At this point, most of us have heard about the Vault 7 Wikileak which details methods and technology the CIA uses in its spying operations. These range from turning Samsung TV’s into listening devices, hacking iPhone/android devices with zero-day exploits (issues the manufacturers aren’t aware of), as well as computers of every operating system, smart cars, and a whole host of other consumer electronics.
These zero-day exploits can bypass encryption for applications that had previously been able to keep communications secret, as well as giving them full access to the array of sensors a phone/computer may have. What is particularly troubling about this to many in the cybersecurity world is the fact that the government knew these zero-day exploits existed, and they did not tell the manufacturers of those products. This may on its face seem like a good idea to ensure secrecy of their intelligence gathering tools, but it also leaves the devices open for exploitation to anyone else who discovers these security flaws.
Compounding this concern is the easy proliferation of these disruptive cyber weapons. In order for these tools to be properly used, the CIA would have to give access to those who need them. This means that the small army of hackers they have built up would have ready access to some of the most dangerous tools in the world. Just such a hacker seems to be the source of this leak, which came from an isolated network in their Langley headquarters.
Once these lines of code reach the wild, they are able to be spread across the globe in seconds. These aren’t radioactive weapons requiring a complex smuggling operation to reach hostile forces, they are copyable computer programs, much like any program, we have installed on our chosen devices. These, unfortunately, can be distributed quickly and on a mass scale to anyone who may have to want to purchase them on the black market.
Some of the issues brought up in the leaks, are the CIA budgetary and oversight methods in place. The NSA already had similar technologies developed, but asking them for permission to use their technology brought people into operations they would have rather excluded and left a paper trail I am sure the CIA would rather do without. Building redundant programs for the CIA’s personal use enabled them to skirt that extra level of oversight, and also cost the American taxpayer money to develop.
Wikileaks had this quote near the top of the Vault 7 release page;
“Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force — its own substantial fleet of hackers. The agency’s hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA’s hacking capacities.”
This statement brings up a lot of questions that should have been asked a long time ago. To what extent should agencies cooperate? If there are areas where they must be separate, do we need redundant programs? What kind of weapons should we build for cyber warfare, and how do we ensure these weapons aren’t stolen and used against us? What kind of oversight are we comfortable with where the CIA and NSA are concerned?
The leaks appear to be genuine, and the threat we face in an ever growing digital world are rapidly becoming clearer to all of us. I don’t have the answers to the question posed, but I do know they deserve to be in the national conversation since we are going to be affected by this whether we like it or not. These leaks have not reached a conclusion by any means, and I expect significantly more news to come out surrounding this subject.
It’s time as American citizens that we stop burying our heads in the sand, and confront the new modern battlefield. If we don’t assert ourselves in this process, these policies will be written and set in stone for decades to come, and we will have nobody to blame but ourselves.