Implications of WikiLeaks Publishing Details of CIA’s Cyber Arsenal

March 21, 2017

SUMMARY

On Tuesday, March 7th, WikiLeaks, the whistle-blowing website run by Julian Assange, released a cache of Central Intelligence Agency (CIA) documents known as “Vault 7,” which contain details of CIA hacking tools. The cache included approximately 9,000 documents, dating from 2013 to 2016, which describe spyware, malware, and other tools allegedly used by the CIA to bypass encrypted messaging services by penetrating computer and mobile operating systems including Apple’s iOS and Google’s Android. It also suggests that developers can inject these tools without the owners’ knowledge, thus turning computers, network routers, smartphones, and web-enabled household appliances, electronics, and “smart” systems into remote spying devices. The documents also have the potential to reveal unprecedented detail about the CIA’s electronic spying tools at tremendous cost to US national security.

It has been widely reported in the media that the CIA has identified Russian officials as having fed materials hacked from the Democratic National Committee to WikiLeaks. In fact, it has also been said that the US intelligence community believes WikiLeaks has a relationship with Russian intelligence, even if WikiLeaks is simply being used as an outlet for leaked material damaging to the US. On September 7, in the aftermath of the Russian breach of the Democratic National Committee’s servers, James Clapper, then-director of national intelligence, stated, “The Russians hack our systems all the time, not just government but also corporate and personal systems.” On March 20, FBI director James Comey confirmed the existence of an official investigation into the allegation that the Russians did in fact use cyber attacks to interfere in and influence the outcome of the 2016 US Presidential election. The Vault 7 release has already inflamed the political dialog over Russian interference in the 2016 US election, and will now likely contribute to the increasing fear that Moscow is using the same cyber tactics to influence upcoming European elections.

It should come as no surprise to anyone that the CIA has invested heavily in leading-edge cyber hacking methods to further its intelligence gathering mission. Contrary to the claims of WikiLeaks, the revelations thus far do not indicate vulnerabilities in commercial decryption or encryption tools.  Instead, the Vault 7 discoveries indicate that commercial encryption is so strong that the CIA would need to inject surveillance tools onto each individual device to be able to read data prior to encryption. This process requires a much more laborious and tedious mix of human and technical intelligence, focused specifically on an individual or individuals being targeted, rather than just overriding technology en masse. The fact that today’s encryption technology is so strong that the CIA cannot break it without embedded surveillance techniques should reassure all who practice good cyber security protocols. But everyone should be clear that it does not mean that people and companies are completely safe from other types of cyber attacks, particularly insider threats that bypass encryption by originating behind the firewall or the use of embedded surveillance by increasingly sophisticated cyber criminals.

Michelle DiGruttolo, Head of Ankura’s Geopolitical Practice, said, “It is worrisome that because of this leak, people now think that the CIA can simply turn home appliances into surveillance tools. This is not true. The reason why this leak is concerning is a much greater issue. The real reason is that important coding details connected to cyber tools are now available to criminals, which potentially puts commercial secrets at risk. Also, from a technical standpoint, the leaks have revealed novel and heretofore unknown methods, at least to the average consumer, for transforming everyday electronic equipment into effective surveillance tools.”

IoT VULNERABILITIES

If the WikiLeaks allegations and materials are accurate, this is a clear demonstration of the fundamental vulnerability of the Internet of Things (IoT) devices manufactured for mass entertainment and consumer productivity rather than security. For example, the WikiLeaks writer notes that the CIA considered leveraging these newly discovered tactics to exploit a smart TV as a voice-recording mechanism. Senior Managing Director of Ankura’s Cybersecurity Practice, Luke Tenery, advises that “organizations should consider that a broad mix of consumer technologies, never identified as such before, can now become threat vectors which might allow intelligence-gathering actors to probe and attack adversaries.” An example of this was the October 21, 2016 IoT Distributed Denial of Service (DDoS) attack in which the Domain Name System (DNS) provider “Dyn” was significantly disrupted, subsequently impacting the availability of major internet platforms and services across the globe. During this attack, the now-identified ‘Mirai’ botnet was used, an unprecedented cyber incident comprised of nontraditional devices, including approximately 50,000 closed circuit television cameras. These devices, in retrospect, were very easily compromised due to the use of simple default passwords. Tenery continues, “The exact same botnet technique could be applied today to launch similar attacks. The CCTV cameras are the tip of the iceberg, as more and more devices – regardless of whether it makes sense or not – are being sold with ‘smart’ capabilities and with internet connectivity.   Hacking communities now have a much larger repertoire of tools to choose from – and their toolbox is growing every day – when they formulate these types of attacks.”

These cyber incidents present a new reality for corporations. Cyber criminals are not just compromising computers any longer, they are currently using household devices normally located in any company kitchen or break room, devices that have never needed to be factored in as potential security threats, as workstation computers, smart phones and company servers have been for years. Who would have considered before this past decade that the break room coffee pot might be hacked for nefarious purposes? Further and more frightening examples of what is now possible in daily life include surveillance hacks using televisions or baby monitors.

Another concern for corporations to consider are the ways they could potentially be connected (unknowingly) to attacks on their competitors or other non-related businesses. Ankura Senior Managing Director and cybersecurity expert Ted Theisen postulates, “Imagine if a ‘smart’ toaster in a company kitchen, or another web-connected appliance within a corporate facility, is inadvertently connected to the internet, compromised, and subsequently used as a drone in a botnet collective to attack another corporation. Many hypothetical questions arise. Some of those questions include ‘Is the corporation now responsible for securing nontraditional endpoints?’, ‘Should corporations hold the provider of the IoT device accountable to ensure no backdoors are open to third parties?’, ‘Should third parties include governments?’, ’Should some devices, such as a toaster, even be connected to the internet? And, if they are going to continue to be, regardless of the common sense of it, what are the regulatory requirements needed in this space going forward?’”

A further implication of the “Vault 7” postings is the now-reinforced obligation to protect corporate infrastructure from new and unconventional vectors of attack. For example, traditional signature-based security will more than likely be rendered less effective at preventing – let alone initially identifying — these new threats; the CIA leaks reveal the existence of tactics useful for defeating traditional security defenses.  Tenery recommends, “These tactics amplify the urgent need for new and highly sophisticated cybersecurity defense and detection mechanisms with a deeper analytical approach to detecting anomalous computing behavior.” Beyond the current common practice of trusting a sole-detection mechanism to block the known ‘known bad’ identified malware, such as the traditional anti-virus signature model, more innovative methods need to be devised immediately for the ‘known-unknown bad’ and even for the anticipated and eventual ‘unknown-unknown bad.’ We have to be thinking analytically about how to identify cyber-threat attributes and we need to do that now.”

Modern corporations are no longer, technologically speaking, simply four walls and a perimeter firewall connecting internal computers to the internet.  The modern corporate technology enterprise continues to evolve toward a dispersed and distributed network of individuals and devices. The WikiLeaks revelations confirm the broader industry suspicions that a more complex and interdependent cyber landscape is now in play – availing attackers of yet unseen points of entry. Theisen concludes, “Cyberattacks are on an exponential rise.  A cyber-induced catastrophe resulting in extensive physical destruction and human suffering in real time will transcend a mere ‘cost of doing business’ calculation for everyone. Organizations and their stakeholders must begin considering cybersecurity strategy both holistically and creatively.  By doing this, they will be armed and able to maintain the safety of their business’ data confidentiality, data integrity and data availability for their workforce.  This is critical for any business’ cybersecurity and mission assurance responsibilities today.”