View from Washington: Wikileaks’ woefully wrong-headed wibbledump
The Vault 7 leaks basically show the CIA doing its job but will now make it much harder to accomplish.
I cannot see how the public interest is served by the latest Wikileaks document dump detailing cyberspycraft and tools used by the CIA. It has instead seriously undermined my and your security.
Yes, I include the UK in that as well as the US. Collaboration between our national security services and those of our allies generally is essential – and if you disagree, frankly just connect your tinfoil hat to the mains right now.
Wikileaks’ initial ‘Year Zero’ release from Vault 7 is a nightmare to sift at 8,761 documents. But the group’s accompanying statement is revealing enough. It mostly directs attention to charges and revelations that are either disingenuous or already known.
Let’s start with ‘disingenuous’. I want to quote one section at length:
“By the end of 2016, the CIA’s hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5,000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other ‘weaponized’ malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its ‘own [National Security Agency]’ with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.
“In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”
This is seriously misleading, and suffers from a whopping sin of omission.
Wikileaks frames its revelations within the long-standing turf war in US intelligence between the CIA and NSA, and claims of CIA overreach. One egregious problem with the quotation, though, is its focus on the CIA’s operations as of 2016. That leaves out something vitally germane: notwithstanding inter-agency rivalry, the CIA had to fall back on more of its own resources from 2013 onwards because so many NSA surveillance programmes were compromised by Edward Snowden (a leak process into which Wikileaks inserted itself once the former NSA contractor was on the run).
Because here’s a big surprise. The leaks mainly fall between 2013 and 2016. But, hey, who needs to know the full context?
Moving on, the source apparently wants to “initiate a public debate”. Well, we all want one of those. But how on earth can debate be constructively provoked by revealing the strategies and weak spots that the CIA exploits in a multi-faceted game, while effectively ignoring the actions of other influential players, most notably China and Russia?
US (and, in at least one case, UK) programmes have been compromised, possibly fatally, while those of rivals have not; meanwhile every criminal hacker has been given a fresh set of targets (if, admittedly, not yet the tarball with which to hit them).
Tilting the playing field like that to stimulate a discussion is astonishing overkill, even assuming debate is what you seek to achieve. Because the fermentation of chaos is always a precursor to rational discussion, isn’t it just. However, if your goals lie elsewhere, well…
The CIA and its allies at MI5, MI6 and GCHQ do what most of us want them to do. When it comes to intelligence gathering, the public comprises many millions of wise monkeys, not just the three.
Should security services be subject to close oversight and clear legal boundaries? Absolutely. Are current procedures insufficient given the rate of technological change and its impact on signals intelligence? Probably. But, again, on that last point we have known as much for a long time.
Because we now come to the second set of problems with Vault 7: the fact so much is neither ‘black hat’ nor ‘white hat’, but ‘old hat’.
You don’t say!
Had I an Electoral College vote for every time I have used this quotation, I would be President of the United States; so, you see, things could be worse. Anyway, here it is:
“You have zero privacy. Get over it.”
McNealy said that in 1999. Yup, almost two decades ago, one of Silicon Valley’s most powerful CEOs publicly highlighted the fundamental vulnerability of any digital system.
Let’s come up to date. Wikileaks lists a series of consumer technologies for which the CIA developed exploits. These include iPhones and iPads, Android handsets, and various devices running Windows.
Well, this is hardly news. Even the product getting most media attention right now, the Samsung Smart TV, was identified as vulnerable in 2012. Shocked, Captain Renault? Well, just check out this Mashable report from an open session at the 2013 Black Hat conference in Las Vegas. It’s entitled ‘Your Smart TV Could Be Hacked to Spy On You’.
Meanwhile, not just governments but also many companies have required visitors to hand in all electronics at reception before entering sensitive offices for several years now. Heck, even investigative journalists have been known to park their cellphones in a fridge before interviewing a confidential source.
All connected platforms suffer ceaseless attacks and have done for donkey’s years. As well as criminals, various branches of various national security agencies research and undertake them. You’re welcome.
Given this, I suppose Vault 7 shows the CIA has not just been doing what we would expect a covert agency to do, but doing it pretty efficiently. That is, of course, until now.
And your point is…?
The final sceptical charge against Wikileaks is the lack of a ‘smoking gun’. Let’s attempt a précis of what Vault 7 chiefly tells us. I would offer this:
“After a significant number of NSA programmes were compromised in 2013 by the Edward Snowden leaks, the CIA substantially ramped up its own cybersurveillance activities. It targeted the same devices and platforms attacked by rival agencies and criminals because of their ubiquity and usefulness as sources of signals intelligence. These documents describe the CIA’s strategies, vulnerabilities it exploited and its cybersecurity infrastructure.”
None of that disturbs or surprises me. What surprises me, given the kerfuffle Wikileaks wants to stir, is that Vault 7 does not appear to include a single example of the CIA using any of these techniques or infrastructure to exceed its operational remit or even place it on dodgy ground.
Where is its equivalent to the hacking of Angela Merkel’s cellphone? Where is there an example of the CIA’s tools being unlawfully used to monitor a US citizen on US soil? Where’s the beef?
Oh right. The US consulate in Frankfurt houses an electronic surveillance outpost. Cor blimey! Just about every country’s embassy hosts some kind of national spying resource. As Scott McNealy would say, “Get over it.” Do you really think the German government has no idea what is going on?
Forgive me, I’ve been tugging your coat for even longer than usual. One last point does need emphasising.
I think most of us appreciate the idea of our security services and those of our allies having access to the best cybersurveillance tools, particularly given that rival nations are seeking the same capacity (and using what they have aggressively). Nobody likes any kind of arm’s race – well, apart from defence contractors – but anyone with a modicum of sense wants to be on the winning side. It’s how things are.
Vault 7 is hard to see as anything other than an assault both on the US’ and the West’s current cyber-pre-eminence. Was it maliciously seeded by another country or is it simply the result of a misguided worldview? We don’t know for sure – but you can be sure that the spooks in Moscow, Beijing, Tehran and Pyongyang are laughing their heads off today.
Indeed, they’re laughing so hard they might blow out the mikes in their cellphones. That’s a pity.