TRNN Summer 2018 Fundraising Banner
TRNN Summer 2018 Campaign Banner Mobile

Wikileaks CIA Docs Suggest Gov. Hides Knowledge of Security Vulnerabilities from Tech Industry

SHARMINI PERIES: It’s The Real News Network. I’m Sharmini Peries, coming to you from Baltimore.

WikiLeaks released nearly 8,000 secret CIA pages and nearly 1,000 associated files on Tuesday. They provide details of the CIA’s effort to hack into computer systems, smartphones, and even television sets, and our cars. WikiLeaks says this document trove, which it calls “Vault 7” is the largest CIA leak ever. And it is only the first release in a series of leaks to come. WikiLeaks says the files cover the time period between 2013 and 2016. And these files were released by an insider, who says they wish to initiate a public debate about the security, creation, use, proliferation, and democratic control of cyber weapons.

Joining us from Grand Rapids, Michigan to analyze the CIA leaks with me is Marcy Wheeler. Marcy is an investigative reporter covering national security and civil liberties at Marcy is the author of, “Anatomy of Deceit: A Short Primer on Pre-war Intelligence and CIA Leaks”. Thanks for joining us today, Marcy.

MARCY WHEELER: Thanks for having me.

SHARMINI PERIES: So, Marcy, we know from the Snowden case and the Snowden film, that the government uses other countries to spy on us and they’ve been spying on us. Why are these releases so significant?

MARCY WHEELER: Well, Snowden didn’t reveal a lot of details about the specifics of NSA’s hacking on other people. He kind of gave you a big picture that the NSA hacks on people. There was a separate leak starting in August called “Shadow Brokers” and they released some of NSA’s hacking tools. This shows us what the CIA is up to. So, it’s the counterpart. We see the kinds of attacks that they make.

WikiLeaks has a list of the IP addresses that the CIA uses both for command and control, presumably as well as some of the targets. It’s withholding that for now, though it says it may release it in the future. It’s withholding a lot of the code itself, so you and I can’t go use it to hack somebody else. But it does give us an important picture of the kinds of things CIA does when it’s trying to hack a source.

SHARMINI PERIES: Alright now, assuming that these documents are authentic, I mean, the CIA or no government agency has actually challenged the authenticity of this. Does that mean, in your experience, that they’re acknowledging that these are actual documents of the CIA?

MARCY WHEELER: Well, Reuters actually reported that CIA says they’re aware of the breach that lead to… What WikiLeaks claims is that there were a bunch of former CIA hackers and contractors who inappropriately took these materials and one of them then passed them on to WikiLeaks. CIA told Reuters today that they are aware of the primary breach there. And they have suspicions about who the actual leaker to WikiLeaks may be. So, that does seem to confirm these are their documents.

SHARMINI PERIES: Right. And as I mentioned in the introduction, WikiLeaks says that the source of the leak wants to initiate a public debate about CIA’s cyber hacking and capabilities. Do you think the public is ready to have those discussions and hold government accountable?

MARCY WHEELER: Well, some of the things we need to discuss are how many vulnerabilities of American companies such as Apple, you know, the IPhone, should our spying agencies sit on rather than handing them to the company to fix. Especially, if they can’t keep them safe, I mean, it’s one… You know, last summer we had a bunch of American firewall companies exposed in the Shadow Brokers’ leak. Now we’re learning about holes in IPhone and Android phones and Samsung TVs, if anybody cares about that.

And so, you know, (a) is the government doing what it claims it will do to help us all be more secure? And (b) if it can’t keep its files safe, and thus far it can’t, then it really shouldn’t be keeping these vulnerabilities because it’s just going to make us all less safe.

There are other questions too I think. You know the debate about Russian hacking, for example, takes place in a vacuum of the kind of hacking that our own government does. Largely because there’s an entire industry to report on Russian hacking and there’s just not the counterpart to report on CIA and NSA hacking.

So, it is useful for Americans to understand that in addition to going to Google, and Facebook, and Yahoo, and getting data on foreigners in large amounts, CIA and NSA both do the same kind of hacking that we’re really angry at the Russians for doing.

SHARMINI PERIES: Right. And Marcy, when these kinds of leaks happen the government, CIA, NSA, they go after the person that might have leaked it, the whistle-blower and try to discredit them and so forth. And then the issue of them actually doing and violating our privacy laws and so on, gets sidelined or put on the back burner, as not as critically important.

So, what kind of debate should happen out there in the public? And what kind of mechanisms, tools do we need in order to monitor and control these agencies from being able to do the kind of activities that violate our laws?

MARCY WHEELER: Right. I mean, there are two different issues. Nothing we’ve seen, from either NSA or CIA, should, we assume, is being used against Americans. We haven’t had this same kind of leak from the FBI yet. But rest assured they do hack and they do use similar vulnerabilities against Americans. And the question is — when is that appropriate? When is it not appropriate?

The FBI at the end of last year got the authority to hack massively. And the year before they conducted a hack of 2,000 people, kiddie porn criminals but nevertheless, 2,000 people in one fell swoop. And while I’m not going to defend any kiddie porn traitor, you know, there are questions about how much hacking is useful and for what uses — should they really be, for example, compromising our televisions so that they can hear conversations that are happening in the room?

And then the other thing, and I raised this issue in August when that other hacker, the Shadow Brokers’ hacker started. I was like where are the hearings? This is a massive hack. Where are the hearings about how this was allowed to happen?

We now know that there was a DOD Inspector General report given to the intelligence committees that same month that showed there were massive vulnerabilities left over from Snowden. They still hadn’t fixed the holes that they knew were in place with Snowden. And we’re not hearing anything about that.

So, you know, the intelligence community complains and says this hacker is horrible. This hacker is horrible. This hacker is horrible. But they don’t do the things that: (a) are necessary to prevent these tools from being stolen. But also, that are necessary to prevent, you know, wayward NSA or CIA spies from spying on us. And that really needs to happen. It’s almost four years since Snowden and as of last August, it had not happened yet.

SHARMINI PERIES: Right. Now, since Snowden, the relationship between the tech industry and the government has suffered a bit. One could say they are strangers still. But how do the two parties come together in terms of analyzing and fixing the problem here?

MARCY WHEELER: Well, it’s not clear that they do. Last summer the companies that were comprised were firewall companies. So, like CISCO, Fortinet. And they were a little bit quiet. They said quickly that they were patching those holes. But that meant that their customers around the world had been exposed thanks to the NSA.

Apple very quickly yesterday released a report saying that they had already found many of the holes that the CIA had identified. The CIA themselves had said a lot of them are closed. But there’s kind of this cat and mouse. And honestly, it may be better for privacy if these companies are less trustful of the government. The government wouldn’t agree with me but then they are going to be more adversarial and they’re going to be a lot more aggressive about their own security then just trusting that the best spies in the world, NSA and CIA, aren’t going to compromise them.

SHARMINI PERIES: All right, Marcy, I know it’s a busy day for you but thank you so much for joining us today. And I’m sure there’ll be more to discuss in the coming days, and I hope you join us.

MARCY WHEELER: Thanks so much.

SHARMINI PERIES: And thank you for joining us here on The Real News Network.