Privacy Experts Say CIA Left Americans Open to Cyber Attacks

The logo of the Wikileaks website is pictured on a smartphone in this picture illustration taken in Tokyo November 29, 2010. Reuters

This article originally appeared on the International Business Times.

WikiLeaks release of the latest cache of confidential C.I.A. documents as part of an ongoing "Vault 7" operation exposed some of the U.S. government's hacking and digital espionage capabilities—this time having to do with iPhones and other smart devices used by hundreds of millions of people across the globe. But cyber security experts and computers scientists are raising concerns over the C.I.A.'s disregard of safety measures put in place for discovering these dangerous flaws in smart gadgets.

The federal agency has kept its discovery of many exploits (software tools targeting flaws in products, typically used for malicious hacking purposes) a secret, "stockpiling" that information rather than reporting it to multinational corporations, throwing millions of Americans into the crosshairs of a dangerous, intergovernmental spying game in the process.

"What's critical to understand is that these vulnerabilities can be exploited not just by our government but by foreign governments and cyber criminals around the world, and that's deeply troubling," said Ashley Gorski, an American Civil Liberties Union staff attorney working on the civil rights group's national security project. "Our government should be working to help the companies patch vulnerabilities when they are discovered, not stockpiling them."

The C.I.A. knew its own classified documents had been floating around the dark web for at least a year and was well aware the hacking capabilities it was using to break into everyday tech could also have been employed by hostile foreign networks. Russian President Vladimir Putin's Kremlin reportedly orchestrated a sprawling governmental operation in an attempt to influence the 2016 U.S. presidential election, which featured several cyber attacks on email servers and devices used by members of the Democratic Party.

The government enacted the Vulnerabilities Equities Process to reduce the unnecessary stockpiling of exploits. The procedure was meant to provide guidelines for agencies like the C.I.A. for notifying companies when dangerous issues are discovered in their devices. The measure was put in place during the Obama administration to prevent cyber attacks from terrorist networks and foreign governments, including Russia and China. But the C.I.A. completely ignored the Vulnerabilities Equity Process, instead exploring ways to use exploits for their own purposes, according to the Electronic Frontier Foundation, an international nonprofit digital rights group that reviewed a copy of the practice after filing a Freedom of Information Act request.

"It appears the CIA didn't even use the [Vulnerabilities Equity Process]," said Cindy Cohn, executive director of the Electronic Frontier Foundation. "That's worrisome, because we know these agencies overvalue their offensive capabilities and undervalue the risk to the rest of us."

The CIA said it refuses to comment on any purported confidential documents but defended its use of exploits in common products by way of a press release following WikiLeaks' initial data dump earlier this month. The agency said it wasn't using the tools to target U.S. citizens but instead to "aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nations states and other adversaries."

The agency may have left millions open to the exact attacks it said it was trying to prevent, regardless of its intentions, by not reporting those flaws to major companies, said Justin Cappos, a professor in the Computer Science and Engineering department at New York University.

"Now those blueprints are out there for hackers around the world, for anyone who wants to access this information and use it to compromise all these products," Cappos said. "You have to ask yourself: If the government knows of a problem in your phone that bad guys could use to hack your phone and have the ability to spy on you, is that a weakness that they themselves should use for counterterrorism, or for their own spying capabilities, or is it a problem they should fix for everyone?"

If one thing was clear through WikiLeaks' latest release, it's that flaws in technology will always exist, while many—including the U.S. government—continue to learn of more ways to use them as tools for digital espionage. Digital privacy advocates say the tides will only begin to turn when consumers begin demanding a basic threshold of online security from companies and their governments.

When asked how to describe the thousands of pages of complex data and its implications for typical Americans, Cohn offered a real-world scenario.

"If the C.I.A. was walking past your front door and saw that your lock was broken, they should at least tell you and maybe even help you get it fixed," Cohn said.

But the federal agency doesn't appear to be helping Americans protect themselves from intrusion. Instead, the C.I.A. was building secret tunnels, discovering other ways to break into their homes and not telling them about their broken locks.

"And worse, they then lost track of the information they had kept from you so that now criminals and hostile foreign governments know about your broken lock," Cohn continued. "Stripped of the digital trappings, that is what happened here."