It’s impossible to keep up with the nonstop news coverage and multiple storylines around the recent WikiLeaks CIA dump. The initial Vault 7 data drop led to Assange’s press conference about “helping” private companies patch vulnerabilities, all while fear started to spread around the intelligence community listening in to our internet-connected Samsung TVs and Apple products at home, and Cisco disclosing that its routers and Internet switches had been hacked.
Most recently, CIA Director Mike Pompeo criticized WikiLeaks in his first public address since being confirmed, calling the organization a “non-state hostile intelligence service.” Pompeo makes an undeniable point about the far-reaching consequences of a leak such as this one — which, speaking from an intelligence perspective, is likely the most frightening yet.
The truth of the matter is that the breach of the CIA’s attack tools not only placed the U.S. at a deficit in our offensive cyber capabilities, it has threatened the world’s most critical businesses, organizations and national security peace of mind. To echo Pompeo’s statements, we are now all more vulnerable.
If WikiLeaks releases details on the vulnerabilities, attackers of all stripes will soon have the ability to weaponize the CIA’s tools — not just nation states with advanced cyber programs like China, Russia, North Korea and Iran, but anyone with adequate internet access and some technical knowhow.
This isn’t just a dump of information by a disgruntled employee that saw the new Snowden movie and thought they could be a hero. It appears to be a calculated breach by a spy.
Cyber espionage has been the new normal for years
There are no hackers anymore — now it’s all about the spies we in the intelligence and security communities are trying to stop. The “insiders” have known this for some time, but it’s becoming more apparent to the business community and now individuals. Numerous criminal and espionage attacks plague computer systems in all industries, public and private.
For the CIA breach, it’s imperative for the FBI to determine how it occurred. We hope that the breach was a single employee or contractor that acted out of ‘hacktivism.’ More concerning is the thought that a foreign intelligence service could have recruited an insider traitor to extract the hacking tools. The recent DOJ indictment around the Yahoo breach shines a light on Russia’s recruiting tactics.
The intelligence community may have a serious trusted insider problem. There’s a fine line between whistleblowing and leaking information that directly aids foreign intelligence services. Leaks of classified information can be incredibly harmful — especially when they reach the wrong hands.
The real threat of WikiLeaks’ CIA dump: the rise of non-malware
Despite news coverage mainly focusing on spying capabilities for consumer-level devices, there is a silent killer lurking in the shadows of the dump: several of the tools released were non-malware attacks (often called fileless attacks or “living-off-the-land” attacks).
Non-malware attacks gain control of computers without downloading malicious software. Instead, they use trusted, native operating system tools, such as PowerShell, and exploit running applications, such as browsers, to “live off the land.” These attacks pose a bigger risk than malware attacks because they are harder to detect and cause more damage.
The security industry has noticed the rise of these attacks as criminals and spies use them more. The CIA was also exploiting these attack methods — given that they’re a nearly undetectable way to breach a system — but the Vault 7 release gives these tools to a large number of potentially malicious actors.
Non-malware attacks will become more commonplace, more advanced and more frequent, and security practitioners everywhere need to be on high alert. Based on previous history, I expect WikiLeaks to make these vulnerabilities public immediately after tech companies create a patch. If they follow this route, that will allow attackers to use the tools to conduct surgical strikes and weaponize every asset available.
What happens next, and what needs to happen to mitigate our risks
Russia will never stop spying. Similarly to what we’ve done with China, we should try to limit espionage to government against government, not government against the private sector. There have been discussions about enacting a ‘Digital Geneva Convention,’ but that will hinge on our ability to come to agreements across the board.
Our best move against Russia, China, North Korea, Iran and countless others to defend against cyber attacks is not necessarily in policy or diplomacy, but in stronger cybersecurity across our nation’s mission critical systems.
Cybersecurity relies on a partnership between the public and private sectors. Private industry is attacked as often as government, and must therefore invest in robust cybersecurity technology, software and personnel. The government has been deficient in cyber defense and needs to invest similarly. Both public and private must coordinate cyber efforts and share threat information among a defense community.
The uphill battle for individuals and the business community is still awareness — I’m shocked that the very high profile attacks on the DNC and Clinton campaign, the extraordinary amount of ransomware attacks and the high profile government breaches haven’t brought home the very present threat to a more general public.
I fear that the message won’t hit home for most people until a cyber attack rises to the level of a kinetic attack. At some point attackers will successfully target our critical infrastructure — once the lights are out for a significant period of time, cybersecurity will be taken more seriously, but the hope is that we can begin to wake up before then.