What the WikiLeaks CIA Dump Says About the Weakness of Washington’s Data Security
This week, WikiLeaks published thousands of documents describing Central Intelligence Agency (CIA) technical cyber capabilities, including how the agency might hack into commonly used consumer Internet-connected devices. As the latest in a punishing string of unauthorized disclosures and exposures of classified and other sensitive information over the last several years demonstrates, the U.S. government is still failing at securing critical information that it retains.
There have been plenty of warning signs. Following the unauthorized disclosures by Edward Snowden about National Security Agency (NSA) surveillance activities beginning in 2013, President Barack Obama appointed a special committee—commonly known as the Surveillance Review Group—to assess whether “the United States employs its technical collection capabilities in a manner that optimally protects our national security.” The report did more than just assess whether NSA actions were in line with U.S. national security imperatives. Buried way back in Chapter Eight of the report was this line: “The security of classified networks is, in the age of cyber war, one of the highest priorities in national security.” It went on to state, “The government’s classified networks require immediate internal hardening.”
Early reports regarding the WikiLeaks data dump of CIA files have focused on the agency’s capabilities, and how they might make average technology consumers vulnerable to hacking. The CIA, of course, is an organization whose very purpose is to spy on foreign persons and entities in order to protect American security. The revelation that the CIA has developed modern cyber tools to do so is the least surprising aspect of this release.
It is against the law, however, for the CIA to conduct surveillance against Americans inside the U.S. Notwithstanding the laws and rules in place, the exposure no doubt will add to the already strained relationship between Silicon Valley and the U.S. intelligence community, as tech companies that sell their products and services globally strive to reassure customers that their privacy is being protected and their devices are reasonably secure.
But while the headlines blare about the CIA’s spying capacities, the buried lead is that the federal government still is failing to secure critical data. And it is failing to secure this data after repeated, significant exposures in which data held in its possession was hacked, leaked, and, in some cases, released to the world.
Not surprisingly, our modern era of mass digital insider theft and release began with WikiLeaks, the same organization responsible for this week’s publication. In 2010, Army intelligence analyst Chelsea Manning—then known as Bradley—leaked sensitive U.S. military and diplomatic documents to WikiLeaks. As a result, the intelligence community changed its policies and procedures. Since 9/11, the community had focused on sharing information across relevant agencies and breaking down stovepipes that prevented sharing. After that exposure, the community focused more deliberately on safeguarding information.
In 2013, NSA contract employee Edward Snowden absconded with a treasure trove of documents, including but not limited to classified court orders, descriptions of NSA surveillance capabilities, and international foreign intelligence targets—much of this was later published through established media outlets. In 2015, the U.S. Office of Personnel Management, which serves as a hiring and human resources hub for the federal government, experienced data breaches involving the personal information of over 20 million current, former, and prospective federal and contract employees. More recently, NSA cyber tools have been exposed publicly, and in a separate case, it was revealed that NSA contractor Harold Martin, currently under indictment in Baltimore, Md., stole thousands of classified documents over many years. Whether he shared them with another entity or government remains unclear.
In this week’s case, WikiLeaks head Julian Assange has, in a move stunning for its irony, publicly offered to “work with” technology companies to address the vulnerabilities his organization has exposed through the publication of classified material. His offer carries the faint whisper of extortion, assuming that WikiLeaks has possession of actual code important to companies whose devices or products may be vulnerable, and could release it at any time.
The better collaborative opportunity is, however, for the U.S. government and technology community to establish a functional partnership aimed at solving the federal government’s security weaknesses. That way, Silicon Valley companies won’t be forced into the position of having to bargain with a rogue actor such as WikiLeaks in order to protect their product equities, shareholder value, consumer information, and global reputation.
Over three years ago, Obama’s Surveillance Review Group urged greater attention to protecting government information technology systems from both insider threats and external hacks. The review group also encouraged further scrutiny of the process for vetting individuals’ access to classified information; the technology used to protect systems; and the continual management, review, and updating of these processes. Notably, the review group highlighted the inadequacy of the technology underlying some U.S. government systems, and compared it negatively to technology and risk management processes used in the financial services industry, for example. More recently, in December 2016, a Defense Department report found that “most military systems, networks and missions” are vulnerable to cyberattack.
Considering the continued harm being inflicted by internal actors and external threats to sensitive data held by the U.S. government, Washington must move quickly to restore competence, and confidence, that it is capable of safeguarding sensitive data. Yet amid this damage may lie an opportunity for America’s technology and security communities and government to work collaboratively to improve the nation’s ability to protect sensitive data.
That data, after all, could include technical capabilities that would enable the CIA to hack into a device that could reveal a terrorist plot abroad, or important information about a foreign adversary’s nuclear weapon ambitions. Allowing such information to fall into the hands of malicious actors could have devastating consequences.
Carrie Cordero is an attorney in private practice, adjunct professor at Georgetown Law, and former counsel to the U.S. assistant attorney general for national security.