March 8, 2017


Q: So what’s the big news in this particular leak?

There are three things, I think.

1. The CIA has built a capability to hack pretty much anything, anywhere. It turns out that they, potentially, have more ability to intrude into servers, computers, smartphones and electronic communications than even the NSA.
2. This capability is now in the hands of people other than the CIA.
3. All the things you’ve read, that seem like science fiction movie plots, are really true. Other people can listen to you via your smart TV, can read your email, turn on the webcam on your laptop, without you ever knowing.

Q: The leak itself is a sign of problems, but what do we know about how the CIA is using this stuff?

According to what we know, the CIA’s capabilities and tools were not actually classified, because that would mean that CIA employees and contractors would break the law as they moved the tools, and information gleaned with the tools, across various networks and computer systems. Apparently, the tools, data, etc. were freely shared within the CIA hacking teams, which is what led to the Wikileaks leak, but also, apparently, has led to this entire capability being acquired by people outside the CIA. I’m sure that further details will come out in the near future on this topic.

Q: Is there an upside to these leaks?

This is a tough one to answer. I’m torn, honestly. There is good and bad in this. We know that some of the Manning leaks had impacts on military operations. That was part of Manning’s trial. I also found it interesting that Wikileaks alleges that the US Intelligence Community has a problem keeping its cyberwar tools off the black market. And if the CIA, NSA, etc. can’t keep these things under control, that is something that citizens should know.

Eric side note — this goes back to your “don’t fear the leaker” talk at ISSA. I am … mostly … in agreement with you.

Some final comments from Eric:

The Wikileaks disclosure also makes clear that the CIA (and undoubtedly every other government agency) built tools that would make it look like they were some other intelligence agency. For example, there is a tool in this called “Stolen Goods 2.0” that uses Russian techniques and footprints. This means that it becomes very difficult for investigators to have any idea who actually conducted the cyber attack. It might have been the Chinese, but it might actually have been the British using tools that made it look like the Chinese were the bad actors. Just because someone publicly attributes the attack does not mean anything. As security professionals say to each other all the time, “attribution is hard, bro.”

So for all we know, “Russian hacks” might actually be by the CIA, or by the Iranians, or by Indian mobsters. Great.

And here’s my Don’t Fear The Leaker paper that came from that talk.