The CIA is scrambling to assess and contain the damage from the release by WikiLeaks of thousands of documents that catalogued the agency’s cyberspying capabilities, temporarily halting work on some projects while the FBI has turned to finding who was responsible for the leak.
Investigators say the leak was the work not of a hostile foreign power like Russia but of a disaffected insider, as WikiLeaks suggested when it released the documents on Tuesday. The FBI was preparing to interview anyone who had access to the information, a group likely to include at least a few hundred people, and possibly more than 1,000.
An intelligence official said the information, much of which appeared to be technical documents, may have come from a server outside the CIA managed by a contractor. But neither he nor a former senior intelligence official ruled out the possibility that the leaker was a CIA employee.
The officials spoke on condition of anonymity to discuss an ongoing investigation into classified information. The CIA has refused to explicitly confirm the authenticity of the documents, but it all but said they were genuine on Wednesday when it took the unusual step of putting out a statement to defend its work and chastise WikiLeaks.
The disclosures "equip our adversaries with tools and information to do us harm", said Ryan Trapani, a spokesman for the CIA. He added the CIA was legally prohibited from spying on individuals in the United States and "does not do so".
White House
The leak was perhaps most awkward for the White House, which found itself criticising WikiLeaks less than six months after the group published embarrassing emails from John D Podesta, the campaign chairman for Hillary Clinton, prompting President Donald Trump to declare at the time, "I love WikiLeaks."
Sean Spicer, the White House spokesman, said the release of documents "should be something that everybody is outraged about in this country". There was, he added, a "massive, massive difference" between the leak of classified CIA cyberspying tools and personal emails of political figures.
The documents, taken at face value, suggest that US spies had designed hacking tools that could breach almost anything connected to the internet – smartphones, computers, televisions – and had even found a way to compromise Apple and Android devices. But whether the CIA had successfully built and employed them to conduct espionage remained unclear.
A number of cybersecurity experts and hackers expressed scepticism at the level of technical wizardry that WikiLeaks claimed to uncover and pointed out that much of what was described in the documents was aimed at older devices that have known security flaws. One document, for instance, discussed ways to quickly copy 3.5-inch floppy disks, a storage device so out of date that few people younger than 35 have probably used one.
One indication that the documents did not contain information on the most highly sensitive CIA cyberespionage programmes was that none of them appeared to be classified above the level of “secret/noforn”, which is a relatively low level of classification.
Some technical experts pointed out that while the documents suggest the CIA might be able to compromise individual smartphones, there was no evidence that the agency could break the encryption that many phone and messaging apps use. If the CIA or the US National Security Agency could routinely break the encryption used on such apps as Signal, Confide, Telegram and WhatsApp, then the government might be able to intercept such communications on a large scale and search for names or keywords of interest. But nothing in the leaked CIA documents suggests that is possible.
Instead, the documents indicate that, because of encryption, the agency must target an individual phone and then can intercept only the calls and messages that pass through that phone. Instead of casting a net for a big catch, in other words, CIA spies essentially cast a single fishing line at a specific target and do not try to troll an entire population.
Targeted surveillance
"The difference between wholesale surveillance and targeted surveillance is huge," said Dan Guido, a director at Hack/Secure, a cybersecurity investment firm. "Instead of sifting through a sea of information, they're forced to look at devices one at a time."
Guido also said the CIA documents did not suggest that the agency was far ahead of academic or commercial security experts. “They’re using standard tools, reading the same tech sites and blogs that I read,” he said. Some of the vulnerabilities described by the CIA have already been remedied, he said: “The holes have been plugged.”
But Joel Brenner, formerly the country's top counterintelligence official, said he believed the leak was "a big deal" because it would assist other countries that were trying to catch up to the US, Russia, China and Israel in electronic spying.
He added that the intelligence agencies would have to again assess the advisability of sharing secrets widely inside their walls. “If something is shared with hundreds or thousands of people, there’s a sense in which it’s already no longer a secret,” he said.
The WikiLeaks release included 7,818 web pages with 943 attachments. Many were partly redacted by the group, which said it wanted to avoid disclosing the code for the tools. But without the code, it was hard to assess just what WikiLeaks had obtained – and what it was sitting on. The documents indicated that the CIA sought to break into Apple, Android and Windows devices – that is, the vast majority of the world’s smartphones, tablets and computers.
While the scale and nature of the CIA documents appeared to catch government officials by surprise, there had been some signs a document dump was imminent. On Twitter, the organisation had flagged for weeks that something big, under the WikiLeaks label "Vault 7", was coming soon.
On February 16th, WikiLeaks released what appeared to be a CIA document laying out intelligence questions about the coming French elections that agency analysts wanted answers to, either from human spies or eavesdropping. When WikiLeaks released the cyberspying documents on Tuesday, it described the earlier document as "an introductory disclosure". – (New York Times)