The Minuteman

The Official Newark Academy Newspaper

Uncovering CIA Hacking: WikiLeaks’s Vault 7 Release

By Dean Tan ’18, News Editor

On March 7, 2017, the controversial anti-secrecy organization WikiLeaks began releasing a new series of leaks on the United States’ Central Intelligence Agency. The archive, code-named “Vault 7,” is the largest publication of confidential documents on the CIA in history. The unprecedented release took the CIA by surprise and sheds new light on the nature of the United States’ cybersecurity. It also confirms several suspicions that the government is able to hack into household electronics and spy on the public.

Cartoon of the CIA spying program, accompanying the Dark Matter release. Image courtesy of WikiLeaks.

The first full part of the leak, titled “Year Zero,” is composed of 8,761 documents and files obtained from a high-security network inside the CIA’s Center for Cyber Intelligence. WikiLeaks claims that the CIA recently lost control of the majority of its hacking arsenal, and a former government hacker who obtained unauthorized access to the archive provided portions of it to WikiLeaks. The anonymous source also requested urgent public debate about whether the CIA’s hacking capabilities exceed its legal power and how to go about controlling cyber weapons.

The “Year Zero” release, which amounts to more than several hundred million lines of code, contains extensive information about the CIA’s global covert hacking program, created by the Engineering Development Group. One program, “Weeping Angel,” transforms Samsung smart TVs into covert microphones. When infested, the TV is placed in a “fake-off” mode, appearing to be off when it is actually on and recording conversations which are sent to CIA servers. The CIA has also developed substantial malware to infect and control Microsoft Windows users, including sophisticated viruses designed for automated infestation and attacks against Internet web servers. Another program is designed specifically for Apple and Android devices, which can covertly access a user’s phone camera, microphone, and location as well as bypass the encryption of secure messaging apps.

An important aspect of the CIA’s hacking program is its development of weaponized “zero day” exploits. The Vulnerabilities Equities Process is a commitment by the US government to technology manufacturers to disclose all bugs and vulnerabilities that are discovered. However, the leak revealed that the CIA possesses undisclosed “zero day” security vulnerabilities that put technology manufacturers at risk.

Another implication of the release is that cyber weapons are “not possible to keep under effective control,” according to WikiLeaks. The CIA intentionally made its malware unclassified, since CIA implants frequently communicate with control programs which are prohibited from hosting classified information. Unclassified CIA cyber weaponry could be freely pirated by competing cyber weapons manufacturers and hackers if obtained. Several government hackers are currently under investigation for exfiltrating copies of CIA weapons; these weapons, like other computer programs, can be copied quickly without leaving any trace, and are worth millions of dollars on global “vulnerability markets.”

In recent years, WikiLeaks has entered the national spotlight for its high-profile releases. In 2010, former Army intelligence analyst Chelsea Manning released a cache of over a quarter-million confidential diplomatic cables. The leak revealed the inner workings of American diplomacy, including bargaining by US embassies, views of foreign leaders, and ongoing nuclear and terrorist threats. In 2013, WikiLeaks received heavy criticism for its endorsement and protection of Edward Snowden, who released classified information on the National Security Agency’s global surveillance program. Charles Pan ’18 commented, “I’m not very surprised by the news. I think the American public is largely unaffected because the information came in the form of a leak; many Americans view this as classified information and intel that was obtained illegally.”

WikiLeaks has been accused by the US government of recklessly releasing information that could jeopardize national security and overseas operations. In response, WikiLeaks redacted names and anonymized identifying information from its “Year Zero” release. The organization also withheld the computer code for usable cyber weapons until it has decided how to appropriately disarm and publish them. Dillan Gajarawala ’17 approves of WikiLeaks’s releases, stating, “The people have a right to know if their private lives are being spied on.”

On March 23, 2017, WikiLeaks released the second part of Vault 7. Titled “Dark Matter,” the release contains documentation on CIA projects designed to infect Apple Mac firmware. The projects include “Sonic Screwdriver,” a mechanism to attack Apple computers through USB sticks, and “NightSkies,” an implant tool designed to be installed on new factory iPhones. Mr. Siddiqui shared, “The largest concern is if they’re doing it in a way that is against the law; a warrantless wiretap or warrantless interception of information. The warrant is the dividing line between our rights and the rights of the government to keep ourselves secure. If they’re crossing that line, we should be worried about it.” It is clear that, as WikiLeaks continues to analyze and release information, the secrets of the CIA’s hacking operations will be unveiled.