Vault 7 Versus Snowden: Why Was One Such a Bigger Story?
Vault 7 serves as another reminder of the inherent folly in building government-mandated backdoors into secure systems.
Last week Wikileaks finally released its much-hyped "Vault 7" data detailing the CIA's arsenal of hacking tools. The first tranche, consisting of 8,761 documents and attachments from an "isolated, high-security network" in the CIA's Center for Cyber Intelligence, reveals important information about the federal spy body's intrusion techniques, alliances with other government bodies, and internal culture from 2013 to 2016.
These new details alone would be explosive. But the media's relative lack of interest in these major revelations makes this story even more curious. The CIA's hacking toolkit, while not surprising to those in the security community, should be downright paranoia-inducing for most Americans.
Big Brother Really Is Watching
According to the Vault 7 documents, the CIA can hack into most consumer devices, rendering even the strongest encryption techniques useless.
Some of the CIA's techniques have been diabolical. For example, one exploit of Samsung smart TVs would surreptitiously spy on owners even though the device appeared to be turned off. Another, more chilling technique could be used to hack a smart car and send its driver careening into a fiery death on the road. Furthermore, the CIA's "UMBRAGE" library of foreign "fingerprints" can make it falsely appear as if other governments are behind its dirty deeds.
Most of the conversation so far has revolved around the CIA's trove of "zero day vulnerabilities," computer bugs that are known only to the discoverer (which means that the software industry would have had "zero days" to patch them—get it?). Wikileaks itself has emphasized this dimension of the story: the first batch of documents was called "Year Zero," a title that might refer to the CIA's need to re-build its cyber-arsenal.
While the data dump stops short of releasing the full code, the leak describes enough about the CIA's hacking techniques to render them functionally impotent. This is because software providers scrambled to patch up the vulnerabilities soon after they were made public. Assuming that most of the CIA hacks were in the leak, America's top international spy agency could be effectively powerless for the time being, at least in terms of hacking capability.
This does not mean we should celebrate. The Wikileaks press release suggests that they were not the first body to get their hands on this cyber-arsenal, reporting that "the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner." It is possible that hostile groups got their hands on these weapons first, which means that both our "enemies" and our "protectors" could have been hacking and spying on us with these methods for the past few years. Since Wikileaks has not released the entire database to the public yet, some of these vulnerabilities likely remain unpatched.
As others have noted, the Vault 7 debacle serves as yet another reminder of the inherent folly in building government-mandated backdoors into secure systems or hoarding zero days to circumvent security. If powerful and capable groups like the CIA and NSA can't protect their cyber-arsenals, why should we expect others to manage it?
A Tale of Two Leaks
What has been most striking to me about this episode is the amazing lack of interest in the broader dimensions of the story. Compare reactions to the Wikileaks-enabled CIA leaks with reactions to the National Security Agency (NSA) leaks provided by Edward Snowden in 2013. In both cases, a notoriously secretive and powerful U.S. intelligence agency was unmasked before the world, expansive surveillance or intrusion techniques were laid bare, and the public learned of serious vulnerabilities in their privacy or their security (or both). Civil libertarians simultaneously cheered the revelations, while muttering that deep down, they knew it all along.
But where the NSA leaks dominated headlines for months and stimulated executive audits and congressional battles, the CIA leaks have mostly been greeted with a shrug. Why?
First, there is the scope of the disclosures. The NSA revelations concerned bulk surveillance methods that could theoretically affect all Americans, whereas the CIA leaks relate to narrower hacking methods. It is certainly troubling that the CIA could install malware on your smartphone to bypass encrypted communication applications like Signal, but the program doesn't automatically hoover up millions of conversations like NSA bulk collection programs do. (Although this cuts both ways: with the NSA, you are just one of billions; with the CIA, you could be targeted individually.)
Or perhaps people simply have surveillance fatigue. It's possible that Americans have merely accepted a new world of invasive intelligence monitoring and moved on with their lives. All of the drama and intrigue of the Snowden revelations generated no real change. Why would things be any different this time?
As to the media's relative lack of interest in the Vault 7 leaks, perhaps we should consider publication methods. Snowden developed relationships with journalists at respected platforms like The Guardian, The Washington Post, The New York Times, and Der Spiegel to make his disclosures. Obviously, a journalist will be more eager to crank out every angle of a story if they have a direct monopoly on the source material. And since such outlets tend to make or break news cycles, other platforms followed their lead and amplified Snowden's leaks.
Evidence of CIA spying, meanwhile, was published by Wikileaks. The benefit of this approach is it empowers a decentralized army of diggers to crowd-source the juiciest nuggets, rather than relying on media gatekeepers to determine what is most newsworthy. The downside is that major media outlets might not be as eager to report on the second-hand contents.
In the past, however, this hasn't been much of a problem. Previous Wikileaks publications—notably, the Afghanistan and Iraq war documents and the State Department diplomatic cables—received considerable coverage in national papers of record, and indeed in some cases were coordinated with these platforms. But these days, Wikileaks is no longer the media darling that it once was—not because of any shortcomings on its own part (even the intelligence report on "Russian hacking" begrudgingly admitted that it could not dispute Wikileaks' "reputation for authenticity") but because of contemporary geopolitical events.
Many in the establishment are still furious that Wikileaks decided to publish the Democratic National Committee and John Podesta emails during the 2016 U.S. presidential election, believing this to be de facto evidence of the group's latent pro-Trump or pro-Russian sympathies. Former acting CIA Director John McLaughlin went so far as to claim on national T.V. that Wikileaks is "clearly linked to Russia." But one needn't be a Russian plant to oppose expansive intelligence surveillance and hacking. Many patriotic Americans welcome Wikileaks' disclosures of intelligence agency power, and public commentators insult civil libertarians by tarring us as foreign puppets.
Grudges aside, the CIA leaks could serve to undermine the prevailing "Russian interference" narrative directed at the Trump administration. The intelligence community and its allies in the media have been engaged in an unprecedented public brawl with the new administration that paints President Trump as a "Siberian candidate" of sorts. Yet Wikileaks' earlier revelations that the CIA directly interfered with the 2012 French presidential elections does not give the intelligence agency much of a moral high ground. Furthermore, the new leaks expose a heretofore unknown spy base in the U.S. consulate in Frankfurt—thereby potentially implicating the State Department as well—and provide direct proof of the CIA's abilities to frame other countries for their hacking activities.
Given the heavy implications of Wikileaks' most recent revelations—ones that arguably exceed those of the earlier NSA surveillance leaks—I almost wish that the media's characterization of Wikileaks as a willing handmaiden for the Trump administration's war against the intelligence community was actually correct. But in fact, the Trump administration has granted more power to the out-of-control intelligence agency, reversing an Obama-era prohibition on CIA-directed drone strikes. Civil libertarians should be thankful that transparency groups like Wikileaks remain committed to informing the public of what goes down behind the scenes no matter which political faction or federal agency is behind the dirty deeds.