Earlier this week, WikiLeaks published a startling news release announcing what could be the largest-ever dump of CIA documents – 8,761 pages, a collection which the website calls “Vault 7.” WikiLeaks, the “stateless news organization” led by Julian Assange, claims the leak is the first of a series called “Year Zero” that they plan to release regarding secret information on digital tools and techniques used by the agency. The documents, which are mostly pages of highly technical code, appear to reveal the intelligence agency’s hacking capabilities, including how they exploited security flaws in popular smart electronics – like iPhones and Samsung TVs – to spy on individuals.
There is no evidence the hacking tools were used against Americans, and the CIA has refused to confirm the authenticity of the documents. On Wednesday, the CIA issued a statement declining to comment on the “purported intelligence documents” and said the agency was “legally prohibited from conducting electronic surveillance targeting individuals here at home… and CIA does not do so.” That same day, the FBI began preparing to interview people with connections to such government documents and files. Intelligence officers and cyber-security experts are weighing in with varying opinions on whether the leak came from inside the CIA or from foreign hackers outside the agency.
Since the dump, there have been several developments, from Assange announcing he would work with electronics and software companies to help patch the security flaws, to experts questioning just what the document dump reveals. In an effort to make sense of the cluster, here’s a guide to how the latest leak of secret information affects the government, tech companies and private citizens.
What did the release reveal?
The WikiLeaks dump is now being analyzed by cybersecurity experts, who are focusing on what are known as “zero-day” vulnerabilities. These are unknown holes in software that hackers (or government agencies) can use to infect a device with malware or spyware, or gain access to personal information. Since the dump, the CIA has faced criticism from groups such as the ACLU for not turning the security flaws over to the companies so they could be fixed, instead leaving American citizens open for potential cyber attacks.
The alleged CIA documents, which are dated from 2013 to 2016, describe the agency’s abilities to use the software flaws to hack into and control devices like the iPhone, Android and Samsung TVs, along with Skype, Wi-Fi networks and antivirus programs. They note, for instance, that agency’s malware can infiltrate iPhone and Android mobile devices – like the one known to handle the President’s Twitter account. “If the CIA can hack these phones then so can everyone else,” read one WikiLeaks press release, suggesting that Trump’s personal accounts might have already been compromised.
According to the dump, the CIA has the ability to hack into devices remotely and activate cameras and microphones so they can keep tabs on a person’s location and private messages. One of the most disturbing aspect of the documents comes in an explanation of how the CIA cooperated with United Kingdom intelligence services to develop techniques to hack into Samsung Smart TVs with a program called “Weeping Angel” that enabled them to record their surroundings while the television appeared to be off.
Does this mean the CIA is spying on me?
The short answer is no. Nathan White of the digital rights nonprofit advocacy group Access Now in Washington, DC, says he is not surprised to learn the CIA developed tools and techniques for spying on tech devices, but there is no evidence the agency spies on the American population. “The CIA can hack into phones, TVs, and maybe even cars,” he says, “but there is no reason to believe that this means that all of these things have been hacked.” While it might be disconcerting that the nation’s spy agency has these Orwellian abilities, they’re supposed to only use them on foreign targets.
Then again, per Obama-era guidelines, they were supposed to disclose vulnerabilities they found to the tech companies so the security holes could be fixed, and they did not. Cybersecurity expert Stuart Madnick, head of the the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity at MIT, says the CIA is conflicted: “How dangerous is it to you if the vulnerabilities persist, or how valuable are the vulnerabilities if the CIA can use them? We need to decide as a nation.”
Who leaked the CIA documents?
WikiLeaks says they published the CIA documents “as soon as its verification and analysis were ready.” The website, of course, is not outing their source, but write that the “source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”
James Lewis, an expert on cybersecurity at the Center for Strategic and International Studies in Washington, DC, says that he believes the source is probably an agency contractor. “The insider story has some odd bits: this sort of information is supposed to be compartmentalized, meaning that one person shouldn’t have access to all of it,” he says. “The agency has extensive new safeguard to detect such a leak after the Snowden incident.” He says it’s also possible the Russians stole the documents and gave them to WikiLeaks, as part of an ongoing struggle between the two powers, in which, as The Guardian describes, “WikiLeaks is widely seen as sitting firmly in Moscow’s corner.”
How does this compare to Edward J. Snowden’s leaks in 2013?
WikiLeaks says the number of Vault 7 pages “eclipses” the first three years of the Snowden NSA leaks, but there are considerable differences here. Snowden exposed the NSA was spying on American citizens and uncovered surveillance on a global scale. WikiLeaks does not outright accuse the CIA of hacking its own, but rather keeps the focus on the agency’s hacking tools. Also, WikiLeaks alleges the CIA didn’t report identified zero-day vulnerabilities, while Snowden proved the NSA talked about actually making them.
Overall, there is no clear similarity between this dump and Snowden’s. “The NSA leaks were shocking because they revealed mass surveillance that impacted all of us,” White says. “We’re not seeing that here – at least not yet.”
What’s going to happen next?
At a press conference on Thursday, Assange announced that WikiLeaks will give the affected tech companies access to CIA hacking tools for their defense measures, as the documents in the dump only described portions of agency tools, not full programs needed to run a cyber attack. Microsoft and Cisco Systems said they “have not yet been contacted,” but would welcome “submissions of any vulnerabilities through normal reporting channels.”
The offer comes two months after the American intelligence reported a link between WikiLeaks and the Russians in regards to the Democratic National Committee hack during the 2016 presidential election. It is a growing belief among U.S. officials and lawmakers that Assange is a pawn of Russian President Vladimir Putin in hacking the American government. Russia and the US will continue these battles over whodunnit. But for now, the Kremlin are telling us the CIA information dump is cause enough to turn their phones off.