By Aaron Warner / Guest Column
On March 7, WikiLeaks released the largest-ever publication of confidential information on the CIA. Entitled “Vault 7,” it comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.
While it’s still early, and security experts are still working their way through this immense collection of documents, there are a few things that we’ve already learned.
The role of the CIA
These documents seem to outline an extensive and well-funded program to apply offensive cybersecurity to the fieldwork that the CIA does, primarily outside of U.S. borders. These cyberweapons can’t legally be used against U.S. citizens within the United States without the permission of the proper legal authorities, including the FISA court and direction to do so from the president of the United States. In some cases, the CIA is permitted to operate within U.S. borders, but those are incredibly limited.
“If they were used, it would have to have been done by the FBI, not the CIA. The domestic authority of the CIA is incredibly limited,” said Robert Cattanach, a partner at the law firm Dorsey & Whitney.
What was released?
Many of the tools and procedures detailed are used to gain access to computer systems and individuals’ private information and to use it for the purposes of monitoring. These tools seek to exploit a combination of classical IT infrastructure, mobile devices, Windows-based computers and even certain brands of smart television.
Perhaps what’s most alarming in this collection of documents is the CIA’s collection of malware. Called “zero-day” vulnerabilities, these are small applications that are used to gain access to computer-based systems. They are so named because they’re created as relatively unique applications, and may be undetectable by most forms of cyber protection systems. They’ve been available for “zero days,” and therefore are more unique than many of the more commonly used exploits.
These documents detail a program so extensive that field operatives can request malware for a specific targeted individual. Presumably the engineering teams inside of the CIA would prepare custom malware and deliver it to the field operative for their use in surveillance and counterterrorism.
WikiLeaks did take some major steps to redact information that could have been damaging either to field personnel or to computer systems themselves. People’s identities have been replaced with user IDs; .ZIP files and other attachments have been replaced with simple lists of the files that were contained, to keep the actual tools from being distributed. The executable applications have been disabled to prevent them from sneaking into the wild, and most of the addresses that point to specific computer systems within the U.S. government have been removed.
Most businesses and private citizens shouldn’t stay up at night worried about the CIA monitoring them, but many of the methods and procedures used by the CIA are now in the hands of hackers and aggressive states known to hack the U.S., including Russia, China, North Korea and Iran. If your company is likely to see any impact from this breach, it’s in the application of these tools by third parties other than our own government.
What can I do about any of this?
An event such as this one is an excellent opportunity to pull your team together and establish where you stand. Bringing in a combination of people from your organization, including legal, finance, HR, and of course IT would be an excellent start. You can use the following areas as guidelines for your open and honest discussion:
- Backups: Do we have them, have they been tested lately?
- Incident response: Do we have one, and how would we respond if we were hacked?
- Partners: Which cybersecurity company should we use to support our needs?
- Assessment: How long has it been since we’ve done an assessment of our cybersecurity?
- Training: Have we trained our staff to help protect us?
Just the process of talking through these issues will give you a better handle on where you stand, and the degree to which you’re prepared for what seems to be a new wave of cybersecurity risks.
There is still much to be learned from this specific incident, but it underlines the need for organizations to begin taking cybersecurity more seriously. It’s clear that the distribution of these methods and tools is only going to make matters worse, and being prepared becomes increasingly important. Good cybersecurity protection is about people, and the more involved your company and your leadership are, the better prepared you will be for the worst.
Aaron R. Warner is CEO of ProCircular, a cybersecurity and privacy firm based in North Liberty.