The WikiLeaks exposure of thousands of documents relating to the Central Intelligence Agency’s (CIA) hacking program, which was expanded dramatically under President Barack Obama between 2013 and 2016, has created something of a panic in the users of cell phones, online computers and even for smart television viewers. The documents describe “more than a thousand hacking systems, trojans, viruses and other ‘weaponized’ malware” and one document even identifies attempts to enable CIA controllers to take control of automobiles that have “On Star” or similar satellite interactive features.
According to analysts who have gone through the documents, any electronic device that is connected to the internet is reported to be vulnerable to being taken over and “weaponized,” manipulated through its microphone or camera function even if it appears to be turned off. Apple, Google, Android and Microsoft products were among the technologies that were targeted, with the security systems being constantly probed for vulnerabilities. When a flaw was discovered it was described as “zero day” because the user would have zero time to react to the detection and exploitation of the vulnerability.
And they are indeed everywhere. Ron Paul has described a woman’s test on the Amazon marketed interactive voice controlled device called Alexa, asking it if it were reporting to the CIA. Alexa, which allegedly cannot tell a lie, refused to answer.
According to Wikipedia, “Alexa is an intelligent personal assistant developed by Amazon Lab126, made popular by the Amazon Echo. It is capable of voice interaction, music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, and providing weather, traffic, and other real time information.” One reviewer observed “In a good but scary feature, Amazon Echo can learn a person’s habits over time. It will get used to the way a person talks, his/her habits and routines and will save all the data in the cloud.”
Alexa demonstrates that CIA and NSA intrusion into the lives of ordinary people is not unique. In the cyber-sphere there are many predators. Amazon has apparently run special sales to get Alexa devices into as many homes as possible, presumably for commercial reasons, to have a machine in one’s home that will eventually replace the cookies on computers that collect information on what people are interested in buying. The company’s president Jeff Bezos also recently completed a deal worth $600 million for Amazon to provide cloud hosting services for the Agency. And there are, of course, two clear conflicts of interest in that deal as Bezos is selling a device that can be hacked by the government while he also owns The Washington Post newspaper, which, at least in theory, is supposed to be keeping an eye on the CIA.
But spying for profit and spying by the government are two different things and the WikiLeaks revelations suggest that the CIA has had a massive program of cyberespionage running for a number of years, even having created a major new division to support the effort called the Directorate for Digital Innovation, with an operation component called the Center for Cyber Intelligence. Media reports also suggest that a major hub for the operation was the American Consulate General in Frankfurt Germany, where the Agency established a base of operations.
First of all, it is necessary to make an attempt to understand why the CIA believes it needs to have the capability to get inside the operating systems of phones and other devices which rely on the internet. It should be pointed out that the United States government already has highly developed capabilities to get at phones and other electronics. It is indeed the principal raison d’etre of the National Security Agency (NSA) to do so and the FBI also does so when it initiates wiretaps during criminal and national security investigations.
Beyond that, since the NSA basically collects all electronic communications in the United States as well as more of the same fairly aggressively overseas, it would seem to be redundant for the CIA to be doing the same thing. The CIA rationale is that it has a different mission than the NSA. It exists to conduct espionage against foreign intelligence targets, which frequently requires being able to tap into their personal phones or other electronic devices by exploiting vulnerabilities in the operating systems. As the targets would be either sources or even prospective agents, the Agency would have to protect their identity in the highly compartment world of intelligence, making outsourcing to NSA problematical.
This need to develop an independent capability led to the development of new technologies by the CIA working with its British counterparts. There were apparently successful efforts to target Samsung “smart” televisions, which would use their speakers to record conversations even when the set was turned off. The project was called “Weeping Angel,” and other hacking programs were called “Brutal Kangaroo,” “Assassin,” “Hammer Drill,” “Swindle,” “Fine Dining” and “Cutthroat,” demonstrating that government bureaucrats sometimes possess a dark sense of humor.
Being able to enter one’s home through a television would be considered a major success in the intelligence world. And the ability to access cell phones at source through obtaining full control of the operating system rather than through their transmissions means that any security system will be ineffective because the snoopers will be able to intrude and hear the conversation as it is spoken before any encryption is applied. CIA and its British allies were reportedly able to take control of either Android or i-Phones through vulnerabilities in their security systems by using their attack technologies.
WikiLeaks claims to have 8,761 documents detailing efforts to circumvent the security features on a broad range of electronic devices to enable them to be remotely tapped, the information having apparently been passed to WikiLeaks by a disgruntled government contractor, though the Russians are perhaps inevitably also being blamed. The U.S. government has apparently been aware of the theft of the information for the past year and one presumes it has both done damage control and is searching for the miscreant involved. Also, there have been security fixes on both Apple and Android phones in the past year that might well have rendered the attack technologies no longer effective.
So many will shrug and wonder what the big deal is. So the CIA is tapping into the electronics of suspected bad guys overseas. Isn’t that what it’s supposed to do? That question has to be answered with another question: How do we know if that is all the CIA is doing? Technology that can attack and take control of a telephone or television or computer overseas can also do the same inside the United States. And the Agency can always plausibly claim that a connection with a suspect overseas leads back to the U.S. to enable working on related targets on this side of the Atlantic.
Another issue is the possibility to engage in mischief, with potentially serious consequences. The WikiLeaks documents suggest that the CIA program called UMBRAGE had been able to acquire malware signatures and attack codes from Russia, China, Iran and other places. It does that so it can confuse detection systems and preserve “plausible denial” if its intrusion gets caught, disguising its own efforts as Russian or Chinese to cast the blame on the intelligence services of those countries. It has been alleged that the hack of the Democratic National Committee computers was carried out by Moscow employed surrogates and part of the evidence produced was signature malware that had left “fingerprints” linked to Russian military intelligence in Ukraine. What if that hack was actually done by the CIA for domestic political reasons?
Critics have also pointed out that President Obama in 2014 had come to an agreement with major communications industry executives to share with manufacturers information regarding the vulnerabilities in their systems so they could be addressed and made secure. This would have benefited both the industry and the general public. The agreement was obviously ignored in the CIA case and is just another sign that one cannot trust the government.
However, the real downside regarding the CIA hacking is something that might not even have occurred yet. It is an unfortunate reality that government spying operations largely lack regulation, oversight or any effective supervision by Congress or anyone else outside the agencies themselves. Even if knowledge about communications vulnerabilities has not been employed illegally against American targets or to mislead regarding domestic hacks, the potential to use those capabilities once they are in place will likely prove too hard to resist. As such, no home or work environment will any more be considered a safe place and it is potentially, if not actually, the greatest existing threat to Americans’ few remaining liberties.