WikiLeaks has sparked a debate about cybersecurity by publishing secret CIA documents. In a DW interview, its founder, Julian Assange, said he will publish more information – and he was critical of US tech companies.
There are no less than 16 different intelligence agencies in the United States. In 2017, they will cost US taxpayers some $70 billion (65 billion euros) – roughly twice Germany’s overall annual defense budget. The actual distribution of that sum among US intelligence services is classified, but revelations brought to light by Edward Snowden in 2013 suggest that the Central Intelligence Agency (CIA) receives the lion’s share.
In 2013, that sum was around $15 billion. Now the CIA, a highly funded agency tasked with gleaning state secrets from other countries, has a problem keeping its own secrets: On March 7, the whistleblower platform WikiLeaks began publishing CIA documents under the name “Vault 7.”
The platform published 9,000 documents exposing the CIA’s secret hacking tools, many developed by a team of hackers at the US consulate in Frankfurt and used throughout Europe. In a DW interview, WikiLeaks founder Julian Assange said that the German government has yet to react to the revelations – apart from a statement issued by the attorney general that he would examine whether German law had been violated. Assange says that the lack of a serious reaction “sadly reveals the relative weakness of the German government when dealing with the United States.”
The CIA has lost control of its cyberweapons
In speaking with DW, Assange announced that more CIA documents would be published over the coming months: “We have only published one percent of the material; 99 percent of the material is still to go.” Assange criticizes the fact that the CIA has developed its own version of the National Security Agency (NSA), which is itself specialized in electronic espionage.
“[The CIA] became a giant hacker spy agency,” he said. “This hacker CIA then stockpiled an enormous quantity of cyberweapons – hundreds of millions of lines of code, more than all of Facebook, in cyberweapons. And then it lost control of all of them.”
According to WikiLeaks, the published material comes from an isolated and highly protected network within the “CIA Center for Cyber Intelligence” at CIA headquarters in Langley, Virginia – one not connected to the internet. Assange explains that cyberweapons pose a particular proliferation risk as they are only made up of information – so-called code. This makes the possession of cyberattack tools especially dangerous, most notably when those who possess them cannot guarantee that they will remain secure. That appears to be the case now, as seen in the Vault 7 publication.
Massive procurement of zero-day malware
The published documents also show that the CIA purchased massive amounts of information from hackers pertaining to the so-called zero-day vulnerability of software and electronic devices. This information was then developed into malware to exploit such vulnerabilities: allowing cellphones, computers and even televisions to be turned into remote spying tools. This malware allows the remote and undetected operation of cameras and microphones. It also allows remote users to read text messages and e-mails directly from screens before they are sent, for example, as encrypted WhatsApp messages. A recent photo of Facebook founder Mark Zuckerberg showed that it isn’t just paranoid crazies that take the threat seriously: the picture featured Zuckerberg at his laptop, the microphone and camera of which were covered with tape.
US tech firms working with the government
Companies whose products may be compromised by the CIA’s tools were informed about those vulnerabilities by WikiLeaks, Assange told DW. European firms reacted quickly. US tech companies, however, were more reserved – with the exception of the browser provider Mozilla. Other companies affected by the CIA’s hacking tools, such as Google, Microsoft and Apple, in contrast, simply forwarded WikiLeaks’ offer to provide further information to their legal departments.
Assange claims that this was done because these companies work with US intelligence agencies. It is also the reason that so many employees at such companies have US government security clearance, especially those who work in cybersecurity departments. But security clearance rules stipulate that if a person is given clearance, they are not allowed to accept leaked information. Assange’s critical summary: “[These companies’] entanglement, their proximity to the US government, means that so far, they are not able to properly secure their users from attacks conducted from the CIA or the NSA.”
Assange’s assessment is rather similar to that of Finnish cybersecurity expert Mikko Hypponen. In his keynote address at the computer fair CeBit in Hanover on Wednesday, Hypponen warned that the world was witnessing the start of a new arms race that would be fought out in cyberspace. The Finn was also clear about who is currently leading the race: the US. “No other country has invested so much in cyber capability for so long as has the US.” The security expert said that Israel was in second place, followed by Russia and China. Hypponen also had a clear answer to the question of just what makes cyberweapons so attractive: they are effective, cheap – and they allow attackers to deny their actions.