The CIA’s Unexploded CyberBomb

After WikiLeaks published techniques used by the CIA for breaking into smartphones, the biggest leak in the spy agency’s history faded away.
In early March, WikiLeaks pushed a huge trove of government secrets into the public domain. It was dubbed Vault 7 and, consisting of more than 8,700 Central Intelligence Agency documents, was described in news reports as the biggest such leak in the spy agency’s history. If there is a hall of fame — or of infamy — for unauthorized leaks, then Vault 7 seems deserving of a place alongside the alleged thefts attributed to former Army intelligence analyst Chelsea Manning and exiled National Security Agency contractor Edward Snowden, to name just two prominent examples of the digital era.

At least as disturbing as the Vault 7 compromise was what it exposed about tools and techniques for breaking into smartphones and eavesdropping through televisions and other devices connected to the Internet of Things. There was also the question of who did the leaking and whether it was the result of a nation-state attack.

The CIA issued a statement March 8 that it had no comment on the authenticity of the documents.

Intelligence and cybersecurity experts for the most part accepted the documents at face value. Snowden himself tweeted that the code names and terminology looked legitimate and that Vault 7 seemed to be “genuinely a big deal.”

Yet within days Vault 7 had pretty much faded from the news. Stewart Baker, an attorney with Steptoe & Johnson who served as NSA general counsel in the 1990s, wondered during his March 13 cyberlaw podcast why the story didn’t have legs. Although it seemed to be “immensely painful for the CIA, assuming it was the CIA’s tools that were released, the impact on the body politic is starting to look not very big,” Baker commented.

Tom Kellermann wishes it were otherwise. Formerly chief cybersecurity officer of threat protection company Trend Micro and now CEO of investment firm Strategic Cyber Ventures, Kellermann has been sounding the alarm in particularly colorful terms. Vault 7, he says, “represents the greatest robbery of a government armory since the French Revolution.” He sees it as an action by a foreign power “to discredit the U.S. government” and escalate a criminal arms race with the digital equivalents of grenade launchers and machine guns. With the “exploits and attack platforms” unveiled in the WikiLeaks cache, criminals can become “telepathic,” Kellermann warns, adding that “they are now hitting the streets and creating a free-fire zone in American cyberspace.”
Others echo the magnitude of the risks, albeit less stridently.

At a March 13 Cybersecurity Summit in New York, sponsored by Nasdaq and the National Cyber Security Alliance, Michael Viscuso, who has worked as an offensive hacker for both the CIA and the NSA, said the Vault 7 revelations “get to the heart of everything we rely on for connectivity.” Co-founder and chief technology officer of information security company Carbon Black, Viscuso was referring to the potential threat to networking equipment and the possibility that “the core integrity that we rely on won’t be there.”

But there have been other sober reactions to Vault 7 that may have contributed to its receding from public prominence.

Ilia Kolochenko, founder and CEO of web security firm High-Tech Bridge, says he was “surprised that this particular incident has attracted so much attention.” It isn’t news that the CIA “uses and will continue using various hacking tools and techniques to obtain any information they need to protect the country,” he notes. “This is their duty. So far, we don’t have any evidence that these capacities were used unlawfully” to, for example, violate U.S. citizens’ privacy.

Although some observers worry that a CIA security vulnerability was exposed, Kolochenko says the truth may be more complicated: “This can be an insider incident, against which no large companies or governmental agencies are protected in any country. It can also be a honeypot — to distract someone’s attention from the real arsenal of U.S. cyberwarfare. I am pretty confident that U.S. intelligence has much bigger technical resources than the garbage exposed in the leak.”

Kenneth Geers, senior research scientist with Internet security company Comodo and senior fellow of the Atlantic Council, saw “nothing shocking” and, for the most part, old information in the release. If anything, it reinforces the notion that encryption is effective in data protection — a point also made by University of North Carolina associate professor Zeynep Tufekci in a New York Times opinion article describing Vault 7 as part of a misinformation campaign.

However, nobody disputes another implication of the leaks: that cyberwarfare is intensifying and that private citizens and corporations are in the line of fire. James Lee, chief marketing officer of application security firm Waratek, put it this way: “The release of an entire library of previously unknown attack vectors means that underresourced and overworked application (and network) security teams must prepare for the inevitable — tools intended for government intelligence being directed at businesses of all sizes.”