Vault 7 Versus Snowden: Why Was One Such a Bigger Story?

Vault 7 serves as another reminder of the inherent folly in building government-mandated backdoors into secure systems.

Andrea O'Sullivan | 3.16.2017 3:00 PM

Last week Wikileaks finally released its much-hyped "Vault 7" data detailing the CIA's arsenal of hacking tools. The first tranche, consisting of 8,761 documents and attachments from an "isolated, high-security network" in the CIA's Center for Cyber Intelligence, reveals important information about the federal spy body's intrusion techniques, alliances with other government bodies, and internal culture from 2013 to 2016.

These new details alone would be explosive. But the media's relative lack of interest in these major revelations makes this story even more curious. The CIA's hacking toolkit, while not surprising to those in the security community, should be downright paranoia-inducing for most Americans.

Big Brother Really Is Watching

According to the Vault 7 documents, the CIA can hack into most consumer devices, rendering even the strongest encryption techniques useless.

Some of the CIA's techniques have been diabolical. For example, one exploit of Samsung smart TVs would surreptitiously spy on owners even though the device appeared to be turned off. Another, more chilling technique could be used to hack a smart car and send its driver careening into a fiery death on the road. Furthermore, the CIA's "UMBRAGE" library of foreign "fingerprints" can make it falsely appear as if other governments are behind its dirty deeds.

Most of the conversation so far has revolved around the CIA's trove of "zero day vulnerabilities," computer bugs that are known only to the discoverer (which means that the software industry would have had "zero days" to patch them—get it?). Wikileaks itself has emphasized this dimension of the story: the first batch of documents was called "Year Zero," a title that might refer to the CIA's need to re-build its cyber-arsenal.

While the data dump stops short of releasing the full code, the leak describes enough about the CIA's hacking techniques to render them functionally impotent. This is because software providers scrambled to patch up the vulnerabilities soon after they were made public. Assuming that most of the CIA hacks were in the leak, America's top international spy agency could be effectively powerless for the time being, at least in terms of hacking capability.

This does not mean we should celebrate. The Wikileaks press release suggests that they were not the first body to get their hands on this cyber-arsenal, reporting that "the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner." It is possible that hostile groups got their hands on these weapons first, which means that both our "enemies" and our "protectors" could have been hacking and spying on us with these methods for the past few years. Since Wikileaks has not released the entire database to the public yet, some of these vulnerabilities likely remain unpatched.

As others have noted, the Vault 7 debacle serves as yet another reminder of the inherent folly in building government-mandated backdoors into secure systems or hoarding zero days to circumvent security. If powerful and capable groups like the CIA and NSA can't protect their cyber-arsenals, why should we expect others to manage it?

A Tale of Two Leaks

What has been most striking to me about this episode is the amazing lack of interest in the broader dimensions of the story. Compare reactions to the Wikileaks-enabled CIA leaks with reactions to the National Security Agency (NSA) leaks provided by Edward Snowden in 2013. In both cases, a notoriously secretive and powerful U.S. intelligence agency was unmasked before the world, expansive surveillance or intrusion techniques were laid bare, and the public learned of serious vulnerabilities in their privacy or their security (or both). Civil libertarians simultaneously cheered the revelations, while muttering that deep down, they knew it all along.

But where the NSA leaks dominated headlines for months and stimulated executive audits and congressional battles, the CIA leaks have mostly been greeted with a shrug. Why?

First, there is the scope of the disclosures. The NSA revelations concerned bulk surveillance methods that could theoretically affect all Americans, whereas the CIA leaks relate to narrower hacking methods. It is certainly troubling that the CIA could install malware on your smartphone to bypass encrypted communication applications like Signal, but the program doesn't automatically hoover up millions of conversations like NSA bulk collection programs do. (Although this cuts both ways: with the NSA, you are just one of billions; with the CIA, you could be targeted individually.)

Or perhaps people simply have surveillance fatigue. It's possible that Americans have merely accepted a new world of invasive intelligence monitoring and moved on with their lives. All of the drama and intrigue of the Snowden revelations generated no real change. Why would things be any different this time?

As to the media's relative lack of interest in the Vault 7 leaks, perhaps we should consider publication methods. Snowden developed relationships with journalists at respected platforms like The Guardian, The Washington Post, The New York Times, and Der Spiegel to make his disclosures. Obviously, a journalist will be more eager to crank out every angle of a story if they have a direct monopoly on the source material. And since such outlets tend to make or break news cycles, other platforms followed their lead and amplified Snowden's leaks.

Evidence of CIA spying, meanwhile, was published by Wikileaks. The benefit of this approach is it empowers a decentralized army of diggers to crowd-source the juiciest nuggets, rather than relying on media gatekeepers to determine what is most newsworthy. The downside is that major media outlets might not be as eager to report on the second-hand contents.

In the past, however, this hasn't been much of a problem. Previous Wikileaks publications—notably, the Afghanistan and Iraq war documents and the State Department diplomatic cables—received considerable coverage in national papers of record, and indeed in some cases were coordinated with these platforms. But these days, Wikileaks is no longer the media darling that it once was—not because of any shortcomings on its own part (even the intelligence report on "Russian hacking" begrudgingly admitted that it could not dispute Wikileaks' "reputation for authenticity") but because of contemporary geopolitical events.

Many in the establishment are still furious that Wikileaks decided to publish the Democratic National Committee and John Podesta emails during the 2016 U.S. presidential election, believing this to be de facto evidence of the group's latent pro-Trump or pro-Russian sympathies. Former acting CIA Director John McLaughlin went so far as to claim on national T.V. that Wikileaks is "clearly linked to Russia." But one needn't be a Russian plant to oppose expansive intelligence surveillance and hacking. Many patriotic Americans welcome Wikileaks' disclosures of intelligence agency power, and public commentators insult civil libertarians by tarring us as foreign puppets.

Grudges aside, the CIA leaks could serve to undermine the prevailing "Russian interference" narrative directed at the Trump administration. The intelligence community and its allies in the media have been engaged in an unprecedented public brawl with the new administration that paints President Trump as a "Siberian candidate" of sorts. Yet Wikileaks' earlier revelations that the CIA directly interfered with the 2012 French presidential elections does not give the intelligence agency much of a moral high ground. Furthermore, the new leaks expose a heretofore unknown spy base in the U.S. consulate in Frankfurt—thereby potentially implicating the State Department as well—and provide direct proof of the CIA's abilities to frame other countries for their hacking activities.

Given the heavy implications of Wikileaks' most recent revelations—ones that arguably exceed those of the earlier NSA surveillance leaks—I almost wish that the media's characterization of Wikileaks as a willing handmaiden for the Trump administration's war against the intelligence community was actually correct. But in fact, the Trump administration has granted more power to the out-of-control intelligence agency, reversing an Obama-era prohibition on CIA-directed drone strikes. Civil libertarians should be thankful that transparency groups like Wikileaks remain committed to informing the public of what goes down behind the scenes no matter which political faction or federal agency is behind the dirty deeds.

Start your day with Reason. Get a daily brief of the most important stories and trends every weekday morning when you subscribe to Reason Roundup.

NEXT: Trump Budget Ends Subsidies for Rural Airports, Promising $175 Million in Savings

Hide Comments (38)

Editor's Note: As of February 29, 2024, commenting privileges on reason.com posts are limited to Reason Plus subscribers. Past commenters are grandfathered in for a temporary period. Subscribe here to preserve your ability to comment. Your Reason Plus subscription also gives you an ad-free version of reason.com, along with full access to the digital edition and archives of Reason magazine. We request that comments be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of reason.com or Reason Foundation. We reserve the right to delete any comment and ban commenters for any reason at any time. Comments may only be edited within 5 minutes of posting. Report abuses.

$park? don't care bout yo mom 8 years ago

Because it is completely unsurprising to anyone who's heard of it.
$park? don't care bout yo mom 8 years ago

Some of the CIA's techniques have been diabolical

Diabolical? Come on.
Fist of Etiquette 8 years ago

Another, more chilling technique could be used to hack a smart car and send its driver careening into a fiery death on the road.

Because if you talk about Michael Hastings you sound like a crazy person. Maybe when they put a face to this release of documents, you'll get journalists to actually cover the story and at that time one or two news reports might accidentally give consumers a few details about what the intelligence bureaucracy is doing.
CatoTheChipper 8 years ago

Journolists are much more interested in promoting fake news about the Russian bear. The CIA protects us from the Russian bear.
1. Tony 8 years ago
  
  Don't talk like Trump or defend Trump. It's embarrassing.
  1. DanO. 8 years ago
    
    Maybe it's Weigel. "Journolist" is his cover. Nefarious he is.
  2. The Last American Hero 8 years ago
    
    When you went from worrying about Trump starting a nuclear war with Russia to worrying that he's Putin's Puppet, did the spinning make you dizzy?
    1. Tony 8 years ago
      
      Why do you people constantly make things up about me? I'm worried Trump will start a nuclear war with *whomever* because someone didn't give him his midnight scoop of bubble gum ice cream.
      
      I don't worry that he might be Putin's puppet; the facts are pretty well established.
      1. x'); DROP USER Tony; 8 years ago
        
        Which 'facts'? Please, do be specific.
Rhywun 8 years ago

It's worth noting that "hacks" such as the one that makes your TV spy on you actually require the physical presence of someone to mess around with the item in order to get it to do that. Most of the breathless reporting seems to be implying that they can crack any encryption schemes that are out there. Which is BS, but makes for good scares.
1. $park? don't care bout yo mom 8 years ago
  
  Everyone knows that the Internet is some vast Escheresque landscape of flashing lights, bright colors, and floating math equations. Don't try to downplay it.
  1. Cynical Asshole 8 years ago
    
    It looks like this, right?
2. mad.casual 8 years ago
  
  It's worth noting that "hacks" such as the one that makes your TV spy on you actually require the physical presence of someone to mess around with the item in order to get it to do that.
  
  The old, lame, social-engineering "walk in the front door" physical presence too.
  1. Diane Reynolds (Paul.) 8 years ago
    
    Stranger in white uniform and baseball cap: Excuse me, Ma'am, your husband called to have the TV repaired?
    
    Wife: I didn't know there was anything wrong with it. Oh, I don't understand these technical things, if Bob called you, there must have been a reason! I'll show you to the TV. Can I get you some coffee?
3. Diane Merriam 8 years ago
  
  The specific TV one (and not even all connected TV - some brands they don't need that), yes, they need to physically upload the malware. But when it comes to your phones, laptops and other items, nope ... all they need is the internet connection.
  
  Of course in day to day matters, you're in much more danger from your "ordinary" everyday hacker.
4. SomeGuy 8 years ago
  
  its been shown the government intercepts or installs shit at the manufacture already.
Crusty Juggler - #2 8 years ago

. But the media's relative lack of interest in these major revelations makes this story even more curious.

If it doesn't involve Twitter it don't matter.
DanO. 8 years ago

Oh yeah. Vault 7. That was going to be HUGE. Then the brackets loomed and I got distracted and besides who is going to stop using his phone and computer and TV and if you're Kellyanne your microwave? They're spying on Radical.Islamic.Terrorists so that's a good thing but they're also spying on Trump's bathroom which is so sad, so sad, believe me. Crooked Hillary!
Diane Reynolds (Paul.) 8 years ago

This is going to be a lot of data to go through and I'm probably not going to get to it all. If much of it. But a quick scan of just a couple of the examples shows this as potential hacking techniques-- or in the case of the Samsung Smart tv hacking technique, shows that hands must be on the device to implement the hack.

Lacking the ability to get a CIA agent inside my basement, the only other way to get the firmware pushed to my device would be to compromise Samsung's firmware without their knowing it and get that pushed to the devices during the next auto-update.

Also, as usual, it looks like they're still not cracking encryption, it looks like they're attacking the endpoints.

Bottom line, I'm all for uncovering the methods out government uses to spy on us, but this smells of 'paranoia-inducing' to people who don't have a complete grasp of technology.
1. Diane Reynolds (Paul.) 8 years ago
  
  As others have noted, the Vault 7 debacle serves as yet another reminder of the inherent folly in building government-mandated backdoors into secure systems
  
  I think it's worth nothing that the government desires these mandated backdoors because they know that despite all the breathless concern over the sophistication of CIA/NSA hacking ability, they know that the hacks are fleeting, temporary, fraught with limitations and in some cases only theoretical- like all the 'firmware' viruses you hear about floating around. Yes, they're possible, yes, they've been successfully executed in laboratory environments, but they're difficult to implement and very narrow in scope.
2. DanO. 8 years ago
  
  Personally I want the CIA to spy on foreigners. They are surely spying on us. Spying has been going on since humans finally settled down into communities. And Vault 7 pertains only to the CIA, whose mission, as you noted, is relegated to physical missions abroad, not domestic. So am I worried about Vault 7? Not a bit. Another swing and miss for Assange.
  1. Diane Reynolds (Paul.) 8 years ago
    
    I worry about anything which the CIA might use to domestically spy on Americans. But I'm in agreement, I know that the CIA spies on other nations. If a spying technique is invented, there's no reason it can't be turned on Americans. That included tiny microfilm cameras used by 1960s James Bond.
    
    A tiny pen that fires a deadly neurotoxin is just as effective against my neighbor Bob as it is against the Nefarious Dr. Kernichansky of the NKVD.
    
    If an antidote formula is leaked to the public and my neighbor Bob can craft it using ingredients purchased at Bartel's, sucks for the CIA. If CIA's hacking techniques spill into the public and Apple fixes its iPhone firmware, sucks for the CIA.
    1. DanO. 8 years ago
      
      A tiny pen that fires a deadly neurotoxin is just as effective against my neighbor Bob as it is against the Nefarious Dr. Kernichansky of the NKVD.
      
      Of course. The CIA can also use conventional means to kill Bob and Sally if they want to. A 9mm to the back of the head on a dark and deserted street doesn't require a secret laboratory and some geek biochemists. Just because they can kill your Pictionary partners doesn't mean they will, or even that they want to. The CIA has bigger fish to fry.
      1. mad.casual 8 years ago
        
        The CIA has bigger fish to fry.
        
        This makes the CIA sound like some manner of competent cook.
        
        "The CIA has much more important sponges to microwave."
      2. Longtobefree 8 years ago
        
        But there is gun control! That simply could not happen. Just like shootings never happen in Europe.
      3. Fuck you, Shikha (Nunya) 8 years ago
        
        So as long as I don't do anything "illegal" or have anything to "hide" I should totally be ok.
        
        /sarc
        
        DanO. 8 years ago
        
        You probably think that's an original retort. Sad!
        
        Jickerson 8 years ago
        
        It's not original at all, but we've seen the 'they have bigger fish to fry' argument debunked by our own government so many times that it's laughable that you even made it. Just stop.
      4. Jickerson 8 years ago
        
        The CIA has bigger fish to fry.
        
        I've heard that argument used to dismiss the idea of the mass surveillance of Americans, and look how that turned out. I've heard that argument used to dismiss the idea that the government would ever abuse the unconstitutional domestic mass surveillance, and yet we still end up with abuses like LOVEINT and using the surveillance for the drug war (nevermind that the surveillance is unconstitutional and abusive in and of itself). I guess if you're a selfish piece of garbage who doesn't care if the surveillance is used to destroy activists, journalists, political opponents, whistleblowers, and so on, then everything is just fine as long as nothing happens to you or those around you.
        
        I don't believe this argument that the CIA is above harassing innocent people, even ones in the US.
Diane Reynolds (Paul.) 8 years ago

Previous Wikileaks publications?notably, the Afghanistan and Iraq war documents and the State Department diplomatic cables?received considerable coverage in national papers of record, and indeed in some cases were coordinated with these platforms. But these days, Wikileaks is no longer the media darling that it once was?not because of any shortcomings on its own part (even the intelligence report on "Russian hacking" begrudgingly admitted that it could not dispute Wikileaks' "reputation for authenticity") but because of contemporary geopolitical events.

There are a couple of feature length articles on why Wikileaks isn't the darling it once was. It has a lot to do with the guy being criticized isn't always in power.
Crusty Juggler - #2 8 years ago

The Wikileaks press release suggests that they were not the first body to get their hands on this cyber-arsenal, reporting that "the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner." It is possible that hostile groups got their hands on these weapons first, which means that both our "enemies" and our "protectors" could have been hacking and spying on us with these methods for the past few years.

Shocking!
ChipToBeSquare 8 years ago

Old news to some, but if you haven't tried asking an Amazon Alexa if she or Amazon reports to the CIA/NSA, you need to find a friend who owns one and give it a shot because it's pretty damn surreal to see it in person. It's programmed to never intentionally mislead you and so it will go silent at the question

They may have released an update that causes it to interpret the question differently, but there's probably still a way to phrase it. Kinda hilarious that they partnered with Mr. Robot of all shows last year
Cynical Asshole 8 years ago

But the media's relative lack of interest in these major revelations makes this story even more curious.

Government spying/ hacking is sooo 2013. *Yawn* /media retards
1. Diane Reynolds (Paul.) 8 years ago
  
  You mean so 2004.
Longtobefree 8 years ago

"Snowden developed relationships with journalists at respected platforms like The Guardian, The Washington Post, The New York Times, and Der Spiegel to make his disclosures"
Which of the listed propaganda pushers are "respected platforms"? Not seeing it here.
buybuydandavis 8 years ago

the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner.

To me, this is the big story here.

Of course the government collects methods to hack. That they lost control of their own weapons is the story. They had already been compromised a thousand times over.

The new hack didn't expose US intelligence methods; the new hack exposed that US intelligence methogs had already been compromised.
damavodadu 8 years ago

what Ralph answered I didnt know that anybody can get paid $6830 in 1 month on the computer . i was reading this?????O FAST JOB FAST CASH
????? ??????? 8 years ago

Cooing has 9 units available for sale in joulz in 6th October. See prices, amenities, and maps of new and resale homes by Inertia Egypt.

Please log in to post comments

Vault 7 Versus Snowden: Why Was One Such a Bigger Story?

Vault 7 serves as another reminder of the inherent folly in building government-mandated backdoors into secure systems.

Latest

Brickbat: Lawn Sign Litigation

Texas A&M's Drag Ban Shows the Threat to Campus Free Speech Is Bipartisan

Will Trump's Tariffs on Venezuelan Oil Matter?

Uncertain Tariffs Make Beauty a Lot Uglier

Sleepwalking Into a Cashless Society

Recommended

Login Form