On March 7, when WikiLeaks released a portion of what its founder, Julian Assange, claimed was the biggest-ever trove of classified CIA documents, which it is calling Vault 7, it was inevitable that comparisons would be made to Edward Snowden’s theft of top-secret NSA material almost four years ago. Though the content of the stolen files is very different—WikiLeaks has gotten access to an extensive suite of malware used by the CIA to hack into computers, phones, and devices connected to the Internet, while Snowden’s cache detailed the NSA’s data-mining operations—WikiLeaks itself encouraged this analogy when it echoed the former NSA contractor with its explanation of the motivation behind the leak.
“I’m just another guy who sits there day to day in the office, watching what’s happening, and goes, ‘This is something that’s not our place to decide.’ The public needs to decide whether these programs or policies are right or wrong,” Snowden said at the time, justifying his actions by appealing to basic democratic and constitutional principles. Similarly, in its press release announcing Vault 7, WikiLeaks noted that the person who handed over what the group says is the “entire hacking capacity of the CIA” did so “to initiate a public debate about the security, creation, use, proliferation and democratic control of cyber-weapons.”
Yet given what these files contain—actual programs designed to infect, disable, or take over any number of digital devices—and given that they’ve landed in the hands of Julian Assange, this statement might be read more as a threat than an invitation.
WikiLeaks is the publisher of anonymous, purloined material, which it releases on its website, often without removing personal identifiers and other potentially harmful information; I once came across Bill Clinton’s home phone number in a WikiLeaks file. (In the case of the CIA cache, it has provisionally redacted the source code of the hacked software, a troubling prospect I will go into below.) Snowden, in contrast, was the leaker, not the publisher. Once he gave the documents he’d taken to a select group of national security journalists to study and determine what should be made public and what should remain concealed, he came forward and identified himself as their source.
This mattered then, because it allowed Snowden to make his case directly to the public, which he did in an interview broadcast to a shocked and curious world soon after the first piece in The Guardian revealing that the NSA was spying on innocent Americans, often with the help of tech companies. The conversation he hoped to initiate happened and influenced both public policy and the law.
And it matters now, because anonymity, while synonymous with the WikiLeaks “brand,” is also what has—among many other things—undermined WikiLeaks’s credibility and caused the defection of supporters who once saw the group as a new way of holding power accountable. This past year, after WikiLeaks disseminated hacked emails from the Democratic National Committee, from Hillary Clinton, and from her campaign adviser John Podesta, all of which were seen as bald attempts to tip the scales against Clinton, and after numerous intelligence agencies concluded that WikiLeaks had been fed these files by Russian agents or hackers working on behalf of Russian interests, WikiLeaks—and Assange—were widely characterized as Russian agents, witting or not.
This is why the notion that an anonymous hacker working through WikiLeaks will spur a conversation about the acceptable limits of CIA spying activities is unconvincing. As long as the public believes that WikiLeaks is working in concert with the Russians to undermine faith in American institutions, or on its own to support the Trump agenda—theories that gained a lot of traction with the DNC hack and even more after the release of John Podesta’s private correspondence—there will be no debate over the CIA’s development and deployment of cyber-weapons. Instead, the conversation will be about Julian Assange himself—his motives, his personality, his showmanship.
The timing of the release of Vault 7, which was apparently kicking around for months and maybe longer, was curious, coming a few days after Trump accused Obama of wiretapping Trump Tower during the election. Curious, too, was the appearance at Assange’s hideout in the Ecuadorian Embassy shortly after the release of Vault 7 by Brexit campaigner and Trump advisor Nigel Farage, who—surprise!—could not remember what he and Assange had been talking about. And while the White House was dodging questions about the interference of Russia in the presidential election, the release of Vault 7 allowed Assange to suggest that the United States was not itself innocent in this regard since, he claimed, the CIA has been doing similar “attacks on the French political parties” to influence French economic policy.
But what of the leaked materials themselves? At the press conference announcing the release of Vault 7, Assange was able to tease the press with sensational stories about the CIA spying on people in their homes through their Samsung smart TVs, and the agency’s ability to crack the encryption on popular programs like Signal and WhatsApp, and how it was failing to tell tech companies when it found what are known as “zero day” exploits in their products—unpatched holes that allow a hacker to get inside of them—but instead using these exploits to its own advantage. As Zeynep Tufekci observed in The New York Times, one of Assange’s strategies is to dump lots of files on the web at once, before they can be adequately scrutinized, giving him an advantage when it comes to describing their significance.
After a day or so of panic, the consensus of tech experts was that so far, Vault 7 does not reveal that the CIA possesses hacking capacities that are not already well-known, or at least long-suspected. This doesn’t make them less destructive, just less remarkable. For years, many of us have been writing about the vulnerability of devices connected to the Internet. We’ve known how smart TVs, and appliances like Amazon’s Alexa, can be turned into remote spying devices. We’ve reported on researchers who have successfully demonstrated the capacity for a third party to take over a “smart” car and how foreign hackers infiltrated the control system of an American dam. We’ve pointed out that even though a text message sent via the very secure Signal app will be encrypted, unless that message is then deleted, it will be accessible to anyone who gets ahold of the phone, since even locked phones are only minimally secure. And we know—or should have learned from Stuxnet, the joint American-Israeli program to undermine Iran’s nuclear program—that intelligence agencies search for, and rely on, zero day exploits to gain access to adversaries’ computer systems. The Stuxnet worm was built around four of these. It is hardly surprising that the CIA is developing ways to turn the vulnerabilities of digital technology to its advantage.
So far, it is unclear from the programs detailed in Vault 7 if the CIA is overstepping its bounds. When asked by a reporter from CNN if the CIA malware was legal as long as it was used against overseas targets, Assange’s answer strangely echoed language we’ve been hearing these past few weeks from the White House: “There are many questions that might be asked by CNN, and one that seems to defend the interests of the CIA I think is a bit problematic to have been the first question to be asked.” Reporting on the hack in the Times, Steve Lohr and Katie Benner pointed out that if, as some of the material suggests, the CIA failed to inform companies that it had detected security flaws in their products, it would have ignored the Obama administration’s promise to those companies to do so. But as the ACLU has noted in the past, this policy allows broad exceptions for national security and law enforcement purposes.
In his press conference, Assange observed that no cyber weapons are safe from hacking because they live on the Internet, and once deployed are themselves at risk of being stolen. When that happens, he said, “there’s a very easy cover for any gray market operator, contractor, rogue intelligence agent to take that material and start a company with it. Start a consulting company, a hacker for hire company.” Indeed, the conversation we almost never have when we’re talking about cyber-security and hacking is the one where we acknowledge just how privatized intelligence gathering has become, and what the consequences of this have been. According to the reporters Dana Priest, Marjorie Censer and Robert O’Harrow, Jr., at least 70 percent of the intelligence community’s “secret” budget now goes to private contractors. And, they write, “Never before have so many US intelligence workers been hired so quickly, or been given access to secret government information through networked computers. …But in the rush to fill jobs, the government has relied on faulty procedures to vet intelligence workers, documents and interviews show.” Much of this expansion occurred in the aftermath of the September 11 attacks, when the American government sought to dramatically expand its intelligence-gathering apparatus.
Edward Snowden was a government contractor; he had a high security clearance while working for both Dell and for Booz, Allen, Hamilton. Vault 7’s source, from what one can discern from Assange’s remarks, was most likely a contractor, too. The real connection between Snowden’s NSA revelations and an anonymous leaker handing off CIA malware to WikiLeaks, however, is this: both remind us, in different ways, that the expansion of the surveillance state has made us fundamentally less secure, not more.
Julian Assange, if he is to be believed, now possesses the entire cyber-weaponry of the CIA. He claims that they are safe with him while explaining that nothing is safe on the Internet. He says that the malware he’s published so far is only part of the CIA arsenal, and that he’ll reveal more at a later date. If that is not a veiled threat, then this is: Assange has not destroyed the source codes that came to him with Vault 7, the algorithms that run these programs, and he hasn’t categorically ruled out releasing them into the wild, where they would be available to any cyber-criminal, state actor, or random hacker. This means that Julian Assange is not just a fugitive, he is a fugitive who is armed and dangerous.