17 March 2017

Wikileaks and the CIA: What’s in Vault7?

by Adam Segal

On Tuesday, Wikileaks released a huge cache of documents it said were descriptions of CIA cyber tools used to break into smartphones, computers and internet-connected TVs. Wikileaks says the documents came from an inside source–speculation is it is either a CIA operator or contractor–and claimed the release was meant to spur a debate over “whether the CIA’s hacking capabilities exceed its mandated powers” and “the security, creation, use, proliferation and democratic control of cyberweapons.” In any case, it is damaging to the CIA and another in a growing list of embarrassing instances of the U.S. intelligence agencies losing control of their digital weapons (see, for example, Edward Snowden; Shadow Brokers; Harold Thomas Martin III). 

Here’s a roundup of what we know so far: 

Did the CIA break the internet? No. Unless you are already a CIA target, you are unlikely to get hacked by any of these tools. NSA tools work at internet-scale, sucking up as much data as they can legally acquire and sift through it later. According to the Wikileaks dump, the CIA malware is different in that operatives must want to target you specifically, and in some cases, require physical access to implant malware into your iPhone. Unless you’re a Chinese spy, a member of the self-declared Islamic State group, or selling nuclear material to North Korea, the CIA is not interested in your cat videos. Also, the CIA operations did not break or bypass encrypted messaging apps like Signal or WhatsApp. As far as we know, encryption remains strong. If someone is already in your phone, they can take screenshots or log your keystrokes–no amount of encryption will save you from that. Also, according to much of the technical analysis out there, the tools are not particularly sophisticated. CIA operators recycled attacks, techniques, and code that has been used by many others. Still, as always with these reports of vulnerabilities, you should update your phone’s operating system. 

Is there a Russian angle? Wikileaks claims the documents came from a whistleblower with a conscience. James Lewis of the Center for International and Strategic Studies believes it is more likely that a foreign power was behind the leaks. No matter the source, bots have been set up on Twitter to promote fake stories arguing that the dump proves that the CIA used Russian malware in the hack of the DNC in a false flag operation to tarnish the Kremlin. Moscow will certainly not mind the embarrassment of the Agency, and more distrust among Trump supporters of the intelligence community. 

What does this mean for the VEP? The VEP, or Vulnerabilities Equities Process, is a process by which the government decides if it will reveal a software vulnerability to the vendors or keep it for offensive purposes. In the past, government officials say the VEP is biased toward responsible disclosure. NSA Director Admiral Mike Rogers has said “by orders of magnitude, the greatest number of vulnerabilities we find, we share.” Jason Healey has estimated that the government holds a small number of zero days, “dozens of such zero days, far fewer than the hundreds or thousands that many experts have estimated.” Healey seems to argue that, given the age of the vulnerabilities and their use outside of the United States, the CIA did not need to them report to the VEP. Robert Graham uses the leaks to argue that the VEP is “nonsense”–largely a public relations exercise to assuage the tech world that the U.S. government is not stockpiling flaws affecting products made by U.S. companies. The intelligence agencies buy vulnerabilities and they are going to use them; “if they [CIA and NSA] spend millions of dollars buying 0days because it has that value in intelligence operations, they aren’t going to destroy that value by disclosing to a vendor.” 

What does this mean for the split between Silicon Valley and Washington? It is not good, but it could be worse. The tech companies are going to be angry that the CIA had vulnerabilities and did not report them (here’s Mozilla’s statement). This makes everyone worse off. These reports will also be used by foreign governments to increase scrutiny of US tech companies in their markets (the Chinese paper Global Times already ran this headline, “US consulate becomes a hacking center! WikiLeaks once again exposes shocking CIA secrets”). But the attacks were targeted, did not undermine encryption or the internet backbone, and do not expose thousands or millions of users. This leak will join a growing list of events that keep the two sides apart–and here I suggested how to bridge the gap–but will not be in top 3.

No comments: