This morning, WikiLeaks published what appears to be the largest leak of CIA documents in the agency's history. The documents included in the leak describe cyberweapons which allow the CIA to remotely control computers, turn any phone or TV into a listening device, and bypass encryption before it was even applied.
While the authenticity of the leaks remains unverified, those familiar with the agency said that the documents appeared to be real.
Unfortunately, the mainstream media's coverage of this event fails to mention an important consequence of the leak. While its technical disclosures only confirm what industry professionals long suspected (Matt Green, a cryptographer at Johns Hopkins University, said that the list of cyberweapons was "impressive" but not unexpected), they also reveal that details of the cyberweapons circulated among unauthorized individuals, and the existence of the leaks means that the technical details surrounding the cyberweapons themselves could potentially be in the hands of foreign adversaries.
Cyberweapons, with few exceptions, operate by exploiting vulnerabilities in popular software. For example, Heartbleed was a vulnerability in OpenSSL, a popular open-source cryptography library used by web servers to secure web traffic (HTTPS). The vulnerability allowed hackers to extract the contents of a server's memory, giving them access to passwords, user data, and other private information stored on affected servers. After the Heartbleed vulnerability was discovered, it was quickly fixed.
The CIA chose to stay silent about vulnerabilities that could be used by hackers from other countries or governments.
The CIA's cyberweapons are only able to operate because the agency is aware of technical vulnerabilities in popular software. This knowledge is not exclusive to the CIA — any foreign government or adversary could potentially have the same discovery. As a result, the CIA's decision not to notify the groups responsible for maintaining the software leaves everyone vulnerable. By choosing to stockpile vulnerabilities for its own use rather than fix them, the CIA only weakens the world's digital infrastructure.
To imply that we were not at risk when only the CIA was in possession of the cyberweapons would be misleading, however. The CIA is not known for its particularly constitutional or ethical practices (take, for example, its illegal torture program or its extrajudicial drone assassination program), and there is no guarantee that these tools were only used with proper court supervision. As Americans, however, we are undoubtedly in a worse situation when both the CIA and international adversaries have such cyberweapons.
At this point, the only responsible course of action is for the CIA to notify equipment manufacturers and software developers of the exploits it is aware of, so that the software can be secured.
While this would have been the most responsible action at any point, it is particularly imperative now that it is known that the technical details of the cyberweapons could already be in the hands of our adversaries.
And, as @Snowden puts it on Twitter:
In 2014, the government sought to create the world's most dangerous key, claiming it would never be leaked... Followed by FBI Director Comey's WaPo Editorial, Compromise needed on smartphone encryption: Apple's and Google's approach to encryption is too extreme. The Snark. IT BURNS!!
The Vault 7 leak is empirical proof that a backdoor for the government is a vulnerability regardless, and that these tools will inevitably end up in the wrong hands.
This is a developing story. Cover image courtesy of Wikimedia.