Breach, Compliance Management, Data Security, Network Security, Privacy

Experts not surprised by CIA’s leaked cyber weapons, but stunned agency failed to protect them

Upon publishing a batch of documents that exposed various cyber espionage tools allegedly used by the CIA, WikiLeaks claimed that the anonymous source who supplied the so-called Vault 7 materials wanted to spark discussion around the use of cyber weapons. At least in the short term, this mysterious individual – now the subject of a federal criminal probe – may have succeeded, as experts across the cyber spectrum have already weighed in on the data dump and its key revelations.

For several pundits, the scandal isn't so much that the CIA possesses sophisticated spying tools, but that the agency allowed someone to exfiltrate close to 9,000 sensitive files from an isolated, secure network in Langley, Va. (That's assuming the data dump is genuine, which reports now appear to confirm.) In fact, experts have made note that nothing within the leaked documents points to any incriminating activity.

"The main issue here is not that the CIA has its own hacking tools or has a cache of zero-day exploits. Most nation-states have similar hacking tools, and they're being used all the time,” said Omer Schneider, CEO of industrial cybersecurity firm CyberX, in comments provided to SC Media. “What's surprising is that the general public is still shocked by stories like these.”

“Let's not be naive here. The ‘I' in CIA stands for ‘Intelligence,' so that's their job – to spy on our adversaries and protect us against threats like nuclear weapon systems from North Korea and Iran,” Schneider later continued in a separate interview with SC Media. “Don't forget that Stuxnet relied on no less than seven zero-day vulnerabilities to achieve its mission,” he added, referring to the worm that the U.S. reportedly created to sabotage Iran's nuclear program.

Ilia Kolochenko, CEO and founder at web security firm High-Tech Bridge, had a similar take: "I am bit surprised that this particular incident has attracted so much attention… "So far, we don't have any evidence that these capacities were used unlawfully – for example, to violate reasonable expectation of privacy of innocent U.S. citizens or for illicit interference with elections.”

Kolochenko doesn't even think the Vault 7 data dump necessarily revealed the CIA's most critical cyber secrets. “I am pretty confident that U.S. intelligence has much bigger technical resources than the garbage exposed in the leak,” he noted, in comments emailed to SC Media.

Edward McAndrew, a partner at Ballard Spahr who co-leads the law firm's Privacy and Data Security Group, was not surprised to read that the CIA has allegedly collected exploits for common desktop and mobile operating systems, or that the agency found a technique for eavesdropping on Samsung smart television users.

“If you think about their mission – gather human intelligence, you would want tools focused on consumer products like TVs, cars, things that allow you to track and surveil human beings,” said the former federal cybercrime prosecutor, cybercrime coordinator and national security cyber specialist with the Department of Justice.

On the other hand, the fact that someone was able to steal this intelligence and distribute it to WikiLeaks – “that is truly shocking and it shows you that the folks who are engaged in… the exploitation of cybersecurity for surveillance purposes are not very good at cybersecurity in their own houses,” McAndrew added, in an interview with SC Media.

In other words, even if the CIA didn't overstep its bounds, it apparently failed at protecting its assets.

And while the agency did not necessarily break any laws by hoarding vulnerabilities, such practices can sow distrust between the government and private industry, as well as with the public. “The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process,” the digital rights group Electronic Frontier Foundation protested in a blog post.

All this leads to even more questions: Does the CIA lack adequate oversight regarding cyber concerns? If not the CIA, which agency or official should ultimately be responsible for managing, securing and utilizing the U.S.'s cyber arsenal? And how can the Feds reliably protect their cyber weapons from falling into the hands of rogue nations and cybercrime gangs?

“The fact that a government intelligence agency has been actively purchasing, developing, and distributing critical vulnerabilities in ubiquitous consumer devices forces us to ask some very hard questions about the levels of oversight these agencies have right now,” said Richard Henderson, global security strategist at endpoint security firm Absolute Software. “Second, this incident makes it crystal clear to me that the government push to mandate or legislate backdoors into devices… can never be successful. These backdoors will leak out into the open, making it entirely likely that agencies not friendly to the West will also take advantage of these vulnerabilities.”

Brian Vecci, technical evangelist at enterprise infosec management company Varonis Systems, agreed that the CIA has an oversight problem, but also said the agency suffered from inadequate access control that made its files vulnerable to leaks. (Indeed, WikiLeaks claimed that its Vault 7 documents were openly passed around by former U.S. hackers and contractors in an unauthorized manner before they were eventually shared with the controversial organization.)

As a result of this breach, “Files that were once useful in their operations are suddenly lethal to those same operations. I call this toxic data – anything that is useful and valuable to an organization, but once stolen and made public turns toxic to its bottom line and reputation,” said Vecci. “They need to put all that data lying around in the right place, restrict access to it, and monitor and analyze who is using it.”

James Gabberty, associate dean and professor of information systems at Pace University's Seidenberg School of Computer Science and Information Systems, told SC Media that he thinks the U.S. Office of the CISO (which sits unoccupied due to the January resignation of Gregory Touhill) should establish a framework, perhaps based on NIST standards, that specifically protects cyber assets belonging to the CIA and other spying agencies. “These clandestine agencies would then be in a position to be audited regularly by external agencies to demonstrate proof of compliance,” Gabberty said.

Despite the call for better controls, certain pundits were hesitant about relegating cyber weaponry to one specific department or agency, for reasons demonstrated by the WikiLeaks breach itself.

“If this incident…shows us anything, it's that that the aggregation of tools in any one place creates major security concerns,” said McAndrew. “Keeping the crown jewels or all of the tools in one place is a recipe for disaster.”

“There is no single agency that controls the U.S. cyber arsenal, and with good reason,” said Eric O'Neill, national security strategist at endpoint security company Carbon Black and a former FBI counterterrorism operative. “We need cyber capabilities in many government areas, such as international relations, defense, military, homeland security, law enforcement, etc. All of the various agencies have their own hacking groups specializing in what their teams need to get done.”

With that said, “The government definitely needs to be aligned on cybersecurity strategy and practices,” O'Neill added, in an interview with SC Media. “A fragmented approach will always have pitfalls. The current issues provide an opportunity for the Trump administration to drive alignment and unify our federal agencies, but we won't know more until the draft version of the cybersecurity executive order becomes final.”

Meanwhile, perhaps lost in this debate is how this latest disclosure will ultimately sway public perception of WikiLeaks, especially if the organization goes on to publish the actual code from these cyber weapons, making them widely available to anyone.

“By putting these tools into the public domain, WikiLeaks has done the equivalent [of] handing lighter fluid and matches to children,” said Gabberty. “Now that WikiLeaks has unleashed the potentially most damaging cybersecurity tools ever to hit the street, I wonder if supporters of [whistleblowers] Manning and Snowden will continue to cheer when the electricity powering their computer digital devices, ATMs, cellular networks and mass transportation systems stops flowing.”

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.