The WikiLeaks revelation last week about alleged CIA hacking into web-connected consumer devices immediately prompted comparisons with the leaks by fugitive National Security Agency contractor Edward Snowden, which exposed highly classified U.S. intelligence gathering activities.
But this posting of thousands of documents by WikiLeaks, purporting to reveal the tools used by the CIA to get into smartphones, TVs and other consumer devices that make up the Internet of Things, comes in a different policy environment and is likely to have a substantially different impact.
University of Houston researcher Chris Bronk, a former foreign service officer with the State Department, called the March 7 WikiLeaks posting “the big breach for the CIA, on par with the Snowden and [Bradley] Manning breaches.”
Added Virginia Tech’s Charles Clancy: “If the documents are genuine, this is a huge hit to the CIA’s covert cyber operations program. Coming on the heels of NSA’s Shadow Brokers leaks and lingering impacts of the Snowden disclosures, the consequence is a sustained degradation in the intelligence community’s sources and methods for cyber espionage necessitating significant new investment to rebuild capability.”
“The natural tendency to combat such leaks is to further restrict access to data on classified cyber capabilities, which could come at the expense of effective collaboration and mission impact across divisions and agencies,” he added.
That kind of impact would certainly track with how the earlier Snowden leaks affected all kinds of government agencies and initiatives.
The Snowden affair, with leaks beginning in 2013 and dribbling out in subsequent years about NSA surveillance of private citizens’ communications, upended cybersecurity policy efforts in Congress and relations with allies abroad for years, and inspired a wave of suspicion aimed at the U.S. intelligence community.
But there are at least three big differences in the two episodes.
First, there is no allegation so far that the CIA was using its hacking tools to spy on Americans through their personal devices. Snowden’s revelation that the NSA was pulling in massive amounts of data on Americans’ private communications gave that leak an immediate and explosive impact on U.S. policy.
The CIA declined to comment last week, but one high-profile intelligence veteran used an unusual platform to refute the idea that Americans’ TVs and microwave ovens were spying on them.
“I can tell you that these tools would not be used against an American,” former CIA and NSA Director Michael Hayden said March 7 on “The Late Show with Stephen Colbert.”
“But there are people out there that you want us to spy on. You want us to have the ability to actually turn on that listening device inside the TV, to learn that person’s intention,” Hayden said. “This is a wonderful capability. You give the intelligence community $53 billion a year. You gotta get something for your money.”
Second, unlike at the time of the Snowden leaks, there is no big — and controversial — cyber policy bill working its way through Congress that could be derailed by the WikiLeaks disclosure.
This leak will not halt major cybersecurity legislation in its tracks, as happened in 2013-2014 when many lawmakers wouldn’t touch anything cyber-related, including cyber information-sharing legislation that was largely unrelated to the issues raised by Snowden leaks.
Third, there are a multitude of initiatives afoot across the government to address the type of vulnerabilities that the CIA allegedly exploited in consumer devices.
Some members of Congress are already engaged regarding the widely known vulnerabilities of the Internet of Things, along with a variety of federal agencies in partnership with industry.
For example, legislation was introduced this year in the House and Senate calling for a government-industry partnership to develop a national strategy for Internet of Things security.
The Federal Trade Commission, often the cop that identifies and punishes lax security efforts by companies, is urging greater use of draft guidelines developed out of the Commerce Department to identify Internet of Things vulnerabilities. Such encouragement is often a not-so-subtle signal that anything less could draw enforcement scrutiny.
The issue is also popping up prominently as policymakers consider the security implications of self-driving cars.
The need to improve and, to the extent possible, ensure the basic security of the Internet of Things was identified as a top priority by the Obama commission on cybersecurity and in the recent package of recommendations for the Trump administration developed by the Center for Strategic and International Studies.
And that highlights one of the most significant impacts of the latest WikiLeaks dump: The Internet of Things will not reach its potential as a driver of economic growth if consumers harbor deep doubts about its underlying security.
Government credibility and faith in tech-driven evolutions to the economy both take a blow when it appears, as the leaks suggest, that the CIA is identifying security flaws in consumer devices and keeping that information to itself.
But on the plus side, the government and the private sector have set in motion processes that could result in new ways to identify and fix vulnerabilities in consumer goods and to ensure that security is a front-of-mind issue for industry and regulators alike in the Internet of Things.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.
