What WikiLeaks’ massive CIA leak tells us about cybersecurity

Here we go again.

In 2010, WikiLeaks published a disturbing heads-up video of US helicopters strafing “insurgents” who turned out to be Reuters journalists. Weeks later came Cablegate, a leak by Bradley (now Chelsea) Manning of 251,000 US diplomatic cables.

By the time Edward Snowden’s name became famous in 2013, the mystique around US intelligence agencies was disappearing faster than the movie assassins who fancied a crack at killing Jason Bourne.

Yesterday, WikiLeaks returned with a further instalment dubbed “Vault 7/Year Zero” that exposes the first cache of 7,818 partly redacted web pages and 943 attachments that make up some of the CIA’s most precious software riddles.

What’s inside Vault 7? Let’s start with an interesting sentence from WikiLeaks’ intro:

Year Zero introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of zero day weaponized exploits against a wide range of US and European company products, including Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.

Which tells us several things.

The CIA hacks stuff

Of course it does, and doubtless other nation states have been crawling all over TVs and smartphones too. The significance of Samsung TV hacking is not that the CIA will do this to the average citizen – CIA target lists are tiny – but that they can do that at all. As we know from numerous IoT vulnerability stories, these devices have a security problem.

Secure messaging apps are still secure

Apparently, the CIA has been infecting Android and iOS devices to bypass secure messaging software encryption. Except this technique goes back donkey’s years and is even openly used by some police forces. No matter how secure its encryption, no app can stop a compromise of the platform on which the app is running, but using encryption raises the bar for an attacker.

Lots of old zero-days

WikiLeaks documents a pile of zero-days affecting Android and iOS that have been used by the CIA, but these all appear either to be old or (in the case of Android) to affect very old versions of the OS. As far as we can tell, most will either have been patched or will affect only obsolete devices.

This is mild stuff beside the four completely new zero-days the famous Stuxnet cyberweapon deployed to disrupt Iran’s nuclear program – still a record number for any malware.

Leaks are everybody’s problem

Losing control of spying tools is a disaster, but these are only one piece of a larger US arsenal that includes potent programmes run by the NSA. The bigger menace is that nation states or cybercriminals might get hold of the CIA tools and use them against civilian targets.

False flags

On that topic, Vault 7 reveals that the CIA has started doing precisely the same thing by borrowing dastardly techniques from other malware, including other nation state malware. This muddies attribution because it makes an operation look like someone else’s.

And yet the CIA can’t secure itself

The intriguing issue is how WikiLeaks obtained this cache. A sequence of US intelligence leaks is starting to look less like a trend than the symptom of a deeper reality that nothing can be kept secret by anyone. It’s as if rogue insiders (who may well be the source of this data) have become the ultimate cyberweapon.

Reports suggest that hundreds of thousands of people might have had access to highly sensitive US intelligence data at the time of Snowden in 2013. That is not insecure so much as unsecurable. After operating quietly in the shadows for decades, the world of intelligence service secrecy is starting to look like a golden era that has gone for good.