Depending on who you ask, this week’s WikiLeaks leaks — the Vault 7 files said to describe the CIA’s hacking arsenal — are either an unprecedentedly dangerous breach of national security, or no big deal. One intelligence official told BuzzFeed that the leak was, “if you look at the big picture, worse than Snowden.”
Senator John McCain seems to have concurred. “You are now looking at ways our intelligence agencies do business being revealed. It has all kinds of ramifications,” he said this week, later adding, “I can’t tell you how serious this is.” Of course, it is currently in no politician’s best interest to try to downplay any news concerning a foreign power’s hypothetical ability to meddle in U.S. affairs through technology, but BuzzFeed’s anonymous intelligence official agrees: “What we have here could potentially put thousands of people in danger in countries around the world. It’s like handing our biggest cyber guns over to anyone with an internet connection.”
On the other hand, Leonid Bershidsky at Bloomberg calls the leaks a “dud,” and Kelsey Atherton at Popular Science says they “don’t live up to the hype.” The thrust of this argument tends to be that it would be naive to be surprised at these supposed revelations: Obviously, the CIA is trying to infiltrate the communications tools of high-value targets. You think any enemies of America don’t already assume the CIA is cracking smartphones? (Furthermore, as Atherton points out, the salacious claims in WikiLeaks’s original announcement — such as that the encrypted messaging app Signal had been compromised — have not been borne out by the leaks themselves: the documents describe compromising the phones Signal runs on, not the app or its encryption.)
So which is it? “Dud,” or, uh, “biggest cyber gun”? At the center of the dispute are the “cyberweapons” that allowed the CIA to compromise security mechanisms on smartphones, computers, and Samsung smart TVs. The cache confirms that these weapons exist, and details them, but WikiLeaks is currently declining to release the source code (i.e., the actual software). In its own, characteristically dramatic words, WikiLeaks is “avoiding the distribution of ‘armed’ cyber weapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should [sic] analyzed, disarmed and published.”
“Armed” and “disarmed” is odd language for software, but that’s neither here nor there. If we do think of hacking programs as weapons, then we should also recognize that WikiLeaks is not actively proliferating these weapons, and is outspokenly against such action.
This is where comparisons to the Snowden leaks begin to fall apart. Both leaks revealed how the intelligence community uses consumer technology to surveil its targets, but the specifics of each reveal are different. Snowden’s biggest revelation was that the NSA was essentially dredging for terrorists by collecting private data on a huge number of Americans: not by breaking into their individual devices, but by intercepting traffic in transit and obtaining data from the companies that carried and stored it (this is why end-to-end encryption is still very important: it protects a message from whoever sits between the two endpoints, whether that is the network operator or the service provider itself).
The CIA’s hacking tools require specific targeting, which is much riskier (every use risks exposing the exploit and alerting the target) but yields much greater gains, since control of the device itself gets around whatever encryption protects the data in transit. It’s the difference between having a backdoor into a major internet company, and having the ability to crack an individual iPhone. This type of narrow focus on one person, or one device, sounds like typical CIA stuff; and according to security experts Tarah Wheeler and Sandy Clark, it wouldn’t scale to widespread NSA-style collection. To strain the “cyberweapon” analogy to its breaking point, Snowden revealed that the NSA was indiscriminately carpet-bombing the United States; Vault 7 reveals that the CIA owns an arsenal of high-powered sniper rifles that most experts had already assumed existed.
The question, then, is what happens to those sniper rifles. As Bershidsky explains, the cache “contains all sorts of publicly available malware, as well as samples tentatively attributed to foreign intelligence services; all that does is confirm that hackers, including CIA ones, aren’t picky about the origins of the products they use.” WikiLeaks’s source claims that the material had been circulating among former U.S.-government hackers and contractors, so all Assange’s organization did was bring leaks that were already happening into the spotlight.
That dangerous hardware and software exploits were being passed around, without authorization, among former government hackers and contractors is much more concerning than the expected fact that the CIA puts them to use. In other words, what’s not in the leaks is much more important than what is. Giving public comment yesterday, Senator McCain called for a significant reevaluation of how the intelligence community handles sensitive materials like its cybersecurity arsenal. Significantly, he had less to say about WikiLeaks than he did about the path the files took to WikiLeaks’s servers.