Is this going to be a thing now? Political rivals spy on one another all the time, but they seem increasingly willing to track down opponents’ espionage tools and leak them on the web. Last year, it was an older collection of malware likely built by, or for, the National Security Agency. This year, it’s the turn of the newly reorganized Central Intelligence Agency.
On Tuesday, WikiLeaks—once the bright hope of information freedom activists, now a spooky dropbox for occasional whistleblowers and Russian intelligence agents—leaked a collection of 8,761 documents and files (with possibly more to come) alleged to have come from within CIA between 2013 and 2016. The documents purport to describe malicious software tools and programs designed for gaining access to, and information from, computer systems like laptops, routers, and even internet-connected televisions.
We know governments are in the hacking business. Or, more precisely, the “break into your systems and live there to vacuum up interesting tidbits of data” business. It’s caused quite a stir and even a few changes in policy. What’s different here are those tools being leaked on the web for anyone to examine and reuse. And they will be reused. Intelligence agencies in the United States, Russia, China, and Israel have a lot of talent and no small amount of budget to research and build some pretty capable malicious software.
None of the actual CIA software appears to have yet been widely released. But it’s almost certainly just a matter of time—and even knowledge of new vulnerabilities in software is enough to give researchers and malicious actors the scent. (In a bit of good news, Julian Assange said Thursday that WikiLeaks will “work with [tech companies], to give them some exclusive access to the additional technical details that we have, so that fixes can be developed and pushed out and people can be secured.”)
No one has claimed responsibility for providing the files to WikiLeaks, and it’s not clear who might have done so. But suffice to say, it probably wasn’t Julian Assange and co. hacking into the CIA and doing their best Mission: Impossible to get this data out.
It could have been Russia: After all, the leak will embarrass CIA and harm U.S. intelligence collection activities. Releasing all this information might be an effort to drag the news cycle away from the latest unreported meeting between a member of the administration and someone who sort of looked Russian. Recall, too, that WikiLeaks was the preferred venue for Russian intelligence groups to dump information gleaned from the Democratic National Committee’s computer systems during the presidential election. But while Russia was the consensus culprit for the 2016 leak of NSA software tools, much of the embarrassment and difficulty this will cause the U.S. would also benefit a range of other states, so much of the same logic would apply to Iran or China.
The source might have been someone with direct physical access to the network where the leaked information was stored, a CIA employee or contractor. This is closer to a nightmare scenario for the intelligence community. Not only did this information leak, but the CIA must find the person who walked it all out the door (and who even now may still be showing up for work). The Department of Justice has only just finished unloading a charge sheet on one Harold T. Martin III, who allegedly brought home more than 50 terabytes of classified material over more than 20 years. (To what end he assembled this cache of data is still unclear.)
Though we don’t know who did the deed, we can speculate as to where this new information came from: likely some internal development servers at CIA. These servers would have been used to share and store information, like how-to guides, software documentation, and draft versions of new software tools, by developers and others working for Langley. It’s the sort of system you’d find at any software vendor, allowing developers to collaborate and coordinate with each other. Reporting from the New York Times cites a former intelligence officer who confirms that at least some of the documents match existing CIA programs and facilities.
The leaked materials are mostly software tools and documentation you might expect from the CIA as it conducts espionage in a world with mobile phones and Wi-Fi–enabled teddy bears. In the 1940s, when the agency was born out of a World War II–era covert action and wartime intelligence outfit called the Office of Strategic Services, intelligence gathering had a lot to do with talking to the right people, wearing trench coats, and stealing paper files. Aside from updates in fashion, these sorts of activities still matter a great deal. But with the advent and evolution of personal computing, there is now a lot to be gained from breaking into phones and laptops. Doing that requires software designed for that task and, often, knowledge of flaws in the targeted software to gain and maintain access.
Given that the most recent material in this leak is from less than a year ago, there’s a high likelihood some of these tools are still in use. The tools involved in the leak now must be replaced, and that takes both time and resources.
Beyond the immediate impact, this leak drives home several points about how the government deals with malicious software and things like software vulnerabilities: those flaws in code that can give attackers access to a computer system. The U.S. government currently has a system—the Vulnerability Equities Process—to determine whether these vulnerabilities should be kept for use, or disclosed and fixed by the affected software’s developers. The VEP must consider not just what intelligence might be gained (or lost) but the likelihood that the vulnerability could be discovered by others—and used against American citizens. If the CIA or NSA knows about a vulnerability, there’s no reason someone else can’t find the same one, and there’s evidence that this happens more often than we think. Replacing a vulnerability can be expensive and uncertain, but VEP also has to consider the risk that vulnerabilities might be leaked to, say, the entire planet.
Building software tools to collect information is what we expect intelligence agencies to do, and hacking is part of that. At the same time, those activities must take place within an established legal framework together with effective oversight. So far, there doesn’t appear to be anything in this leak that suggests the CIA is engaged in legal interpretation verging on creative nonfiction to justify its activity or bulk collection of internet content and phone records. Even if this leaked material turns out to show an ability to break into Signal or WhatsApp, which so far it emphatically does not, the revelation is likely to demonstrate how incredibly difficult that would be.
The next step is for the intelligence community to start taking things apart and looking for evidence suggesting how this could have happened and who is to blame. It’s going to slow down information sharing, and probably make life harder for most people working in classified environments, so go buy that friend of yours who works for “the government” a drink. The kicker here is that for the second time in less than a year, someone has dumped information about the U.S. government’s carefully crafted malicious software out in the open. If the goal was to cause a load of trouble for CIA and the intelligence community, it probably worked. Spying on your opponents can tell you a lot, but dumping their software tools onto the web makes for a headache if those tools are in active use—or expensive to build and maintain. Based on what we know so far, WikiLeaks appears to have released some major migraine material.
So yeah, this is going to be a thing.