manufacturers to fix the vulnerability; withholding it allows the US government to exploit it against its adversaries.

VEP’s efficacy has been questioned by experts and activists since its inception. While some experts continue to push for a better VEP with more transparency and/or inclusion of non-government personnel (with clearance) in the process, others are not too optimistic about any modification in the process. In a blog post, Graham argued that the US intelligence community would have no reason to acquire vulnerabilities if it had to disclose them to manufacturers. He warned that although the CIA would have to disclose any of the zero days leaked by the WikiLeaks dump, it does not mean that activists’ demands for a total “zero day disarmament” will make any headway.

Many security experts also question the potency of the techniques disclosed. “Quite a lot of the exploits outed in the leak are either publicly known, fixed in the latest version, or target outdated systems. By staying even reasonably current on software updates, almost none of these will work,” said Woods.

Another cybersecurity expert, Jonathan Nichols, agreed. “None of the exploits described are above what one would expect from the CIA. No one should be surprised that CIA can hack an iPhone, for example. There has been no shocking or novel exploit described such as a CIA version of Shellshock,” he told Woods.

WikiLeaks has promised that the 8,761 documents and files it has released is just the beginning of a series of data dumps. In the events to follow, it is important to make sure that the right questions are being asked of WikiLeaks, its source, and the CIA so we do not lose important information in a gaggle of outrage.

Asvatha Babu is an intern at the Cyber Statecraft Initiative and a master’s student at American University, studying cyber policy and digital communication strategy. 

Related Experts: Beau Woods and Jason Healey

Image: A man walked through the lobby of the CIA headquarters in Langley, Virginia, in this August 14, 2008, photograph. (Reuters/Larry Downing)