Reason.com

Vault 7 Versus Snowden: Why Was One Such a Bigger Story?

Vault 7 serves as another reminder of the inherent folly in building government-mandated backdoors into secure systems.

Last week Wikileaks finally released its much-hyped "Vault 7" data detailing the CIA's arsenal of hacking tools. The first tranche, consisting of 8,761 documents and attachments from an "isolated, high-security network" in the CIA's Center for Cyber Intelligence, reveals important information about the federal spy body's intrusion techniques, alliances with other government bodies, and internal culture from 2013 to 2016.

These new details alone would be explosive. But the media's relative lack of interest in these major revelations makes this story even more curious. The CIA's hacking toolkit, while not surprising to those in the security community, should be downright paranoia-inducing for most Americans.

Big Brother Really Is Watching

According to the Vault 7 documents, the CIA can hack into most consumer devices, rendering even the strongest encryption techniques useless.

Some of the CIA's techniques have been diabolical. For example, one exploit of Samsung smart TVs would surreptitiously spy on owners even though the device appeared to be turned off. Another, more chilling technique could be used to hack a smart car and send its driver careening into a fiery death on the road. Furthermore, the CIA's "UMBRAGE" library of foreign "fingerprints" can make it falsely appear as if other governments are behind its dirty deeds.

Most of the conversation so far has revolved around the CIA's trove of "zero day vulnerabilities," computer bugs that are known only to the discoverer (which means that the software industry would have had "zero days" to patch them—get it?). Wikileaks itself has emphasized this dimension of the story: the first batch of documents was called "Year Zero," a title that might refer to the CIA's need to re-build its cyber-arsenal.

While the data dump stops short of releasing the full code, the leak describes enough about the CIA's hacking techniques to render them functionally impotent. This is because software providers scrambled to patch up the vulnerabilities soon after they were made public. Assuming that most of the CIA hacks were in the leak, America's top international spy agency could be effectively powerless for the time being, at least in terms of hacking capability.

This does not mean we should celebrate. The Wikileaks press release suggests that they were not the first body to get their hands on this cyber-arsenal, reporting that "the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner." It is possible that hostile groups got their hands on these weapons first, which means that both our "enemies" and our "protectors" could have been hacking and spying on us with these methods for the past few years. Since Wikileaks has not released the entire database to the public yet, some of these vulnerabilities likely remain unpatched.

As others have noted, the Vault 7 debacle serves as yet another reminder of the inherent folly in building government-mandated backdoors into secure systems or hoarding zero days to circumvent security. If powerful and capable groups like the CIA and NSA can't protect their cyber-arsenals, why should we expect others to manage it?

A Tale of Two Leaks

What has been most striking to me about this episode is the amazing lack of interest in the broader dimensions of the story. Compare reactions to the Wikileaks-enabled CIA leaks with reactions to the National Security Agency (NSA) leaks provided by Edward Snowden in 2013. In both cases, a notoriously secretive and powerful U.S. intelligence agency was unmasked before the world, expansive surveillance or intrusion techniques were laid bare, and the public learned of serious vulnerabilities in their privacy or their security (or both). Civil libertarians simultaneously cheered the revelations, while muttering that deep down, they knew it all along.

But where the NSA leaks dominated headlines for months and stimulated executive audits and congressional battles, the CIA leaks have mostly been greeted with a shrug. Why?

First, there is the scope of the disclosures. The NSA revelations concerned bulk surveillance methods that could theoretically affect all Americans, whereas the CIA leaks relate to narrower hacking methods. It is certainly troubling that the CIA could install malware on your smartphone to bypass encrypted communication applications like Signal, but the program doesn't automatically hoover up millions of conversations like NSA bulk collection programs do. (Although this cuts both ways: with the NSA, you are just one of billions; with the CIA, you could be targeted individually.)

Or perhaps people simply have surveillance fatigue. It's possible that Americans have merely accepted a new world of invasive intelligence monitoring and moved on with their lives. All of the drama and intrigue of the Snowden revelations generated no real change. Why would things be any different this time?

As to the media's relative lack of interest in the Vault 7 leaks, perhaps we should consider publication methods. Snowden developed relationships with journalists at respected platforms like The Guardian, The Washington Post, The New York Times, and Der Spiegel to make his disclosures. Obviously, a journalist will be more eager to crank out every angle of a story if they have a direct monopoly on the source material. And since such outlets tend to make or break news cycles, other platforms followed their lead and amplified Snowden's leaks.

Evidence of CIA spying, meanwhile, was published by Wikileaks. The benefit of this approach is it empowers a decentralized army of diggers to crowd-source the juiciest nuggets, rather than relying on media gatekeepers to determine what is most newsworthy. The downside is that major media outlets might not be as eager to report on the second-hand contents.

In the past, however, this hasn't been much of a problem. Previous Wikileaks publications—notably, the Afghanistan and Iraq war documents and the State Department diplomatic cables—received considerable coverage in national papers of record, and indeed in some cases were coordinated with these platforms. But these days, Wikileaks is no longer the media darling that it once was—not because of any shortcomings on its own part (even the intelligence report on "Russian hacking" begrudgingly admitted that it could not dispute Wikileaks' "reputation for authenticity") but because of contemporary geopolitical events.

Many in the establishment are still furious that Wikileaks decided to publish the Democratic National Committee and John Podesta emails during the 2016 U.S. presidential election, believing this to be de facto evidence of the group's latent pro-Trump or pro-Russian sympathies. Former acting CIA Director John McLaughlin went so far as to claim on national T.V. that Wikileaks is "clearly linked to Russia." But one needn't be a Russian plant to oppose expansive intelligence surveillance and hacking. Many patriotic Americans welcome Wikileaks' disclosures of intelligence agency power, and public commentators insult civil libertarians by tarring us as foreign puppets.

Grudges aside, the CIA leaks could serve to undermine the prevailing "Russian interference" narrative directed at the Trump administration. The intelligence community and its allies in the media have been engaged in an unprecedented public brawl with the new administration that paints President Trump as a "Siberian candidate" of sorts. Yet Wikileaks' earlier revelations that the CIA directly interfered with the 2012 French presidential elections do not give the intelligence agency much of a moral high ground. Furthermore, the new leaks expose a heretofore unknown spy base in the U.S. consulate in Frankfurt—thereby potentially implicating the State Department as well—and provide direct proof of the CIA's abilities to frame other countries for their hacking activities.

Given the heavy implications of Wikileaks' most recent revelations—ones that arguably exceed those of the earlier NSA surveillance leaks—I almost wish that the media's characterization of Wikileaks as a willing handmaiden for the Trump administration's war against the intelligence community was actually correct. But in fact, the Trump administration has granted more power to the out-of-control intelligence agency, reversing an Obama-era prohibition on CIA-directed drone strikes. Civil libertarians should be thankful that transparency groups like Wikileaks remain committed to informing the public of what goes down behind the scenes no matter which political faction or federal agency is behind the dirty deeds.

Photo Credit: Ingram Publishing/Newscom

  • $park¥ don't care bout yo mom||

    Because it is completely unsurprising to anyone who's heard of it.

  • $park¥ don't care bout yo mom||

    Some of the CIA's techniques have been diabolical

    Diabolical? Come on.

  • Fist of Etiquette||

    Another, more chilling technique could be used to hack a smart car and send its driver careening into a fiery death on the road.

    Because if you talk about Michael Hastings you sound like a crazy person. Maybe when they put a face to this release of documents, you'll get journalists to actually cover the story and at that time one or two news reports might accidentally give consumers a few details about what the intelligence bureaucracy is doing.

  • CatoTheChipper||

    Journolists are much more interested in promoting fake news about the Russian bear. The CIA protects us from the Russian bear.

  • Tony||

    Don't talk like Trump or defend Trump. It's embarrassing.

  • The Last American Hero||

    When you went from worrying about Trump starting a nuclear war with Russia to worrying that he's Putin's Puppet, did the spinning make you dizzy?

  • Tony||

    Why do you people constantly make things up about me? I'm worried Trump will start a nuclear war with *whomever* because someone didn't give him his midnight scoop of bubble gum ice cream.

    I don't worry that he might be Putin's puppet; the facts are pretty well established.

  • x'); DROP USER Tony;||

    Which 'facts'? Please, do be specific.

  • Rhywun||

    It's worth noting that "hacks" such as the one that makes your TV spy on you actually require the physical presence of someone to mess around with the item in order to get it to do that. Most of the breathless reporting seems to be implying that they can crack any encryption schemes that are out there. Which is BS, but makes for good scares.

  • $park¥ don't care bout yo mom||

    Everyone knows that the Internet is some vast Escheresque landscape of flashing lights, bright colors, and floating math equations. Don't try to downplay it.

  • Cynical Asshole||

    It looks like this, right?

  • ||

    It's worth noting that "hacks" such as the one that makes your TV spy on you actually require the physical presence of someone to mess around with the item in order to get it to do that.

    The old, lame, social-engineering "walk in the front door" physical presence too.

  • Diane Reynolds (Paul.)||

    Stranger in white uniform and baseball cap: Excuse me, Ma'am, your husband called to have the TV repaired?

    Wife: I didn't know there was anything wrong with it. Oh, I don't understand these technical things, if Bob called you, there must have been a reason! I'll show you to the TV. Can I get you some coffee?

  • Diane Merriam||

    The specific TV one (and not even all connected TVs - some brands they don't need that), yes, they need to physically upload the malware. But when it comes to your phones, laptops and other items, nope ... all they need is the internet connection.

    Of course in day to day matters, you're in much more danger from your "ordinary" everyday hacker.

  • SomeGuy||

    It's been shown the government intercepts or installs shit at the manufacturer already.

  • Crusty Juggler - #2||

    . But the media's relative lack of interest in these major revelations makes this story even more curious.

    If it doesn't involve Twitter it don't matter.

  • Diane Reynolds (Paul.)||

    This is going to be a lot of data to go through and I'm probably not going to get to it all. If much of it. But a quick scan of just a couple of the examples shows this as potential hacking techniques-- or in the case of the Samsung Smart tv hacking technique, shows that hands must be on the device to implement the hack.

    Lacking the ability to get a CIA agent inside my basement, the only other way to get the firmware pushed to my device would be to compromise Samsung's firmware without their knowing it and get that pushed to the devices during the next auto-update.

    Also, as usual, it looks like they're still not cracking encryption, it looks like they're attacking the endpoints.

    Bottom line, I'm all for uncovering the methods our government uses to spy on us, but this smells of 'paranoia-inducing' to people who don't have a complete grasp of technology.

  • Diane Reynolds (Paul.)||

    As others have noted, the Vault 7 debacle serves as yet another reminder of the inherent folly in building government-mandated backdoors into secure systems

    I think it's worth noting that the government desires these mandated backdoors because they know that despite all the breathless concern over the sophistication of CIA/NSA hacking ability, they know that the hacks are fleeting, temporary, fraught with limitations and in some cases only theoretical- like all the 'firmware' viruses you hear about floating around. Yes, they're possible, yes, they've been successfully executed in laboratory environments, but they're difficult to implement and very narrow in scope.

  • Diane Reynolds (Paul.)||

    I worry about anything which the CIA might use to domestically spy on Americans. But I'm in agreement, I know that the CIA spies on other nations. If a spying technique is invented, there's no reason it can't be turned on Americans. That included tiny microfilm cameras used by 1960s James Bond.

    A tiny pen that fires a deadly neurotoxin is just as effective against my neighbor Bob as it is against the Nefarious Dr. Kernichansky of the NKVD.

    If an antidote formula is leaked to the public and my neighbor Bob can craft it using ingredients purchased at Bartel's, sucks for the CIA. If CIA's hacking techniques spill into the public and Apple fixes its iPhone firmware, sucks for the CIA.

  • ||

    The CIA has bigger fish to fry.

    This makes the CIA sound like some manner of competent cook.

    "The CIA has much more important sponges to microwave."

  • Longtobefree||

    But there is gun control! That simply could not happen. Just like shootings never happen in Europe.

  • Fuck you, Shikha (Nunya)||

    So as long as I don't do anything "illegal" or have anything to "hide" I should totally be ok.

    /sarc

  • Jickerson||

    It's not original at all, but we've seen the 'they have bigger fish to fry' argument debunked by our own government so many times that it's laughable that you even made it. Just stop.

  • Jickerson||

    The CIA has bigger fish to fry.

    I've heard that argument used to dismiss the idea of the mass surveillance of Americans, and look how that turned out. I've heard that argument used to dismiss the idea that the government would ever abuse the unconstitutional domestic mass surveillance, and yet we still end up with abuses like LOVEINT and using the surveillance for the drug war (nevermind that the surveillance is unconstitutional and abusive in and of itself). I guess if you're a selfish piece of garbage who doesn't care if the surveillance is used to destroy activists, journalists, political opponents, whistleblowers, and so on, then everything is just fine as long as nothing happens to you or those around you.

    I don't believe this argument that the CIA is above harassing innocent people, even ones in the US.

  • Diane Reynolds (Paul.)||

    Previous Wikileaks publications—notably, the Afghanistan and Iraq war documents and the State Department diplomatic cables—received considerable coverage in national papers of record, and indeed in some cases were coordinated with these platforms. But these days, Wikileaks is no longer the media darling that it once was—not because of any shortcomings on its own part (even the intelligence report on "Russian hacking" begrudgingly admitted that it could not dispute Wikileaks' "reputation for authenticity") but because of contemporary geopolitical events.

    There are a couple of feature length articles on why Wikileaks isn't the darling it once was. It has a lot to do with the guy being criticized isn't always in power.

  • Crusty Juggler - #2||

    The Wikileaks press release suggests that they were not the first body to get their hands on this cyber-arsenal, reporting that "the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner." It is possible that hostile groups got their hands on these weapons first, which means that both our "enemies" and our "protectors" could have been hacking and spying on us with these methods for the past few years.

    Shocking!

  • ChipToBeSquare||

    Old news to some, but if you haven't tried asking an Amazon Alexa if she or Amazon reports to the CIA/NSA, you need to find a friend who owns one and give it a shot because it's pretty damn surreal to see it in person. It's programmed to never intentionally mislead you and so it will go silent at the question

    They may have released an update that causes it to interpret the question differently, but there's probably still a way to phrase it. Kinda hilarious that they partnered with Mr. Robot of all shows last year

  • Cynical Asshole||

    But the media's relative lack of interest in these major revelations makes this story even more curious.

    Government spying/ hacking is sooo 2013. *Yawn* /media retards

  • Diane Reynolds (Paul.)||

    You mean so 2004.

  • Longtobefree||

    "Snowden developed relationships with journalists at respected platforms like The Guardian, The Washington Post, The New York Times, and Der Spiegel to make his disclosures"
    Which of the listed propaganda pushers are "respected platforms"? Not seeing it here.

  • buybuydandavis||

    the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner.

    To me, this is the big story here.

    Of course the government collects methods to hack. That they lost control of their own weapons is the story. They had already been compromised a thousand times over.

    The new hack didn't expose US intelligence methods; the new hack exposed that US intelligence methods had already been compromised.
