Updated 5:15 p.m. ET
WikiLeaks has released thousands of files that it identifies as CIA documents related to the agency’s cyber-espionage tools and programs.
The documents published on Tuesday include instruction manuals, support documents, notes and conversations about, among other things, efforts to exploit vulnerabilities in smartphones and turn smart TVs into listening devices. The tools appear to be designed for use against individual targets, as part of the CIA’s mandate to gather foreign intelligence.
A CIA spokesperson would not confirm whether the documents were genuine, telling NPR, “We do not comment on the authenticity or content of purported intelligence documents.”
Former CIA Director Michael Hayden told MSNBC that if WikiLeaks’ account was true, the document dump would be “very, very damaging.”
And the anti-secrecy site says there’s more to come: WikiLeaks has dubbed Tuesday’s release “Year Zero,” saying it is the first of a series of CIA-related leaks that the site is collectively calling “Vault 7.”
Nicholas Weaver, a computer scientist at the University of California at Berkeley, says the documents don’t seem to reveal significant news about the CIA’s capabilities — “it’s describing a hacking organization that’s doing a reasonably good job,” he says.
What is surprising is that the documents are being published.
In a statement accompanying the document release, WikiLeaks alleges that the CIA has recently “lost control of the majority of its hacking arsenal,” and that an archive with “several hundred million lines of code” has been circulating among former government hackers. One former government hacker or contractor gave a portion of that code to WikiLeaks, according to the organization.
Weaver calls that story “implausible,” and raises the possibility that someone from outside the U.S. government compromised the CIA’s systems to acquire the documents. And that, he says, would be a big deal: “Spies gonna spy, that’s dog bites man. Spy dumps data on WikiLeaks, proving that they exfiltrated it from a top secret system? That’s man bites dog.”
Regardless of how they were acquired, the documents in the “Year Zero” release do not include the code for any cyberespionage programs. In its press release, WikiLeaks says it is “avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges” on how to analyze and disarm such weapons.
Instead, the purported CIA documents reference and describe agency tools designed to extract information from computers, monitor communications and control electronic devices.
WikiLeaks says the files came from the CIA’s internal Confluence system — a platform for team collaboration. They include instructions on how to use programs, and guides describing how to reduce the risk of CIA involvement being detected in a program. Some pages have comments from users whose names have been redacted but who appear to be software developers.
The alleged CIA documents show techniques developed specifically for “embedded systems” — which the files describe, in non-technical terms, as “the Things in the Internet of Things.” Think devices that don’t look like computers, but use the Internet to work. For instance, one program uses a Samsung TV as a listening device, turning the microphone on while the TV appears to be off.
The documents also appear to show techniques the CIA has used to compromise and control individual smartphones. WikiLeaks notes that such tactics would allow the agency to read even encrypted communications — but Weaver says that’s misleading.
“The real story on encryption is not, ‘Oh my God the CIA breaks encryption,’ but that encryption is so good that the CIA has to risk $1.5 million assets to compromise a target’s iPhone if they want to read his messages,” he says, noting the high price of developing smartphone-infiltrating techniques.
There’s another concern about the methods that the CIA used to compromise phones. Ben Wizner, director of the ACLU Speech, Privacy, and Technology Project, says the documents suggest the CIA “deliberately maintained vulnerabilities” in widely used devices.
“Those vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world,” he said in a statement. (Security consultant Tom Ritter tells NPR that according to the documents, the CIA does seem to have been aware of security vulnerabilities and not informed companies that could have fixed them.)
The CIA has traditionally been responsible for human espionage — officially, the NSA gathers “signals intelligence” and the CIA analyzes it. But the CIA also carries out its own cyber operations.
In February 2016, then-CIA Director John Brennan spoke with NPR’s Mary Louise Kelly about, in part, the agency’s desire to expand its cybercapabilities.
“The technological changes are taking place at a warped speed,” he said:
“So we here at CIA, we recently set up a fifth directorate for the first time in 50 years, a new directorate … the directorate of digital innovation, so that we can understand all of the opportunities and challenges associated with that digital environment.
“I’m not a technological expert by any means, but I recognize that more and more human transactions and interactions take place in that cyber environment. And it profoundly affects all of our ways of life, and it affects the intelligence mission. So I want to make sure that for CIA to be able to fulfill its responsibilities in the years ahead, we understand what the pitfalls are, what the opportunities are, so that we are able to master that environment consistent with our authorities, so we can carry out our respective missions.”
Mike Pompeo, the new head of the CIA under President Trump, said in a written questionnaire accompanying his confirmation hearing that he understood that the agency, “upon direction from the President and working in cooperation with other agencies when appropriate, has capabilities to perform a wide [array of] actions related to all forms of cybersecurity policies.”