In early March, WikiLeaks pushed a huge trove of government secrets into the public domain. It was dubbed Vault 7 and, consisting of more than 8,700 Central Intelligence Agency documents, was described in news reports as the biggest such leak in the spy agency's history. If there is a hall of fame, or of infamy, for unauthorized leaks, then Vault 7 seems deserving of a place alongside the alleged thefts attributed to former Army intelligence analyst Chelsea Manning and exiled National Security Agency contractor Edward Snowden, to name just two prominent examples of the digital era.
At least as disturbing as the Vault 7 compromise was what it exposed about tools and techniques for breaking into smartphones and eavesdropping through televisions and other devices connected to the Internet of Things. There was also the question of who did the leaking and whether it was the result of a nation-state attack.
The CIA issued a statement March 8 that it had no comment on the authenticity of the documents.
Intelligence and cybersecurity experts for the most part accepted the documents at face value. Snowden himself tweeted that the code names and terminology looked legitimate and that Vault 7 seemed to be genuinely a big deal.
Yet within days Vault 7 had pretty much faded from the news. Stewart Baker, an attorney with Steptoe & Johnson who served as NSA general counsel in the 1990s, wondered during his March 13 cyberlaw podcast why the story didn't have legs. "Although it seemed to be immensely painful for the CIA, assuming it was the CIA's tools that were released, the impact on the body politic is starting to look not very big," Baker commented.
Tom Kellermann wishes it were otherwise. Formerly chief cybersecurity officer of threat protection company Trend Micro and now CEO of investment firm Strategic Cyber Ventures, Kellermann has been sounding the alarm in particularly colorful terms. Vault 7, he says, represents the greatest robbery of a government armory since the French Revolution. He sees it as an action by a foreign power to discredit the U.S. government and escalate a criminal arms race with the digital equivalents of grenade launchers and machine guns. With the exploits and attack platforms unveiled in the WikiLeaks cache, criminals can become telepathic, Kellermann warns, adding that they are now hitting the streets and creating a free-fire zone in American cyberspace.
Others echo the magnitude of the risks, albeit less stridently.
At a March 13 Cybersecurity Summit in New York, sponsored by Nasdaq and the National Cyber Security Alliance, Michael Viscuso, who has worked as an offensive hacker for both the CIA and the NSA, said the Vault 7 revelations get to the heart of everything we rely on for connectivity. Co-founder and chief technology officer of information security company Carbon Black, Viscuso was referring to the potential threat to networking equipment and the possibility that the core integrity that we rely on won't be there.
But there have been other sober reactions to Vault 7 that may have contributed to its receding from public prominence.
Ilia Kolochenko, founder and CEO of web security firm High-Tech Bridge, says he was surprised that this particular incident has attracted so much attention. "It isn't news that the CIA uses and will continue using various hacking tools and techniques to obtain any information they need to protect the country," he notes. "This is their duty. So far, we don't have any evidence that these capacities were used unlawfully to, for example, violate U.S. citizens' privacy."
Although some observers worry that a CIA security vulnerability was exposed, Kolochenko says the truth may be more complicated: "This can be an insider incident, against which no large companies or governmental agencies are protected in any country. It can also be a honeypot to distract someone's attention from the real arsenal of U.S. cyberwarfare. I am pretty confident that U.S. intelligence has much bigger technical resources than the garbage exposed in the leak."
Kenneth Geers, senior research scientist with Internet security company Comodo and senior fellow of the Atlantic Council, saw nothing shocking and, for the most part, old information in the release. If anything, it reinforces the notion that encryption is effective in data protection, a point also made by University of North Carolina associate professor Zeynep Tufekci in a New York Times opinion article describing Vault 7 as part of a misinformation campaign.
However, nobody disputes another implication of the leaks: that cyberwarfare is intensifying and that private citizens and corporations are in the line of fire. James Lee, chief marketing officer of application security firm Waratek, put it this way: "The release of an entire library of previously unknown attack vectors means that underresourced and overworked application (and network) security teams must prepare for the inevitable tools intended for government intelligence being directed at businesses of all sizes."